Privacy Policy
Controller for data processing:
Medicos Kosmetik GmbH & Co. KG
Hafengrenzweg 3
48155 Münster
Germany
datenschutz/at/dermasence/dot/de
We appreciate your interest in our website. The protection of your personal data is very important to us. Below, we explain in detail how we process your personal information.
1. Access data and hosting
You can visit our website without providing any personal information.
Whenever you access a page, our web server automatically stores a so-called server log file, which may include:
- the name of the requested file
- your IP address
- date and time of access
- amount of data transferred
- the requesting internet provider
These access data are processed exclusively to ensure a smooth operation of the site and to improve our services.
The processing is based on our legitimate interest (Art. 6(1)(f) GDPR) in presenting our website correctly.
All access data are processed only for as long as necessary for the purposes mentioned above.
Hosting
Hosting and displaying the website is partly carried out by external service providers who process data on our behalf. Unless stated otherwise in this privacy policy, all access data as well as all data entered into forms on this website are processed on these providers’ servers. If you have questions regarding our service providers or the legal basis of our cooperation, you may contact us using the details provided in this privacy policy.
2. Data processing for the purposes of establishing contact and customer communication
2.1 Contacting Us
When you contact us (e.g., via contact form, live chat tool, or email), we process the personal data you voluntarily provide in order to handle your request.
Legal basis: Art. 6(1)(b) GDPR (processing steps prior to entering into a contract).
Mandatory fields are marked as such because we need this information to handle your request.
Once your inquiry has been completed, your data will be deleted unless:
- you have given explicit consent for further processing (Art. 6(1)(a) GDPR), or
- further processing is legally permitted and explained in this privacy policy.
2.2 Telephone Contact
For incoming and outgoing phone calls, we use the telephony solution Swyx / Telekom NetPhone.
The following personal data may be processed:
- transmitted phone number
- name (if available)
- time of the call
- call duration
Caller identification may be used to automatically display existing customer records in our CRM system.
Incoming fax messages are processed in the same way, particularly for order handling.
Call and fax data are used exclusively:
- for communication, and
- internal analyses (e.g., call statistics)
They are deleted once no longer required, or according to statutory retention periods.
2.3 Whistleblower System
We provide an internal whistleblowing system in accordance with EU whistleblower protection rules. It enables you to confidentially report potential violations of laws or internal guidelines.
The following personal data may be processed:
- your name
- your contact details
- content of the report
- information about individuals mentioned in the report
Processing is based on a legal obligation (Art. 6(1)(c) GDPR).
If you submit a report anonymously, no directly identifiable personal data will be collected.
Further information can be found in our whistleblower policy and directly within the whistleblowing system.
2.4 Privacy Information for Job Applicants (Art. 13 GDPR)
We are pleased that you are interested in working with us. Below, we inform you about the processing of your personal data during the application process.
Data Controller:
Medicos Kosmetik GmbH & Co. KG
Hafengrenzweg 3
48155 Münster
Germany
E-mail: datenschutz@dermasence.de
What data do we process – and for what purpose?
We process the information you provide during your application in order to:
- assess your suitability for the position you applied for
- consider you for other open positions (if applicable)
- carry out the overall application procedure
Legal Basis
- Application processing: Art. 6(1)(b) GDPR
- If no employment results: further processing for legal claims: Art. 6(1)(f) GDPR
- Inclusion in a talent pool: only with your explicit consent (Art. 6(1)(a) GDPR)
Retention Period
- If no employment occurs → deletion after 6 months
- With consent for talent pool → retention for up to 2 years
- If hired → data are transferred to your employee file
How and where are your data processed?
Data are processed only by authorised internal departments (HR, supervisors). Technical processing is carried out via the applicant management system myHR from perbit Software GmbH — within the EU/EEA. No transfer outside the EEA occurs without your prior consent and without appropriate safeguards (Art. 44 ff. GDPR).
