Privacy Policy
Data Protection and Security Policy
Effective Date: 01.08.2023
Last Updated: 01.10.2024
Responsible Officer: Data Protection Officer (DPO)
Policy Owner: NXT Med GmbH
Scope: Applies to all employees, contractors, and third-party providers of NXT Med GmbH who process personal data.
---
1. Introduction
At NXT Med GmbH, we take the protection of personal data seriously. We are committed to ensuring that the data we collect, store, and process is handled with the highest level of security and in full compliance with the General Data Protection Regulation (GDPR) (EU 2016/679). This policy sets out our commitment to the protection of personal data and establishes the principles under which we operate to safeguard this data.
2. Purpose
The purpose of this policy is to ensure that all personal data processed by NXT Med GmbH is managed and protected in a way that meets the legal and regulatory requirements set forth by the GDPR. It outlines the procedures we use to maintain the confidentiality, integrity, and availability of personal data, ensuring the privacy rights of data subjects are upheld.
3. Definitions
Personal Data: Any information relating to an identified or identifiable natural person (data subject).
Processing: Any operation performed on personal data, including collection, storage, modification, retrieval, sharing, or deletion.
Data Subject: An individual whose personal data is being processed.
Data Controller: The entity that determines the purposes and means of processing personal data.
Data Processor: An entity that processes personal data on behalf of the Data Controller.
DPO (Data Protection Officer): The appointed individual responsible for ensuring GDPR compliance within NXT Med GmbH.
4. Data Processing Principles
In accordance with the GDPR, NXT Med GmbH adheres to the following principles when processing personal data:
- Lawfulness, Fairness, and Transparency: Personal data will be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Purpose Limitation: Personal data will only be collected for specified, explicit, and legitimate purposes and will not be further processed in a manner incompatible with those purposes.
- Data Minimization: Only data that is adequate, relevant, and limited to what is necessary will be processed.
- Accuracy: Personal data will be kept accurate and up to date. Any inaccurate data will be corrected or deleted without delay.
- Storage Limitation: Personal data will not be kept for longer than is necessary for the purposes for which the personal data is processed.
- Integrity and Confidentiality: Personal data will be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
5. Legal Basis for Data Processing
We process personal data based on one or more of the following legal bases:
- Contractual Necessity: Processing is necessary for the performance of a contract with the data subject (e.g., processing customer orders, delivering goods) (Art. 6(1)(b) GDPR).
- Legitimate Interests: Processing is necessary for the legitimate interests of NXT Med GmbH, provided that such interests are not overridden by the interests or fundamental rights of the data subject (Art. 6(1)(f) GDPR).
- Legal Obligation: Processing is necessary for compliance with a legal obligation to which NXT Med GmbH is subject (e.g., tax or customs regulations) (Art. 6(1)(c) GDPR).
- Consent: Where required, consent will be obtained from the data subject for specific processing activities (Art. 6(1)(a) GDPR).
6. Data Collection and Usage
We collect and process personal data for the following purposes:
- Customer Data: To fulfill orders, manage accounts, provide customer service, and deliver goods.
- Employee Data: For employment-related activities, including payroll, benefits administration, and performance monitoring.
- Supplier and Partner Data: To manage relationships with suppliers and third-party partners involved in the supply chain.
- Marketing: With consent, personal data may be used for sending marketing communications about new products or services.
In all instances, NXT Med GmbH ensures that personal data collected is limited to what is necessary and relevant for the intended purpose.
7. Data Security Measures
NXT Med GmbH is committed to safeguarding personal data by implementing robust security measures to protect against unauthorized access, accidental loss, destruction, or damage. These measures include:
- Encryption: All personal data transmitted electronically (e.g., via emails, systems, or networks) is encrypted using industry-standard encryption protocols.
- Access Control: Personal data is only accessible to authorized personnel who require access to fulfill their job duties. Access levels are regularly reviewed.
- Data Anonymization and Pseudonymization: Where possible, personal data is anonymized or pseudonymized to protect the identity of data subjects.
- Physical Security: Offices and data storage facilities are protected by secure entry systems, and data is stored in locked filing cabinets or rooms.
- Regular Audits: We conduct regular audits to assess data security measures, identify vulnerabilities, and ensure GDPR compliance.
- Data Breach Procedures: In the event of a data breach, NXT Med GmbH has a comprehensive incident response plan in place, including the notification of the DPO, data subjects, and the relevant supervisory authority where required.
8. Data Retention and Disposal
Personal data will be retained only for as long as necessary for the purposes for which it was collected or as required by law. After this period, data will be securely deleted or destroyed. We implement the following retention guidelines:
- Customer Data: Retained for the duration of the business relationship and any legal retention periods.
- Employee Data: Retained in accordance with employment laws and payroll regulations.
- Supplier Data: Retained as necessary for the management of supplier relationships and compliance with contractual obligations.
9. Rights of Data Subjects
Under the GDPR, data subjects have the following rights:
- Right to Access: Data subjects can request access to their personal data and obtain information on how it is processed.
- Right to Rectification: Data subjects have the right to request corrections to inaccurate or incomplete personal data.
