Authorized Representative Services

Privacy Policy

Welcome to the MDSS GmbH website. We appreciate your interest in our company. Protection of the personal data you entrust to us is a priority and we want you to feel safe and secure when you visit our website or use our online offers.

Data Processing Policy for our European Authorized representative (EC REP) Service and towards consumers

In order to fulfill our information obligation towards our clients and towards you as a consumer of the products we represent as per Art. 12, 13 of the General Data Protection Regulation (GDPR), we subsequently present you our information on data protection:

Who is responsible for data processing?
The responsible entity as per data privacy law is


Schiffgraben 41
30175 Hannover
Tel: +49 (0) 511 6262 8630

Which data do we process? And for which purposes?

If we have received data from you, we basically process them only for the purposes for which we have collected them. 

As a rule, these purposes are:

For our European Authorized Representative service in B2B relationship (EC REP-B2B):

  • Communication/support for the fulfillment of the contract
  • Documentation of necessary records and performance of a registration with the competent authorities   
  • Communication with the competent authorities  
  • Information on our products and services (customer surveys included), unless you have objected to the use of your data
  • Invoicing and debiting  
  • Fulfilment of warranty claims

For our European Authorized Representative service in B2C relationship (EC REP-B2C):

  • Communication/support for the fulfilment of the contract, e.g.: recording claims; Processing of claims or repair request and communication as the representative of the registered medical device
  • Documentation of the necessary records and processing of “European Medical Device Vigilance” procedures
  • Communication with the competent authorities for the above cases
  • Fulfillment of warranty claims

For our Free Sales Certificate (FSC) / Certificate of Free Sale (CFS) / Certificate of Marketability for non-European countries & Cosmetics Responsible Person (RP):

  • Communication/support for the fulfillment of the contract
  • Documentation of necessary records and performance of a registration with the competent authorities   
  • Communication with the competent authorities  
  • Information on our products and services (customer surveys included), unless you have objected to the use of your data
  • Invoicing and debiting 
  • Fulfillment of warranty claims

For our Advisory Services (AS) to interested parties:

  • Possible justification of the contractual relationship
  • Internal and external communication
  • Assertion of legal claims and defense in legal disputes
  • Information on our products and services (customer surveys included), unless you have objected to the use of your data
  • Statistical evaluations or market analysis

The data are in general:


  • Your master data (e.g. last name, first name, title, address form)
  • Contact data (e.g. email address, phone number, mobile phone number) 
  • Transaction data (e.g. IBAN, BIC, billing address)   
  • Data required for the registration procedure (e.g. access data for competent authorities, information on devices)

For EC REP B2C & AS:

  • Your master data (e.g. last name, first name, title, address form)
  • Contact data (e.g. email address, phone number, mobile phone number) 
  • Data on your request 

And other personal data you may provide to us in the course of our mutual (pre)contractual relation. 

Please note that we cannot enumerate all potential data. We do, however, collect only data which you actively provide to us, or which are publicly available. 

Data processing for other purposes is considered only if the required legal specifications according to Art. 6 Section 4 of the GDPR apply. In such a case, we will naturally fulfill possible information obligations according to Art. 13 Section 3 of the GDPR and Art. 14 Section 4 of the GDPR.

Which legal provisions is this based on?

  • Data processing for the performance of a contract (Art. 6 Section 1 lit. b of the GDPR)
  • Data processing based on the consideration of interests (Art. 6 Section 1 lit. f of the GDPR) 
  • Data protection for compliance with a legal obligation (Art. 6 Section 1 lit. c of the GDPR)
  • Data processing in order to protect the vital interests of the data subject or of another natural person(Art. 6 Section 1 lit. d of the GDPR)

If personal data is processed based on your consent, you have the right to withdraw your consent at any time, with effect for the future. You can send your withdrawal to the attention of our data protection officer mentioned further below.

We base our legitimate interest on the communication with contract relevant contact persons, retention of records beyond possible retention times, in order to provide you a consistent documentation, on claims management. We also use your data for marketing and opinion research purposes, in order to find out the interests and inquiries in regards to future products and services. If necessary, we process your data also for assertion of our legal claims and in our defense in case of legal disputes. Furthermore, we make use of the option of direct marketing as per Recital 47 of the GDPR, we pursue a legitimate interest to inform our clients about our services via communication channels, if said clients have actively contacted us in this matter.

As the affected person, you have the right to object to the processing of your personal data for these purposes, taking into account the provisions of Art. 21 of the GDPR.

How long are the data stored?

We process the data for as long as necessary for the respective purpose. 

If legal retention obligations apply – e.g. in commercial law or fiscal law – personal data are stored for the duration of the obligation. Once the retention period has elapsed, we will verify whether the necessity for processing persists. If it no longer applies, the data will be deleted. 

Depending on the country and the competent authority where we have performed a registration, different retention times apply. These are usually between ten and fifteen years.