3. Advertising by Email, Post and Telephone
3.1 Postal Advertising and Your Right to Object
We reserve the right to use your first and last name as well as your postal address to send you information and offers about our products by post.
The processing is based on our legitimate interest in customer communication (Art. 6(1)(f) GDPR).
You may object to this use of your data at any time by contacting us using the details provided in this privacy policy.
3.2 Telephone Advertising
If you have given your explicit consent (Art. 6(1)(a) GDPR), we may use your telephone number to inform you about our products and offers.
You may withdraw your consent at any time, either:
- by contacting us through the details provided, or
- verbally during any call.
Upon withdrawal, your telephone number will be deleted unless you have consented to further processing or if such processing is legally permitted.
3.3 Email Newsletter with Registration and Newsletter Tracking (Separate Consent Required)
If you sign up for our newsletter, we use:
- the data required to send it, or
- any additional data you provide
to regularly send you our newsletter based on your consent (Art. 6(1)(a) GDPR).
Unsubscribing
You may unsubscribe at any time:
- via the link included in every newsletter
- or by contacting us directly
After unsubscribing, your email address will be deleted unless further processing is legally permitted.
Newsletter Tracking (Separate Consent Required)
If you give your explicit consent, we evaluate your interaction with our newsletters, e.g.:
- open rates
- clicks
- time of opening
- browser information
- IP address
- date/time of registration and confirmation
We use one-pixel technologies (tracking pixels / web beacons).
You may withdraw your consent at any time via the unsubscribe link or by contacting us. We store your tracking data for as long as you are subscribed to the newsletter.
3.4 Newsletter Dispatch via Service Providers
We may send newsletters and tracking data via external service providers under a processing agreement.
If you have questions about these service providers, you may contact us at any time.
3.5 Newsletter for Existing Customers
If you provided your email address during a purchase, we may use it to send information about similar products without separate consent, based on our legitimate interest in direct advertising (Art. 6(1)(f) GDPR). You may object at any time with effect for the future by contacting: datenschutz/at/dermasence/dot/de. After receiving your objection, we will immediately stop all such communications.
3.6 Processing of Personal Data for Personalized Newsletter Content
If you explicitly consent, we analyse:
- your newsletter usage behaviour (opens, clicks)
- voluntarily indicated interests (e.g., atopic dermatitis, acne, anti-aging, sun protection)
- product lines you already know (optional information you may provide)
This helps us tailor our newsletter content to your preferences.
All such information is voluntary and may be withdrawn at any time.
3.7 Email Guides
If you subscribe to one of our email advice guides, your personal data (e.g., email address, name) will be used to send you ongoing, topic-based content.
Processing is based on your consent (Art. 6(1)(a) GDPR).
You may unsubscribe at any time.
4. Information on third country transfer (data transfer to third countries)
We use technologies on our website whose service providers may have servers located in third countries, including the United States.
If a country does not have an EU adequacy decision, appropriate safeguards must be in place (e.g., Standard Contractual Clauses, Binding Corporate Rules).
For the USA, the EU–US Data Privacy Framework (DPF) applies.
Data may be transferred to the USA if the receiving entity is DPF-certified.
Where no certification exists, transfers rely on Standard Contractual Clauses and, where possible, additional safeguards.
Possible Risks
Despite contractual and technical protections, third-country data protection levels may deviate from EU standards.
Thus, in some situations, we may request your explicit consent (Art. 49(1)(a) GDPR), particularly for U.S. transfers.
Risks may include:
- access by U.S. authorities
- limited legal remedies for individuals
5. Cookies and further technologies
General information
We use cookies and similar technologies to make your visit user-friendly and to enable specific website features.
Types of Cookies:
- Session cookies (deleted when the browser closes)
- Persistent cookies (stored to recognise your browser during later visits)
Storage duration can be found in your browser settings.
Privacy on Terminal Devices
We distinguish between:
1) Strictly necessary technologies
Do not require consent.
