Privacy Policy

1. General information

Thank you for your interest in our online products and services. As your data, trust, and satisfaction are very important to us, we ask that you read through the following privacy policy carefully.

This privacy policy applies to all of the following websites (hereinafter referred to as "Website"):

· www.pentaxmedical.com

· www.eus-j10.com

· www.scopepilot.com

· Hygiene Solution PENTAX Medical Hygiene

· www.versaysystem.com

· Home PENTAX Defina (definasystem.com)

· http://www.hd-platform.com

· INSPIRA Video Processor PENTAX Inspira (pentaxmedical.com)

· www.imaginasystem.com

· www.optivistaplus.com

· my PENTAX Medical

· EMEA (i-scanimaging.com)

We would like to point out that we do not use gender-specific terms. We care about your privacy!

When using our website, you can rest assured that we will use the data you have entrusted to us responsibly and not transfer it to third parties without your consent. The protection of your personal data is of particular importance to us.

The following privacy policy aims to explain the type, extent, and purpose of the processing of personal data by our online services, in mobile applications, as well as on our website and social media accounts (hereinafter referred to as "Online Offering"). With regard to the terms used in our privacy policy, such as "processing" or "controller", etc., we refer to the definitions in the General Data Protection Regulation (see Article 4 GDPR). We also want to explain the rights you have as data subjects.

You can generally use our webpages without having to provide any personal data. However, we would like to point out that it may be necessary to process your personal data if you wish to make use of certain services via our Website.

As controllers responsible for data processing, we have introduced a number of technical and organizational measures to ensure that any personal data processed by this Website is protected as far as possible. Nevertheless, data transferred via the internet may be subject to security gaps. This means that we cannot guarantee absolute protection. For this reason, you are free to transfer any necessary personal data to us in alternative ways, for example, over the telephone.

2. Controller

The controller responsible for processing your personal data within the meaning of the GDPR and the Federal Data Protection Act (BDSG) is:

PENTAX Europe GmbH, Julius-Vosseler-Str. 104, 22527 Hamburg, Germany, info.emea@pentaxmedical.com

You can contact our data protection officers by means of the above postal addresses (with post addressed to "The data protection officer").

3. Processing overview

The following overview is a summary of the types of processed data and the reasons for processing thereof, and lists the data subjects.

Categories of data subject:

The following categories of data subject are those affected by data processing on our Website: customers, prospective customers, communication partners, users, business and contract partners, clients, employees.


Types of processed data:

The following categories of personal data are processed: inventory data, contact data, content data, contract data, usage data, meta and communication data.

Purpose of the processing:

By processing your personal data, we pursue the following processing purposes: provision of contractual and customer services, requests for contact and communication, security measures, direct marketing, measuring reach, office and organizational processes, remarketing, conversion management, click tracking, target group formation, affiliate tracking, managing and responding to requests, feedback, marketing, profiles with user information, provision of our Online Offering and ease of use.

4. Relevant legal bases

The personal data, for example, names, addresses, email addresses, or telephone numbers of a data subject, is processed by us exclusively in compliance with the requirements of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG), as well as in accordance with the other specific data protection provisions which apply to us in Germany. Below is an overview of the legal bases upon which we process your personal data. Please note that national data protection provisions may apply in your or our country of residence in addition to the provisions of the GDPR.

· The legal basis for consent is Article 6(1)(a) GDPR: The data subject has given consent to the processing of his or her personal data for one or more specific purposes.

· The legal basis for fulfilling our contractual obligations and responding to your requests is Article 6(1)(b) GDPR: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

· The legal basis for fulfilling our legal obligations is Article 6(1)(c) GDPR: Processing is necessary for compliance with a legal obligation to which the controller is subject.

· The legal basis for processing to protect our legitimate interests is Article 6(1)(f) GDPR: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

5. Security measures

In accordance with the legal regulations and taking account of the state of the art, implementation costs and the type, extent, circumstances, and purposes of the processing, as well as the different levels of likelihood of occurrence and the extent to which the rights and freedoms of natural persons are threatened, we have taken suitable technical and organizational measures to ensure a level of protection that is proportionate to the risk.

The measures include, in particular, ensuring the privacy, integrity, and availability of the data by monitoring physical and electronic access to the data, as well as access, entry, disclosure, and ensuring the availability and separation thereof. Furthermore, we have set up processes which ensure the assertion of data subjects' rights, the deletion of data, and responses to data threats. Moreover, we take account of the protection of personal data when developing or selecting hardware, software, and processes in accordance with the principle of data protection, through technology design and through privacy-friendly default settings.

Shortened IP addresses: If IP addresses are processed by us or by the service providers and technology we use, and the processing of a complete IP address is not required, the IP address will be shortened (known as "IP masking"). In this case, the last two digits or the last part of the IP address after a period are removed or replaced with placeholders. The purpose of truncating an IP address is to prevent identification of a person from their IP address, or to make it difficult to do so.

SSL encryption (https): We use SSL encryption to protect your data transferred via our Online Offering. You can identify these kinds of encrypted connections by the prefix https:// in your browser's address bar.

6. Transferring personal data

As part of our processing of personal data, it may be the case that the data is transferred to other places, companies, legally independent organizational units, or people, or disclosed to them. Recipients of this data may, for example, be service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In this case, we will observe the legal requirements and conclude, in particular, corresponding contracts or agreements with the recipients of your data, which will serve to protect your data.

Data transfer within our corporate group: We may transfer personal data to other companies in our corporate group or grant them access to this data. If this data transfer is for administrative purposes, it will be based on our legitimate corporate and business interests [Article 6(1)(f) GDPR] or will take place if it is required to fulfill our contractual obligations [Article 6(1)(b) GDPR], or if a data subject has provided their consent [Article 6(1)(a) GDPR], or if there is legal permission [Article 6(1)(c) GDPR].