To which recipients do we disclose data?

In principle, we disclose your personal data to third parties (referred to as recipients) only if it is required for the performance of the mutual contract with you, if disclosure is permitted based on a consideration of interests as per Art. 6 Section 1 lit. f of the GDPR, if we are obliged to disclose them, or if you have given your consent. 

Such recipients are for example connected companies – including laboratories –, which provide support with fulfilling the contract, as well as external certification bodies (trade supervision or others, depending on the certification country) which receive data for registration in accordance with the legal provisions. 

Within the scope of the requirements of the fiscal and commercial law, we may also disclose data to consultants such as tax consultants, banks or other tax authorities. 

Third persons in our case do not include service providers and affiliated companies obliged to adhere to our requirements on data protection. For this purpose, we have concluded data processing contracts, and we ensure thereby that you can exercise your rights towards them as well. Such entities are e.g. IT service providers or software system companies for IT applications (e.g. external IT administrators, ERP system producers etc.) and qualified service providers in the area of document destruction.

Information on provision of personal data

Any data requested by us for the purpose of the registration process are necessary to ensure the performance of the registration. In each of these cases, collection, processing and use of personal data of the affected persons is based on a contractual relationship or the initiation of a contractual relationship, or on legal provisions. Data in excess thereof, such as contract person data, may not always be necessary, they could, however, fulfill our legitimate interest. You do not necessarily need to provide them to us and can oppose to their processing.

In order to process your inquiries, we are dependent on your information. When processing your inquiries, the processing of the personal data of the data subjects relates to a corresponding contractual relationship or to legal regulations.
You do not necessarily have to provide us with data that is not required by a legal regulation and you can object to the processing. When collecting the data, we will draw your attention to which data is required.

Where do we process data?

We process your personal data exclusively in data processing centers within the European Union (IONOS in Germany), thus the Data Protection Regulation applies at all times. Since this is a European legal requirement, no data will be passed on to authorities outside the European Union.

Manufacturers of the products may, however, be located outside the European Union.

As some registrations involve international registration authorities, your data must be transmitted to agencies and international organizations. The data transfer is subject to Art. 49 Section 1 of the GDPR as an individual case.

Principles of data processing when using „Zoom“ for online meetings and phone conferences

In order to fulfill our information obligations per Art. 12, 13 of the General Data Protection Regulation (GDPR) towards our clients, participants of webinars and our employees, we would like to present our information on data protection:

Purpose of Data Processing

We use the “Zoom” online tool to hold phone conferences, online meetings, video conferences, and webinars (hereinafter referred to as “online meetings”).

Legal Basis for Data Processing 

For the processing of data of MDSS GmbH employees, the legal basis for data processing is § 26 of the Federal Data Protection Act and Art. 6 Section 1 lit. f) of the GDPR. Our interest in these cases is the effective realization of “online meetings”. 

With respect to our clients and participants of webinars, the legal basis for data processing when holding “online meetings” is Art. 6 Section 1 lit. b) of the GDPR, as they are held within the scope of the contractual relationship. 

In case that no contract is in place, the legal basis is Art. 6 Section 1 lit. f). Here, too, our interest is the effective realization of “online meetings”. 

Types of Data Being Processed: 

User Information: 

First name, last name, phone number (optional), email address, password (when “single sign-on” is not used), profile picture (optional), Department (optional) 

Meeting Meta Data: 

Subject, Description (optional), participant IP address, device/hardware information 

For Recordings (optional): 

MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of all online meeting chats 

For Telephone Dial-In: 

Information on incoming and outgoing phone number, country, start and end time.  Further connection information, such as the IP address of the device, may be stored. 

How long is data stored? 

We process the data for as long as it is required for the respective purpose. 

Of course you can request information on stored personal data concerning you at any time (see below), and, if there is no necessity for further retention, request erasure of your data or restriction of processing. 

To which recipients are data transferred? 

If data from “online meetings” are not intended for transfer, we generally do not make them available to further recipients. 

As a service provider, “Zoom” is necessarily informed of the above mentioned data, to the extent to which it is intended within the scope of our processing contract with “Zoom”. 

Data Processing Outside the European Union 

The servers of the service provider “Zoom” are located in the U.S., therefore, data is processed in the U.S. (a third country). For this reason we have concluded a processing contract (as described above), which reflects the requirements of Art. 28 of the GDPR. 

