This Privacy Policy explains the nature, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within our online service and the associated websites, functions and content, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as the “online service”). With regard to the terms used, such as “processing” or “data controller”, please refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Data controller
M.P.I. Pharmaceutica GmbH
An der Alster 47
20099 Hamburg
Germany
T: +49 (40) 30 37 24-0
F: +49 (40) 30 37 24-20
post(at)mpi-pharma.de
Contact details for the Data Protection Officer:
Martin Büsing
Senior Data Protection Consultant
HBSN GmbH
Berliner Str. 52 F
38104 Braunschweig
Tel.: +49 531 230400 00
Fax: +49 531 230400 04
Mobile: +49 175 1054595
E-mail: buesing@hbsn-gruppe.de
Website: www.hbsn-gruppe.de
Types of data processed:
Categories of data subjects
Visitors and users of the website (hereinafter, we refer to these individuals collectively as “users”).
Purpose of processing
Terminology used
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually every aspect of data handling.
“Pseudonymisation” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
The term “data controller” refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Relevant legal basis
In accordance with Article 13 of the GDPR, we are informing you of the legal basis for our data processing activities. Unless the legal basis is specified in the Privacy Policy, the following applies: The legal basis for obtaining consent is Article 6(1)(a) and Article 7 of the GDPR; the legal basis for processing data to fulfil our services, carry out contractual obligations and respond to enquiries is Article 6(1)(b) of the GDPR; the legal basis for processing to fulfil our legal obligations is Article 6(1)(c) of the GDPR, and the legal basis for processing to safeguard our legitimate interests is Article 6(1)(f) of the GDPR. Where the processing of personal data is necessary to protect the vital interests of the data subject or of another natural person, Article 6(1)(d) of the GDPR serves as the legal basis.
Security measures
In accordance with Article 32 of the GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the latest technological standards, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to, input of, and disclosure of the data, ensuring its availability and its segregation. We have also put procedures in place to ensure that data subjects’ rights are upheld, that data is deleted, and that we respond to any data breaches. Furthermore, we take the protection of personal data into account right from the development and selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default (Article 25 of the GDPR).
Cooperation with data processors and third parties
Where, in the course of our data processing activities, we disclose data to other individuals or organisations (data processors or third parties), transfer it to them or otherwise grant them access to the data, this is done only on the basis of a legal authorisation (e.g. where the transfer of data to third parties, such as payment service providers, is necessary for the performance of a contract in accordance with Article 6(1)(b) of the GDPR), where you have given your consent, where a legal obligation requires it, or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).
Where we engage third parties to process data on the basis of a so-called “data processing agreement”, this is done in accordance with Article 28 of the GDPR.
Transfers to third countries
Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where this occurs in connection with the use of third-party services or the disclosure or transfer of data to third parties, this will only take place if it is necessary to fulfil our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to any statutory or contractual authorisations, we will only process data in a third country, or have it processed there, if the specific conditions set out in Articles 44 et seq. of the GDPR are met. This means that processing takes place, for example, on the basis of specific safeguards, such as an officially recognised determination that a level of data protection equivalent to that of the EU is in place (e.g. for the USA through the “Privacy Shield”) or compliance with officially recognised specific contractual obligations (so-called “standard contractual clauses”).
Rights of data subjects
You have the right to request confirmation as to whether the relevant data is being processed, and to obtain access to that data, as well as further information and a copy of the data, in accordance with Article 15 of the GDPR.
You have the right, pursuant to Article 16 of the GDPR, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
In accordance with Article 17 of the GDPR, you have the right to request that the relevant data be erased without delay; alternatively, in accordance with Article 18 of the GDPR, you have the right to request that the processing of the data be restricted.
You have the right to request that the personal data you have provided to us be made available to you in accordance with Article 20 of the GDPR, and to request that it be transferred to other data controllers.
You also have the right, under Article 77 of the GDPR, to lodge a complaint with the relevant supervisory authority.
Right of withdrawal
You have the right to withdraw any consent you have given in accordance with Article 7(3) of the GDPR with effect for the future.
Right to object
You may object to the future processing of your personal data at any time in accordance with Article 21 of the GDPR. In particular, the objection may be raised against processing for the purposes of direct marketing.