7. Data processing in third countries

If you visit our Website, it may be the case that we process data in a third country [i.e., outside the European Union (EU) or the European Economic Area (EEA)] or the processing takes place as part of use by third‑party services or disclosure or transfer of data to other people, bodies, or companies. However, this will only occur in accordance with the legal provisions.

Subject to express consent or contractual or legal transfer obligations, we process data or have data processed only in third countries with a recognized level of data protection, and are committed to standard protection clauses of the EU Commission if there are certifications or binding internal data protection regulations (Articles 44 to 49 GDPR, see EU Commission info page: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en).

8. Data erasure

The data we process will be erased in accordance with the legal regulations, as soon as you revoke your consent to processing or there are no longer circumstances which permit processing (e.g., if the purpose of this data processing ceases to apply or the processing is no longer required for the purpose). If the data is not erased, because it is required for other, legally permissible purposes, processing will be limited to these purposes. This means that the data will be blocked and not processed further for other purposes. This applies, for example, to data that needs to be retained for reasons related to commercial or tax law, or where storage thereof for asserting, exerting, or defending legal claims, or to protect the rights of another natural or legal person is required. As part of our data protection notice, we can provide users with further information on the erasure and storage of data that refers specifically to the respective processing.

9. Use of cookies

Cookies are small text files or other storage references that store information on end devices and read information from the end devices. For example, to store the login status in a user account, the retrieved content, or the functions used on a website. Cookies can also be used for various purposes, for example, for functionality, security, and ease of use of websites, as well as to create analyses of visitor streams.

Notes on consent: We use cookies in accordance with the legal provisions. We therefore obtain prior consent from the user, unless this is not legally required. Consent is not required in particular if the storage and reading of information, including cookies, is absolutely necessary in order to provide users with a service they have expressly requested, e.g., our Online Offering. The consent, which may be revoked, will be clearly communicated to users and contains the information on cookie usage.

Notes on the legal bases for data protection: The legal basis for data protection, upon which we process the personal data of users with the aid of cookies, depends on whether or not we ask users for their consent. If a user provides consent, the legal basis for processing the data is the declared consent. Otherwise, the data processed using cookies is processed on the basis of our legitimate interests (e.g., for efficient operation of our Online Offering and the improvement of its usability) or, if this occurs as part of the fulfillment of our contractual obligations, if the use of cookies is required in order to enable us to fulfill our contractual obligations. We will explain the purposes for which we process cookies in this privacy policy or as part of our consent and processing processes. In terms of the storage duration, a distinction is made between the following types of cookie:

· Temporary cookies (or session cookies): Temporary cookies are deleted at the very latest once the user has left an Online Offering and closed their end device (e.g., browser or mobile application).

· Permanent cookies: Permanent cookies are stored even after the end device is closed. This means, for example, that a login status can be stored or preferred content displayed straightaway when a website is visited again. User data that has been collected using cookies can also be used for measuring reach. If we do not expressly inform users of the type and storage duration of cookies (e.g., to obtain consent), users should assume that cookies are permanent and they can be stored for up to two years.

General information on revocation and objection (opt-out): Users can revoke consent they have given at any time and object to processing in accordance with the legal provisions in Article 21 GDPR (further information on revocation can be found in this privacy policy). Users can also opt out via their browser settings.

Processing of cookie data based on consent: We use a cookie consent management process, through which users consent to the use of cookies and the processing and providers named as part of the cookie consent management process can be monitored and managed, and revoked by users. The declaration of consent is stored here, so that the request does not need to be made again and in order to provide proof of the consent in accordance with our legal obligations. Data can be stored by the server and/or in a cookie (opt-in cookie) or with the aid of comparable technology, in order to assign the consent to a user or their device. The following information applies, subject to individual information about the providers of cookie management services: The consent can be stored for up to two years.

Additional information on the services used:

Cookiebot

Type and extent of processing

We have integrated Usercentrics on our Website. Usercentrics is a consent solution from Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, which can be used to obtain and document consent to the storage of cookies. Usercentrics uses cookies or other web technology to recognize users and store their granted or revoked consent.

Purpose and legal basis

The use of this service is based on obtaining the legally required consent to the use of cookies in accordance with Article 6(1)(c) GDPR.

Storage duration

We are unable to influence the specific storage duration of the processed data, as it is determined by Usercentrics GmbH. More information can be found in the Usercentrics CDN privacy policy: https://usercentrics.com/privacy-policy/

10. Provision of the Online Offering and webhosting

We process the data of our contractual and business partners, for example, customers and prospective customers (referred to jointly as "Contractual Partners") as part of contractual and comparable legal relationships and associated measures, as well as part of communication with the Contractual Partners (or pre-contractually), for example, as part of a response.

We process this data in order to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services, any obligations to update and remedial measures in the event of warranty and other performance issues. Furthermore, we process the data to safeguard our rights and for the purposes of the administration tasks associated with these obligations and the company organization. We also process the data on the basis of our legitimate interests in proper, efficient company management and security measures for the protection of our Contractual Partners and our business against misuse, threats to their data, secrets, information, and rights (e.g., for the integration of telecommunications, transport, and other assistance services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Within the framework of the applicable law, we pass on data of Contractual Partners to third parties only if this is required for the aforementioned purposes or in order to fulfill legal obligations. Contractual Partners will be informed of other forms of processing, for example, for marketing purposes, in this privacy policy.

We inform Contractual Partners before or during data collection, for example, in online forms, through symbols (e.g., asterisks) or in person, as to which data is required for the aforementioned purposes.

