Contents

1. GENERAL INFORMATION

2. INFORMATION FOR VISITORS TO OUR WEBSITE

3. INFORMATION FOR APPLICANTS

4. INFORMATION FOR EMPLOYEES

5. INFORMATION FOR CUSTOMERS/SUPPLIERS

6. INFORMATION FOR TEST SUBJECTS

7. INFORMATION FOR EVENT PARTICIPANTS

8. INFORMATION FOR VISITORS TO OUR OFFICES

9. INFORMATION FOR WHISTLEBLOWERS

1. GENERAL INFORMATION

We are AOP Orphan Pharmaceuticals GmbH, Leopold-Ungar-Platz 2, 1190 Vienna (Austria), tel.: +43 1 503 72 44, fax: +43 10 503 72 44 5, email: office@aoporphan.com, and are represented by our CEOs, Dr. Martin Steinhart and Bernhard Nachbaur, LL.M.

 

Furthermore, in accordance with Article 37(4) GDPR, we have appointed a data protection officer:

 

Christian Zange, AOP Orphan Pharmaceuticals GmbH
Leopold-Ungar-Platz 2, 1190 Vienna, Austria
E-mail: data-protection@aoporphan.com

We transfer your data to affiliated companies and external service providers who assist us with the following tasks: saving and administering data; IT support; holding events; taking employee photographs; payroll accounting; legal advice; business advice; and employee recruitment. We ensure that such service providers are carefully selected, contractually bound in accordance with data protection regulations and regularly audited.

We may transfer personal data and/or have your personal data transferred to a third country or to an international organisation outside of the European Union (“third country entity”). In such cases, in accordance with Article 44 GDPR, we must guarantee that the level of data protection afforded by the GDPR is not undermined. However, we would like to point out that such third country entity can be either a controller or a processor.

 

If we refer to an adequacy decision in this policy, this means that the third country entity is in a country, territory or specified sector that the Commission deems to have an adequate level of protection. This guarantee is derived from Article 45 GDPR.

 

If we refer to the standard contractual clauses in this policy, this means that the third country entity accepts the EU standard contractual clauses and is therefore contractually bound to ensure the level of protection as set out under the General Data Protection Regulation. This guarantee is derived from Article 46(1) and (5) GDPR.

 

If in this policy we refer to the fact that you have consented to the transfer of data to the third country entity, this means that you were informed of all potential risks of such transfers for which there is no adequacy decision or other guarantee, and agreed to the data transfer in spite of this. This guarantee is derived from Article 49(1)(a) GDPR. For the sake of transparency, we will explain the corresponding risks separately.

In addition to the above Section 1.3. “Transfer of personal data outside of the European Union”, we would like to draw your attention to the special situation in relation to third country entities based in the USA. In the case of transfers to third country entities based in the USA, the possibility of referring to the EU standard contractual clauses is limited. Therefore, if we intend in this context to refer to the EU standard contractual clauses (or are already doing so), we wish to point out the following:

 

We will only transfer your personal data to third country entities in the US on the basis of EU standard contractual clauses after conducting a thorough examination of the relevant facts. First we carry out a risk assessment by determining the type and sensitivity of the relevant data, the scope of data processing, the purpose of data processing and the susceptibility to misuse. Then we check whether the contractual assurances of the US third country entity and the technical and organisational measures taken by such entity (e.g. data processing exclusively in EU-based data processing centres, encryption technology) would sufficiently minimise the identified risks. We will only refer to the EU standard contractual clauses if we are satisfied that, as an exception, they are also a sufficient guarantee in the case of a third country body in the US.

In addition to the above Section 1.3. “Transfer of personal data outside of the European Union”, we wish to draw your attention to another special situation in relation to entities based in the USA. In the case of transfers to third country entities based in the USA, the possibility of referring to the EU standard contractual clauses is limited. For this reason, in some cases the only option is to ask you for your consent to such transfer. Before you give your consent, we ask you to take note of the following risks and to consider them when deciding whether or not to give your consent:

 

We wish to stress that a data transfer to the USA without the protection of an adequacy decision, should the situation arise, carries considerable risks. We particularly wish to point out the following risks:

 

(1) In the USA there is no standard data protection law, and especially none that is comparable with the applicable data protection law in the EU. This means that both US companies and government bodies have more opportunities to process your personal data, in particular for marketing, profiling and carrying out (criminal) investigations. Our scope for action against this is considerably limited.

(2) US lawmakers have granted numerous access rights to your personal data (see Section 702 of the FISA or Executive Order 12333 in conjunction with PPD-28), which are not compatible with our understanding of the law. In particular, there are no proportionality checks prior to access that can be compared to those carried out in the European Union.

(3) Citizens of the European Union cannot expect any effective protection of their rights in the USA.

