We would like to inform you about how we handle your personal data and what rights you have under the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). The responsibility for data processing lies with the organization STATICS Holding GmbH (hereinafter referred to as “we” or “us”).
Responsibilities
We are responsible for the processing of your personal data:
STATICS Holding GmbH
Maximilian Lang, Melanie Groß & Kirsten Wilhelm
Stephansplatz 3 – Old Head Post Office
20354 Hamburg
Phone: +4940604297717
E-Mail: info@statics-group.de
Contact details of the data protection officer
You can reach our data protection officer using the following contact details:
Iqanta GmbH
Sven Weschler
Boschstrasse 23a
22761 Hamburg
E-Mail: kontakt@iqanta.com
Phone: +49 40 357 014 60
General information on the legal basis for data processing
“Personal data” is all information that relates to a specific person. We process this data in accordance with the applicable data protection laws, in particular the GDPR and the BDSG. We may only process personal data if we have legal permission to do so.
We only process personal data with your consent, in order to enter into a contract with you or to respond to your request in connection with a potential business relationship, to comply with legal obligations or to protect our legitimate interests, provided that this does not affect your interests or fundamental rights and freedoms that require the protection of personal data.
Storage duration of personal data
We only store your data for as long as is necessary to achieve the purpose of the processing or to fulfill our contractual or legal obligations, unless otherwise stated in the following information. Statutory retention obligations may arise from commercial or tax regulations. After the end of the calendar year in which we collected the data, we will retain personal data contained in our accounting records for ten years and personal data contained in business letters and contracts for six years. Furthermore, we will retain data in connection with consents requiring proof as well as complaints and claims for the duration of the statutory limitation periods. Data stored for advertising purposes will be deleted if you object to processing for this purpose.
Processing when exercising your rights
If you wish to exercise your rights in accordance with Articles 15 to 22 of the GDPR, we will process the personal data you have provided in order to implement these rights and to be able to provide proof of this. We will process the data stored for the purpose of information and preparation exclusively for this purpose and for data protection control purposes and otherwise restrict processing in accordance with Article 18 of the GDPR.
These processing operations are based on the legal basis of Article 6(1)(c) of the GDPR in conjunction with Articles 15 to 22 of the GDPR and Section 34(2) of the BDSG.
Rights of the data subject
The General Data Protection Regulation (GDPR) guarantees every data subject certain rights in relation to their personal data. These include:
- The right to information: Every data subject has the right to obtain confirmation from us as to whether or not personal data is being processed and to obtain information about this data as well as further information and copies of this data.
- The right to rectification: Every data subject has the right to demand the immediate rectification of inaccurate personal data.
- The right to erasure (“right to be forgotten”): Every data subject has the right to request the immediate erasure of their personal data.
- The right to restriction of processing: Every data subject has the right to request the restriction of the processing of their personal data.
- The right to data portability: Every data subject has the right to receive the personal data concerning them, which they have provided to us, in a structured, commonly used and machine-readable format.
- Right to object: Every data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR. If we process personal data about the data subject for the purpose of direct marketing, the data subject may object to this processing in accordance with Art. 21 (2) and (3) GDPR.
The data subject also has the right to lodge a complaint with a supervisory authority if they consider that the processing of their personal data infringes the GDPR.
The supervisory authority responsible for us is: The Hamburg Commissioner for Data Protection and Freedom of Information.
Information on the processing of personal data
Processing: STATICS Mind APP/web application
Purpose of the processing
We process your personal data insofar as this is necessary to fulfill the following purposes:
- Operation of the APP
- Measuring and training mental health
Description:
Collection of personal data in connection with the use of the APP.
Legal basis
The legal basis for the processing of your personal data for the above-mentioned purposes is/are:
- Consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR)
Information on the legal basis:
- Consent to the processing of health data.
Special security measures: Detailed authorization concept, small group of authorized persons, see general technical and organizational measures; encryption; multi-factor authentication; pseudonymization.
Sources of the personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the sources of this data.
- From the person concerned
- Technical, automatic transmission
Categories of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject of the categories of data concerned.
- Contact details
- Usage data
- Meta/communication data
- Master data
- Image data
- Position
- Profession
- Hobbies
- Health data
Storage duration
We will inform you of the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration.
- Deletion after fulfillment of purpose
- After revocation of consent
Automated decision-making including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
In the following, we provide information about the logic involved and the scope and intended effects for the data subject.
- Not specified
Processing: Evaluation of health questions
Purpose of the processing
We process your personal data to the extent necessary to fulfill the following purposes:
- Measuring and training mental health
- Preventive measures for health in the workplace
Description:
Health data is analyzed for advice and preventive health measures.
Legal basis
The legal basis for the processing of your personal data for the above-mentioned purposes is/are:
- Consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR)
Information on the legal basis:
- Consent to the processing of health data.
Special security measures: Detailed authorization concept, small group of authorized persons, see general technical and organizational measures; encryption; multi-factor authentication; pseudonymization.
Sources of the personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the sources of this data.
- Online form
- Voluntary self-disclosure
- Technically determined measured values, transfer to the system
Categories of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject of the categories of data concerned.
- Contact details
- Name
- Health data
Storage duration
We will inform you of the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration.
- Deletion after fulfillment of purpose
- After revocation of consent
Processing: Health employees
Purpose of the processing
We process your personal data to the extent necessary to fulfill the following purposes:
- Making an appointment
- Measuring and training mental health
- Preventive measures for health in the workplace
Description:
Employees have the option of registering for a Health-day via a personal application on the web portal and making an appointment. To take part, medical history forms are filled out and measurements (foot and spine) are taken. Depending on the evaluation of the medical history and the measurement results, recommendations for health promotion are made. Anonymized data can be analyzed for improvements in the working environment.
