1. Controller
The controller responsible for the processing of personal data on this website is:
aap JOINTS GmbH
Wilhelm-von-Siemens-Str. 23, Staircase F / 1st Floor
12277 Berlin
Germany
Phone: +49 30 403 638 200
Fax: +49 30 403 638 219
Email: info@aap-joints.com
For general inquiries, complaints, and service requests, we also use the contact addresses published on the website: complaints@aap-joints.com and service@aap-joints.com.
Data Protection Officer:
Wilhelm-von-Siemens-Str. 23, Staircase F / 1st Floor
12277 Berlin
Germany
Email: datenschutz@aap-joints.com
2. Purposes, Categories of Data, and Legal Bases
We process personal data only to the extent permitted by law. Which data we process depends on how you use our website.
| Processing | Typical Data | Purpose | Legal Basis |
|---|---|---|---|
| Provision of the website and server operation | IP address, date/time, accessed URL, browser/device data, referrer, log data | Technical provision, stability, IT security, error analysis | Art. 6(1)(f) GDPR |
| Cookies, local storage, consent management | Consent status, cookie/storage identifiers, technical settings | Management and documentation of your choices, delivery of permissible content | Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR, alternatively Art. 6(1)(f) GDPR; Section 25(2) TDDDG |
| Optional analytics, video, and third-party content | IP address, device/browser data, usage data, IDs, interaction data | Statistics, audience measurement, media integration, convenience functions | Art. 6(1)(a) GDPR; Section 25(1) TDDDG |
| Contact requests / distributor inquiries | Name, email, phone number, region, message, communication content | Handling your request, initiating a contract, business communication | Art. 6(1)(b) GDPR or Art. 6(1)(f) GDPR |
| Complaints, service, vigilance, post-market surveillance | Contact and case data, product information, case/process data; in individual cases also health data | Product safety, quality management, fulfillment of regulatory obligations, defense of legal claims | Art. 6(1)(c) and (f) GDPR; for health data additionally Art. 9(2)(i) and/or (f) GDPR |
| Applications | Name, contact details, cover letter, CV, certificates, uploads, application status | Conducting the application process | Art. 6(1)(b) GDPR, Art. 88 GDPR, Section 26 BDSG |
In addition, Section 25 TDDDG applies to access to information on your terminal device or storage there. Under this provision, storage or access that is not strictly necessary is generally permitted only with consent. The website publishes a distributor form, internal application forms, an external Personio careers page, and a section for post-market surveillance.
3. Hosting, Server Log Files, and Technical Provision
When you access this website, your browser automatically transmits technical information to the web server. This includes, in particular, your IP address, the date and time of access, the specific page accessed, referrer information, browser type, version, operating system, and comparable technical usage data.
These data are processed in order to technically provide the website, ensure system security, detect misuse, defend against attacks, and remedy errors. The legal basis is Art. 6(1)(f) GDPR.
STRATO infrastructure is used for hosting. A data processing agreement pursuant to Art. 28 GDPR has been concluded.
4. Cookies, Local Storage, and Consent Management
Our website uses cookies, local storage, and comparable technologies. Some of these are technically necessary to provide the website, store your language settings or the status of a notice, and document your consent decision. Other technologies serve statistical, analytical, convenience, or media purposes and are used only where a corresponding legal basis exists.
Where their use is not technically necessary, they are used only on the basis of your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. We rely on Section 25(2) TDDDG and Art. 6(1)(c) or (f) GDPR for technically necessary technologies.
According to the current technical setup, Piwik PRO Consent Manager is used for managing consents.