We erase the data once the legal warranty and comparable obligations have been met, i.e., after 4 years, unless the data is stored in a customer account, for example, if it needs to be retained for legal archiving reasons. We will erase data that the Contractual Partner has shared with us as part of an order in accordance with the order specifications, and generally once the order is completed.

If, in order to provide our services, we use third‑party providers or platforms, the terms and conditions and privacy notices of the respective third‑party provider or platform apply to the relationship between the user and the provider.

Analysis and market research: For business reasons and so that we can identify market trends, the needs of Contractual Partners and users, we analyze the data made available to us through business transactions, contracts, requests, etc., whereby the group of data subjects may be Contractual Partners, prospective customers, customers, visitors, and users of our Online Offering.

The analyses take place for the purposes of business analysis, marketing, and market research (for example, to determine customer groups with different characteristics). If available, we may consider the profiles of registered users together with their details, such as the services they use. The analyses are solely for our benefit and will not be disclosed externally, unless the analyses are anonymous with consolidated (i.e., anonymous) values. Furthermore, we take into consideration the privacy of users and process the data for analysis purposes preferably under a pseudonym and, if possible, anonymously (e.g., as consolidated data).

Provision of the Online Offering and webhosting: So that we can provide our Online Offering securely and efficiently, we use the services of one or more webhosting providers, from whose servers (or servers they manage) the Online Offering can be retrieved. For these purposes, we can make use of infrastructure and platform services, computing power, storage space, and database services, as well as security services and technical maintenance services.

All information about a user of our Online Offering which is provided as part of use and communication may form part of the data processed as part of provision of the hosting service. This information includes, in particular, the IP address, which is required in order to deliver the content of the Online Offering to the browser, as well as all entries made within our Online Offering or on Websites.

· Types of processed data: content data (e.g., entries in online forms); usage data (e.g., websites visited, interest in content, access times); meta/communication data (e.g., retrieved information, IP addresses).

· Data subjects: users (e.g., website visitors, users of online services).

· Purposes of the processing: provision of our Online Offering and for ease of use.

· Legal basis: legitimate interests [Article 6(1)(f) GDPR]; your consent [Article 6(1)(a) GDPR].

Collection of access data and log files: We (or our webhosting providers) collect data about each access to the server (known as server log files). The access data includes the name and address of the retrieved website and files, the date and time of retrieval, the transferred data quantity, the report of successful retrieval, the browser type and version, the operating system of the user, the referrer URL (the page visited beforehand), and generally the IP address and the requesting provider. The server log files can be used for security purposes, in order to prevent server overload, as well as to unburden the servers and ensure their stability.

Log file information is saved for no more than 90 days and is then erased or anonymized. Data that needs to be stored for evidence purposes is excluded from the erasure until the respective incident has been conclusively resolved.

Content delivery network: We use a content delivery network (CDN). This is a service consisting of a network of connected servers which are used to quickly and securely deliver content from an Online Offering, especially large media files (such as graphics or program scripts), by means of regionally distributed servers connected to the internet. If a user visits our Website, a load distribution system ensures that most parts of our Website will be delivered from the server which can display our Website to you the quickest. This means that content on our Website is delivered to visitors not only by our host server, but also by servers all over the world. The following types of data are processed here: content data (e.g., text entries, photos, videos), usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses). Data subjects affected by the data collection include our users (e.g., visitors to our Website, users of online services); the purpose of the processing is fast, secure delivery of content, which represents a legitimate interest within the meaning of Article 6(1)(f) GDPR.


Additional information on the services used:

Usercentrics CDN

Type and extent of processing

We use Usercentrics CDN in order to properly provide the content on our Website. Usercentrics CDN is a service provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, which works as a content delivery network (CDN) on our Website to guarantee the functionality of other Usercentrics GmbH services. There is a separate section in this privacy policy describing the aforementioned services. This section solely describes the use of the CDN.

A CDN helps to provide content from our Online Offering more quickly, in particular, files such as graphics or scripts, with the aid of regionally or internationally distributed servers. When you access this content, you establish a connection to the servers of Usercentrics GmbH, whereby your IP address and, if necessary, browser data (such as your user agent) are transferred. This data will be processed by Usercentrics GmbH exclusively for the abovementioned purposes and to maintain security and functionality.

Purpose and legal basis

The content delivery network is used on the basis of our legal interests, i.e., interest in secure, efficient provision as well as the optimization of our Online Offering in accordance with Article 6(1)(f) GDPR.

Storage duration

We are unable to influence the specific storage duration of the processed data, as it is determined by Usercentrics GmbH. More information can be found in the Usercentrics CDN privacy policy: https://usercentrics.com/privacy-policy/

LinkedIn CDN

(Only on the website www.pentaxmedical.com)

Type and extent of processing

We use LinkedIn CDN for proper provision of the content on our Website. LinkedIn CDN is a service run by the LinkedIn Corporation, Sunnyvale, California, United States, and functions on our website as a content delivery network in order to ensure the functionality of other services of the LinkedIn Corporation. There is a separate section in this privacy policy describing the aforementioned services. This section solely describes the use of the CDN.

A CDN helps to provide content from our Online Offering more quickly, in particular, files such as graphics or scripts, with the aid of regionally or internationally distributed servers.

If you access this content, you establish a connection to the servers of the LinkedIn Corporation, whereby your IP address and, if necessary, browser data (such as your user agent) are transferred. This data will be processed by LinkedIn CDN exclusively for the abovementioned purposes and to maintain security and functionality.

