We would like to inform you about how we handle your personal data and what rights you have under the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). The responsibility for data processing lies with the organization STATICS Holding GmbH (hereinafter referred to as "we" or "us").

Responsibilities
The party responsible for the processing of your personal data is:

STATICS Holding GmbH
Maximilian Lang, Kirsten Wilhelm, Melanie Groß & Daniel Albrecht

Stephansplatz 3 - Alte Oberpostdirektion
20354 Hamburg

Phone: +4940604297717
Email: info@statics-group.de

Contact details of the data protection officer
You can reach our data protection officer using the following contact details:

Iqanta GmbH
Sven Weschler

Boschstrasse 23a
22761 Hamburg

E-mail: kontakt@iqanta.com
Phone: +49 40 357 014 60

General information on the legal basis of data processing
"Personal data" is all information that relates to a specific person. We process this data in accordance with the applicable data protection laws, in particular the GDPR and the BDSG. We may only process personal data if we have legal permission to do so.

We only process personal data with your consent, in order to enter into a contract with you or to respond to your request in connection with a potential business relationship, to fulfill legal obligations, or to protect our legitimate interests, provided that this does not affect your interests or fundamental rights and freedoms that require the protection of personal data.

Storage duration of personal data
We only store your data for as long as is necessary to achieve the purpose of the processing or to fulfill our contractual or legal obligations, unless otherwise stated in the following information. Statutory retention obligations may arise from commercial or tax regulations. After the end of the calendar year in which we collected the data, we will retain personal data contained in our accounting records for ten years and personal data contained in business letters and contracts for six years. Furthermore, we will retain data in connection with consents requiring proof as well as complaints and claims for the duration of the statutory limitation periods. Data stored for advertising purposes will be deleted if you object to processing for this purpose.

Processing when exercising your rights
If you wish to exercise your rights in accordance with Articles 15 to 22 of the GDPR, we will process the personal data you have provided in order to implement these rights and to be able to provide proof of this. We will process the data stored for the purpose of providing information and preparation exclusively for this purpose and for data protection control purposes and otherwise restrict processing in accordance with Article 18 of the GDPR.

These processing operations are based on the legal basis of Article 6(1)(c) of the GDPR in conjunction with Articles 15 to 22 of the GDPR and Section 34(2) of the BDSG.

Rights of the data subject
The General Data Protection Regulation (GDPR) guarantees every data subject certain rights in relation to their personal data. These include:

  • The right of access: every data subject has the right to obtain from us confirmation as to whether or not personal data concerning them are being processed, and access to those data, as well as further information and copies of those data.
  • The right to rectification: Every data subject has the right to request the rectification of inaccurate personal data without undue delay.
  • The right to erasure ("right to be forgotten"): Every data subject has the right to request the erasure of their personal data without undue delay.
  • The right to restriction of processing: Every data subject has the right to request the restriction of the processing of their personal data.
  • The right to data portability: Every data subject has the right to receive the personal data concerning them, which they have provided to us, in a structured, commonly used and machine-readable format.
  • Right to object: Every data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) GDPR. If we process personal data about the data subject for the purpose of direct marketing, the data subject may object to this processing in accordance with Art. 21 (2) and (3) GDPR.

The data subject also has the right to lodge a complaint with a supervisory authority if they consider that the processing of their personal data infringes the GDPR.

The supervisory authority responsible for us is: The Hamburg Commissioner for Data Protection and Freedom of Information

Information on the processing of personal data
Processing: STATICS Mind APP/web application
Purpose of processing
We process your personal data insofar as this is necessary to fulfill the following purposes

  • Operation of the APP
  • Measurement and training of mental health

Description:

Collection of personal data in connection with the use of the APP

Legal basis
The legal basis for the processing of your personal data for the above-mentioned purposes is/are

  • Consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR)

Information on the legal basis:

  • Consent to the processing of health data.
    Special security measures: Detailed authorization concept, small circle of authorized persons, see general technical and organizational measures; encryption; multi-factor authentication; pseudonymization

Sources of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the sources of this data.