(4) As a general rule, we will only request such consent from you if we have arrived at the conclusion that the third country entity in the US cannot effectively act on the authority of EU standard contractual clauses.

 

We are merely making this statement as a precaution. It only applies if we refer to it in this policy. There is also a possibility that we will not exercise this option.

Under the GDPR, you have certain rights, which are summarized below. In particular, you have the right to obtain information about the processing of your personal data and to request the deletion of your personal data. You have the right to restrict processing, to object to the processing of your personal data and to data portability. Furthermore, you have the option to file a complaint about us with the competent supervisory authority. Please note that these rights are not absolute and may be subject to conditions and provisos set out in the relevant data protection legislation. We therefore cannot guarantee that any request from you in connection with the rights set out above will be agreed to.

2. INFORMATION FOR VISITORS TO OUR WEBSITE

Section 2 of this privacy policy is directed at all individuals who visit our website.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In terms of the processing of your data when using this website, we are controllers within the meaning of the GDPR; see the information about us and our data protection officers above under point 1.1.

We only process your personal data on the basis of a legal obligation to process data to the extent that we refer to Article 6(1)(c) GDPR in this privacy policy.

2.4.1. General information on the purpose and legal basis of the processing operations described herein:

(1) The purpose of the processing operations described below is described separately for each tool.

(2) The legal basis for the corresponding data processing is your consent in accordance with Article 6(1)(a) GDPR. According to this provision, the processing of your personal data is permitted if you have given your consent to the processing of your personal data for one or more specific purposes.

(3) You may give your consent via a cookie banner or by clicking on a checkbox.

(4) No profiling takes place unless expressly mentioned below.

 

2.4.2. General information on the data retention period within the scope of the processing operations described herein:

(1) We store your personal data until you withdraw your consent.

(2) If you withdraw your consent, we will save the information pertaining to your consent (i.e. the fact that you gave your consent as well as when and how you consented) (status opt in), until all limitation periods under civil law in relation to any claims arising from the GDPR have lapsed, which is generally three years after withdrawal of your consent. The legal basis for this is Article 6(1)(c) GDPR in conjunction with Article 5(2) GDPR or Article 6(1)(f) GDPR in conjunction with Section 1489 of the Austrian Civil Code (ABGB).

(3) Only in the event that we enter into a contractual relationship following processing of your personal data based on your consent, will we store some of your data, as applicable, until our legal retention period comes to an end. The legal basis is Article 6(1)(c) GDPR, Section 131 and 132 of the Austrian Tax Code and Section 212 of the Austrian Commercial Code (UGB). Where applicable, we are obliged to retain:

(i) your personal data contained in books and records under Section 131 and 132 of the Austrian Tax Code for seven years, whereby the retention period as a rule starts at the end of the calendar year in which the applicable document was created (Article 6(1)(c) GDPR in conjunction with Section 132 of the Austrian Tax Code);

(ii) your personal data contained in books, inventories, opening balances, annual accounts including management reports, consolidated accounts including group management reports, business letters received, copies of business letters sent and receipts for bookings in the books that we are obliged to keep in accordance with Section 190 of the Austrian Commercial Code for seven years, whereby the retention period generally starts at the end of the calendar year in which the applicable document was created (Article 6(1)(c) GDPR in conjunction with Section 212 of the Austrian Commercial Code).

 

2.4.3. Information on withdrawing your consent:

(1) If we obtain your consent for processing, you have the right to withdraw such consent at any time effective for the future. You can do this by contacting us via the contact details under Section 1.1 “controller” above.

(2) Furthermore, we wish to point out that within the scope of obtaining consent, we will continue to process your personal data. On the one hand, such data includes identifying features (such as your name, email address and IP address) and, on the other hand, consent log data (time, status and scope of consent). We base this data processing on Article 6(1)(c) GDPR in conjunction with Article 7(1) GDPR. This is because it is necessary to prove that you have given your consent.

 

2.4.4. Data processing when using Matomo

(1) To analyse your user behaviour on our website, we use the open source web analysis platform Matomo (formerly Piwik). Here is a brief description of this processing operation: the tool sets a cookie on your computer which enables your browser to be recognised. Cookies are text files that are saved on your computer and enable your use of the website to be analysed. Although we save the data obtained on a server of our own within the European Union and therefore the provider does not obtain any data from you, as a precaution we wish to inform you that you can find further information on the data protection provided by this tool here: https://matomo.org/gdpr-analytics. Find out more about how data is processed by this tool here: https://matomo.org/feature-overview/.  

