Privacy policy

Privacy policy

The purpose of this privacy policy is to provide you with information about the nature, scope and purpose of processing of personal data (hereinafter referred to in short as “data”) in connection with our online presence and the related websites, functions and content, as well as our external online presence such as our social media profiles (hereafter collectively referred to as “online presence”). For definitions of terms used in this privacy policy, e.g. “processing” or “data controller”, please refer to the definitions set out in Article 4 of the General Data Protection Regulation (GDPR).

Data controller

M.P.I. Pharmaceutica GmbH
An der Alster 47
20099 Hamburg, Germany

T: +49 (40) 30 37 24-0
F: +49 (40) 30 37 24-20

Contact details for the data protection officer:
Daniel Kampmeier
Carl-Zeiss-Ring 21
85737 Ismaning, Germany
T: +49 (40) 89/9915220

Types of processed data:

– User data (e.g. names, addresses).
– Contact details (e.g. email, telephone numbers).
– Content data (e.g. text, images, videos).
– Usage data (e.g. visited websites, interest in content, access times).
– Meta/ communication data (e.g. device information, IP addresses).
Categories of data subjects

Visitors and users of the online presence (hereinafter we refer to data subjects collectively as “users”).
Purpose of processing

– Provisioning of the online presence, its functions and content.
– Answering contact requests and communication with users.
– Security measures.
– Reach measurement/ marketing


“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers virtually every aspect of dealing with data.

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal bases

In accordance with Article 13 GDPR we are required to inform you about the legal bases for our data processing. If the legal basis is not specified in the privacy policy, the following applies: the legal basis for obtaining consent is Article 6 (1) (a) and Article 7 GDPR, the legal basis for the performance of contract and the implementation of pre-contractual measures and responding to your inquiries is Article 6 (1) (b) GDPR, the legal basis for processing necessary for compliance with legal obligations Article 6 (1) (c) GDPR, and the legal basis for processing necessary to pursue our legitimate interests is Article 6 (1) (f) GDPR. The legal basis for processing necessary to protect the vital interests of the data subject or of another natural person is Article 6 (1) (d) GDPR.

Security measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement in accordance with Article 32 GDPR appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transmission, security of availability and its separation. We have also put in place procedures that ensure the exercise of data subject rights, erasure of data and response to data risks. Furthermore, we take into account the protection of personal data already during development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default (Article 25 GDPR).
Cooperation with processors and third parties

If, in the context of our processing, we disclose data to other persons or companies (processors or third parties), transmit the data to them or otherwise grant access to the data, we will do so only if we are permitted by law, (e.g. where the transmission of the data to third parties, e.g. to payment service providers, is necessary for the performance of a contract pursuant to Article 6 (1) (b) GDPR), if you have given consent, if the processing is necessary for compliance with a legal obligation, or in pursuit of our legitimate interests (e.g. the use of agents, web hosting providers, etc.).

Where we engage third parties to process data on the basis of a so-called “data processing agreement”, we do so on the basis of Article 28 GDPR.

Transmission to third countries

Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA) or in the context of the use of third-party services or disclosure or transmission of data to third parties, processing will take place only if it is necessary to meet our pre-contractual or contractual obligations, if you have given consent to processing, for compliance with a legal obligation, or in pursuit of our legitimate interests. Without prejudice to legal or contractual permits, we process the data or have the data processed in a third country only if the requirements of Article 44 et seq. GDPR have been met. This means that processing is carried out, for example, on the basis of special guarantees, such as the officially recognised assessment of the adequacy of the level of data protection (e.g. the “Privacy Shield” in the US) or in compliance with officially recognised contractual obligations (so-called “standard contractual clauses”).

Rights of data subjects

Under Article 15 GDPR, you have the right to obtain confirmation of whether personal data concerning you are being processed, and, if so, access to the personal data and other information, as well as a copy of the personal data undergoing processing.

Under Article 16 GDPR, you have the right to have inaccurate personal data rectified and incomplete personal data completed.

You have the right to obtain the erasure of personal data concerning you without undue delay under Article 17 GDPR or, alternatively, you have the right to obtain restriction of processing under Article 18 GDPR.