Further information: Piwik PRO Privacy Policy
5. Services Used and External Content
To the extent that external content or optional services are integrated into the website, we and/or the respective providers process personal data. Below you will find the main services currently taken into account.
| Service | Purpose | Typical Data | Legal Basis | Provider Information |
|---|---|---|---|---|
| Piwik PRO Consent Manager | Consent management | Consent status, technical IDs, browser/device data | Section 25(2) TDDDG, Art. 6(1)(c) / (f) GDPR | Piwik PRO Privacy Policy |
| Piwik PRO Analytics | Audience measurement, statistics, analytics | IP address, cookie IDs, browser/device data, page views, session data, interactions | Art. 6(1)(a) GDPR, Section 25(1) TDDDG | Piwik PRO Privacy Policy, Disclosure / Help |
| Google Fonts (if not hosted locally) | Display of fonts | IP address, requested URL, HTTP headers, browser/OS data, referrer | Art. 6(1)(a) GDPR, Section 25(1) TDDDG | Google Fonts – Privacy & Data Collection, Google Privacy Policy |
| YouTube | Integration of external videos | IP address, device/browser data, usage data, referrer, interactions | Art. 6(1)(a) GDPR, Section 25(1) TDDDG | Google Privacy Policy |
| Vimeo | Integration of external videos | IP address, device/browser data, usage data, interactions | Art. 6(1)(a) GDPR, Section 25(1) TDDDG | Vimeo Privacy Policy |
| Comply (if integrated on subpages) | Privacy/consent widgets | IP address, log data, technical identifiers, cookie/local-storage information | Depending on the function: Section 25(2) TDDDG or Art. 6(1)(a) GDPR / Section 25(1) TDDDG | Comply Privacy Policy |
| Personio | External applicant management | Application data, contact data, uploads, usage and log data of the recruiting page | Art. 6(1)(b) GDPR, Art. 88 GDPR, Section 26 BDSG | Personio Privacy Policy, aap JOINTS Recruiting Privacy |
6. Contact Requests, Distributor Inquiries, and General Communication
If you contact us by email, telephone, fax, post, or via a form, we process the data you provide in order to handle your request. This applies in particular to general inquiries, distributor inquiries, service requests, and complaints.
A distributor/contact form is integrated on the homepage. According to the current status, it requests in particular your name, email address, region of interest, and a message. The processing is carried out to handle the request, to initiate business relations, and to communicate with interested parties or business partners. The legal basis is Art. 6(1)(b) GDPR insofar as the request is aimed at the conclusion or performance of a contract; otherwise, Art. 6(1)(f) GDPR applies.
We delete your data as soon as processing has been completed and there are no statutory retention obligations or legitimate interests in further storage.
7. Complaints, Service, Vigilance, and Post-Market Surveillance
As a company operating in the medical devices sector, we also process personal data for handling complaints, service inquiries, product-related incidents, vigilance reports, and matters in the field of post-market surveillance (PMS). For this purpose, a separate section entitled “Post-Market Survey” is published on the website; it also offers contact via esurvey@aap-joints.com.
To the extent necessary for handling a specific case, special categories of personal data may also be processed, in particular health-related information. This is done only insofar as it is necessary for fulfilling regulatory obligations, ensuring product safety, quality assurance, investigating an incident, or for the establishment, exercise, or defense of legal claims.
The legal basis is Art. 6(1)(c) and (f) GDPR and, where health data are concerned, Art. 9(2)(i) and/or (f) GDPR. We ask that health-related data not be transmitted via general contact forms unless this is necessary.
Where regulatory documentation obligations for implantable medical devices apply, retention periods of up to 15 years may be required.
8. Applications and Recruiting
8.1 Applications via Internal Application Forms
Job postings with application forms are published on the website. According to the current status, these forms request in particular Full Name, Email, Phone, Cover Letter, and an upload of a CV/Resume. We process these data exclusively for conducting the application process, communicating with applicants, and deciding on the establishment of an employment relationship.
The legal basis is Art. 6(1)(b) GDPR in conjunction with Art. 88 GDPR and Section 26 BDSG. If you voluntarily provide us with further information, we also process this exclusively for the application process.
8.2 Applications via Personio
The careers page also refers to an external recruiting page at aap-joints-gmbh.jobs.personio.com. If you access this recruiting page or submit an application there, personal data are processed via the Personio platform. In addition, the information published there by aap JOINTS and the general privacy notices of Personio apply.
As a rule, we process your application data only for filling the specific advertised position. Access is granted only to those persons involved in the application process.