  • From the data subject
  • Technical, automatic transmission

Categories of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the categories of data concerned.

  • Contact data
  • Usage data
  • Meta/communication data
  • Master data
  • Image data
  • Position
  • Occupation
  • Hobbies
  • Health data

Storage duration
We will inform you of the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration.

  • Deletion after fulfillment of purpose
  • After withdrawal of consent

Automated decision-making, including profiling
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

In the following, we provide information about the logic involved and the scope and intended effects for the data subject.

  • No information

Processing: Evaluation of health questions
Purpose of processing
We process your personal data insofar as this is necessary to fulfill the following purposes:

  • Mental health measurement and training
  • Preventive measures for health in the workplace

Description:

Evaluations of health data are carried out for advice and for preventive health measures.

Legal basis
The legal basis for processing your personal data for the above-mentioned purposes is/are

  • Consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR)

Information on the legal basis:

  • Consent to the processing of health data.

Special security measures: Detailed authorization concept, small circle of authorized persons, see general technical and organizational measures; encryption; multi-factor authentication; pseudonymization

Sources of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the sources of this data.

  • Online form
  • Voluntary self-disclosure
  • Technically determined measured values, transfer to the system

Categories of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the categories of data concerned.

  • Contact details
  • Data subject's name
  • Health data

Storage duration
We will inform you of the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration.

  • Deletion after fulfillment of purpose
  • After withdrawal of consent

Processing: Healthday employees
Purpose of processing
We process your personal data insofar as this is necessary to fulfill the following purposes

  • Making appointments
  • Measurement and training of mental health
  • Preventive measures for health in the workplace

Description:

Employees have the opportunity to register for a Healthday via a personal registration from the web portal and make an appointment. In order to participate, medical history forms are filled out and measurements (foot and spine) are taken. Depending on the evaluation of the medical history and the measurement results, recommendations for health promotion are made. Anonymized data can be analyzed for improvements in the working environment.

Legal basis
The legal basis for the processing of your personal data for the above-mentioned purposes is/are

  • Consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR)

Information on the legal basis:

  • Consent to the recording and processing of health data.
    Special security measures: Detailed authorization concept, small circle of authorized persons, see general technical and organizational measures; encryption; multi-factor authentication; pseudonymization

Sources of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the sources of this data.

  • Data collected by means of online tools/procedures
  • From the data subject
  • Technically determined measured values, transfer to the system

Categories of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the categories of data concerned.

  • Contact details
  • Company name
  • Health data

Storage duration
We will inform you of the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration.

  • Deletion after fulfillment of purpose
  • After withdrawal of consent

Processing: Anonymized evaluation of health data
Purpose of processing
We process your personal data insofar as this is necessary to fulfill the following purposes:

  • Preventive measures for health in the workplace

Description:

Collected health data is anonymized and statistically evaluated for advice on preventive health measures.

Legal basis
The legal basis for the processing of your personal data for the above-mentioned purposes is/are

  • Consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR)
  • Legitimate interest (Art. 6 para. 1 lit. f GDPR)

Information on the legal basis:

  • Consent to the processing of health data, no personal data is available after anonymization has been carried out.
    Special security measures: Detailed authorization concept, small circle of authorized persons, anonymization of personal data by means of an applied technical procedure according to the current state of the art, which makes it possible to irrevocably remove the personal reference and all characteristics for identifying the person concerned. Anonymization is only carried out when at least 20 data subjects are involved.

Sources of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the sources of this data.

  • Collected from the data subject
  • Technically determined measured values, transmission to the system

Categories of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the categories of data concerned.

  • Contact details
  • Data subject's name
  • Health data

Legitimate interests
The indication of the "legitimate interests" of the controller or the third party that are pursued with the processing of personal data refers to Art. 6 para. 1 sentence 1 lit. f GDPR.

  • Anonymized statistical evaluation for preventive health measures

Storage duration
We will inform you of the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration.