- Right to Erasure (Right to Be Forgotten): Data subjects can request the deletion of their personal data where it is no longer necessary for the purpose for which it was collected or where they have withdrawn consent.
- Right to Restrict Processing: Data subjects can request the restriction of processing under certain circumstances.
- Right to Data Portability: Data subjects can request a copy of their personal data in a structured, machine-readable format.
- Right to Object: Data subjects can object to the processing of their personal data on grounds relating to their particular situation.
To exercise any of these rights, data subjects can contact our DPO at hello@nxt-med.com.
10. Third-Party Data Processors
When using third-party data processors (e.g., cloud service providers, payment processors), NXT Med GmbH ensures that these processors provide sufficient guarantees to implement appropriate technical and organizational measures in compliance with GDPR. We enter into data processing agreements with all third-party providers to ensure they meet GDPR requirements.
10.1 Data processed by third parties
- Google Analytics (Universal Analytics) (Google Ireland Limited): Google Analytics (Universal Analytics) is a web analysis service provided by Google Ireland Limited ("Google"). Google utilizes the Data collected to track and examine the use of this Website, to prepare reports on its activities and share them with other Google services. Google may use the Data collected to contextualize and personalize the ads of its own advertising network. In order to understand Google's use of Data, consult Google's partner policy. Personal Data processed: Trackers; Usage Data. Place of processing: Ireland (see Google's privacy policy and opt-out page).
- Google Analytics 4 (Google LLC): Google Analytics 4 is a web analysis service provided by Google LLC ("Google"). Google utilizes the Data collected to track and examine the use of this Website, to prepare reports on its activities and share them with other Google services. Google may use the Data collected to contextualize and personalize the ads of its own advertising network. In Google Analytics 4, IP addresses are used at collection time and then discarded before Data is logged in any data center or server. Users can learn more by consulting Google's official documentation. In order to understand Google's use of Data, consult their partner policy and their Business Data page. Personal Data processed: number of Users; session statistics; Trackers; Usage Data. Place of processing: United States (see Google's privacy policy and opt-out page).
- Webflow (website hosting): We host our website with Webflow. The provider is Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (hereinafter: Webflow). When you visit our website, Webflow collects various log files, including your IP address. Webflow is a tool for creating and hosting websites. Webflow stores cookies or other recognition technologies that are necessary for the presentation of the page, to provide certain website functions and to ensure security (necessary cookies). For details, please refer to Webflow's privacy policy (EU & Swiss Privacy Policy | Webflow).
- Legal basis for Webflow: The use of Webflow is based on Art. 6(1)(f) GDPR (DSGVO). We have a legitimate interest in ensuring that our website is presented as reliably as possible. Insofar as a corresponding consent has been requested, processing is carried out exclusively on the basis of Art. 6(1)(a) GDPR (DSGVO) and Section 25(1) TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) as defined by the TTDSG. The consent can be revoked at any time. Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found in Webflow's privacy policy (EU & Swiss Privacy Policy | Webflow).
- Data processing agreement: We have concluded a data processing agreement (in German: Auftragsverarbeitungsvertrag, AVV) with the above-mentioned provider. This is a contract required by data protection law, which ensures that this provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR (DSGVO).
11. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), NXT Med GmbH ensures that appropriate safeguards, such as Standard Contractual Clauses or other GDPR-approved mechanisms, are in place to protect the data during transfer.
12. Data Breach Notification
In the event of a personal data breach that poses a risk to the rights and freedoms of individuals, NXT Med GmbH will notify the relevant supervisory authority within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of data subjects, those affected will also be informed without undue delay.
13. Training and Awareness
All employees handling personal data receive training on data protection and privacy principles. Regular refreshers and updates are provided to ensure ongoing awareness of GDPR requirements and the importance of safeguarding personal data.
14. Governance and Compliance
The DPO is responsible for overseeing the implementation and enforcement of this policy and ensuring compliance with the GDPR. Regular audits will be conducted to ensure that data protection practices are up to date, effective, and aligned with GDPR requirements.
If you have any concerns about how we collect and use your data, please reach out to us. Alternatively, you have the right to contact your local Data Protection Authority. You can find the contact details for these authorities within the EU at the following link: ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
15. Policy Review
This policy is reviewed annually or when necessary to reflect changes in laws, regulations, or business practices. Any amendments will be communicated to all employees and third parties involved in the processing of personal data.
Contact Information
For questions or concerns regarding this policy or data protection practices, please contact our Data Protection Officer at:
NXT Med GmbH
Kantstraße 105
10627 Berlin
Contact
Telephone: +49 (0) 211 / 586786-00
Fax: +49 (0) 211 / 586786-86
E-Mail: hello@nxt-med.com
Commercial register (Handelsregister): Amtsgericht Charlottenburg (Berlin) HRB 253414 B
Managing Director: Daniel Mahnert-Lueg
---
Acknowledgement
By accessing and using NXT Med GmbH's services, all employees, customers, suppliers, and partners agree to adhere to the provisions of this Data Protection and Security Policy.