Legal basis
The legal basis for the processing of your personal data for the above-mentioned purposes is/are:
- Consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR)
Information on the legal basis:
- Consent to the processing of health data.
Special security measures: Detailed authorization concept, small group of authorized persons, see general technical and organizational measures; encryption; multi-factor authentication; pseudonymization.
Sources of the personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the sources of this data.
- Data determined by means of the online tools/procedures
- From the person concerned
- Technically determined measured values, transfer to the system
Categories of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject of the categories of data concerned.
- Contact details
- Name
- Company name
- Health data
Storage duration
We will inform you of the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration.
- Deletion after fulfillment of purpose
- After revocation of consent
Processing: Anonymized evaluation of health data
Purpose of the processing
We process your personal data to the extent necessary to fulfill the following purposes:
- Preventive measures for health in the workplace
Description:
Health data collected is anonymized and statistically evaluated for advice on preventive health measures.
Legal basis
The legal basis for the processing of your personal data for the above-mentioned purposes is/are:
- Consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR)
- Legitimate interest (Art. 6 para. 1 lit. f GDPR)
Information on the legal basis:
- Consent to the processing of health data; after anonymization, no more personal data is available.
Special security measures: Detailed authorization concept, small group of authorized persons, anonymization of personal data using a state-of-the-art technical procedure that makes it possible to irrevocably remove the personal reference and all characteristics for identifying the data subject. Anonymization is only carried out when there are at least 20 data subjects.
Sources of the personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the sources of this data.
- Collected from the person concerned
- Technically determined measured values, transfer to the system
Categories of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject of the categories of data concerned.
- Contact details
- Name
- Health data
Legitimate interests
The indication of the “legitimate interests” of the controller or the third party pursued with the processing of personal data refers to Art. 6 para. 1 sentence 1 lit. f GDPR.
- Anonymized statistical evaluation for preventive health measures
Storage duration
We will inform you of the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration.
- Deletion after fulfillment of purpose
- After revocation of consent
Data recipient
Recipients of personal data outside the organization
Article 4(9) of the General Data Protection Regulation (GDPR) defines the term “recipient” as “the natural or legal person, public authority, agency or any other body to whom personal data are disclosed, whether a third party or not”.
- Employer
- Hetzner Online GmbH
- HubSpot, Inc.
- K&W Media Consulting GmbH
- Idiag AG
- molibso Entwicklungs- und Vertriebs GmbH
- SurveyMonkey Europe UC
- Calendly, Inc.
General information for the transfer of data to third countries
As part of our data processing, certain personal data may be transferred to countries in which the EU General Data Protection Regulation (EU GDPR) is not applicable law (so-called third countries). Such a transfer is only permitted if the European Commission has determined that an adequate level of data protection is guaranteed in the third country in question. If there is no such adequacy decision by the European Commission, personal data may only be transferred to a third country if suitable guarantees pursuant to Art. 46 GDPR are in place or if one of the requirements of Art. 49 GDPR is met.
Unless otherwise stated below, we use the EU standard data protection clauses as appropriate safeguards for the transfer of personal data to third countries. The data subject has the right to obtain a copy of these EU standard data protection clauses or to inspect them. For this purpose, it is recommended to use the contact details provided under Responsibilities.
Insofar as the data subject expressly consents to the transfer of personal data, the transfer takes place on the legal basis of Art. 49 para. 1 lit. a GDPR.
Transfer of data to a third country or international organization
A transfer of personal data to an “international organization” (within the meaning of Art. 4 No. 26 GDPR) or to controllers, processors or other recipients in a country outside the European Union (EU) and the European Economic Area (EEA) entails particular data protection risks from the perspective of the data subject.
We transfer personal data to the following recipients outside the European Union (EU) and the European Economic Area (EEA):
- Data transfer to a third country or to an international organization does not take place and is not planned.
Adequacy decision of the EU Commission
A transfer of personal data to a country outside the European Union (EU) and the European Economic Area (EEA) or to an international organization is permitted if the European Commission has determined that the country, territory or one or more specific sectors within that country or the international organization in question ensures an adequate level of protection.
We transfer personal data to the following recipients outside the European Union (EU) and the European Economic Area (EEA) for which an adequacy decision exists:
- HubSpot, Inc. (United States of America)
- Idiag AG (Switzerland)
- SurveyMonkey Europe UC (United States of America)
- Calendly, Inc. (United States of America)
Purpose of the processing
We process your personal data to the extent necessary to fulfill the following purposes:
- Operation of the APP
- Measuring and training mental health
- Preventive measures for health in the workplace
- Making an appointment
Legal basis
The legal basis for the processing of your personal data for the above-mentioned purposes is/are:
- Consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR)
- Legitimate interest (Art. 6 para. 1 lit. f GDPR)
Sources of the personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the sources of this data.
- From the person concerned
- Technical, automatic transmission
- Online form
- Voluntary self-disclosure
- Technically determined measured values, transfer to the system
- Data determined by means of online tools/procedures
- Collected from the person concerned
Categories of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject of the categories of data concerned.
- Contact details
- Usage data
- Meta/communication data
- Master data
- Image data
- Position
- Profession
- Hobbies
- Health data
- Name
- Company name
Legitimate interests
The indication of the “legitimate interests” of the controller or the third party pursued with the processing of personal data refers to Art. 6 para. 1 sentence 1 lit. f GDPR.
- Anonymized statistical evaluation for preventive health measures.
Storage duration
We will inform you of the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration.
- Deletion after fulfillment of purpose
- After revocation of consent
Automated decision-making including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
In the following, we provide information about the logic involved and the scope and intended effects for the data subject.
- Not specified