Cookies and the right to object to direct marketing
“Cookies” are small files that are stored on users’ computers. Various types of information can be stored in cookies. The primary purpose of a cookie is to store information about a user (or the device on which the cookie is stored) during or after their visit to a website. Cookies that are deleted once a user leaves a website and closes their browser are known as temporary cookies, or “session cookies” or “transient cookies”. Such a cookie can, for example, be used to store the contents of a shopping basket in an online shop or a login status. Cookies that remain stored even after the browser is closed are referred to as “permanent” or “persistent”. For example, the login status can be saved so that users can access it again after several days. Similarly, such a cookie may store information about users’ interests, which is used for audience measurement or marketing purposes. “Third-party cookies” are cookies provided by providers other than the data controller operating the website (whereas, if only the controller’s own cookies are used, these are referred to as “first-party cookies”).
We may use temporary and permanent cookies, and provide further information on this in our Privacy Policy.
If users do not wish to have cookies stored on their computer, they are asked to disable the relevant option in their browser’s settings. Stored cookies can be deleted in your browser’s settings. Disabling cookies may result in this website not functioning properly.
A general objection to the use of cookies for online marketing purposes can be lodged with a wide range of services, particularly in the case of tracking, via the US website http://www.aboutads.info/choic... or the EU page http://www.youronlinechoices.c.... Furthermore, you can prevent cookies from being stored by disabling them in your browser settings. Please note that you may not be able to use all the features of this website.
Deletion of data
The data we process will be erased or its processing restricted in accordance with Articles 17 and 18 of the GDPR. Unless otherwise expressly stated in this Privacy Policy, the data we hold will be deleted as soon as it is no longer required for its intended purpose and there are no legal retention obligations preventing its deletion. Where the data is not deleted because it is required for other, legally permissible purposes, its processing will be restricted. This means that the data is restricted and will not be processed for any other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.
In accordance with German legal requirements, records must be retained, in particular, for a period of 10 years pursuant to Section 147(1) of the German Fiscal Code (AO) and Section 257(1) Nos. 1 and 4, (4) of the German Commercial Code (HGB) (books, records, management reports, accounting documents, trading ledgers, documents relevant for taxation, etc.) and for 6 years in accordance with Section 257(1) Nos. 2 and 3, (4) of the German Commercial Code (HGB) (business correspondence).
In accordance with Austrian law, records must be retained, in particular, for a period of 7 years pursuant to Section 132(1) of the Austrian Federal Tax Code (BAO) (accounting records, receipts/invoices, accounts, supporting documents, business papers, statements of income and expenditure, etc.), for 22 years in relation to land, and for 10 years in the case of documents relating to electronically supplied services, telecommunications, radio and television services provided to non-business customers in EU Member States for which the Mini One-Stop Shop (MOSS) is used.
Business-related processing
In addition, we process:
– Contract data (e.g. subject matter of the contract, term, customer category).
– Payment details (e.g. bank details, payment history).
from our customers, prospective customers and business partners for the purposes of providing contractual services, customer support, marketing, advertising and market research.
Contractual services
We process the data of our contractual partners and prospective clients, as well as other clients, customers, or contractual partners (collectively referred to as “contractual partners”) in accordance with Article 6(1)(b) of the GDPR, in order to provide them with our contractual or pre-contractual services. The data processed in this context, as well as the nature, scope, purpose and necessity of its processing, are determined by the underlying contractual relationship.
The data processed includes the master data of our contractual partners (e.g. names and addresses), contact details (e.g. e-mail addresses and telephone numbers), as well as contractual data (e.g. services used, contract terms, contractual correspondence, names of contact persons) and payment details (e.g. bank details, payment history).
As a general rule, we do not process special categories of personal data, unless such data forms part of commissioned or contractual processing.
We process data that is necessary for the establishment and performance of contractual obligations and will inform you of the necessity of providing such data, unless this is already obvious to the contractual partners. Information will only be disclosed to external individuals or organisations if required under the terms of a contract. When processing data provided to us in connection with a contract, we act in accordance with the client’s instructions and the relevant legal requirements.
When you use our online services, we may store your IP address and the time of the relevant user action. Data is stored on the basis of our legitimate interests, as well as the users’ interests in protection against misuse and other unauthorised use. We do not, as a matter of principle, disclose this data to third parties, unless this is necessary for the pursuit of our claims in accordance with Article 6(1)(f) of the GDPR or there is a legal obligation to do so in accordance with Article 6(1)(c) of the GDPR.
