Eurofins Privacy Notice
Information regarding the collection and processing of your personal data
Accuracy and transparency form the basis of our interaction with customers: a collaborative approach that is based on trust. We are therefore providing you with information on how we use your data and how you can exercise your rights under the General Data Protection Regulation. The personal data that we use and the purpose for which it is used depend on the applicable contractual relationship.
1 Who is responsible for processing the data?
The party responsible is the respective Eurofins entity with whom you have entered into a contract:
- Eurofins Analytik GmbH
- Eurofins BioTesting Service Nord GmbH
- Eurofins CLF Specialised Nutrition Testing Services GmbH
- Eurofins Dr. Specht Laboratorien GmbH
- Eurofins Food Control Services GmbH
- Eurofins Food Integrity Control Services GmbH
- Eurofins GeneScan GmbH
- Eurofins GfA Lab Service GmbH
- Eurofins Global Control GmbH
- Eurofins Inlab GmbH
- Eurofins Institut Dr. Appelt Hilter GmbH
- Eurofins Institut Dr. Appelt Leipzig GmbH
- Eurofins Institut Dr. Rothe GmbH
- Eurofins Institut Nehring GmbH
- Eurofins Laborservices GmbH
- Eurofins SOFIA GmbH
- Eurofins WEJ Contaminants GmbH
2 How can you contact the Data Protection Officer?
Our Data Protection Officer’s contact details are:
Dr. Klaus zu Hoene
Data Protection Officer
Beim Strohhause 17
3 Which personal data do we use?
We process your personal information if you submit a query, receive a quote from us or sign a contract with us. We also process your personal data for purposes, which include fulfilling our legal obligations, safeguarding a legitimate interest, or on the basis of the consent that you have granted us.
Depending on the legal basis, this concerns the following categories of personal data:
- First name, surname
- Communication data (telephone number, e-mail address)
- Date of birth
- Contract-related master data, in particular contract number, duration, cancellation period, type of contract
- Invoice data/sales data
- Payment data/account details
- Account information, especially registration and logins
- Customer group/interests
- Customer number
- Contact history
- Appointment data
- Occupation-related information
In the course of initiating the contract, we also make use of data that has been supplied to us by third parties. Depending on the type of contract, this concerns the following categories of personal data:
- Information on creditworthiness (obtained from credit agencies)
4 Which sources are used to obtain the data?
We process personal data that we receive from our customers, service providers and suppliers.
We receive personal data from the following sources:
- Credit agencies
- Publicly accessible sources: commercial or association registers
5 What do we use your data for and what is our legal basis for doing so?
We process your personal data with particular consideration of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG), as well as in accordance with all further relevant legislation.
5.1 On the basis of the consent that you have granted (Art. 6 (1a) GDPR)
Where you have expressed your voluntary consent for us to collect process or transmit certain personal data, this consent then forms the legal foundation for the processing of this data.
In the following instances, we will process your personal data on the basis of your consent:
- Sending out e-mail newsletters
- Personalised newsletter tracking
- Market research (e.g. customer satisfaction surveys)
- Publishing a customer reference (name and photo)
5.2 To fulfil a contract (Art. 6 (1b) GDPR)
Eurofins offers extensive analysis and consultancy services in the food, pharmaceuticals, environment, product testing, agroscience and clinical diagnostics sectors to determine the safety, identity, composition, authenticity, origin and purity of biological substances and products, as well as the clinical diagnostics.
5.3 To fulfil legal obligations (Art. 6 (1c) GDPR) or if it is in the public interest (Art. 6 (1e) GDPR)
As a business, we are subject to a number of legal obligations. In order to fulfil these obligations it may be necessary to process personal data.
- Control-related and reporting requirements
- Documentation requirements in accordance with ISO17025 and/or the German Medicines Act (AMG)
5.4 Due to a legitimate interest (Art. 6 (1f) GDPR)
In certain cases we may process your data to safeguard our or a third party’s legitimate interest.
- Direct advertising or market research and opinion polling
- Central customer data management within the Group
- Measures for the safety of buildings or facilities
- Video surveillance to protect domiciliary rights
- Consultation and data exchange with credit agencies for the purpose of establishing credit and default risks
- Guaranteeing IT security and IT operation
6 To whom do we forward your data?
To fulfil our contractual and legal obligations your personal data is disclosed to various public or internal bodies, as well as to external service providers.
Service providers within the Group:
- Eurofins Finance Transactions Germany GmbH
- Eurofins GSC Lux Sarl
- Eurofins Information Systems GmbH
- Eurofins IT Solutions India Pvt Ltd
- Eurofins NDSC Food Testing Germany GmbH
- Eurofins NSC Finance Germany GmbH
- Eurofins NSC IT-Infrastructure Germany GmbH
- Eurofins Scientific SE
External service providers:
- Internet service providers as well as IT providers (e.g. maintenance and hosting providers)
- Service providers for file and data destruction
- Payment service providers
- Advisory and consulting services
- Credit agencies
- Web hosting service providers
In addition, we may be required to pass on your personal data to other entities, such as to authorities for the fulfilment of legal reporting obligations.