2) Non-essential technologies
Require your explicit consent.
Lack of consent may limit certain website functions.
Subsequent Data Processing via Cookies and Similar Technologies
Some technologies are essential. They may process:
- IP address
- time of visit
- device and browser information
- usage interactions
The legal basis is our legitimate interest in optimisation (Art. 6(1)(f) GDPR).
Other technologies serve:
- legal compliance (e.g., recording of consent)
- web analytics
- marketing purposes
Details follow in subsequent sections.
Cookie Settings
Browser settings for cookie management:
Microsoft Edge™ / Safari™ / Chrome™ / Firefox™ / Opera™ / Atlas™ / Brave™
If you granted consent (Art. 6(1)(a) GDPR), you may withdraw it at any time.
Cookie consent with CCM19 Cookie Consent Management
Our website uses the cookie consent management tool ‘CCM19’ to obtain your consent for necessary cookies and cookie-based applications and to document them in accordance with the GDPR. The provider of this technology is Papoo Software & Media GmbH - Dr Carsten Euwens, Auguststr. 4, 53229 Bonn, Germany (hereinafter referred to as CCM19).
When you visit our website, a banner appears that allows you to give your consent for certain cookies and cookie-based applications. As long as no consent is given, the cookie consent tool blocks the placement of necessary cookies. The tool collects certain user information when visiting our website, including the IP address, in order to assign page views to individual users and to log the consent settings made and save them during the session. This data is not forwarded to CCM19.
The data collected will be stored until you ask us to delete it. CCM19 will then delete the data manually or as soon as the purpose for storing the data no longer applies. Statutory retention periods remain unaffected by this.
The use of CCM19 cookie consent technology serves to obtain the legally required consents for the use of necessary cookies and cookie-based applications. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c GDPR.
We have concluded an order processing contract with CCM19, which obliges the service provider to protect your data and not to pass it on to third parties.
You can find more information here:
https://www.ccm19.de/cookie-banner.html
If you have consented to the use of the technologies in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, you can revoke your consent at any time by notifying us via the contact option provided in the privacy policy.
6. Use of cookies and other technologies
Below you will find information on the various third-party tools used on our website.
Unless otherwise stated, processing is based on your consent (Art. 6(1)(a) GDPR).
You may withdraw your consent at any time.
After the purpose of the individual technologies ceases to apply, or if we stop using a technology, the collected data will be deleted.
6.1 Use of Google services
We use several technologies offered by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland.
Automatically collected data (IP address, timestamps, device/browser data, usage behaviour) is usually transmitted to:
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Some processing may occur under a joint controllership agreement (Art. 26 GDPR), unless stated otherwise.
Further information can be found in Google’s privacy policy.
Data Transfers to Third Countries
Google may process data on servers located:
- in countries with an EU adequacy decision, or
- in other countries based on Standard Contractual Clauses (SCCs)
Google Analytics
We use Google Analytics for website analysis.
The following data is collected:
- IP address
- date and time
- device and browser information
- interaction and usage patterns
Google creates pseudonymised user profiles using cookies.
If you visit our website from within the EU, your IP address is first processed on a server located in the EU to determine location data and is then immediately deleted before being forwarded to Google.
All processing takes place under a data processing agreement.
Google Signals
If you are logged into your Google account and have enabled personalised advertising, Google can analyse your behaviour across different devices.
We receive only aggregated statistics, never personal data.
Google Ads / Remarketing
When you visit our website, Google sets a Remarketing cookie that:
- records your browsing behaviour
- assigns a pseudonymised identifier
- enables interest-based advertising
If you are logged into your Google account, Google may merge your Analytics and Remarketing data to create custom audiences.
Google Ads Conversion Tracking
If you reach our website via a Google ad, Google Ads Conversion Tracking may analyse:
- your subsequent website interactions
- pages visited
- conversions such as newsletter sign-ups
The data is used to create pseudonymised usage profiles.