Under Article 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us and have the right to transmit those data to another controller.

Under Article 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.

Right of withdrawal

Under Article 7 (3) GDPR, you have the right to withdraw your consent with effect for the future

Right to object

Under Article 21 GDPR, you have the right to object to the future processing of data concerning you at any time. Users have, in particular, the right to object to the processing of their data for direct marketing purposes.

Cookies and the right to object to direct marketing

“Cookies” are small files that are stored on users’ computers. Cookies can store a variety of information. Cookies are primarily used to store information about users (or devices on which the cookies are stored) during or after their visit to a website. Temporary cookies, “session cookies” or “transient cookies”, are cookies which will be deleted after the user leaves a website and closes his/her browser. These types of cookies are used e.g. to store the content of the shopping basket in an online store or the login status. Cookies that are referred to as “permanent” or “persistent” are cookies that remain stored even after the browser has been closed. For example, the login status can be stored if users visit it after several days have passed. Such cookies can also be used to store the interests of users for reach measurement or marketing purposes. “Third-party cookies” are cookies that are set by providers other than the data controller operating the website (where cookies are set only by the controller they are referred to as “first-party cookies”).

We may use temporary and permanent cookies and provide information about the cookies we use in the privacy policy.

You can prevent cookies from being stored on your computer by deactivating the relevant option in your browser settings. You can also delete previously stored cookies in the system settings of your browser. Please note that if you block cookies, this may limit the functionality of our website.

In general, users can exercise their right to object to the use cookies for online marketing purposes for a range of services, in particular tracking, by using the US website the EU website Furthermore, you can disable the storage of cookies by changing your browser’s settings. Please note that if you do this, you may not be able to use all the functions and features of this website.

Erasure of data

The data we process will either be erased or restricted in processing in accordance with Articles 17 and 18 GDPR. Unless explicitly stated in this privacy policy, the data we store will be erased as soon as the data are no longer necessary in relation to the purposes for which they were collected and this does not conflict with statutory retention requirements. Where the data is not erased because it is necessary for other and legally permissible purposes, the processing of the data will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that has to be retained for business or tax reasons.

In accordance with legal requirements in Germany, the retention period is typically 10 years under Article 147 (1) of the German Tax Code (AO), Article 257 (1) (1) and (4), and Section 4 of the German Commercial Code (HGB) (books, records, management reports, accounting, tax-related records, etc.) or six years under Article 257 (1) No (2) and (3), and Section 4 HGB (business correspondence).

In accordance with legal requirements in Austria, the retention period is usually seven years pursuant to Article 132 (1) of the Austrian Federal Fiscal Code (BAO) (accounting documents, receipts / invoices, accounts, receipts, business documents, income statements, etc.), or 22 years in connection with real estate and 10 years in the case of documents relating to electronically supplied services, telecommunications, broadcasting and television services provided to non-businesses in EU member states and for which the Mini-One-Stop-Shop (MOSS) is used.

Business-related processing

In addition we process
– Contract data (e.g. subject matter and term of the contract, customer category).
– Payment data (e.g. bank details, payment history)
from our customers, prospects and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.

Contractual services

We process the data of our contractual partners and prospective customers as well as other customers, clients or contractual partners (hereinafter referred to collectively as “contractual partners”) in accordance with Article 6 (1) (b) GDPR where the processing is necessary for the performance of a contract or to take steps prior to entering into a contract. The type of data processed, the nature, scope, purpose and necessity of processing are determined by the underlying contractual relationship.

The processed data includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. email addresses and telephone numbers) as well as contract data (e.g. services used, terms of the contracts, contractual communications, names of contact persons) and payment data (e.g. bank details, payment history).

In principle, we do not process special categories of personal data, unless their processing is required and provided for under the terms of a contract.

We process data, which are necessary for establishment and performance of the contractual services, and we advise our contractual partners on the need to disclose these data where this is not evident. We disclose data to external persons or companies only if doing so is necessary under the contract. When processing the data provided to us under a contract, we act in accordance with the instructions of the client as well as the legal requirements.