Purpose and legal basis

The content delivery network is used on the basis of our legal interests, i.e., interest in secure, efficient provision as well as the optimization of our Online Offering in accordance with Article 6(1)(f) GDPR.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. In cases where there is no adequacy decision from the European Commission (e.g., in the USA), we have agreed other suitable guarantees with the recipients of the data within the meaning of Article 44 ff. GDPR. Unless otherwise specified, these are standard contractual clauses of the European Commission in accordance with Implementing Decision (EU) 2021/914 dated June 4, 2021. You can find a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&qid=1688139624811.

We would like to point out that there may be unknown risks in the details of third-country transfers (e.g., data processing by security authorities of the third country, whereby we do not know the precise extent and consequences for you and over which we have no influence, and of which you may have no knowledge under certain circumstances).

Storage duration

We are unable to influence the specific storage duration of the processed data, as it is determined by the LinkedIn Corporation. More information can be found in the LinkedIn CDN privacy policy: https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.

12. Contact and request management

When we are contacted (for example, by means of contact form, email, telephone or via social media), as well as in the context of existing usage and business relationships, the information from the requesting person is processed to the extent necessary in order to respond to the contact requests and any requested measures.

We respond to contact requests and manage contact and request data as part of contractual or pre-contractual relationships in order to fulfill our contractual obligations or respond to (pre-)contractual requests and furthermore on the basis of legitimate interests to respond to requests and maintain user or business relationships:

· Types of processed data: inventory data (e.g., names, addresses), contact information (e.g., email, telephone numbers), content data (e.g., entries in online forms).

· Data subjects: communication partners.

· Purpose of the processing: contact requests and communication.

· Legal bases: your consent [Article 6(1)(a) GDPR]; contract performance and pre-contractual requests [Article 6(1)(b) GDPR]; legitimate interests [Article 6(1)(f) GDPR].

Additional information on the services used:

CallRail

(Only on the website www.pentaxmedical.com)

Type and extent of processing

We use functions of CallRail Inc., 10 Peachtree St NW #2700, Atlanta, GA 30303, United States ("CallRail"). This is an integrated software solution that helps us to track and optimize call centers, including software which can track and record customer calls, and gives our customers the option to use online communication for measuring marketing campaigns, improving customer service, and increasing sales performance. For more details on the services, visit www.callrail.com/services/.

Purpose and legal basis

CallRail is used on the basis of your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) of the German Telecommunications-Telemedia Data Protection Act (TTDSG).

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. In cases where there is no adequacy decision from the European Commission (e.g., in the USA), we have agreed other suitable guarantees with the recipients of the data within the meaning of Article 44 ff. GDPR. Unless otherwise specified, these are standard contractual clauses of the European Commission in accordance with Implementing Decision (EU) 2021/914 dated June 4, 2021. You can find a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&qid=1688139624811.

We also obtain your consent prior to a third-country transfer of this kind in accordance with Article 49(1)(a) GDPR, which you grant by means of the Consent Manager (or other forms, registrations, etc.). We would like to point out that there may be unknown risks in the details of third-country transfers (e.g., data processing by security authorities of the third country, whereby we do not know the precise extent and consequences for you and over which we have no influence, and of which you may have no knowledge under certain circumstances).

Storage duration

We are unable to influence the specific storage duration of the processed data, as it is determined by CallRail Inc. More information can be found in the CallRail privacy policy: https://www.callrail.com/privacy.

12. Cloud services

We use software services available on the internet which run on provider servers ("cloud services", also known as "Software as a Service" or "Platform as a Service") for the following purposes: storage and management of documents, calendar management, sending emails, table calculations and presentations, the exchange of documents, content, and information with certain recipients, or settings of websites, forms, or other content and information, as well as chatting and participating in audio and video conferences.

In this context, personal data can be processed and stored on the provider servers, if this is part of the communication processes with us, or is otherwise processed by us, as set out in this privacy policy. This data may be, in particular, user master and contact data, data on transactions, contracts, other processes, and their contents. Providers of cloud services also process user data and meta data which they use for security purposes and to optimize the service.

When we use cloud services to provide forms or other documents and content for other users or publicly accessible websites, the provider can store cookies on user devices for web analysis purposes or to change user settings (e.g., for media control).

Notes on legal bases: When we obtain consent for use of the cloud services, the legal basis for the processing is the consent. Furthermore, use thereof may form part of our (pre-)contractual services, if the use of cloud services has been agreed in this context. Otherwise, the user data is processed on the basis of our legitimate interests (i.e., interests in efficient, secure management and collaboration processes).

· Types of processed data: inventory data (e.g., names, addresses); contact information (e.g., email, telephone numbers); content data (e.g., entries in online forms); usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses).

· Data subjects: customers, employees (e.g., employees, applicants, former employees); prospective customers; communication partners.

· Purpose of the processing: office and organizational processes.

· Legal basis: consent [Article 6(1)(a) GDPR]; contract performance and pre-contractual requests [Article 6(1)(b) GDPR]; legitimate interests [Article 6(1)(f) GDPR].

13. Web analysis, monitoring, and optimization

Web analysis (also known as "measuring reach") is used to analyze visitor streams on our Online Offering and may include behavior patterns, interests, or demographic information about visitors, such as age or gender, as pseudonym values. Measuring reach allows us, for example, to identify the time at which our Online Offering or its functions or contents are used most frequently, or to invite you to use our Online Offering again. We can also track the areas where there is a need for optimization. In addition to web analysis, we may also use test processes, for example, to test and optimize different versions of our Online Offering or its components.

