Privacy Policy

With this privacy policy we inform you about the scope of the processing of your personal data (hereinafter "data"). The German version of this privacy policy is authoritative. The English version is for information purposes only. Refer to German version oft the privacy policy.

1. Data processing responsibility

Responsible for data processing in accordance with the provisions of the General Data Protection Regulation (GDPR) is:

Ondal Medical Systems GmbH
Wellastrasse 6
36088 Hünfeld
Phone: +49 6652-81-0

2. Data protection officer contact details

Sarah Tavcer
RMPrivacy GmbH
Große Langgasse 1A
55116 Mainz
Tel.: 06131 28770 85             

3. Joint processing

We process personal data jointly within the Ondal group of companies for effective internal management of personal data and group systems. For this purpose, we transfer your data to companies affiliated with us pursuant to Section 18 of the German Stock Corporation Act (AktG) et seq. by analogy, or process the data in systems operated jointly with the companies affiliated with us.

You can view the parties involved in our group of companies :

  • Ondal Holding GmbH
  • Ondal Medical Systems GmbH
  • Ondal Medical Systems of America, Inc.
  • Ondal Medical Systems (Suzhou) Co. Ltd.

No personal data is exchanged with Ondal Real Estate GmbH or Ondal Medtech TopCo GmbH, which are also affiliated companies.

The legal basis for joint data processing is our legitimate interest in effective administration and IT infrastructure pursuant to Article 6 (1) f) GDPR.

For the processes subject to joint data processing, we are jointly responsible with our affiliated companies pursuant to Article 26 GDPR. Accordingly, we have defined the internal responsibilities and accountabilities in a contract.

The information obligations of the GDPR will be fulfilled by the respective company with which you are first in contact.

We have assigned the fulfillment of data subject rights internally to Ondal Medical Systems GmbH. You can contact us at any time with inquiries or to assert your data subject rights using the contact details in Section 1.

The specific processes that fall under joint processing are marked as follows.

4. General information on data processing

In the course of our business and website operations, we process data.

This includes disclosure by transmission to third parties and, where applicable, to countries outside the European Union ("EU") and the European Economic Area ("EEA"). Insofar as we transfer data outside the EU or the EEA, we have detailed this accordingly below.

5. Data processing

The data gathered for processing purposes, legal bases, recipients and, where applicable, transfers to third countries are listed below:

a) Log file during website visit

We log your website visit. In doing so, we process:

  • name(s) of our accessed website(s);
  • date and time of access;
  • amount of data transferred;
  • browser type and version;
  • operating system used by you;
  • referrer URL (the previously visited website);
  • your IP address;
  • requesting provider.

The legal basis for data processing is our legitimate interest in the ongoing provision and security of our website in accordance with  6 (1) f) GDPR.

The log file is deleted after seven days, unless it is needed to prove or clarify specific legal violations that have become known within the retention period.

b) Hosting

Our online provider is René Münnich, ALL-INKL.COM - Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf, which processes all data in connection with the operation of this website (log file when visiting the website) on our behalf.

The legal basis for the data processing is our legitimate interest in the provision of our website in accordance with Article 6 para. 1 f) GDPR.

c) Contacting us

When you contact us, we collect the following data for the purpose of processing and handling your request: Name, contact details if provided by you and your message.

The legal basis for the data processing is our obligation to fulfill the contract and/or to fulfill our pre-contractual obligations pursuant to Article 6 (1) b) GDPR and/or our interest in processing your request pursuant to Article 6 (1) f) GDPR.

d) Contacting us for applications

When you contact us to submit your application as an employee, by e-mail or via a contact form, the data you provide (e.g. name, e-mail address, desired location), your message and the application documents submitted will be processed exclusively for the purpose of processing and handling your application request.

The legal basis for data processing is primarily Section 26 of the German Data Protection Act (BDSG). Accordingly, the processing of data that is required in connection with the decision on the establishment of an employment relationship is permissible.

