Responsible under German Press Law:
Ascyrus Medical GmbH
60311 Frankfurt, Germany
Phone: +1 (617) 839-8525
General Management: Ali Shahriari, MD
Registered in the Commercial Registry of the local court Mannheim under the HRB number 729207
Sales tax identification number: DE 315 660 414
We wish to inform you about the processing of personal data by Ascyrus Medical, in particular when you are using our website. We process personal data (e.g. name, address, e-mail address and telephone number of a data subject) in accordance with the applicable law, in particular the General Data Protection Regulation (GDPR) and the German Data Protection Law (BDSG).
1. Name and Address of the Controller
Controller in the sense of Art. 4 para. 7 GDPR is:
Ascyrus Medical GmbH
60311 Frankfurt, Germany
Phone: +1 (617) 839-8525
2. Data Protection Officer
You may contact our Data Protection Officer as follows:
Ascyrus Medical GmbH
– attn. the Data Protection Officer –
60311 Frankfurt, Germany
3. Processing of Personal Data when visiting our website
The purely informational use of our website only leads to the processing of personal data that are transmitted by your internet browser to our server. While you visit our website we process the following data. This is technically necessary for us in order to display the website and to safeguard its stability and security (legal basis: Art. 6 para. 1 phr. 1 lit. f GDPR):
- date and time of the request
- time zone difference to Greenwich Mean Time (GMT)
- content of the request (concrete page)
- access status/HTTP status code
- the respectively transmitted data volume
- the website from which the request came
- browser type
- operating system (OS) and its interface
- language and version of the browser software.
4. Processing of Personal Data in the event of personal contact
When you contact us personally by e-mail, letter, contact form or in another way, we will process the transmitted data (e.g. your e-mail address, your name and/or your telephone number) in order to process and/or answer your request (legal basis: Art. 6 para. 1 phr. 1 lit. a, f GDPR). The data processed in this context will be deleted as soon as their storage is no longer necessary, or we restrict the processing if we have to fulfill a legal obligation to retain such data.
5. Processing of Personal Data in Recruitment Procedures and Employment
5.1 If you transmit personal data to us in the context of recruitment procedures, such data will be processed only for the implementation of this procedure, to determine the possible success of your application (legal basis: Art. 6 para. 1 phr. 1 lit. a, f GDPR).
5.2 If a contract is concluded between you and us, we will process the data for the purposes of conclusion and execution of the employment subject to the statutory provisions (legal basis: Art. 6 para. 1 phr. 1 lit. b GDPR). In any other case, we will automatically delete the application documents after six months, unless the deletion is contrary to our legitimate interests (e.g. procedures according to the German General Equal Treatment Act).
6. Processing of Personal Data of Other Contract Partners
When entering into a contractual relationship with us (e.g. as a client or supplier) and in the initiation phase, we will process the data you have provided to us, including those of any contact partners. These data will be processed for the conclusion and execution of the contractual relationship. The legal basis is Art. 6 para. 1 phr. 1 lit. b GDPR, or Art. 6 para. 1 phr. 1 lit. a GDPR for data that is not required but provided by you.
7. Processing of Patient Data
7.1 If data of a patient is transmitted to Ascyrus Medical, e.g. by contract partners (in particular by clinics where the patient receives the medical treatment), Ascyrus Medical will immediately pseudonymize or anonymize the patient’s data.
7.2 The patient’s data (including data concerning health) will only be processed by Ascyrus Medical, if this is permitted according to statutory provisions.
7.3 This is particularly the case if the patient has given his/her explicit consent to the processing of personal data for the purposes mentioned in the declaration of consent. Legal basis is Art. 9 para. 2 lit. a GDPR (for data concerning health), for other data Art. 6 para. 1 phr. 1 lit. a GDPR.
7.4 In addition, we will process personal data for necessary measures of quality assurance (legal basis for data concerning health: Art. 9 para. 2 lit. h, i GDPR as well as § 22 para. 1 No. 1 lit. b, c BDSG – German Federal Data Protection Act; for other data: Art. 6 para. 1 phr. 1 lit. f GDPR) and any necessary medical support of the patient, especially in case of emergency (legal basis for data concerning health: Art. 9 para. 2 lit. c, h; for other data: Art. 6 para. 1 phr. 1 lit. a, f GDPR).