Unless otherwise specified below, profiles (i.e., data compiled for a usage process) may be created for this purpose, and information may be stored in and read out from a browser or end device. The information collected includes, in particular, the websites visited and the elements used there, as well as technical information such as the browser used, the computer system used, and information about usage times. Location data may also be processed, provided that the users have given us or the providers of services we use their consent to collect their location data. The IP addresses of users are also recorded. To protect the user, however, we use an IP masking process (i.e., pseudonymization by shortening the IP address). In general, no explicit user data (e.g., email addresses or names) is stored as part of web analyses and optimization. Pseudonyms are stored instead. This means that we and the providers of the used software do not know the actual identity of the user, but only the information stored in their profiles for the purpose of the respective process.

Notes on legal bases: When we ask users for their consent to use by third‑party providers, the legal basis for processing the data is the consent. Otherwise, the user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and receiver-friendly services). In this context, we also refer to the information on the use of cookies (see Point 8 above).

· Types of processed data: usage data (e.g., websites visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses).

· Data subjects: users (e.g., website visitors, users of online services).

· Purpose of the processing: measuring reach (e.g., access statistics, identifying repeat visitors); profiles with user‑based information (creation of user profiles); click tracking; feedback (e.g., collection of feedback via online forms); heat maps (mouse movements of users, which form an overall picture); surveys and questionnaires (e.g., surveys with input options, multiple choice questions); marketing.

· Security measures: IP masking (pseudonymization of the IP address).

· Legal basis: consent [Article 6(1)(a) GDPR]; legitimate interests [Article 6(1)(f) GDPR].

Additional information on the services used:

Google Analytics

Type and extent of processing

We use Google Analytics run by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as an analytics service for statistical analysis of our Online Offering.

This includes, for example, the number of times our Online Offering is retrieved, the subpages visited, and the time visitors spend on pages. Google Analytics uses cookies and other browser technology to analyze user behavior and recognize users.

This information is used, among other things, to put together reports on Website activity.

Purpose and legal basis

Google Analytics is used on the basis of your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TTDSG. We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. In cases where there is no adequacy decision from the European Commission (e.g., in the USA), we have agreed other suitable guarantees with the recipients of the data within the meaning of Article 44 ff. GDPR. Unless otherwise specified, these are standard contractual clauses of the European Commission in accordance with Implementing Decision (EU) 2021/914 dated June 4, 2021. You can find a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&qid=1688139624811.

We also obtain your consent prior to a third-country transfer of this kind in accordance with Article 49(1)(a) GDPR, which you grant by means of the Consent Manager (or other forms, registrations, etc.). We would like to point out that there may be unknown risks in the details of third-country transfers (e.g., data processing by security authorities of the third country, whereby we do not know the precise extent and consequences for you and over which we have no influence, and of which you may have no knowledge under certain circumstances).

Storage duration

We are unable to influence the specific storage duration of the processed data, as it is determined by Google Ireland Limited. More information can be found in the Google Analytics privacy policy: https://policies.google.com/privacy.

Google Tag Manager

(Only on the website www.pentaxmedical.com)

Type and extent of processing

We use Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is used to manage website tags via an interface and enables us to manage the precise integration of services on our Website. This allows us to flexibly integrate additional services for analyzing visitor access to our Website.

Purpose and legal basis

Google Tag Manager is used on the basis of your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TTDSG. We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. In cases where there is no adequacy decision from the European Commission (e.g., in the USA), we have agreed other suitable guarantees with the recipients of the data within the meaning of Article 44 ff. GDPR. Unless otherwise specified, these are standard contractual clauses of the European Commission in accordance with Implementing Decision (EU) 2021/914 dated June 4, 2021. You can find a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&qid=1688139624811.

We also obtain your consent prior to a third-country transfer of this kind in accordance with Article 49(1)(a) GDPR, which you grant by means of the Consent Manager (or other forms, registrations, etc.). We would like to point out that there may be unknown risks in the details of third-country transfers (e.g., data processing by security authorities of the third country, whereby we do not know the precise extent and consequences for you and over which we have no influence, and of which you may have no knowledge under certain circumstances).

Storage duration

We are unable to influence the specific storage duration of the processed data, as it is determined by Google Ireland Limited. More information can be found in the Google Tag Manager privacy policy: https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/.

Clarity

(Only on the website www.pentaxmedical.com)

Type and extent of processing

We have integrated Clarity on our Website. Clarity is a service from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States, and provides optimization tools which analyze the behavior and feedback of users of our Website through analysis and feedback tools.

Clarity uses cookies and other browser technology to analyze user behavior and recognize users.

This information is used, among other things, to put together reports on Website activity and statistically analyze user data. Furthermore, Clarity records clicks, mouse movements, and scroll heights, in order to create heat maps and session replays.

In this case, your data is transferred to the operator of Clarity, the Microsoft Corporation.

Purpose and legal basis

Clarity is used on the basis of your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TTDSG.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. In cases where there is no adequacy decision from the European Commission (e.g., in the USA), we have agreed other suitable guarantees with the recipients of the data within the meaning of Article 44 ff. GDPR. Unless otherwise specified, these are standard contractual clauses of the European Commission in accordance with Implementing Decision (EU) 2021/914 dated June 4, 2021. You can find a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&qid=1688139624811.

We also obtain your consent prior to a third-country transfer of this kind in accordance with Article 49(1)(a) GDPR, which you grant by means of the Consent Manager (or other forms, registrations, etc.). We would like to point out that there may be unknown risks in the details of third-country transfers (e.g., data processing by security authorities of the third country, whereby we do not know the precise extent and consequences for you and over which we have no influence, and of which you may have no knowledge under certain circumstances).

Storage duration

We are unable to influence the specific storage duration of the processed data, as it is determined by Microsoft Corporation. More information can be found in the Clarity privacy statement: https://privacy.microsoft.com/en-us/privacystatement.