Should the data be necessary for legal prosecution after completion of the application process, if applicable, data processing may be carried out to safeguard our legitimate interests pursuant to Article 6 (1) f) GDPR, namely to assert and/or defend claims.

e) Applicant pool

If you give us your consent to store your application documents after the application process has been completed, we will store them in our applicant pool for the purpose of contacting you for future vacancies that fit your profile. The legal basis for processing within the scope of our applicant pool is your prior consent pursuant to Article 6 (1) a) GDPR.

f) Contract processing

We collect your personal customer and contract data for the purpose of processing the contractual relationship between you and us.

The legal basis for the data processing is the fulfillment of our contractual obligations pursuant to Article 6 (1) b) GDPR and, in individual cases, the fulfillment of our legal obligations pursuant to Article 6 (1) c) GDPR.

We transmit your address data to the company commissioned with the delivery. If necessary, we additionally transmit your e-mail address or your telephone number to the company commissioned with the delivery in order to coordinate a delivery date (notification).

Your transaction data (name, date of order, payment method, date of dispatch and/or receipt, amount and payee, bank details or credit card data, if applicable) are transmitted to the payment service provider responsible for processing the payment.

g) Customer account: MyOndal

In connection with the opening and use of a customer account, we process your inventory data (name, address, e-mail address) and your usage data (user name, password). This allows you to manage your orders and we can identify you as a customer. The legal basis for this data processing is your consent in accordance with Article 6 (1) a) GDPR.

h) Microsoft Teams

We use the video conferencing function of Microsoft Teams from the Office 365 product line of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park Leopardstown, Dublin 18, D18 P521, Ireland for communication. Through this, we can offer you participation via video and audio in our meetings and online events.

We do not record Microsoft Teams online events and meetings unless we have obtained consent in advance.

The people who can see your audio and video input are dependent on the Teams mode we use:

Live Events, Webinars: For live events, we do not allow audio or video input from participants to maintain anonymity.

Team meetings: In team meetings, all participants can set their own audio and video inputs. We cannot definitively exclude or prevent unauthorized processing by other participants, for example by recording the meeting.

Data processing with Office 365 is carried out on our behalf on servers in data centers in the European Union in Ireland and the Netherlands.

For the purpose of remote maintenance, Microsoft may request remote access. This access will be reviewed and approved by us on a case-by-case basis if it is necessary for Microsoft to perform support services (e.g. for troubleshooting). In this case, such access may also be provided by Microsoft affiliates from outside the European Union. This may include countries for which there is no EU Commission adequacy decision. We have entered into standard contractual clauses with Microsoft exclusively for this case of access from outside the European Union in individual cases approved by us. We will provide a copy of the contractual clauses upon request. To do so, please contact

Microsoft reserves the right under its Privacy Policy to process Customer Data for its own legitimate business purposes. We have no control over these data processing activities by Microsoft. To the extent that Microsoft Teams processes personal data in connection with its legitimate business purposes, Microsoft is the independent data controller for those data processing activities and, as such, is responsible for compliance with all applicable data protection laws. If you require information about Microsoft's processing, please refer to the relevant Microsoft statement:

We carry out data processing activities on the basis of a legitimate interest pursuant to Article 6 (1) f) GDPR. The purpose and legitimate interest of this data processing are: provision of communication options with our customers, business partners and interested parties via the Internet as well as for internal coordination and, if applicable, implementation of webinars and similar live events.

Your personal data will be deleted after 180 days at the latest.

i) Newsletter

In order to provide you with regular information about our company and offers, we distribute an e-mail newsletter. With your newsletter registration, we process the data you entered during registration (e-mail address and other voluntary information). In order to prevent misuse, we will send you an e-mail after your registration in which we ask you to confirm your registration (double opt-in procedure). In order to be able to prove the registration process in a legally compliant manner, your registration is logged. This includes the time of registration and confirmation as well as your IP address.

The legal basis for sending the newsletter is your consent in accordance with Article 6 (1) a) GDPR. The data processing in connection with the sending of the confirmation email for your registration and the associated data logging is carried out in accordance with Article 6 (1) f) GDPR due to our legitimate interest in proving your proper registration.

If you give us consent, we survey whether you have opened the newsletter as well as scrolling and clicking behavior within the newsletter. This is done for the purpose of optimally tailoring our newsletter to your interests and improving the content of our newsletter. The legal basis for the analysis of the newsletter is your consent in accordance with Article 6 (1) a) GDPR.