(2) When using Matomo we process the following data: your IP address (anonymised); the subpage viewed and the time it is viewed; the page from which you accessed our website (referrer); information about the browser and plugins used; which operating system and screen resolution are used; the time spent on our website and the pages selected from the subpage viewed. In doing so, we anonymise your data. If you wish to deactivate these cookies, please click below:

2.4.5. Data processing when using Facebook.

(1) We use the above-mentioned social media site. It is provided by: Facebook Inc., 1601 S. California Avenue, Palo Alto, CA 94304, USA. If you are based outside of the USA and/or Canada, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland is responsible. We neither have an influence on the data collected or the data processing operations, nor do we know the full scope of the data collection, the purpose of the processing or the retention periods. Furthermore, we do not have any information on the deletion of the data collected by this provider. When you click on our company pages, it is possible that the provider may save your data as a user profile and use it for advertising and market research purposes and/or to configure their website according to their needs. You have the right to object to the creation of such a user profile, whereby in order to exercise said right you must contact the provider. You can find the provider's privacy policy here: https://www.facebook.com/policy.php.

(2) To the extent we are able to influence the data processing, the purpose of such processing is to present our company, to analyse your usage behaviour in terms of your interaction with our company page on the social media site and to communicate with you via this platform (if applicable, for advertising purposes).

(3) The categories of personal data that we process depend on the specific use of this social media site, as described in paragraph 4.

(4) In addition to our general statements regarding the legal basis, we also wish to inform you of the following: if you have your own profile on this social media site, the legal basis is your consent within the meaning of Article 6(1)(a) GDPR, which you have granted to the social network provider. In all other cases, the legal basis is Article 6(1)(f) GDPR, according to which your data may be processed provided that it is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require the protection of personal data, in particular where the data subject is a child. It is in our economic interest to provide links to our company webpages, whereby you click on such links yourself and of your own free will. In all other respects the provider is responsible.

(5) If and insofar as we analyse visitor interaction with our company page, in this respect we are jointly responsible with Facebook under data protection law, in accordance with Article 26 GDPR. If and insofar as we instruct Facebook to process data for us beyond this, we are considered to be a controller within the meaning of Article 28 GDPR. These data processing operations are not precluded by the fact that the data, where applicable, is processed by a provider outside of the European Union. This is because your personal data is only processed by this tool if you agree to the associated data transfer to the USA (see Article 49(1)(a) GDPR). This applies to us if we control the data processing. Please ensure that you read our risk warnings beforehand (see General Part/Special situation: consent to data transfer to third country entities based in the USA, including risk warnings). If the provider controls the processing (for example, if your visit to the social network is not the result of an action on our website), we do not transfer any data to the USA, so we do not need to provide any further guarantee within the meaning of Article 44 et seq. GDPR. Here, in any case, there is a relationship between us and the provider of the social network within the meaning of Article 26 GDPR.

(6) We also wish to notify you of the following regarding data processing:

  • We have a company page on this social network and, where applicable, analyse the following: whether and how you have visited said company page; whether and how you react to our posts on social networks; and whether and how you communicate with us via the channels provided there. In this respect, the consent that you have given to this provider applies.
  • Furthermore, we have provided a link to our company page on this provider’s platform on our website. If you click on this link, you will access our profile. In view of such processing we refer to our previous statements regarding visiting our company page hosted by this provider.
  • We also use Facebook Ads.
    • With the help of this advertising tool (Facebook Ads) on Facebook we can draw attention to our attractive offers. In relation to advertising campaign data, we can find out how successful the individual advertising measures are. This enables us to follow your interests, show you advertising that is relevant to you, make our website more interesting for you and calculate advertising costs fairly.
    • The advertising media is supplied by the provider. If you access our website via an advertisement that the provider has shown you, the tool will save a cookie on your PC. This cookie is not intended to identify you personally. The analysis values saved by this cookie may include: the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant to post-view conversions) and opt-out information (sign that the user no longer wants to be addressed).
    • Through the tool, your browser automatically creates a direct link to the provider’s server. We have no influence on the scope and further use of the data collected when using this tool and therefore inform you accordingly of what we know: through the integration of this tool’s advertising media, the provider is able to receive the information that you have viewed the corresponding part of our website or have clicked on one of our adverts. If you have registered for a service offered by this provider, they can associate the visit with your account. Even if you have not registered with this provider or have not logged in, there is a chance that the provider might acquire and save your IP address.
    • You can prevent such tracking as follows:
      • by using the corresponding settings in your browser software – in particular rejecting third-party cookies prevents you from seeing advertisements from third-party providers
      • by deactivating the cookies
    • In this respect, we have engaged the provider in accordance with Article 28 GDPR.
    • You can find out more about how these ads work and the associated data processing at: https://facebook.com/business/ads

2.4.6. Data processing when using LinkedIn.

(1) We use the above-mentioned social media site. It is provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. We neither have an influence on the data collected or the data processing operations, nor do we know the full scope of the data collection, the purpose of the processing or the retention periods. Furthermore, we do not have any information on the deletion of the data collected by this provider. When you click on our company pages, it is possible that the provider may save your data as a usage profile and use it for advertising and market research purposes and/or to configure their website according to their needs. You have the right to object to the creation of such a user profile, whereby in order to exercise said right you must contact the provider. You can consult the provider's privacy policy here: https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv.