Google Maps
When using Google Maps, Google collects:
- your IP address
- your location data
We have no influence over Google’s subsequent data processing.
Google Tag Manager
Google Tag Manager manages scripts and services integrated into the site.
Google may process:
- IP address
- online identifiers (cookies, etc.)
Processing is based on a data processing agreement.
If you deactivate a tool (e.g., Analytics), Google Tag Manager respects this setting.
YouTube (Video Module)
We embed videos from YouTube in extended data-protection mode.
YouTube collects data only when you play a video, including:
- IP address
- time of access
- device and browser metadata
The data is processed by Google and may be transferred to the USA.
6.2 Use of Microsoft services
We use the technologies described below from Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (“Microsoft”). Processing is carried out on the basis of an agreement between joint controllers pursuant to Article 26 GDPR. The information automatically collected by Microsoft technologies about your use of our website is generally transmitted to a server of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, and stored there. Further information about Microsoft’s data processing can be found in Microsoft’s privacy notices.
Our service providers are based and/or use servers in countries outside the EU/EEA for which the European Commission has adopted an adequacy decision (Article 45 GDPR).
Our service providers are based and/or use servers in countries outside the EU/EEA without an adequacy decision. Our cooperation with them is based on the European Commission’s Standard Contractual Clauses (Article 46(2)(c) GDPR).
Microsoft Advertising
For advertising purposes in Bing, Yahoo, and MSN search results and on third-party websites, the Microsoft Advertising remarketing cookie is set when you visit our website, automatically enabling interest-based advertising using a pseudonymous cookie ID based on the pages you visit and data collected and processed (IP address, time of visit, device and browser information, and information about your use of our website).
For website analytics and event tracking, we measure your subsequent usage behavior via Microsoft Advertising Universal Event Tracking (UET) if you arrived at our website via a Microsoft Advertising ad. Cookies may be used and data (IP address, time of visit, device and browser information, and information about your use of our website based on events we define, such as visiting a page or signing up for a newsletter) collected to create usage profiles under pseudonyms. Where your internet-enabled devices are linked to your Microsoft account and you have not deactivated “interest-based advertising” in your Microsoft account, Microsoft can generate reports on usage behavior (in particular cross-device user numbers) even if you switch devices (so-called cross-device tracking). We do not process personal data for this purpose; we only receive statistics generated on the basis of Microsoft UET.
Microsoft Forms
We use the ‘Microsoft Forms’ tool to conduct anonymous surveys and polls.
Please note that this data protection information only covers the processing of your personal data by us in the context of the use of Microsoft Forms. Information on the processing of your data by Microsoft can be found in the corresponding Microsoft statement under the following links:
Microsoft Service Agreement
Security and data protection in Microsoft Forms
When using Microsoft Forms, various types of data are processed, depending on the information you provide when participating in surveys or polls. This includes:
- User name, display name, e-mail address
- Preferred language
- Date and time of opening the questionnaire
- Date and time of sending the response
The information you provide in surveys is survey-specific. You decide for yourself which personal data you enter in response fields.
Our interest at Medicos Kosmetik GmbH & Co. KG is to collect information to improve service, offers and products and to increase customer satisfaction and employee satisfaction. Participation in surveys and polls is always voluntary.
6.3 Use of Facebook services
We use several technologies from Meta Platforms Ireland Ltd., Dublin.
Facebook Pixel
Facebook Pixel automatically collects:
- IP address
- date and time
- browser and device data
- website interactions (page views, conversions, sign-ups)
A pseudonymised cookie ID enables user recognition.
Meta may link the data to your Facebook account and use it for:
- analytics
- personalised advertising
- audience creation (Custom Audiences)
Data may be transferred to the USA or other third countries. Transfers rely on DPF certification or Standard Contractual Clauses.
Facebook Analytics / Statistics
Facebook Pixel can generate aggregated usage statistics.
