M.P.I. Pharmaceutica GmbH
An der Alster 47
20099 Hamburg, Germany
T: +49 (40) 30 37 24-0
F: +49 (40) 30 37 24-20
Contact details for the data protection officer:
CAPCAD SYSTEMS AG
85737 Ismaning, Germany
T: +49 (40) 89/9915220
Types of processed data:
– User data (e.g. names, addresses).
– Contact details (e.g. email, telephone numbers).
– Content data (e.g. text, images, videos).
– Usage data (e.g. visited websites, interest in content, access times).
– Meta/communication data (e.g. device information, IP addresses).
Categories of data subjects
Visitors and users of the online presence (hereinafter we refer to data subjects collectively as “users”).
Purpose of processing
– Provisioning of the online presence, its functions and content.
– Answering contact requests and communication with users.
– Security measures.
– Reach measurement/marketing.
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers virtually every aspect of dealing with data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal bases
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement in accordance with Article 32 GDPR appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transmission, security of availability and its separation. We have also put in place procedures that ensure the exercise of data subject rights, erasure of data and response to data risks. Furthermore, we take into account the protection of personal data already during development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default (Article 25 GDPR).
Cooperation with processors and third parties
If, in the context of our processing, we disclose data to other persons or companies (processors or third parties), transmit the data to them or otherwise grant access to the data, we will do so only if we are permitted by law (e.g. where the transmission of the data to third parties, such as payment service providers, is necessary for the performance of a contract pursuant to Article 6 (1) (b) GDPR), if you have given consent, if the processing is necessary for compliance with a legal obligation, or in pursuit of our legitimate interests (e.g. the use of agents, web hosting providers, etc.).
Where we engage third parties to process data on the basis of a so-called “data processing agreement”, we do so on the basis of Article 28 GDPR.
Transmission to third countries
Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or in the context of the use of third-party services or disclosure or transmission of data to third parties, processing will take place only if it is necessary to meet our pre-contractual or contractual obligations, if you have given consent to processing, for compliance with a legal obligation, or in pursuit of our legitimate interests. Without prejudice to legal or contractual permits, we process the data or have the data processed in a third country only if the requirements of Article 44 et seq. GDPR have been met. This means that processing is carried out, for example, on the basis of special guarantees, such as the officially recognised assessment of the adequacy of the level of data protection (e.g. the “Privacy Shield” in the US) or in compliance with officially recognised contractual obligations (so-called “standard contractual clauses”).
Rights of data subjects
Under Article 15 GDPR, you have the right to obtain confirmation of whether personal data concerning you are being processed, and, if so, access to the personal data and other information, as well as a copy of the personal data undergoing processing.
Under Article 16 GDPR, you have the right to have inaccurate personal data rectified and incomplete personal data completed.
You have the right to obtain the erasure of personal data concerning you without undue delay under Article 17 GDPR or, alternatively, you have the right to obtain restriction of processing under Article 18 GDPR.
Under Article 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us and have the right to transmit those data to another controller.
Under Article 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.
Right of withdrawal
Under Article 7 (3) GDPR, you have the right to withdraw your consent with effect for the future.
Right to object
Under Article 21 GDPR, you have the right to object to the future processing of data concerning you at any time. Users have, in particular, the right to object to the processing of their data for direct marketing purposes.
Cookies and the right to object to direct marketing
“Cookies” are small files that are stored on users’ computers. Cookies can store a variety of information. Cookies are primarily used to store information about users (or devices on which the cookies are stored) during or after their visit to a website. Temporary cookies, “session cookies” or “transient cookies”, are cookies which will be deleted after the user leaves a website and closes his/her browser. These types of cookies are used e.g. to store the content of the shopping basket in an online store or the login status. Cookies that are referred to as “permanent” or “persistent” are cookies that remain stored even after the browser has been closed. For example, the login status can be retained when users return to the website after several days have passed. Such cookies can also be used to store the interests of users for reach measurement or marketing purposes. “Third-party cookies” are cookies that are set by providers other than the data controller operating the website (where cookies are set only by the controller they are referred to as “first-party cookies”).
You can prevent cookies from being stored on your computer by deactivating the relevant option in your browser settings. You can also delete previously stored cookies in the system settings of your browser. Please note that if you block cookies, this may limit the functionality of our website.
Erasure of data
In accordance with legal requirements in Germany, the retention period is typically 10 years under Article 147 (1) of the German Tax Code (AO), Article 257 (1) (1) and (4), and Section 4 of the German Commercial Code (HGB) (books, records, management reports, accounting, tax-related records, etc.) or six years under Article 257 (1) No (2) and (3), and Section 4 HGB (business correspondence).
