I. Name and Address of the Controller
The controller as defined by the General Data Protection Regulation, Member States’ other national data protection legislation, and other data protection regulations is:
Heidelberg Pharma AG
Schriesheimer Str. 101
Tel.: +49 6203 1009-0
II. Name and Address of the Data Protection Officer:
Data Protection Officer
Schriesheimer Str. 101
Tel.: +49 6203 1009-36
III. General Information on Data Processing
1. The scope of personal data processing
As a general rule, we collect and use the personal data of our users only to the extent that doing so is necessary for processing contact requests submitted by e-mail. In doing so, we process only personal data made available to us by users by e-mail through the contact request. As a rule, we collect and use personal data of our users only with the consent given by the user.
2. The legal basis for processing personal data
As far as we obtain the data subject’s consent for processing personal data, Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) is the legal basis.
For processing personal data required for the fulfilment of a contract to which the data subject is party, Art. 6 (1) (b) of the GDPR is the legal basis. This also applies to processing operations required for steps prior to entering into a contract.
Where processing personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 (1) (c) of the GDPR is the legal basis.
If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and the data subject’s interests, fundamental rights and freedoms do not override said legitimate interests, Art. 6 (1) (f) of the GDPR is the legal basis for processing.
3. Erasure of data and duration of retention
The data subject’s personal data is erased or blocked as soon as the purpose for storing it no longer exists. Data may be stored longer if such storage is provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. Data is also blocked or erased when a retention obligation established by said regulations has expired, except where entering into a contract or the performance of a contract requires the continued retention of the data.
IV. Provision of the Website and Creation of Log Files
1. Description and scope of data processing
Every time our website is accessed, our system automatically records data and certain items of information from the computer system accessing the website.
During this process, the following information is collected:
- The date and time of access
The data is stored in our system’s log files. This does not include the IP addresses of the user or other data that allow the data to be attributed to a user. This data is not stored together with any of the user’s personal data.
2. How long we store data
Once the data is no longer required to achieve the purpose for which it was collected, it is erased. Where data is recorded for the purpose of providing the website, data is erased when the respective session has ended.
3. Opting out and removal
It is absolutely necessary to record data in order to provide the website, and it is absolutely necessary to store the data in log files to ensure the operation of the website. As a result, users do not have an opt-out option if they visit the website.
1. Description and scope of data processing
Cookies are generally text files that are stored in the Internet browser or by the Internet browser on the user's computer system.
In order to make browsing the website easier for users, a so-called session ID (session identifier) is used, which is allocated to each user at the beginning of each use of the website. This session ID is used by the website server to recognize the same user or their access device/browser if their IP address has changed in the meantime or the user has switched from one webpage of the website to the next. The session ID does not constitute an item of personal data, since the session ID does not allow the user to be identified. The session ID cookie we use is only valid until the end of a session. When the user exits the browser, the session ID cookie is automatically deleted. The following data is temporarily stored in our session ID cookie:
- Log-in information (temporarily encrypted until the end of the session)
The cookie does not store any of the user's personal data.
2. The purpose of the cookie use
Technically required cookies are used in order to simplify the use of websites for users. Some features of our website cannot be provided without using cookies. These features require that the browser is recognized even after changing webpages of our homepage.
We require cookies for the following applications:
(1) Recognizing the access device/browser after changing the IP address
(2) Recognizing the access device/browser after switching webpages of our website
3. Retention period, erasure and disabling
VI. E-mail Contact
1. Description and scope of data processing
We can be contacted by using the e-mail addresses provided on our website. In this case, the user’s personal data communicated with the e-mail will be saved.
In this context, this data will not be shared with third parties. The data is used solely to process the conversation.
2. The legal basis for the data processing
The legal basis for processing the data that is transferred when sending an e-mail is Art. 6 (1) (f) of the GDPR. If the e-mail contact is aimed at entering into a contract, Art. 6 (1) (b) is also a legal basis for the processing.