(2) To the extent we are able to influence the data processing, the purpose of such processing is to present our company, to analyse your usage behaviour in terms of your interaction with our company page on the social media site and to communicate with you via this platform (if applicable, for advertising purposes). The categories of personal data that we process depend on the specific use of this social media site, as described in paragraph 4.

(3) In addition to our general statements regarding the legal basis, we also wish to inform you of the following: if you have your own profile on this social media site, the legal basis is your consent within the meaning of Article 6(1)(a) GDPR, which you have granted to the social network provider. In all other cases, the legal basis is Article 6(1)(f) GDPR, according to which your data may be processed provided that it is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child. It is in our economic interest to provide a link to our company pages, whereby you click on such links yourself and of your own free will. Furthermore, the provider is responsible.

(4) If and insofar as we analyse visitor interaction with our company page, in this respect we are jointly responsible with this provider under data protection law, in accordance with Article 26 GDPR. If and insofar as we instruct this provider to process data for us beyond this, we are considered to be a controller within the meaning of Article 28 GDPR. These data processing operations are not precluded by the fact that the data, where applicable, is processed by a provider outside of the European Union, as the case may be in collaboration with LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA. This is because your personal data is only processed by this tool if you agree to the associated data transfer to the USA (see Article 49(1)(a) GDPR). This applies to us if we control the data processing. Please ensure that you read our risk warnings beforehand (see General Part/Special situation: consent to data transfer to third country entities based in the USA, including risk warnings). If the provider controls the processing (for example, if your visit to the social network is not the result of an action on our website), we do not transfer any data to the USA, so we do not need to provide any further guarantee within the meaning of Article 44 et seq. GDPR. Here, in any case, there is a relationship between us and the provider of the social network within the meaning of Article 26 GDPR.

(5) We also wish to notify you of the following regarding data processing:

  • We have a company page on this social network and, where applicable, analyse the following: whether and how you have visited said company page; whether and how you react to our posts on social networks; and whether and how you communicate with us via the channels provided there. In this respect, the consent that you have given to this provider applies.
  • Furthermore, we have linked our company page under this provider to our website. If you click on this link, you will access our profile. In view of such processing we refer to our previous statements regarding visiting our company page hosted by this provider.
  • We also use LinkedIn Ads.
    • With the help of this advertising tool (LinkedIn Ads), we can use this provider's social network to draw attention to our attractive offers. In relation to the advertising campaign data, we can find out how successful the individual advertising measures are. This enables us to follow your interests, show you advertising that is relevant to you, make our website more interesting for you and calculate advertising costs fairly.
    • The advertising media is supplied by the provider. If you access our website via an advertisement that this provider has shown you, the tool will save a cookie on your PC. Such cookie is not intended to identify you personally. The analysis values saved by this cookie may include: the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant to post-view conversions) and opt-out information (sign that the user no longer wants to be addressed).
    • Through the tool, your browser automatically creates a direct link to the provider’s server. We have no influence on the scope and further use of the data collected when using this tool and therefore inform you accordingly of what we know: through the integration of this tool’s advertising media, the provider is able to receive the information that you have viewed the corresponding part of our website or have clicked on one of our adverts. If you have registered for a service offered by this provider, they can associate the visit with your account. Even if you have not registered with this provider or have not logged in, there is a chance that the provider might acquire and save your IP address.
    • You can prevent such tracking as follows:
      • by using the corresponding settings in your browser software – rejecting third-party cookies in particular prevents you from seeing advertisements from third-party providers
      • by deactivating the cookies
    • You can see further information on how these ads work and the associated data processing at: https://business.linkedin.com/marketing-solutions/ads.

2.4.7. Data processing when using Xing.

(1) We use the above-mentioned social media site. It is provided by New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. We neither have an influence on the data collected or the data processing operations, nor do we know the full scope of the data collection, the purpose of the processing or the retention periods. Furthermore, we do not have any information on the deletion of the data collected by this provider. When you click on our company pages, it is possible that the provider may save your data as a usage profile and use it for advertising and market research purposes and/or to configure their website according to their needs. You have the right to object to the creation of such a user profile, whereby in order to exercise said right you must contact the provider. You can consult the provider's privacy policy here: https://privacy.xing.com/en/privacy-policy. You can find out more about how this provider protects your data here: https://privacy.xing.com/en.

(2) To the extent we are able to influence the data processing, the purpose of such processing is to present our company, to analyse your usage behaviour in terms of your interaction with our company page on the social media site and to communicate with you via this platform (if applicable, for advertising purposes). The categories of personal data that we process depend on the specific use of this social media site, as described in paragraph 4.