LinkedIn Insight Tag

(Only on the website www.pentaxmedical.com)

Type and extent of processing

We use LinkedIn Insight Tag from LinkedIn Corporation, Sunnyvale, California, United States, to create target groups, segment visitor groups for our Online Offering, determine conversion rates, and then optimize them. This takes place in particular when you interact with adverts that we have inserted with LinkedIn Corporation. To this end, LinkedIn Corporation offers a retargeting service for website visitors for displaying targeted adverts outside our Website.

LinkedIn Insight Tag records data on visitors to our Website, including the URL, referrer URL, IP address, device and browser properties (user agent), as well as time stamps. This data is used to present anonymized reports on the Website's target groups and the advert performance.

Purpose and legal basis

LinkedIn Insight Tag is used on the basis of your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TTDSG.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. In cases where there is no adequacy decision from the European Commission (e.g., in the USA), we have agreed other suitable guarantees with the recipients of the data within the meaning of Article 44 ff. GDPR. Unless otherwise specified, these are standard contractual clauses of the European Commission in accordance with Implementing Decision (EU) 2021/914 dated June 4, 2021. You can find a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&qid=1688139624811.

We also obtain your consent prior to a third-country transfer of this kind in accordance with Article 49(1)(a) GDPR, which you grant by means of the Consent Manager (or other forms, registrations, etc.). We would like to point out that there may be unknown risks in the details of third-country transfers (e.g., data processing by security authorities of the third country, whereby we do not know the precise extent and consequences for you and over which we have no influence, and of which you may have no knowledge under certain circumstances).

Storage duration

We are unable to influence the specific storage duration of the processed data, as it is determined by the LinkedIn Corporation. More information can be found in the LinkedIn Insight Tag privacy policy: https://www.linkedin.com/legal/privacy-policy.

14. Online marketing

We process personal data for the purposes of online marketing, which may include, in particular, the marketing of advertising space or the display of advertising and other content (referred to jointly as "Content") based on the potential interests of users and the measurement of their effectiveness.

For this purpose, user profiles are created and stored in files (cookies) or used in similar processes, through which the user information that is relevant for the display of the aforementioned Content is stored. This information may include, for example, viewed content, visited websites, online networks used, as well as communication partners and technical information such as the browser used, the computer system used, as well as information about usage times and functions used. If the users have consented to the collection of their location data, this may also be processed.

The IP addresses of users are also recorded. To protect the user, however, we use available IP masking processes (i.e., pseudonymization by shortening the IP address). In general, no explicit user data (e.g., email addresses or names) is stored as part of online marketing. Pseudonyms are stored instead. This means that we and the providers of the online marketing process do not know the actual identity of the user, but only the information stored in their profiles.

The information in the profile is generally stored in the cookies or by means of a similar process. As a rule, these cookies can then be read out on other websites that use the same online marketing process and analyzed for the purposes of displaying content. Additional data can also be added to them, and they can be stored on the server of the provider of the online marketing process.

By way of exception, explicit data can be assigned to the profiles. This is the case, for example, if the user is a member of a social network whose online marketing process we use, and the network links the profile of the user to the aforementioned information. Please note that users can conclude additional agreements with the providers, for example, by providing their consent during registration.

Generally, we only have access to compiled information about the success of our advertising measures. However, we may use conversion measurements to check which of our online marketing processes has led to a conversion, i.e., a contract being concluded with us. The conversion measurement is used exclusively to analyze the success of our marketing measures.

Unless otherwise specified, you can assume that the cookies used will be stored for a period of two years.

Notes on legal bases: When we ask users for their consent to use by Third‑Party Providers, the legal basis for processing the data is the consent. Otherwise, the user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and receiver-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.

Additional information on the services used:

Google Ads

Type and extent of processing

We have integrated Google Ads on our Website. Google Ads is a service run by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, which shows users targeted advertising. Google Ads uses cookies and other browser technology to analyze user behavior and recognize users.

Google Ads gathers information about visitor behavior on various websites. This information is used to optimize the relevance of the advertising. Furthermore, Google Ads provides targeted advertising on the basis of behavior profiles and geographical location. Your IP address and other identifying features such as your user agent are transferred to the provider.

If you are registered with a Google Ireland Limited service, Google Ads can also assign the visit to your account. Even if you are not registered with Google Ireland Limited or have not logged in, it is possible for the provider to find out and store your IP address and other identifying features.

In this case, your data is transferred to the operator of Google Ads, Google Ireland Limited.

Purpose and legal basis

Google Ads is used on the basis of your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TTDSG.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. In cases where there is no adequacy decision from the European Commission (e.g., in the USA), we have agreed other suitable guarantees with the recipients of the data within the meaning of Article 44 ff. GDPR. Unless otherwise specified, these are standard contractual clauses of the European Commission in accordance with Implementing Decision (EU) 2021/914 dated June 4, 2021. You can find a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&qid=1688139624811.

We also obtain your consent prior to a third-country transfer of this kind in accordance with Article 49(1)(a) GDPR, which you grant by means of the Consent Manager (or other forms, registrations, etc.). We would like to point out that there may be unknown risks in the details of third-country transfers (e.g., data processing by security authorities of the third country, whereby we do not know the precise extent and consequences for you and over which we have no influence, and of which you may have no knowledge under certain circumstances).

Storage duration

We are unable to influence the specific storage duration of the processed data, as it is determined by Google Ireland Limited. More information can be found in the Google Ads privacy policy: https://policies.google.com/privacy.

Google AdSense

(Only on the website www.pentaxmedical.com)

Type and extent of processing

We have integrated Google AdSense on our Website. Google AdSense is a service run by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for displaying targeted advertising on our Website. Google AdSense uses cookies and other browser technology to analyze user behavior and recognize users.