Data will be deleted once it is no longer required for the fulfilment of contractual or statutory obligations, or for dealing with any warranty claims or similar obligations; the necessity of retaining the data is reviewed every three years; otherwise, the statutory retention obligations apply.
Administration, financial accounting, office organisation, contact management
We process data in connection with administrative tasks, the organisation of our business, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process in the course of providing our contractual services. The legal basis for processing is Article 6(1)(c) of the GDPR and Article 6(1)(f) of the GDPR. This processing affects customers, prospective customers, business partners and website visitors. The purpose of, and our interest in, processing data lies in administration, financial accounting, office organisation and data archiving – in other words, tasks that serve to maintain our business operations, carry out our duties and provide our services. The erasure of data relating to contractual services and contractual communications is carried out in accordance with the details provided for these processing activities.
In this context, we disclose or transfer data to the tax authorities, advisers such as tax advisers or auditors, as well as other fee-charging bodies and payment service providers.
Furthermore, in the interests of our business operations, we store details of suppliers, event organisers and other business partners, for example, for the purpose of contacting them at a later date. We generally store this data, most of which relates to businesses, on a permanent basis.
Establishing contact
When you contact us (e.g. via the contact form, e-mail, telephone or social media), your personal data will be processed for the purpose of handling your enquiry and its follow-up in accordance with Article 6(1)(b) (in the context of contractual or pre-contractual relationships) and Article 6(1)(f) (other enquiries) of the GDPR. User data may be stored in a customer relationship management system (“CRM system”) or a similar enquiry management system.
We delete the enquiries once they are no longer required. We review the necessity of this every two years; furthermore, the statutory archiving requirements apply.
Google Analytics
We use Google Analytics, a web analytics service provided by Google LLC (“Google”), on the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and commercial operation of our online offering within the meaning of Article 6(1)(f) of the GDPR). Google uses cookies. The information generated by the cookie regarding users’ use of the website is usually transmitted to a Google server in the USA and stored there.
Google is certified under the Privacy Shield Framework and thereby guarantees compliance with European data protection law (https://www.privacyshield.gov/...).
Google will use this information on our behalf to analyse how users use our website, to compile reports on activity within the website, and to provide us with other services relating to the use of the website and internet usage. The processed data may be used to create pseudonymous user profiles.
We only use Google Analytics with IP anonymisation enabled. This means that Google truncates users’ IP addresses within the Member States of the European Union or in other signatory states to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there.
The IP address transmitted by the user’s browser is not combined with any other data held by Google. Users can prevent cookies from being stored by adjusting the settings in their browser software; users can also prevent Google from collecting the data generated by the cookie and relating to their use of the online service, as well as from processing this data, by downloading and installing the browser plug-in available via the following link: http://tools.google.com/dlpage....
For further information on Google’s use of data, as well as options for managing your settings and opting out, please refer to Google’s Privacy Policy (https://policies.google.com/te...) and the settings for Google’s display of advertisements (https://adssettings.google.com...).
Users’ personal data will be deleted or anonymised after 14 months.
Integration of third-party services and content
Within our online offering, we use third-party content and service providers on the basis of our legitimate interests (i.e. our interest in the analysis, optimisation and commercial operation of our online offering within the meaning of Article 6(1)(f) of the GDPR) to integrate content or services from third-party providers, such as videos or fonts (hereinafter collectively referred to as “content”).
This always requires that the third-party providers of this content collect users’ IP addresses, as they would be unable to send the content to their browsers without them. The IP address is, therefore, required to display this content. We endeavour to use only content where the respective providers use the IP address solely for the purpose of delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags enable us to analyse information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may include, amongst other things, technical information about the browser and operating system, referring websites, the time of the visit and further details regarding the use of our online service, as well as being linked to such information from other sources.
Google Maps
We incorporate maps from the “Google Maps” service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The data processed may include, in particular, users’ IP addresses and location data; however, this data is not collected without their consent (which is usually given via the settings on their mobile devices). The data may be processed in the USA. Privacy Policy: https://www.google.com/policie..., Opt-out: https://adssettings.google.com....
Created using the online service “Datenschutz-Generator.de” by Dr Thomas Schwenke, Solicitor