(3) In addition to our general statements regarding the legal basis, we also wish to inform you of the following: if you have your own profile on this social media site, the legal basis is your consent within the meaning of Article 6(1)(a) GDPR, which you have granted to the social network provider. In all other cases, the legal basis is Article 6(1)(f) GDPR, according to which your data may be processed provided that it is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child. It is in our economic interest to provide a link to our company pages, whereby you click on such links yourself and of your own free will. Otherwise, the provider is responsible.

(4) If and insofar as we analyse visitor interaction with our company page, in this respect we are jointly responsible with this provider under data protection law, in accordance with Article 26 GDPR.

(5) We also wish to notify you of the following regarding data processing:

  • We have a company page on this social network and, where applicable, analyse the following: whether and how you have visited said company page; whether and how you react to our posts on social networks; and whether and how you communicate with us via the channels provided there. In this respect, the consent that you have given to this provider applies.

2.4.8. Data processing when using Twitter.

(1) We use the above-mentioned social media site. It is provided by Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland. We neither have an influence on the data collected or the data processing operations, nor do we know the full scope of the data collection, the purpose of the processing or the retention periods. Furthermore, we do not have any information on the deletion of the data collected by this provider. When you click on our company pages, it is possible that the provider may save your data as a usage profile and use it for advertising and market research purposes and/or to configure their website according to their needs. You have the right to object to the creation of such a user profile, whereby in order to exercise said right you must contact the provider. You can consult the provider's privacy policy here: https://twitter.com/en/privacy.

(2) To the extent we are able to influence the data processing, the purpose of such processing is to present our company, to analyse your usage behaviour in terms of your interaction with our company page on the social media site and to communicate with you via this platform (if applicable, for advertising purposes). The categories of personal data that we process depend on the specific use of this social media site, as described in paragraph 4.

(3) In addition to our general statements regarding the legal basis, we also wish to inform you of the following: if you have your own profile on this social media site, the legal basis is your consent within the meaning of Article 6(1)(a) GDPR, which you have granted to the social network provider. In all other cases, the legal basis is Article 6(1)(f) GDPR, according to which your data may be processed provided that it is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in particular where the data subject is a child. It is in our economic interest to provide a link to our company pages, whereby you click on such links yourself and of your own free will. Otherwise, the provider is responsible.

(4) If and insofar as we analyse visitor interaction with our company page, in this respect we are jointly responsible with this provider under data protection law, in accordance with Article 26 GDPR. If and insofar as we instruct this provider to process data for us beyond this, we are considered to be a controller within the meaning of Article 28 GDPR. These data processing operations are not precluded by the fact that the data, where applicable, is processed by a provider outside of the European Union, as the case may be in collaboration with Twitter, Inc., 1355 Market Street #900, San Francisco, California 94103 USA. This is because your personal data is only processed by this tool if you agree to the associated data transfer to the USA (see Article 49(1)(a) GDPR). This applies to us if we control the data processing. Please ensure that you read our risk warnings beforehand (see General Part/Special situation: consent to data transfer to third country entities in the USA, including risk warnings). If the provider controls the processing (for example, if your visit to the social network is not the result of an action on our website), we do not transfer any data to the USA, so we do not need to provide any further guarantee within the meaning of Article 44 et seq. GDPR. Here, in any case, there is a relationship between us and the provider of the social network within the meaning of Article 26 GDPR.

(5) We also wish to notify you of the following regarding data processing:

  • We have a company page on this social network and, where applicable, analyse the following: whether and how you have visited said company page; whether and how you react to our posts on social networks; and whether and how you communicate with us via the channels provided there. In this respect, the consent that you have given to this provider applies.
  • Furthermore, we have linked our company page under this provider to our website. If you click on this link, you will access our profile. In view of such processing we refer to our previous statements regarding visiting our company page hosted by this provider.

2.4.9. Data processing when using Google Ads.

(1) We use the above-mentioned social media application. It is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043. If you are based within the European Economic Area, your data is also processed by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. You can consult the provider's privacy policy here: https://policies.google.com/privacy?fg=1.