For the distribution of the newsletter, we use a service provider located within the EU, to whom we transmit the named data.

j) Direct e-mail advertising for existing customers

Unless you have objected, we will send you direct advertising in connection with the goods and services you have purchased in order to offer you similar goods and services. For this purpose, we use the e-mail address you used when completing the contract.

You can object to this use at any time without incurring any costs other than the transmission costs according to the basic rates.

The legal basis for sending this direct advertising is Section 7 (3) of the German Law Against Unfair Competition (UWG) in conjunction with. Article 95 GDPR. For the distribution of the newsletter, we use service providers to whom we transmit the aforementioned data.

k) Use of cookies

We use cookies on our website. Cookies are small text files that are stored on your respective end device (PC, smartphone, tablet, etc.) and saved by your browser.

We use functional cookies that technically facilitate the use of our website or serve to optimize it (e.g. as part of the login to My Ondal). The legal basis is our legitimate interest in the technically optimized provision of our website pursuant to Article 6 (1) f) GDPR.

Insofar as we have integrated cookies for advertising purposes, the use takes place on the legal basis of your consent pursuant to Article 6 (1) a) GDPR. You can find information about the specific cookies we use, their providers and purposes in our Consent banner. There you can give your consent to the respective services, can revoke it, or adjust your settings subsequently.

l) Our consent banner

In order to document your choices regarding certain data processing procedures and to fulfill our obligations under data protection law, we use a consent banner. When you access our website, your cookie preferences are requested via a banner. We then set a cookie in which data on consent given or revoked is stored. The data processing is carried out to fulfill our legal obligations according to Article 6 (1) c) GDPR.

m) Web analysis with Matomo

We use the web analysis software Matomo on our website. When you visit our site, this saves information about your use of the website (including IP address). We use the information to evaluate your use of our website, to compile reports on website activity for us and to provide other services related to website activity and internet usage.

The legal basis for data processing is your consent in accordance with Article 6 (1) a) GDPR.

Please note that this website uses Matomo with the extension "anonymizeIp()". This shortens IP addresses before transmission. A direct personal reference in connection with the stored data is thus fundamentally excluded. We may transfer the stored information to third parties if required by law.

6. Duration of data storage

We store personal data only as long as it is necessary for the purposes for which it is processed or until any consent you have given us has been revoked by you. Insofar as statutory retention obligations must be observed, the storage period for certain data can be up to 10 years, regardless of the processing purposes.

7. Your data subject rights

a) Information

Upon request, you will receive information about all personal data we have stored about you at any time and free of charge.

b) Correction, deletion, restriction of processing (blocking), objection

If you no longer agree with the storage of your personal data or if this data has become incorrect, we will arrange for the deletion or blocking of your data or make the necessary corrections (to the extent possible according to the applicable law) on the basis of a corresponding instruction. The same applies if we are only to process data in a restrictive manner in the future. You have a right of objection in particular in cases where your data is required due to the performance of a task that is in the public interest or the data processing is based on our legitimate interest, as well as profiling based on this. Likewise, in the case of data processing for the purpose of direct advertising, you have such a right of objection.

c) Right of revocation for consents

You may revoke any consents you have given at any time in order to affect future processing. Your revocation will not affect the lawfulness of the processing until the time of revocation.

d) Data portability

If data processing takes place on the basis of a contract, pre-contractual negotiations, consent or with the help of automated processes, you have the right to data portability. Upon request, we will provide you with your data in a common, structured and machine-readable format so that you can transfer the data to another responsible party upon request.

e) Restriction of processing

Data for which we are not able to identify the data subject (e.g. data which has been anonymized), is not covered by the above rights. Information, deletion, blocking, correction or transfer to another company may be possible in relation to this data if you provide us with additional information that allows us to identify you.

f) Exercise of your data subject rights and right of appeal

If you have any questions regarding the processing of your personal data, wish to obtain information, correct, block, object to or delete data, or wish to have your data transferred to another company, please contact

You have the option of filing a complaint with a supervisory authority about your data protection rights.