Google Ireland Limited collects information about user behavior on various websites. This information is used to optimize the relevance of the advertising. In addition, Google AdSense provides targeted advertising on the basis of behavior profiles and geographical location. Your IP address and other identifying features such as your user agent are transferred to the provider.

If you are registered with a Google Ireland Limited service, Google AdSense can also assign the visit to your account. Even if you are not registered with Google Ireland Limited or have not logged in, it is possible for the provider to find out and store your IP address and other identifying features.

In this case, your data is transferred to the operator of Google AdSense, Google Ireland Limited.

Purpose and legal basis

Google AdSense is used on the basis of your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TTDSG.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. In cases where there is no adequacy decision from the European Commission (e.g., in the USA), we have agreed other suitable guarantees with the recipients of the data within the meaning of Article 44 ff. GDPR. Unless otherwise specified, these are standard contractual clauses of the European Commission in accordance with Implementing Decision (EU) 2021/914 dated June 4, 2021. You can find a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&qid=1688139624811.

We also obtain your consent prior to a third-country transfer of this kind in accordance with Article 49(1)(a) GDPR, which you grant by means of the Consent Manager (or other forms, registrations, etc.). We would like to point out that there may be unknown risks in the details of third-country transfers (e.g., data processing by security authorities of the third country, whereby we do not know the precise extent and consequences for you and over which we have no influence, and of which you may have no knowledge under certain circumstances).

Storage duration

We are unable to influence the specific storage duration of the processed data, as it is determined by Google Ireland Limited. More information can be found in the Google AdSense privacy policy: https://policies.google.com/privacy.

DoubleClick by Google

(Only on the website www.pentaxmedical.com)

Type and extent of processing

We have integrated components of DoubleClick by Google on our Website. DoubleClick by Google is a service run by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, through which predominantly specific online marketing solutions are marketed to advertising agencies and publishers. DoubleClick by Google transfers data to the DoubleClick server with each impression as well as clicks or other activity.

Each of these data transfers triggers a cookie request in the browser of the data subject. If the browser accepts this request, DoubleClick places a cookie in your browser.

DoubleClick uses a cookie ID, which is required to run the technical process. The cookie ID is required, for example, to display an advert in a browser. DoubleClick can also use the cookie ID to record which adverts have already been inserted into a browser, in order to avoid duplicate adverts. In addition, the cookie ID also makes it possible for DoubleClick to record conversions. Conversions are then recorded, for example, when a DoubleClick advert has previously been shown to a user and the user then makes a purchase on the website of the advertising company using the same internet browser.

A DoubleClick cookie does not contain any personal data, but may include additional campaign identifiers. A campaign identifier is used to identify the campaign with which you were in contact on other websites. As part of this service, Google obtains knowledge of data which helps it to generate commissions. Google can also track whether you have clicked on certain links on our Website. In this case, your data is transferred to the operator of DoubleClick. More information and the applicable DoubleClick by Google privacy policy can be found at https://policies.google.com/privacy.

Purpose and legal basis

We process your data using DoubleClick cookies for the purpose of optimization and insertion of adverts on the basis of your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TTDSG.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. In cases where there is no adequacy decision from the European Commission (e.g., in the USA), we have agreed other suitable guarantees with the recipients of the data within the meaning of Article 44 ff. GDPR. Unless otherwise specified, these are standard contractual clauses of the European Commission in accordance with Implementing Decision (EU) 2021/914 dated June 4, 2021. You can find a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&qid=1688139624811.

We also obtain your consent prior to a third-country transfer of this kind in accordance with Article 49(1)(a) GDPR, which you grant by means of the Consent Manager (or other forms, registrations, etc.). We would like to point out that there may be unknown risks in the details of third-country transfers (e.g., data processing by security authorities of the third country, whereby we do not know the precise extent and consequences for you and over which we have no influence, and of which you may have no knowledge under certain circumstances).

Storage duration

We are unable to influence the specific storage duration of the processed data, as it is determined by Google Ireland Limited. More information can be found in the Google DoubleClick privacy policy: https://policies.google.com/privacy.

15. Plugins and embedded functions and content

We include functions and content in our Online Offering which are acquired from the servers of the respective provider (hereinafter "Third-Party Providers"). These may be, for example, graphics, videos, or maps (hereinafter referred to jointly as "Content").

The integration always requires the Third‑Party Providers of this Content to process the IP address of the user, as they could not send the Content to the browser without the IP address. The IP address is therefore required to display this Content or these functions. We aim to use only such Content whose respective providers use the IP address only to deliver the content. Third‑Party Providers can also use pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The pixel tags can be used to analyze information such as visitor traffic on the pages of this Website. The pseudonymized information can also be stored in cookies on the user device and includes technical information about the browser and operating system, websites to be retrieved, the time of the visit, and other information about the use of our Online Offering, and may also be linked to this kind of information from other sources.

Notes on legal bases: When we ask users for their consent to use by Third‑Party Providers, the legal basis for processing the data is the consent. Otherwise, the user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and receiver-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.

· Types of processed data: usage data (e.g., visited websites, interest in content, access times); meta/communication data (e.g., device information, IP addresses); inventory data (e.g., names, addresses); contact information (e.g., email, telephone numbers); content data (e.g., entries in online forms); event data (Facebook) ["event data" is data which can be transferred by us to Facebook, e.g., by means of Facebook pixels (via the app or other means) and which can be attributed to people or their actions; the data includes, for example, information about website visits, interactions with content, functions, installation of apps, purchases of products, etc. The event data is processed to form target groups for content and advertising information (custom audiences); event data does not contain any actual content (such as written comments), login information, or contact information (i.e., no names, email addresses, or telephone numbers)]. Event data is erased by Facebook after no more than two years on a target group basis with the deletion of our Facebook account.