Processing is governed by a data processing agreement with Meta.
Facebook Ads Manager (Advertising)
We define campaign settings; Meta controls the display of the ads.
Custom Audiences
Segmented target groups created from pseudonymised data.
Remarketing
Ads shown based on previous website interactions.
Conversion Tracking
Measures user actions after clicking one of our ads.
Further Information:
www.facebook.com/privacy/policy/
6.4 Other providers of web analytics and online marketing services
We use Matomo for web analytics, hosted on our own servers.
Collected data:
- IP address
- dates/times
- device and browser information
- user interactions
Profiles are pseudonymised and never merged with personally identifiable data.
Hotjar
Hotjar collects:
- IP address (anonymised)
- device and browser information
- clicks, scroll behaviour
- session metadata
- usage statistics
Hotjar acts as a processor.
Data may be stored in:
- adequacy countries
- non-adequacy countries → safeguarded by Standard Contractual Clauses
VWO (Wingify) – A/B Testing, Heatmaps, Session Tracking
VWO enables:
- A/B testing
- multivariate testing
- heatmaps
- session recordings
Collected data include:
- mouse movements
- clicks
- scroll depth
- IP address
- device type
- screen resolution
- preferred language
- country
- timestamps
Legal basis: consent (Art. 6(1)(a) GDPR).
You may opt out of VWO tracking here:
https://vwo.com/de/opt-out
Wingify privacy policy:
https://vwo.com/privacy-policy/#locale_lang
contentbird convert – Interactive Content
We use contentbird convert for interactive content modules.
Collected data:
- timestamps
- usage behaviour
- answers provided
- contact details (if entered)
- anonymised IP
- referring URLs
- web requests
Local Storage may store which hotspots you have already opened.
No transfer to third countries.
Legal basis: consent (Art. 6(1)(a) GDPR).
Further information:
https://en.contentbird.io/
https://en.contentbird.io/datenschutz
Vimeo (Video Integration)
When embedding Vimeo videos:
Vimeo collects:
- IP address
- timestamps
- browser and device metadata
Vimeo may also automatically embed Google Analytics, creating pseudonymised profiles.
Data may be transferred:
- to countries with adequacy decisions
- to other third countries under Standard Contractual Clauses
7. Product reviews
As a user of our website, you can submit reviews of our products.
To publish a review, certain personal information is required.
Collected Data:
- first and last name, or a nickname
- age and gender
- professional category (e.g., consumer, PTA/PKA, pharmacist, doctor)
- email address
- rating (stars)
- optional photo
- free text review
Legal basis: your consent (Art. 6(1)(a) GDPR).
Publication of Your Review
All information you provide — except:
- your email address
- your full surname
— will be made publicly visible on our website alongside your review.
Purpose of Data Processing
Your review data may be used for:
- product improvement
- customer satisfaction analysis
- tolerance/intolerance assessment
- marketing activities
- evaluation by internal departments or third parties where appropriate
Automatic Translation
Your review (title and free text) is automatically translated using the service DeepL.
Contact in Case of Product Issues
If you report negative experiences, dissatisfaction, or potential intolerance, we may need to contact you via email.
This requires your explicit consent, which is confirmed via a double opt-in email.
If consent is not granted, your review cannot be saved or published.
Retention Period
Your review remains published until:
- you withdraw your consent, or
- you request deletion.
A simple email is sufficient.
8. Product Campaigns / Product Testing ("DERMASENCE Produktcheck")
When you participate in our product testing campaigns or promotional activities, we process your personal data to administer and complete the campaign.
Details can be found in the respective participation conditions.
Required Information
Certain data must be provided in order to enter a campaign.
Without this information, participation is not possible.
Recipients
Your data may be shared with:
- internal departments, and
- external service providers (e.g., shipping/logistics)
— but only to the extent necessary for performing the campaign.
Retention and Deletion
After the campaign ends, your data will be deleted unless:
- statutory retention periods apply, or
- legal limitation periods require extended storage.