- Financial authorities
- Customs authorities
- Social insurance agencies
Should you have further questions regarding the individual recipients, please contact us at firstname.lastname@example.org.
7 Will your data be transmitted to countries outside the European Union (known as ‘third countries’)?
Countries outside the European Union (and the European Economic Area, the EEA) manage the protection of personal data differently to countries within the European Union. To process your data we also use service providers who are located in third countries outside the European Union. There is currently no proclamation from the EU Commission that these third countries in general provide an appropriate level of protection.
We have therefore taken specific measures to ensure that your data is processed equally as securely in third countries as within the European Union. With service providers in third countries, we conclude the standard privacy clauses provided by the Commission of the European Union. These clauses provide appropriate safeguards for the protection of your data with service providers located in the third country.
Our service providers in the USA are, moreover, certified in accordance with the EU-US Privacy Shield agreement.
If you would like to inspect the existing guarantees in detail, please contact us at email@example.com.
8 How long will my data be stored for?
We store your personal data for as long as is required to allow us to fulfil our legal and contractual obligations.
Should it no longer be necessary to store the data for the purposes of fulfilling contractual or legal obligations, your data will be deleted, unless further processing is necessary due to the following reasons:
- Retention requirements in accordance with ISO17025 and/or the German Medicines Act (AMG)
- Fulfilling commercial and tax retention obligations. This includes retention periods from the German Commercial Code (HGB) or the General Fiscal Code (AO).
- Preserving evidence in the context of the regulatory statute of limitations. According to the statute of limitations of the German Civil Code (BGB), these limitation periods can, in some cases, be up to 30 years; the regular limitation period is three years.
9 What rights do you have regarding the processing of your data?
Each individual affected has the right to information as per Art. 15 GDPR, the right to correction as per Art. 16 GDPR, the right to deletion as per Art. 17 GDPR, the right to limiting the processing as per Art. 18 GDPR, the right to appeal as per Art. 21 GDPR and the right to data portability as per Art. 20 GDPR. With regard to the right to information and the right to deletion, restrictions apply in accordance with §§ 34 and 35 BDSG.
9.1 Right to appeal
You may veto the use of your data for advertising purposes at any time without incurring anything other than the transmission costs based on the basic tariffs.
- What are your rights in the event of data processing for your legitimate or public interest?
In accordance with Art. 21 (1) GDPR, due to reasons that arise from your particular situation, you have the right at any time to file an objection against the processing of personal data concerning you that takes place on the basis of Art. 6 (1e) GDPR (data processing in the public interest), or Art. 6 (1f) GDPR (data processing for the purposes of safeguarding a legitimate interest) this also applies to profiling based on this provision.
In the event of your objecting we will no longer process your personal data, unless we can prove that we have compelling legitimate reasons for doing so, which outweigh your interests, rights and freedoms; or if processing serves to enforce, exercise or defend legal claims.
- What rights do you have in the event of data being processed for the purposes of direct mail advertising?
If we process your personal data for the purposes of direct mail advertising, you have the right, in accordance with Art. 21 (2) GDPR, to file an objection at any time against the processing of personal data pertaining to yourself for the purposes of this type of advertising; this also applies to profiling, insofar as it is associated with this direct mail advertising.
In the event of your objecting to processing for the purposes of direct mail advertising, we will no longer process your personal data for this purpose.
9.2 Revoking consent
You can revoke your consent for the processing of your personal data at any time. Please be aware that the revocation is only effective for the future.
9.3 Right to information
You can request information regarding whether we have stored personal data about you. Should you so wish, we will inform you what data we hold on you, what the data is being used for, to whom the data has been disclosed, how long the data will be stored and what further rights you have in relation to this data.
9.4 Other rights
In addition, you have the right to correct data that is incorrect or to have your data deleted. Where there is no reason to store it, further we will delete your data; otherwise, we will limit the processing of it. You can also demand that we provide you, or a person or company of your choice, with all personal data that you have provided us with, in a structured, commonly acceptable and machine-readable format.
Furthermore, you have a right of appeal to the data protection supervisory authority responsible (Art. 77 GDPR in conjunction with § 19 BDSG).
9.5 Being aware of your rights
To find out your rights you can contact those officials responsible or the data protection authorities using the contact details provided. We will process your requests promptly and in accordance with the legal requirements and inform you of the measures we have taken.
10 Is there an obligation to provide your personal data?
To enter into a business relationship you must provide us with the personal data required to implement the contractual relationship, or that we are required to collect due to legal stipulations. If you do not provide us with this data, we will not be able to implement or perform the contractual relationship.
11 Changes to this information
If the purpose or methods of the processing of your personal data are subject to significant changes, we will update this information in a timely manner and communicate the changes promptly.