Data Privacy

Data Privacy Information

We are pleased that you are visiting our website. We take the protection of your personal data very seriously.

In the following Data Privacy Information, you will find information on the type and scope of the processing of your personal data in accordance with Art. 13 of the GDPR by Biologische Heilmittel Heel GmbH (hereinafter: “we” or “us”).

1. Name and contact information of the controller; data protection officer’s contact information

(1) The name and contact information of the controller:

Biologische Heilmittel Heel GmbH
Dr.-Reckeweg-Str. 2-4
76532 Baden-Baden, Germany
E-mail: info@heel.com

You can find more information in the Legal Notice

(2) Contact details of the Data Protection Officer:

Biologische Heilmittel Heel GmbH
Data Protection Officer
Dr.-Reckeweg-Str. 2-4

76532 Baden-Baden, Germany
E-mail: dataprotection@heel.com

2. Processing of personal data when using our website

2.1 Accessing the website

(1) When you visit our website, we inform you about various third-party services and content via our cookie banner. You can find this information again in Section 5 of this Data Privacy Information below. In this case, the type and scope of data processing depends in part on which ‟privacy settings” you make within the cookie banner.

In addition, we process the data from you described below in this Section 2. The type and scope of data processing here depends in particular on which functions of the website you use or how you communicate with us.

In this context, we collect the following data, which is technically necessary for us to display our website and to ensure its stability and security:

IP address of the requesting processor
Date and time of the request
Name and URL of the file retrieved
Operating system information and its access status/HTTP status code
The volume of data transmitted in each case
Website from which our site was accessed
Browser and language and version of the browser software

(2) If this data constitutes personal data, we process it on the basis of our overriding legitimate interests (Art. 6 Para. 1 (1) Letter f) of the GDPR).

The aforementioned data is processed by us for the following purposes:

Ensuring a problem-free connection setup of the website
Evaluation of system security and stability
Analysis of unauthorised access or attempts to access the system

(3) The listed data is automatically deleted after a period of seven days

2.2 Use of our contact options
(1) If you have any questions, you can contact us directly by e-mail. In addition to your request (including content and subject), your e-mail address and usually your name data will be processed.

Please note that data cannot always be transmitted securely on the internet. Protection cannot be guaranteed when exchanging data, especially in e-mail correspondence. Please do not send sensitive data (including health-related aspects) to us via e-mail.

We also offer you the option of contacting us by telephone using the published telephone numbers (such as the customer hotline). Other communication channels (such as post and fax) can also be used.

Last name, first name and other data depending on the selected medium (e.g., telephone numbers provided, address, notes on the content of the call) are regularly processed when this is done.

(2) The legal basis for the processing of personal data is Art. 6 Para. 1 (1) Letter b) of the GDPR. According to it, we are allowed to process data if the processing is required for the fulfilment of a contract to which you are a party or for the performance of pre-contractual measures. Otherwise, if you are not a customer of ours and no customer relationship is being formed, we base the data processing on our overriding legitimate interests (Art. 6 Para. 1 (1) Letter f) of the GDPR). We process the data listed for the following purposes:

Getting in touch
Responding to specific questions

(3) The personal data we collect will only be stored for as long as is necessary to achieve the purpose for which the data was collected. We may be obliged to store data beyond this due to retention duties under the provisions of fiscal and commercial law.

2.3 Event registration

(1) Potential guests of Heel events receive an invitation via email containing a link which leads to an online event registration platform.

The following data categories are collected via the forms included in this registration platform for the sole purpose of the logistical organization and execution of the event.

In particular, master and contact data (eg. name and contact data, such as the email address). To simplify the registration process, these data are partly preset in the form fields based on the invitation email.

In addition to this data, further data may be collected if needed for the event organization. If included in the social program, it might be possible to register for additional program items eg. dinners.

For the execution of transfer services (eg. from the airport to the venue), travel information, such as the arrival date and flight details as well as the mobile phone number can be provided. The mobile phone number might be required by the service provider to coordinate pick-up at the airport.

Assistance for a visa application can also be requested via the registration form.

Furthermore, it is possible to request the reservation of hotel rooms. However, the registration platform is not linked to any hotel websites for registration purposes. If meals are offered during the event, it is

possible to provide information about dietary requirements (eg. vegetarian) or allergies on a voluntary basis.

2) Pursuant to Art. 6 Para. 1 (1) Letter b) of the GDPR, the legal basis for processing is the implementation of pre-contractual measures as well as the fulfilment of contracts and pursuant to Art. 6 Para. 1 (1) Letter a) of the GDPR your consent.

2.4 Creation and publication of Photo, Audio, and Video Recordings at Heel Events

(1) During the event, Heel will make photo and, if applicable, audio or video recordings before, during, and after the event, especially to capture impressions of the event. These data are used for event information and documentation (in exceptional cases: audio files for transcription to create minutes) and may be published via internal and external communication channels (including print media, Heel’s websites, and Heel’s social media presences, e.g., Facebook, Instagram, LinkedIn, and TikTok). For data processing on

social media, we also refer to our Social Media Data Protection Information (link).

(2) Legal Basis and Purposes of Data Processing: The creation and publication of photo, audio, and video recordings are generally based on Art. 6 Para. 1 (1) Letter f) GDPR (overriding legitimate interests). Processing is carried out for the following purposes:

- Creation and publication of photo and video recordings as part of the event for event information and documentation, and

- Presentation of Heel as the event organizer via internal and external communication channels (e.g., website and company-owned social media channels).