An adequate level of data protection is guaranteed by conclusion of the so-called EU standard contractual clauses. Furthermore, “Zoom” also offers information on data protection


On this website data is collected and stored using the web analysis service software Matomo (, a service of the provider InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand, ("Matomo") on the basis of our legitimate interest in the statistical analysis of user behaviour for optimisation and marketing purposes in accordance with Art. 6 Para. 1 lit. f DSGVO. From this data, pseudonymized user profiles can be created and evaluated for the same purpose. Cookies may be used for this purpose. Cookies are small text files that are stored locally in the cache of the visitor's Internet browser. Among other things, the cookies enable the recognition of the Internet browser. The data collected with Matomo technology (including your pseudonymised IP address) is processed on our servers.
The information generated by the cookie in the pseudonymous user profile is not used to personally identify the visitor of this website and is not combined with personal data about the bearer of the pseudonym.
If you do not agree with the storage and evaluation of this data from your visit, you can object to the storage and use of this data at any time. In this case a so-called opt-out cookie is stored in your browser, which means that Matomo does not collect any session data. Please note that the complete deletion of your cookies means that the opt-out cookie is also deleted and may have to be reactivated by you.

Cookies used on our Website

When you enter our website, you will be asked by a banner for your consent to data processing through cookies. The consent refers to the following listed cookies and represents a consent according to Art. 6 (1) lit. a GDPR.

If you make a decision, we set a cookie with you around this decision to store. This cookie bears the name "_pk_id.1.6a50" and is stored for 28 days. After the 28 days have expired, you will have to give your consent again or object to the processing on a new visit.


We use a cookie banner on this website to obtain your consent to the storage of certain cookies on your end device or to the use of certain technologies and to document this in accordance with data protection regulations. The provider of this technology is: a service provider by InnoCraft Ltd., 150 Willis St, 6011 Wellington, Neuseeland, („Mataomo"). 

When you visit our website, the following personal data is transferred to the provider: 

  • Your consent(s) or withdrawal of your consent(s) 
  • your IP address 
  • Information about your browser 
  • Information about your device
  • Time of your visit to the website 

Furthermore, we store a cookie in your browser in order to be able to allocate the given consent or its revocation to you. The data collected in this way will be stored until you request us to delete it, or the purpose for storing the data no longer applies. Mandatory statutory retention requirements remain unaffected. It is used to obtain the legally required consent for the use of certain technologies. 

Legal basis: Art. 6 Para. 1 c GDPR.

Social Media Buttons

We also want our website to display information, that we share on social networks on this website and give you the possibility to share out information on your social media accounts. For this we use plugins of the providers of the respective services. If you click on the plugin to share a post over the network, a connection will be established with the respective service. This contribution is then made visible in your user account according to your privacy settings for the service - e.g. only to a certain group of people in the network or publicly.

The default settings of the plugins would immediately transfer your personal data to the social network server when you access the website, regardless of whether you click or tap on the plugin or are registered as a user in the social network. To avoid this, we used the Shariff tool. With Shariff the connection to the server of the service is only established when you click on the plugin.

Shariff is provided by c't and heise online as open source software. More information can be found here:

The legal basis for data processing by social networks after the integration of the Shariff tool is Art. 6 para. 1 lit. a) DSGVO. The use of the plugins for advertising purposes only takes place after your active consent.

We currently use the Twitter button with Shariff: The social plugin of the social network Twitter is used on the website. By clicking on the "Twitter" button, you can share a post with your contacts on Twitter and our current tweets on the website will be displayed.

If you are logged in to your Twitter account when you activate the plugin, the data transferred will be assigned to your user account and the shared post will be displayed there.

Twitter is a service of Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. Twitter Inc. is certified under the EU-US Privacy Shield, an agreement that ensures compliance with EU privacy laws. You can access Twitter's privacy statement at the following link:

Your rights as “data subject”

You have the right to obtain information on the personal data processed by us, as per Art. 15 GDPR. If a request for information is not submitted in writing, please understand that we may request documentation proving your identity. 

Furthermore, you have the right of rectification, erasure or restriction of processing, whenever legally permitted according to Art. 16, 17 and 18 of the GDPR. 

An automated individual decision-making as per Art. 22 of the GDPR does not apply.

Furthermore, you have the right of objection to processing within the scope of the legal provisions. The same applies to the right of data portability. In particular, you have the right of objection according to Art. 21 Section 1 and 2 of the GDPR against processing of your data in connection with Art. 6 Section 1 lit. f of the GDPR. You can file the objection informally to the attention of our data protection officer at the following addresses:

Our data protection officer:

We have designated an external data protection officer for our company. You can reach them at the following contact:

Right of appeal

You have the right to complain about the processing of your personal data by our company to a supervisory authority in charge of data protection.

  • UK Responsible Person

    6 Wilmslow Road, Rusholme, Manchester M14 5TP, UK

    +44 7898 375115

  • U.S. Agent

    IL 60630

    +1 (312) 975-1694

  • Cosmetics Responsible Person

    Schiffgraben 41
    30175 Hannover

    +49 511 6262 8630

  • CH-REP

    Laurenzenvorstadt 61
    5000 Aarau

  • Importer

    Limmerstraße 15
    30451 Hannover

    +49 511 62 62 86 30


Schiffgraben 41
30175 Hannover


Stay informed