In accordance with legal requirements in Austria, the retention period is usually seven years pursuant to Article 132 (1) of the Austrian Federal Fiscal Code (BAO) (accounting documents, receipts / invoices, accounts, receipts, business documents, income statements, etc.), or 22 years in connection with real estate and 10 years in the case of documents relating to electronically supplied services, telecommunications, broadcasting and television services provided to non-businesses in EU member states and for which the Mini-One-Stop-Shop (MOSS) is used.
In addition we process
– Contract data (e.g. subject matter and term of the contract, customer category).
– Payment data (e.g. bank details, payment history)
from our customers, prospects and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.
We process the data of our contractual partners and prospective customers as well as other customers, clients or contractual partners (hereinafter referred to collectively as “contractual partners”) in accordance with Article 6 (1) (b) GDPR where the processing is necessary for the performance of a contract or to take steps prior to entering into a contract. The type of data processed, the nature, scope, purpose and necessity of processing are determined by the underlying contractual relationship.
The processed data includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. email addresses and telephone numbers) as well as contract data (e.g. services used, terms of the contracts, contractual communications, names of contact persons) and payment data (e.g. bank details, payment history).
In principle, we do not process special categories of personal data, unless their processing is required and provided for under the terms of a contract.
We process data that are necessary for the establishment and performance of the contractual services, and we advise our contractual partners on the need to disclose these data where this is not evident. We disclose data to external persons or companies only if doing so is necessary under the contract. When processing the data provided to us under a contract, we act in accordance with the instructions of the client as well as the legal requirements.
When users use our online services, we may store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the interests of the user in the protection against misuse and other unauthorised use. We do not, in principle, disclose this data to third parties, unless this is necessary to pursue our claims in accordance with Article 6 (1) (f) GDPR or we are required to do so by law in accordance with Article 6 (1) (c) GDPR.
We will erase the data if the data is no longer necessary to meet our contractual and/or statutory duty of care and to comply with our warranty and comparable obligations, whereby we review the necessity to store the data every three years; in all other respects, the statutory retention requirements apply.
Administration, financial accounting, office organisation, contact management
We process data for purposes of performing our administrative and business management tasks, financial accounting and compliance with legal obligations, such as archiving. In this regard we process the same data that we process as part of the performance of our contractual services. The legal basis for processing is Article 6 (1) (c) and (f) GDPR. Data subjects in this context are customers, prospective customers, business partners and website visitors. The purpose of and our interest in processing lies in the administration, financial accounting, office organisation, archiving of data, i.e. tasks, which serve to maintain our business activities, performance of our tasks and provision of our services. The erasure of data in relation to contractual performance and contractual communications reflects the data specified during these processing activities.
In this regard, we disclose or transmit data to tax authorities, consultants, such as tax consultants or auditors, as well as other fee offices and payment service providers.
Furthermore, we store information on suppliers, organisers and other business partners based on our business interests, e.g. to contact them later. In principle, we store this data, which is mainly company-related, on a long-term basis.
When users contact us (by email, post, in person, by telephone or through social media) we collect user information to process the contact request in accordance with Article 6 (1) (b) GDPR (contractual/pre-contractual relationships), Article 6 (1) (f) GDPR (other queries). User information can be stored in our customer relationship management system (“CRM system”) or a similar system.
We will erase your inquiries when they are no longer needed. We review this need every two years; in all other respects, the statutory retention requirements apply.
Google is certified under the Privacy Shield framework which offers a guarantee of compliance with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to analyse your usage of our online presence, generate reports about activities on this online presence and to provide additional services related to the use of this online presence and the Internet. It may also use the processed data to create pseudonymised user profiles.
We use Google Analytics only with activated IP anonymisation. This means that Google will truncate your IP address within member states of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to Google servers in the United States and truncated there.
Google will not associate the IP address of the user transmitted by the user’s browser with any other data held by Google. Users can prevent cookies from being stored by changing their browser settings. Furthermore, users can prevent Google from collecting and processing cookie-generated data and data about their use of the online presence by downloading and installing the browser add-on provided under the following link: https://tools.google.com/dlpage/gaoptout.
The personal data of users will be erased or anonymised after 14 months.
Integration of services and content from third parties
Based on our legitimate interests (i.e. our interest in analysing, optimising and running our online presence in a commercially viable manner within the meaning of Article 6 (1) (f) GDPR), we make use of content or services offered by third-party providers to integrate the content and services such as videos or fonts (hereinafter collectively referred to as “content”).
This always requires that the user IP addresses are visible to the third-party providers of such content, because they cannot send the content to users’ browsers without the IP address. In other words, the IP address is necessary to display this content. We make every reasonable effort to use only content from providers who use IP addresses only to deliver content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. These pixel tags are used to evaluate information such as traffic patterns of users as they navigate the pages of this website. The pseudonymous information can be stored in cookies on users’ devices and can include e.g. technical information about the browser and the operating system, referring websites, time spent on the website and further information on the use of our website and can be linked to such information from other sources.
Created with Datenschutz-Generator.de by RA Dr. Thomas Schwenke