(2) To the extent we are able to influence the data processing, the purpose of such processing is to present our company, to analyse your usage behaviour in terms of your interaction with our company page on the social media site and to communicate with you via this platform (if applicable, for advertising purposes). This means of advertising is supplied by Google via ad servers. We use ad server cookies via which the specific parameters for measuring success such as inclusion of the advertisements or clicks by the user can be measured. If you access our website via a Google advertisement, Google Ads will save a cookie on your PC. Usually these cookies become invalid after 30 days and are not intended to identify you personally. Alongside this cookie, as a rule, the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant to post-view conversions) and opt-out information (sign that the user no longer wants to be addressed) are saved as analysis values. These cookies enable Google to recognise your Internet browser. If a user visits certain pages on the website of an Ads customer and the cookie saved on their computer has not yet expired, Google and the customer can see that the user has clicked on the advertisement and was redirected to this site. Each Ads customer is assigned a different cookie. This means that cookies cannot be tracked by Ads customer websites. We ourselves do not collect or process any personal data in the above-mentioned advertising channels. We merely receive statistical analyses from Google. Based on these analyses, we can see which of the advertising measures used are the most effective. We do not receive any further data from the use of the advertising materials and, in particular, we cannot identify users based on this information. Through the marketing tools used, your browser automatically creates a direct link to the Google server.
We have no influence on the scope and further use of the data collected by Google when the tool is used and therefore inform you accordingly of what we know: Including ads enables Google to be informed that you have viewed the corresponding part of our website or have clicked on one of our adverts. If you have registered for a service offered by Google, Google can associate the visit with your account. Even if you have not registered with Google or have not logged in, there is a chance that the provider might acquire and save your IP address.

(3) You can prevent such tracking as follows: a) by using the corresponding settings in your browser software – rejecting third-party cookies in particular prevents you from seeing advertisements from third-party providers; b) deactivating conversion tracking cookies by adjusting your browser settings so that cookies from the domain “www.googleadservices.com” are blocked, https://www.google.com/settings/ads, although this setting is deleted when you delete your cookies; c) by deactivating interest-related advertisements from the provider, which are part of the “About Ads” self-regulation campaign, via the link http://www.aboutads.info/choices, although this setting is deleted when you delete your cookies; d) by permanently deactivating it in your Firefox, Internet Explorer or Google Chrome browser via the link http://www.google.com/settings/ads/plugin. In this case, we wish to point out that some functions may no longer be available.

(4) These data processing operations are not precluded by the fact that the data, where applicable, is processed by a provider outside of the European Union; as the case may be, in collaboration with Google LLC. This is because you have expressly given your consent to the transfer of the data to the USA (Article 49(1)(a) GDPR). Please ensure that you read our risk warnings beforehand under “General Part/Special situation: consent to data transfer to third country entities based in the USA, including risk warnings.”

2.4.10. Data processing when using YouTube.

(1) We use the above-mentioned video platform or video portal on our website. It is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043. If you are based within the European Economic Area, your data is also processed by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. You can consult the provider's privacy policy here: https://policies.google.com/privacy?fg=1.

(2) Here is a brief description of this processing operation: plugins from the YouTube video portal are embedded on our website. When viewing a page on which one or more YouTube video clips are embedded, a direct link is created between your browser and a YouTube server. These videos are all embedded in “extended data protection mode”. No data about you as a user are transferred to YouTube if you do not play any videos. The data mentioned in paragraph 3 are only transferred if you play the videos. We do not have any influence over this data transfer. If you use a Google account and do not wish your profile to be associated with YouTube, you must log out before pressing the button.

(3) Here, as a rule, we process the following aspects of your data: when you visit the website, YouTube receives the information that you have viewed the corresponding subpage of our website. This happens regardless of whether YouTube provides a user account that you have logged into or whether there is no user account. If you are logged into Google, your data will be directly associated with your account. YouTube saves your data as a usage profile and uses them for advertising and market research purposes and/or to configure its website according to requirements. Such an analysis is particularly carried out (even for users who are not logged in) to produce tailored advertising and to inform other users of the social website about your activities on our website. You have the right to object to the creation of such a user profile, whereby in order to exercise said right you must contact YouTube. You can see further information on the purpose and scope of data collection and processing by YouTube in the privacy policy. There you will also receive further information regarding your rights and setting options to protect your privacy: https://policies.google.com/privacy?hl=en-GB&gl=en.

(4) We also have a company page with this provider. If you interact with this company page, it is possible that the provider might process your data as described in paragraph 3.

(5) These data processing operations are not precluded by the fact that the data, where applicable, is processed by a provider outside of the European Union; as the case may be, in collaboration with Google LLC. This is because you have expressly given your consent to the transfer of the data to the USA (Article 49(1)(a) GDPR). Please ensure that you read our risk warnings beforehand under “General Part/Special situation: consent to data transfer to third country entities based in the USA, including risk warnings.”

2.4.11. Data processing when using Vimeo.

(1) We use the above-mentioned video platform or video portal on our website. It is provided by Vimeo, LLC, 555 West 18th Street, New York, New York 10011, USA. You can see the provider's privacy policy here: https://vimeo.com/privacy.  

(2) Here is a brief description of this processing operation: plugins from the Vimeo video portal are embedded on our website. Each time you visit a page on which one or more Vimeo video clips are embedded, a direct link is created between your browser and a Vimeo server in the USA.