7.5 As a producer of medical devices, Ascyrus Medical also has to fulfill legal reporting obligations towards public regulatory authorities. As an example, this applies to (adverse) events that may have led to a serious deterioration in the state of a patient’s health. These reporting obligations are also applicable towards public authorities in third countries (countries outside the European Union). We will only transfer patient data in a pseudonymized or, if possible and legally permitted, anonymized form (legal basis for data concerning health: Art. 9 para. 2 lit. f, h, i GDPR as well as § 22 para. 1 No. 1 lit. b, c BDSG – German Federal Data Protection Act; for other data: Art. 6 para. 1 phr. 1 lit. a, f GDPR).
8. Recipients of Personal Data
We will only transfer personal data to third parties in those cases mentioned in this policy or if we explicitly inform you accordingly on other occasions. In addition, we partly use external processors in the sense of Art. 28 GDPR (e.g. host provider, e-mail provider). However, these service providers process personal data only within the European Union unless otherwise agreed under separate agreements.
9. Profiling, Data Transfer to Third Countries
We do not use any automated decision-making processes, including profiling, in the sense of the GDPR. A transfer of personal data to third countries will only be made in those cases explicitly mentioned in this policy or if you have given your consent.
10. Your Rights
10.1 With respect to your personal data you have the following rights:
- right to request,
- right to rectification and erasure,
- right to restriction of processing,
- right to object to the processing,
- right to withdrawal, if the processing is based on your consent,
- right to data-portability.
10.2 You may withdraw your consent at any time for the future without providing reasons.
10.3 If you think that we have not duly observed your rights, you are entitled to lodge a complaint with the supervisory authority concerning our processing of your personal data. However, before lodging a complaint, we would be happy if you could inform us about your criticism so that we are able to remedy the grounds of your complaint.
11. Erasure of Data by the Controller
11.1 We process your data only for the period of time that is necessary to achieve the respective storage purpose or if we are following our legal obligations. All server log files (including your IP address) will be automatically erased within 14 days.
11.2 We will erase your personal data if the processing purpose or the legal storage obligation ceases to exist. Therefore, you don’t have to take any action to this end.
12.2 You may configure your browser preferences according to your needs and, for example, prevent the acceptance of third-party cookies or of all cookies. However, please note that if you refuse cookies, some functions of this website may not be accessible.
13. Analytical Tools
13.1 This website uses Google Analytics, a web analytics service of Google Inc. (“Google”). Google Analytics uses “cookies”, which means text files placed on your computer that allow an analysis of how you use the website. The information generated by the cookie about your use of the website will in general be transmitted to and stored by Google on servers in the USA. If IP anonymization is activated on this website (see below), your IP address will first be shortened by Google within a member state of the European Union or in a contracting state to the Agreement on the European Economic Area. Only as an exception will your IP address be fully transmitted to a server located in the USA and shortened there. Google will use this information on behalf of the controller for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services for the controller relating to website activity and internet usage.
13.2 Google will not associate your IP address with any other data held by Google.
13.4 This website uses Google Analytics with the extension “_anonymizeIp()”. Therefore, only shortened IP addresses will be processed. A direct link to a data subject should be excluded.
13.5 We use Google Analytics to analyze and to constantly improve the use of our website. For cases of an exceptional transmission of personal data to the USA, Google has joined the EU-US Privacy Shield regulation, see https://www.privacyshield.gov/EU-US-Framework. Legal basis for the use of Google Analytics is Art. 6 para. 1 phr. 1 lit. f GDPR.
14.1 Our website uses YouTube videos that are stored at www.YouTube.com and may be directly activated on our website. All these videos are embedded in the extended data protection mode, which means that your user data will not be transferred to YouTube if you do not activate the video play button. If you activate it, the data mentioned in the following section will be transferred. We do not have any influence on this data transfer.
14.2 If you are visiting our website, YouTube receives this information, and the data set forth above, which is processed when you visit our website, will be transferred as well. This data is transferred whether or not you have a user account at YouTube and/or if you are logged in. If, at the same time, you are logged in to your Google account, your data will be directly attributed thereto. If you do not wish such attribution to your YouTube profile, you have to sign off before activating the button. YouTube collects your data in user profiles and uses them for the purpose of advertisement, market research and/or for a demand-oriented design of its website. This analysis is in particular done to provide demand-oriented advertisement and to inform other users about your activity on our website (even if you are not logged in). You have the right to object to the creation of such user profiles, but such objection has to be directed to YouTube.
14.3 You may receive further information about the purpose and extent of the processing of data by YouTube in the data policy. This policy also provides you with further information on your rights and the different options for the protection of your privacy: https://www.google.de/intl/en/policies/privacy. Google also processes your personal data in the USA but has joined the EU-US Privacy Shield regulation, see https://www.privacyshield.gov/EU-US-Framework.
- Definitions of the GDPR
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘pseudonymization’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;