· Data subjects: users (e.g., website visitors, users of online services)

· Purposes of the processing: provision of our Online Offering and for user friendliness; provision of contractual services and customer service; marketing; profiles with user-specific information (creation of user profiles); feedback (e.g., gathering feedback by means of online form).

· Legal basis: consent [Article 6(1)(a) GDPR]; contract performance and pre-contractual requests [Article 6(1)(b) GDPR]; legitimate interests [Article 6(1)(f) GDPR].

Additional information on the services used:

YouTube

(only on the websites www.pentaxmedical.com, www.eus-j10.com, hygiene.pentaxmedical.com, and inspira.pentaxmedical.com)

Type and extent of processing

We have integrated YouTube Video on our Website. YouTube Video is a component of the video platform run by YouTube LLC, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, on which users can upload content, share it on the internet, and obtain detailed statistics.

YouTube Video enables us to integrate content from the platform into our Website.

YouTube Video uses cookies and other browser technology to analyze user behavior, recognize users, and create user profiles. This information is used to analyze the activity of content that has been listened to and create reports. If a user is registered with YouTube LLC, YouTube Video can assign the played videos to the profile.

If you access this content, you establish a connection with the servers of YouTube LLC, and your IP address and, if necessary, browser data such as your user agent will be transferred.

Purpose and legal basis

This service is used on the basis of your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TTDSG.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. In cases where there is no adequacy decision from the European Commission (e.g., in the USA), we have agreed other suitable guarantees with the recipients of the data within the meaning of Article 44 ff. GDPR. Unless otherwise specified, these are standard contractual clauses of the European Commission in accordance with Implementing Decision (EU) 2021/914 dated June 4, 2021. You can find a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&qid=1688139624811.

We also obtain your consent prior to a third-country transfer of this kind in accordance with Article 49(1)(a) GDPR, which you grant by means of the Consent Manager (or other forms, registrations, etc.). We would like to point out that there may be unknown risks in the details of third-country transfers (e.g., data processing by security authorities of the third country, whereby we do not know the precise extent and consequences for you and over which we have no influence, and of which you may have no knowledge under certain circumstances).

Storage duration

We are unable to influence the specific storage duration of the processed data, as it is determined by YouTube LLC. More information can be found in the YouTube Video privacy policy: https://policies.google.com/privacy.

Vimeo Video

(only on the websites www.pentaxmedical.com and definasystem.com)

Type and extent of processing

We have integrated Vimeo Video on our Website. Vimeo Video is a component of the video platform run by Vimeo LLC, 555 W 18th St, New York, New York 10011, USA, on which users can upload content, share it on the internet, and obtain detailed statistics. Vimeo Video enables us to integrate content from the platform into our Website.

Vimeo Video uses cookies and other browser technology to analyze user behavior, recognize users, and create user profiles. This information is used to analyze the activity of content that has been listened to and create reports. If you access this content, you establish a connection with the servers of Vimeo LLC, and your IP address and, if necessary, browser data such as your user agent will be transferred.

Purpose and legal basis

Vimeo Video is used on the basis of your consent in accordance with Article 6(1)(a) GDPR and Section 25(1) TTDSG.

We intend to transfer personal data to third countries outside the European Economic Area, particularly the USA. In cases where there is no adequacy decision from the European Commission (e.g., in the USA), we have agreed other suitable guarantees with the recipients of the data within the meaning of Article 44 ff. GDPR. Unless otherwise specified, these are standard contractual clauses of the European Commission in accordance with Implementing Decision (EU) 2021/914 dated June 4, 2021. You can find a copy of these standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&qid=1688139624811.

We also obtain your consent prior to a third-country transfer of this kind in accordance with Article 49(1)(a) GDPR, which you grant by means of the Consent Manager (or other forms, registrations, etc.). We would like to point out that there may be unknown risks in the details of third-country transfers (e.g., data processing by security authorities of the third country, whereby we do not know the precise extent and consequences for you and over which we have no influence, and of which you may have no knowledge under certain circumstances).

Storage duration

We are unable to influence the specific storage duration of the processed data, as it is determined by Vimeo LLC. More information can be found in the Vimeo Video privacy policy: https://vimeo.com/privacy.

16. Rights of data subjects

In accordance with the GDPR, you have various rights as a data subject. These rights can be found in particular under Articles 15 to 21 GDPR:

· Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

· Right to withdraw consent: You have the right to withdraw your consent at any time.

· Right of access: You have the right to obtain confirmation as to whether personal data concerning you is being processed, and obtain access to this data and, in accordance with the statutory provisions, further information and a copy of the data.

· Right to rectification: In accordance with the statutory provisions, you have the right to have incomplete personal data concerning you completed or to have inaccurate personal data concerning you rectified.

· Right to erasure and restriction of processing: You have the right, in accordance with the statutory provisions, to obtain the erasure of personal data concerning you without undue delay, or alternatively to obtain restriction of processing in accordance with the statutory provisions.

· Right to data portability: You have the right to receive the data that you have provided to us, in accordance with the statutory provisions, in a structured, commonly used and machine-readable format, or to have the data transmitted to another controller.

· Right to lodge a complaint with a supervisory authority: In accordance with the statutory provisions and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

17. Changes and updates to this privacy policy

We ask that you stay regularly informed about the content of our privacy policy. We will amend the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require your participation (e.g., consent) or another individual communication.

Where we provide addresses and contact details of companies and organizations in this privacy policy, we would like to point out that the addresses may change over time and ask that you check the information before contacting us.