3. The purpose of the data processing
We process personal data contained in the e-mails solely to respond to your contact request. This constitutes a required, legitimate interest in processing the data.
4. How long we store data
Once the data is no longer required to achieve the purpose for which it was collected, it is deleted. For the personal data sent via e-mail, this is the case once the respective conversation with the user has ended. The conversation has ended once it can be determined based on the circumstances that the issue in question has been settled in its entirety.
5. Opting out and removal
Users contacting us by e-mail can object to the storage of their personal data at any time. In such a case, the conversation cannot be continued.
All personal data that has been stored in connection with establishing contact will be erased immediately in this case and will no longer be processed unless the controller can demonstrate compelling legitimate grounds for the processing which override the user’s interests, rights and freedoms or unless the processing serves the establishment, exercise or defense of legal claims.
VII. Rights of the Data Subject
If your personal data is processed, you are a “data subject” as defined by the GDPR, and you are entitled to the following rights vis-à-vis the controller:
1. Right of access
You can request that the controller provide you with confirmation as to whether personal data concerning yourself is processed by us.
If such processing takes place, you can request information from the controller regarding the following points:
(1) the purpose for which your personal data is being processed;
(2) the categories of personal data that are being processed;
(3) the recipients and/or categories of recipients to whom the personal data concerning yourself has been or will be disclosed;
(4) the planned retention period of personal data concerning you or, if it is not possible to provide specific information about this, the criteria used to determine the retention period;
(5) the existence of the right to request from the controller rectification or erasure of the personal data concerning you or a right of restriction of processing of personal data concerning the data subject or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where the personal data is not collected from the data subject, any available information as to its source;
(8) the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Additionally, you have the right to request information as to whether your personal data will be transmitted to a non-EU country or international organization. In this connection, you may request to be informed of the appropriate safeguards associated with the transmission pursuant to Art. 46 of the GDPR.
2. Right to rectification
Where the processed personal data concerning yourself is incorrect or incomplete, you have the right vis-à-vis the controller to have this data rectified and/or completed. The controller shall make the correction without undue delay.
3. Right to erasure
a) Obligation to erase
You have the right to obtain from the controller the erasure of the personal data concerning you without undue delay, and the controller has the obligation to erase such data without undue delay where one of the following grounds applies:
(1) The personal data concerning you is no longer necessary for the purpose for which it was collected or otherwise processed;
(2) You withdraw your consent on which the processing is based according to Art. 6 (1) (a) or Art. 9 (2) (a), and there is no other legal ground for the processing.
4. Right to notification
Where you have asserted vis-à-vis the controller the right of rectification or erasure, the controller has the obligation to notify all recipients to whom personal data concerning you has been disclosed of such rectification or erasure of data, unless this proves impossible or involves disproportionate effort.
You have the right vis-à-vis the controller to be notified of those recipients.
5. Right to data portability
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. Additionally, you have the right to transmit such data to another controller without hindrance by the controller to which the personal data has been made available, provided
(1) the processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) of the GDPR, or on a contract pursuant to Art. 6 (1) (b), and
(2) the processing is carried out by automated means.
6. Right to withdraw consent granted under data privacy law
You have the right to withdraw your consent granted under data privacy law at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent performed before its withdrawal. After receipt of the withdrawal, the controller will erase the personal data concerning you and will no longer process it unless the controller can demonstrate compelling, legitimate grounds for the processing that override your interests, rights and freedoms or unless processing serves the establishment, exercise, or defense of legal claims.
7. Right to lodge a complaint with a supervisory authority
Any further administrative or judicial remedies notwithstanding, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data concerning yourself infringes the GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 of the GDPR.
The following supervisory authority has jurisdiction over Heidelberg Pharma:
The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg
Postfach 10 29 32, 70025 Stuttgart
Königstrasse 10a, 70173 Stuttgart
Tel.: +49 711 61 55 41 – 0
Fax: +49 711 61 55 41 – 15