(3) When using Vimeo we process the following data: information about your visit and IP address are saved. By interacting with the Vimeo plugin (e.g. by clicking on the play button), this information is also transferred to Vimeo and stored there. Furthermore, Vimeo calls up the tracker Google Analytics via an iFrame in which the video is viewed. This tracking is carried out by Vimeo and we do not have access to it. 

(4) We also have a company page with this provider. If you interact with this company page, it is possible that the provider might process your data as described in paragraph 3.

(5) These data processing operations are not precluded by the fact that the data, where applicable, is processed by a provider outside of the European Union; this is because you have expressly given your consent to the transfer of the data to the USA (Article 49(1)(a) GDPR). Please ensure that you read our risk warnings beforehand under “General Part/Special situation: consent to data transfer to third country entities based in the USA, including risk warnings.”

2.4.12. Data processing when using Sendinblue.  

(1) We use the above-mentioned marketing automation service provider. It is provided by Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin. You can find out how this provider protects your data here: https://sendinblue.com/legal/privacypolicy/ and here: https://www.sendinblue.com/gdpr/.    


(2) Here, as a rule, we process the following aspects of your data: all data that we use for advertising, as previously described in this privacy policy.
 

2.5.1. General information on the purpose and legal basis of the processing operations described below.

(1) The purpose of the processing operations described below is to enter into, perform and/or terminate contracts and, where applicable, legal relationships that are free of charge such as the use of a login area.

(2) The legal basis for the corresponding data processing is Article 6(1)(b) GDPR. According to this provision, the processing of your personal data is also permitted without your consent if such processing is required in order to perform a contract to which you are a contractual party or to undertake pre-contractual measures.

(3) No profiling takes place unless expressly mentioned below.

2.5.2. General information on the data retention period within the scope of the processing operations described below.

(1) We save the data if it is required to be able to enter into, perform and, where applicable, to terminate the contract.

(2) If we enter into a contractual relationship with you (including a user relationship with our login area), we save the data for the duration of the contract and until our legal retention periods expire. The legal basis is Article 6(1)(c) GDPR, Sections 131 and 132 of the Austrian Tax Code and Section 212 of the Austrian Commercial Code (UGB). Where applicable, we are obliged to retain:

  1. Your personal data contained in books and records under Sections 131 and 132 of the Austrian Tax Code for seven years, whereby the retention period as a rule starts at the end of the calendar year in which the applicable document was created (Article 6(1)(c) GDPR in conjunction with Section 132 of the Austrian Tax Code)
  2. Your personal data contained in books, inventories, opening balances, annual accounts including management reports, consolidated accounts including group management reports, business letters received, copies of business letters sent and receipts for bookings in the books that we are obliged to keep in accordance with Section 190 of the Austrian Commercial Code for seven years, whereby the retention period generally starts at the end of the calendar year in which the applicable document was created (Article 6(1)(c) GDPR in conjunction with Section 212 of the Austrian Commercial Code).

2.5.3. What happens when you register and use the login area?

(1) Our website also contains a login area which is reserved for use by medical experts, which in Austria include doctors, pharmacists and qualified nurses, among others; in accordance with the Austrian Medicinal Products Act (AMG) we are obliged to provide access to information on prescription medicines and medical information exclusively to medical experts and only in a password-protected area. If you register to access the login area as a medical expert, we will collect the data that you provide during the registration process.

2.5.4. Internal area with DocCheck® registration

(1) Here is a brief description of this processing operation: on our website you have the option of registering to use an internal area and then logging in and eventually logging out again. When you register to access the internal area, we will collect the data that you provide during the registration process. Within the internal area, we log your actions insofar as this is necessary for the contractual relationship. When you log out, we delete the data, provided that there is no retention period (see our statements above under “General information on the data retention period within the scope of the processing operations described below”).

(2) The log in to the internal area takes place via DocCheck® as we are only permitted to provide access to the information on medicinal products available there to medical and pharmaceutical professionals. To do this, you must have previously registered as a user with DocCheck®, independently from us and our website. This service is provided by DocCheck Medical Services GmbH, Vogelsanger Straße 66, 50823 Cologne. When using DocCheck, the agreements between you and DocCheck regarding data protection under the DocCheck privacy policy apply: https://more.doccheck.com/en/privacy/ .

Your login data will be verified directly on DocCheck servers; we are unable to read this data. We do not receive any personal data about you as a user of DocCheck, unless you have explicitly given your consent to the transfer of such data (e.g. under “DocCheck Personal”).

2.6.1. General information on the purpose and legal basis of the processing operations described below.

(1) The purpose of the processing operations listed below is described separately for each tool. This is a significant reason for our legitimate interest in this processing.