9. Social Media
We maintain profiles on several social media platforms:
- Facebook (Meta)
- X (formerly Twitter)
- Instagram (Meta)
- YouTube
- TikTok
If you have given consent to the respective platform (Art. 6(1)(a) GDPR), personal data may be collected automatically when you visit our social media pages.
The purposes include:
- market research
- personalised advertising
- creation of pseudonymised usage profiles
Cookies may be used for this purpose.
You can find detailed information in the privacy policies of the respective platform providers.
For assistance in understanding these details, you may contact us at any time.
Facebook (by Meta)
EU provider: Meta Platforms Ireland Ltd., Block J, Serpentine Avenue, Dublin 4, Ireland
When you visit our Facebook page, data is usually transferred to and processed by:
Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA
We operate our Facebook page under a joint controllership arrangement with Meta (Art. 26 GDPR).
More information on Facebook “Insights” data:
https://www.facebook.com/legal/terms/information_about_page_insights_data
Data Transfers May Occur To:
Countries with EU adequacy decision:
- USA (when DPF-certified)
- Canada
- Japan
- South Korea
- New Zealand
- United Kingdom
- Argentina
Countries without adequacy decision:
- Australia
- Hong Kong
- India
- Indonesia
- Malaysia
- Singapore
- Thailand
- Taiwan
- Brazil
- Mexico
In these cases, data is transferred under Standard Contractual Clauses.
X
EU provider: X Internet Unlimited Company, Dublin
Data may be transferred to: X Corp., FM 1209, Building 2, Bastrop, Texas 78602, USA
X may use servers:
- in adequacy-approved countries, or
- in third countries protected by Standard Contractual Clauses
Instagram (by Meta)
Instagram is operated by Meta Platforms Ireland Ltd.
When visiting our Instagram page, data is often transferred to the USA.
This is also based on a joint controllership arrangement.
YouTube
Provider: Google Ireland Ltd., Dublin
User interaction data may be transferred to: Google LLC, Mountain View, USA
Google uses servers:
- in countries with adequacy decisions, or
- in other third countries under Standard Contractual Clauses
Pinterest
EU provider: Pinterest Europe Ltd., Dublin
Data may be transferred to: Pinterest, Inc., San Francisco, USA
Transfers occur:
- to adequacy-approved countries
- or under Standard Contractual Clauses
LinkedIn
EU provider: LinkedIn Ireland Unlimited Company, Dublin
Data may be transferred to:
LinkedIn Corporation, Sunnyvale, USA
If the U.S. entity is certified, transfers rely on an EU adequacy decision.
Xing
Provider: New Work SE, Hamburg, Germany
Some processing may occur on servers in third countries.
Transfers are based on Standard Contractual Clauses.
TikTok
We use TikTok Business for communication, branding, and interaction with users.
EU provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, Ireland
TikTok Automatically Collects Data Such As:
- IP address
- date and time of request
- time zone
- device type, OS, app version
- browser or app usage
- language settings
- amount of data transferred
- content displayed
- metadata
- user interactions (likes, shares, comments, messages)
Data may be transferred to:
- the USA
- China
- other non-EU/EEA countries without adequacy decision
TikTok may also use subprocessors, such as Facebook or Google.
Interaction Options
On TikTok, you may:
- like videos
- comment
- share
- send private messages
- interact with our content in various ways
Depending on your privacy settings, some of this information may be publicly visible.
Legal Basis
- your consent (Art. 6(1)(a) GDPR)
- our legitimate interest in communication and service optimisation (Art. 6(1)(f) GDPR)
Retention and Deletion
We delete your data when it is no longer necessary or when you request deletion, unless legal regulations require otherwise.
You may also delete content you have posted on our TikTok page yourself.
Right to Object
You may object to processing at any time (Art. 21 GDPR), particularly when it is based on legitimate interests.