Further information: aap JOINTS Recruiting Privacy, Personio Privacy Policy
9. Recipients, Processors, and Third-Country Transfers
We transfer personal data only to the extent legally permitted. Recipients may include, in particular:
- hosting and IT service providers
- consent and analytics service providers
- providers of integrated media and web services
- recruiting service providers
- authorities, courts, legal advisers, insurers, or other bodies, insofar as this is necessary to fulfill legal obligations or pursue legal claims
Where we use service providers as processors, this is done, where necessary, on the basis of a data processing agreement pursuant to Art. 28 GDPR.
When services such as Google/YouTube, Vimeo, or—depending on the configuration—analytics and consent services are integrated, a transfer of personal data to countries outside the EU/EEA cannot be ruled out. In these cases, processing takes place only in compliance with Art. 44 et seq. GDPR. The relevant privacy information of the providers is decisive, for example regarding adequacy decisions, standard contractual clauses, or other appropriate safeguards.
10. Retention Periods and Deletion Deadlines
We store personal data only for as long as this is necessary for the respective purposes or as long as statutory retention obligations exist. Unless expressly stated otherwise, the following periods apply to this website:
| Data Category | Deletion Period / Retention Period |
|---|---|
| Server log files | Generally a maximum of 7 days |
| Records of consent and proof of consent | Generally up to 3 years from the end of the year of the last declaration/change/withdrawal, insofar as the proof is required for the fulfillment or defense of legal obligations |
| General contact inquiries without contractual relevance | Generally 12 months after final handling |
| Contract- and business-related communication | Regularly 6 years, insofar as these are commercial or business letters |
| Booking records, invoices, and tax-relevant documents | Regularly 8 years; documents subject to a 10-year statutory retention period remain stored for 10 years |
| Application data | Generally 6 months after completion of the application process |
| Applicant data in the talent pool | Maximum 12 months from consent, unless deleted earlier or withdrawn earlier |
| Piwik PRO analytics data | No more than 25 months, unless earlier deletion or anonymization occurs |
| Complaint, vigilance, service, and PMS data | In accordance with regulatory obligations and for product safety, regularly up to 15 years |
| Session cookies | Until the end of the browser session |
| Persistent cookies / local storage | Until expiry of the period specified in the consent tool or until deletion by you in the browser |
Longer retention periods may be considered if data are needed for the establishment, exercise, or defense of legal claims, or if statutory retention obligations prevent deletion. The current statutory retention periods under the German Commercial Code (HGB) and the German Fiscal Code (AO) currently provide, in particular, for 6, 8, and 10 years; STRATO states up to 7 days for website log data, and Piwik PRO states 25 months for analytics depending on configuration.
11. Obligation to Provide Data
The provision of technical data when accessing the website is necessary so that the website can be delivered at all. Without these data, a visit to the website is technically not possible.
The provision of further data, for example in contact or application forms, is generally voluntary. Without the information marked as mandatory fields, however, we may not be able to process your inquiry or application.
12. No Solely Automated Decision-Making
There is no solely automated decision-making within the meaning of Art. 22 GDPR.
13. Your Rights
Subject to the statutory requirements, you have in particular the following rights:
- right of access under Art. 15 GDPR
- right to rectification under Art. 16 GDPR
- right to erasure under Art. 17 GDPR
- right to restriction of processing under Art. 18 GDPR
- right to data portability under Art. 20 GDPR
- right to object under Art. 21 GDPR
- right to withdraw consent with effect for the future under Art. 7(3) GDPR
If we process data on the basis of Art. 6(1)(f) GDPR, you may object on grounds relating to your particular situation.
14. Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.
For private companies in Germany, the competent authority is generally the respective state data protection authority. For aap JOINTS GmbH, headquartered in Berlin, this is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61
10555 Berlin
Germany
Phone: +49 30 13889-0
Fax: +49 30 2155050
Email: mailbox@datenschutz-berlin.de
Website: https://www.datenschutz-berlin.de/
15. External Links
Our website contains links to external websites and third-party services, for example to Personio or other external content. The respective operators are solely responsible for the content and privacy practices of these external providers. Please inform yourself separately there.
16. Updates and Changes to This Privacy Policy
We reserve the right to amend this Privacy Policy if legal requirements, technical integrations, our processes, or the website change. The current version published on this website shall apply.
Version: 31 March 2026