When users use our online services, we may store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the interests of the user in the protection against misuse and other unauthorised use. We do not, in principle, disclose this data to third parties, unless this is necessary to pursue our claims in accordance with Article 6 (1) (f) GDPR or we are required to do so by law in accordance with Article 6 (1) (c) GDPR.

We will erase the data if the data is no longer necessary to meet our contractual and/or statutory duty of care and to comply with our warranty and comparable obligations, whereby we review the necessity to store the data every three years; in all other respects, the statutory retention requirements apply.

Administration, financial accounting, office organisation, contact management

We process data for purposes of performing our administrative and business management tasks, financial accounting and compliance with legal obligations, such as archiving. In this regard we process the same data that we process as part of the performance of our contractual services. The legal basis for processing is Article 6 (1) (c) and (f) GDPR. Data subjects in this context are customers, prospective customers, business partners and website visitors. The purpose of and our interest in processing lies in the administration, financial accounting, office organisation, archiving of data, i.e. tasks, which serve to maintain our business activities, performance of our tasks and provision of our services. The erasure of data in relation to contractual performance and contractual communications reflects the data specified during these processing activities.

In this regard, we disclose or transmit data to tax authorities, consultants, such as tax consultants or auditors, as well as other fee offices and payment service providers.

Furthermore, we store information on suppliers, organisers and other business partners based on our business interests, e.g. to contact them later. In principle, we store this data, which is mainly company-related, on a long-term basis.


When users contact us (by email, post, in person, by telephone or through social media) we collect user information to process the contact request in accordance with Article 6 (1) (b) GDPR (contractual/pre-contractual relationships), Article 6 (1) (f) GDPR (other queries). User information can be stored in our customer relationship management system (“CRM system”) or a similar system.

We will erase your inquiries when they are no longer needed. We review this need every two years; in all other respects, the statutory retention requirements apply.

Google Analytics

Based on our legitimate interests (i.e. our interest in analysing, optimising and running our online presence in a commercially viable manner within the meaning of Article 6 (1) (f) GDPR), we use Google Analytics, a web analysis service provided by Google LLC (“Google”). Google uses cookies. The information generated by the cookie about your use of the online presence is usually transmitted to and stored by Google on servers in the United States.

Google is certified under the Privacy Shield framework which offers a guarantee of compliance with European data protection legislation (

Google will use this information on our behalf to analyse your usage of our online presence, generate reports about activities on this online presence and to provide additional services related to the use of this online presence and the Internet. It may also use the processed data to create pseudonymised user profiles.

We use Google Analytics only with activated IP anonymisation. This means that Google will truncate your IP address within member states of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to Google servers in the United States and truncated there.

Google will not associate the IP address of the user transmitted by the user’s browser with any other data held by Google. Users can prevent cookies from being stored by changing their browser settings; Furthermore, users can prevent Google from collecting and processing cookie-generated data and data about their use of the online presence by downloading and installing the browser add-on provided under the following link:

For more information about Google’s data usage, settings options and the right to object, please refer to Google’s privacy policy ( and Google’s ads settings (

The personal data of users will be erased or anonymised after 14 months.

Integration of services and content from third parties

Based on our legitimate interests (i.e. our interest in analysing, optimising and running our online presence in a commercially viable manner within the meaning of Article 6 (1) (f) GDPR), we make use of content or services offered by third-party providers to integrate the content and services such as videos or fonts (hereinafter collectively referred to as “content”).

This always requires that the user IP addresses are visible to the third-party providers of such content, because they cannot send the content to users’ browsers without the IP address. In other words, the IP address is necessary to display this content. We make every reasonable effort to use only content from providers who use IP addresses only to deliver content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. These pixel tags are used to evaluate information such as traffic patterns of users as they navigate the pages of this website. The pseudonymous information can be stored in cookies on users’ devices and can include e.g. technical information about the browser and the operating system, referring websites, time spent on the website and further information on the use of our website and can be linked to such information from other sources.

Google Maps

We integrate maps from “Google Maps” from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may include, in particular, IP addresses and location data of the users, which are collected only with user consent (typically through settings of their mobile devices. Google may process the data in the USA. Privacy policy:, Opt-out:

Created with by RA Dr. Thomas Schwenke