10. Contact options and your rights
10.1 Your rights
You have the following rights:
Right of Access (Art. 15 GDPR)
You may request information about the personal data we process about you.
Right to Rectification (Art. 16 GDPR)
You may request correction of inaccurate or incomplete data.
Right to Erasure (Art. 17 GDPR)
You may request deletion of your data unless processing is still necessary, e.g., for:
- exercising freedom of expression/information
- compliance with legal obligations
- reasons of public interest
- legal claims (establishment, exercise, defence)
Right to Restriction of Processing (Art. 18 GDPR)
You may request restriction of processing if:
- you contest the accuracy of data
- processing is unlawful and you request restriction instead of deletion
- we no longer need the data but you require it for legal claims
- you have objected under Art. 21 GDPR
Right to Data Portability (Art. 20 GDPR)
You may obtain your data in a structured, machine-readable format.
Right to Lodge a Complaint (Art. 77 GDPR)
You may lodge a complaint with your local data protection authority — in most cases the authority of:
- your place of residence,
- your workplace, or
- our company headquarters.
Right to Object (Art. 21 GDPR)
If we process data based on legitimate interests, you may object at any time for reasons relating to your particular situation.
Direct Marketing
If the objection concerns direct advertising, we stop processing immediately, without requiring any justification.
10.2 Contact
For inquiries regarding:
- collection
- processing
- use
- access
- correction
- restriction
- deletion of your data
- or withdrawal of consent
please contact us using the details listed in our legal notice.
Data Protection Officer
DSB Münster GmbH
Martin-Luther-King-Weg 42–44
48155 Münster
Germany
E-mail: datenschutz/at/dermasence/dot/de
Privacy Notice for the Application Process (Article 13 GDPR)
Who is responsible for data processing?
Medicos Kosmetik GmbH & Co. KG
Hafengrenzweg 3
48155 Münster, Germany
datenschutz@dermasence.de
What personal data do we process and for what purposes?
We process the personal data you submit to us as part of your application in order to assess your suitability for the specific position and, if applicable, for other open positions within our company. This data is also required for managing and carrying out the application process.
On what legal basis do we process your data?
The processing of your personal data is necessary to take steps prior to entering into a contract and is based on Article 6(1)(b) of the General Data Protection Regulation (GDPR). If the application process does not result in an employment relationship, further data processing may take place for the purpose of asserting or defending legal claims under Article 6(1)(f) GDPR.
If you explicitly consent, we will store your documents in our applicant pool in order to consider you for future job openings. In this case, processing is based on your voluntary consent in accordance with Article 6(1)(a) GDPR and may be withdrawn at any time with effect for the future.
How long do we store your data?
If no employment results from your application, we will delete your data no later than six months after the conclusion of the application process. If you give your explicit consent to a longer retention period, we will retain your documents in our applicant pool for up to two years.
If an employment relationship is established, your data will be transferred to your personnel file.
How and where is your data processed?
Your application data is processed solely by authorized internal personnel (e.g. HR department and responsible supervisors). Technical processing is handled via the applicant management system myHR from perbit Software GmbH, under a GDPR-compliant data processing agreement. All data is processed exclusively in certified data centers within the European Economic Area (EEA). Data processing outside the EEA only takes place with your prior consent and in compliance with the requirements set out in Articles 44 et seq. GDPR. There is no transfer of data to unauthorized third parties.
Whistleblower Reporting System
In accordance with the EU Whistleblower Protection Directive (Directive (EU) 2019/1937), we provide an internal reporting system that allows for the confidential submission of concerns about potential violations of laws or internal policies.
When using the system, personal data may be processed – such as names, contact details, message content, or data relating to individuals mentioned in the report. Processing is carried out to fulfill our legal obligations under Art. 6 (1)(c) GDPR.
If the report is submitted anonymously, no directly identifiable personal data will be collected.
For more information, please refer to our Whistleblower Policy and the reporting system itself.