Our interests prevail in these cases, as we limit data processing to a level that is customary and appropriate for such events. Publication of photo and video recordings only takes place if there is a connection to the event and the depicted persons appear as incidental. If, in individual cases, we wish to publish photo or video recordings for which consent is required under data protection law, we will contact the affected persons in advance and request their voluntary consent.

If a participant does not agree to being photographed during the event or being recognizable in the event coverage, this person can object to the processing of their data under Art. 21 Para. 1 GDPR, e.g., by informing a Heel contact person or the photographer directly on site. Alternatively, you can notify us afterwards using the contact details provided in section 1. If we process your photo or video based on your consent, you have the right to withdraw your consent at any time by sending a message to the contact details listed in section 1, without affecting the lawfulness of processing carried out based on your consent before its withdrawal.

(3) Duration of Storage: The personal data we collect will only be stored for as long as necessary to achieve the purpose for which the data was collected. The images or videos of the event are linked for the last two years. Please note that images on other platforms (such as social media) may be accessible for a longer period.

3. Notes on consent for provision of the personal data

If you have given your consent to the processing of your data, you can withdraw it at any time free of charge. Such a withdrawal will affect the admissibility of the processing of your personal data after you have given it to us.

You can easily declare the withdrawal of your consent. Depending on the processing operation, the following options are available to you:

Insofar as you have given your consent to a newsletter (for example, by registering on the website), you can withdraw your consent by clicking on the unsubscribe link within the newsletter.
Insofar as you have given your consent in another way, you can declare your withdrawal by informal declaration to us via a contact option specified in the Legal notice.

5. Recipient of the personal data; transfer to EU third countries

As a rule, your data will not be transferred to third parties unless explicitly described under Section 2. In particular, we do not transfer your data to recipients based outside the European Union or the European Economic Area, with the exception of the processing operations described under Section 2.

In some cases, we use external service providers to process personal data in the context of third-party processing as per Art. 28 of the GDPR (such as IT service providers). We have selected and commissioned them carefully, and they are bound by our instructions and inspected on a regular basis.

Your data will only be transferred to bodies such as supervisory authorities and law enforcement agencies within the scope of statutory provisions if doing so is necessary to prevent and detect fraud and other criminal offences or to ensure the security of our data processing systems.

The legal basis for this is Art. 6 Para. 1 (1) Letter c) (“fulfilment of legal obligations”) and Letter f) of the GDPR (“protection of legitimate interests”).

If personal data is processed in a third country, a comparable level of data protection shall be ensured by means of appropriate guarantees in accordance with Art. 44 et seq. of the GDPR. In this case, you will find further information on data transmission in Section 2.

As a general rule, when transferring data outside the European Union and the European Economic Area to a country for which an up-to-date adequacy decision is in place as assessed by the European Commission (see listing under https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en), we base our actions on this adequacy decision (see Art. 45 of the GDPR). For a possible data transfer to other countries, we generally base our actions on standard data protection clauses (see Art. 46 Para. 2 Letter c) of the GDPR).

6. Your rights

(1) You have the following rights with respect to your personal data:

Right of access (Art. 15 of the GDPR)
You can request information about whether we are processing personal data about you. If this is the case, you have a right of access to this personal data as well as to further information related to the processing (see Art. 15 of the GDPR). Please keep in mind that this right to information may be restricted or ruled out in certain cases.
Right to rectification (Art. 16 of the GDPR)
In case personal data about you is incomplete or is not (or is no longer) accurate, you may request this data to be corrected and, if necessary, completed (see Art. 16 of the GDPR).
Right to deletion or restriction (Art. 17 and 18 of the GDPR)
If the legal requirements are met, you can request the deletion of your personal data (see Art. 17 of the GDPR) or the restriction of the processing of this data (Art. 18 of the GDPR) if, for instance, the processing of this personal data is no longer necessary for the purposes for which we collected it.
Right to data portability (Art. 20 of the GDPR)
Under certain conditions, you have the right to receive the personal data about you that you have provided to us in a specific format or to transfer this data to another data controller (see Art. 20 of the GDPR).

Certain legal requirements must be met in order for you to exercise your aforementioned rights, and in certain cases your rights may be limited due to legal exceptions, in particular those under Art. 17 Para. 3 and Art. 22 Para. 2 of the GDPR, or under national legislation.

(2) Right to Objection (Art. 21 of the GDPR)

Moreover, you have the right to object to our processing of your personal data at any time (i) in the case of direct marketing or (ii) in other cases on grounds relating to your particular situation if we are processing your personal data to protect our legitimate interests on the basis of Art. 6 Para. 1 (1) Letter f) of the GDPR (Art. 21 Para. 1 and Para. 2 of the GDPR). Should you raise an objection, we will cease to process your personal data for the purpose of direct advertising in any case, and, in the case of data processing for other reasons, we will normally cease the processing unless we can demonstrate urgent reasons for the processing which are worthy of protection and override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

7. External links

Our offer contains links to external websites of third parties whose content we have no influence over. For that reason, we are also unable to assume any responsibility for this third-party content. The respective provider or operator of the websites in question assume responsibility for the contents of the linked websites at all times. The linked sites were checked for possible legal violations at the time the links were made. No unlawful content could be detected at the time of linking.

However, continuous inspection of the contents of the linked pages without specific indications of a legal violation cannot reasonably be expected. Should we gain knowledge of any legal violations, we will remove the links in question without delay. If you notice that the contents of the external providers violate applicable law, please let us know. This Data Privacy Information only applies to the content on our websites.