  • Deletion after fulfillment of purpose
  • After withdrawal of consent

Data recipients
Recipients of personal data outside the organization
Article 4(9) of the General Data Protection Regulation (GDPR) defines the term "recipient" as "the natural or legal person, public authority, agency or any other body to whom personal data are disclosed, whether a third party or not".

  • Employer
  • Hetzner Online GmbH
  • HubSpot, Inc.
  • K&W Media Consulting GmbH
  • Idiag AG
  • molibso Entwicklungs- und Vertriebs GmbH
  • SurveyMonkey Europe UC
  • Calendly, Inc.

General information for data transfer to third countries
As part of our data processing, certain personal data may be transferred to countries in which the EU General Data Protection Regulation (EU GDPR) is not applicable law (so-called third countries). Such a transfer is only permitted if the European Commission has determined that an adequate level of data protection is guaranteed in the third country in question. If there is no such adequacy decision by the European Commission, personal data may only be transferred to a third country if appropriate safeguards pursuant to Art. 46 GDPR are in place or if one of the requirements of Art. 49 GDPR is met.

Unless otherwise stated below, we use the EU standard data protection clauses as appropriate safeguards for the transfer of personal data to third countries. The data subject has the right to obtain a copy of these EU standard data protection clauses or to inspect them. For this purpose, please use the contact details provided under Responsibilities.

Insofar as the data subject expressly consents to the transfer of personal data, the transfer takes place on the legal basis of Art. 49 para. 1 lit. a GDPR.

Transfer of data to a third country or international organization
A transfer of personal data to an "international organization" (within the meaning of Art. 4 No. 26 GDPR) or to controllers, processors or other recipients in a country outside the European Union (EU) and the European Economic Area (EEA) entails particular data protection risks from the perspective of the data subject.

We transfer personal data to the following recipients outside the European Union (EU) and the European Economic Area (EEA)

  • Data transfer to a third country or to an international organization does not take place and is not planned.

Adequacy decision of the EU Commission
A transfer of personal data to a country outside the European Union (EU) and the European Economic Area (EEA) or to an international organization is permitted if the European Commission has determined that the country, territory or one or more specific sectors within that country or the international organization in question ensures an adequate level of protection.

We transfer personal data to the following recipients outside the European Union (EU) and the European Economic Area (EEA) for which an adequacy decision exists:

  • HubSpot, Inc (United States of America)
  • Idiag AG (Switzerland)
  • SurveyMonkey Europe UC (United States of America)
  • Calendly, Inc (United States of America)

Purpose of processing
We process your personal data to the extent necessary to fulfill the following purposes

  • Operation of the APP
  • Mental health measurement and training
  • Preventive measures for health in the workplace
  • Making appointments

Legal basis
The legal basis for processing your personal data for the above-mentioned purposes is/are

  • Consent (Art. 6 para. 1 lit. a GDPR, Art. 7 GDPR)
  • Legitimate interest (Art. 6 para. 1 lit. f GDPR)

Sources of the personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the sources of this data.

  • From the data subject
  • Technical, automatic transmission
  • Online form
  • Voluntary self-disclosure
  • Technically determined measured values, transfer to the system
  • Data collected by means of online tools/procedures
  • Collected from the data subject

Categories of personal data
If personal data is not collected directly from the data subject, the controller is obliged to inform the data subject about the categories of data concerned.

  • Contact data
  • Usage data
  • Meta/communication data
  • Master data
  • Image data
  • Position
  • Occupation
  • Hobbies
  • Health data
  • Your name
  • Company name

Legitimate interests
The indication of the "legitimate interests" of the controller or the third party pursued with the processing of personal data refers to Art. 6 para. 1 sentence 1 lit. f GDPR.

  • Anonymized statistical evaluation for preventive health measures

Storage duration
We will inform you of the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration.

  • Deletion after fulfillment of purpose
  • After withdrawal of consent

Automated decision-making, including profiling
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

In the following, we provide information about the logic involved and the scope and intended effects for the data subject.

  • No information