(2) The legal basis for the corresponding data processing is Article 6(1)(f) GDPR. According to this provision, the processing of your personal data is also permitted without your consent if it is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

(3) No profiling takes place unless expressly mentioned below.

2.6.2. General information on the data retention period within the scope of the processing operations described below.

(1) We save the data until our purpose ceases to apply, which is always the case if you have raised a justified objection (see “Information on the right to object.”).  

(2) If we enter into a contractual relationship subsequent to processing, which is based on legitimate interest, we will save the data until our legal retention period comes to an end. The legal basis is Article 6(1)(c) GDPR, Sections 131 and 132 of the Austrian Tax Code and Section 212 of the Austrian Commercial Code (UGB). Where applicable, we are obliged to retain:

  1. Your personal data contained in books and records under Sections 131 and 132 of the Austrian Tax Code for seven years, whereby the retention period as a rule starts at the end of the calendar year in which the applicable document was created (Article 6(1)(c) GDPR in conjunction with Section 132 of the Austrian Tax Code)
  2. Your personal data contained in books, inventories, opening balances, annual accounts including management reports, consolidated accounts including group management reports, business letters received, copies of business letters sent and receipts for bookings in the books that we are obliged to keep in accordance with Section 190 of the Austrian Commercial Code for seven years, whereby the retention period as a rule starts at the end of the calendar year in which the applicable document was created (Article 6(1)(c) GDPR in conjunction with Section 212 of the Austrian Commercial Code).

2.6.3. Information on the right to object.

(1) If in this privacy policy we base data processing on Article 6(1)(f) GDPR, that is, for the purposes of legitimate interests, you have the right to object to such processing at any time. You can do this by contacting us via the contact details under the Section “Controller”. If the objection is justified, we will stop processing.

(2) If the legitimate interest is based on interest in direct advertising or marketing, your objection is always justified if you are identified.

2.6.4. Use of the website for information purposes.

(1) If you only use our website for information purposes, that is, if you neither register as a user nor transfer information otherwise, we will collect the following data from you: IP address; date and time of the enquiry; time zone difference from Greenwich Mean Time (GMT); contents of the request (specific page); access status/HTTP status code; the amount of data transferred; website from which the request is sent; browser, operating system and its interface, language and browser software version. We obtain this data directly from your browser using cookies.

(2) The purpose of this processing is to make our website available and to perform statistical analysis.

2.6.5. Data processing when handling your data protection enquiries.

(1) You have the right to assert a data protection claim against us (see above under Section 1.6 – “What are your rights?”). If you do this, we will receive and process your request and reply to you. Contrary to the above-mentioned information regarding the retention period, we will save the data until 31 December of the third calendar year after the year in which you made your request. This follows from Article 6(1)(f) GDPR in conjunction with the relevant provisions regarding the limitation period under civil law.

(2) In this case, as a general rule, we process the following aspects of your data: your contact details and all data required to process your request.

2.6.6.  How do we use Adobe Typekit?

(1) On our website we use external fonts by means of Adobe Typekit. This is a service provided by Adobe Systems Inc, 345 Park Avenue San Jose, California 95110-2704, USA. You can see general information on how the service provider processes data in Adobe’s privacy policy at: https://www.adobe.com/privacy/policy.html (Adobe). When you visit our website, your browser uploads the necessary fonts directly from Adobe so that they are displayed correctly on your end device. When the link to Adobe is created, Adobe is informed that our website has been viewed from your IP address. The service provider declares that it neither sets nor uses cookies on websites in order to provide its fonts. You can see detailed information about this, such as how they are used as well as whether and to whom the service provider passes data when Adobe Typekit is used at: https://www.adobe.com/privacy/policies/adobe-fonts.html (Adobe Typekit). The use of this service is not precluded by the fact that the provider is based outside of the EU as the provider has committed to complying with the standard contractual clauses. The purpose of the processing and therefore the object of our legitimate interest is to enable optimum provision of our services without any technical hitches and particularly to guarantee a uniform font on our website.

2.6.7. How do we use Inova software?

(1) We use the software tool “Inova”. It is provided by Inova Software SA (INOVA), 50, cours de la République, Immeuble les Gémeaux 2, 69100 Villeurbanne, France. You can find out more about how this provider protects your data at: https://inova.io/security-and-performance/ and https://inova.io/privacy/. We use this tool to establish contact and communicate with you and, where applicable, to form a business relationship.

We carefully selected Inova as a provider. We then engaged the provider in accordance with Article 28(3) GDPR and will also audit them in the future with or without cause. This provider exclusively processes your data according to our instructions. With regard to the details, we refer to the above statements.

2.6.8. Transient cookies.

(1) We use transient cookies on our website. These particularly include session cookies. These cookies save a session ID which enables different requests from the visitor’s browser to be assigned to the same session. This enables the visitor’s computer to be recognised when the visitor returns to the website.

(2) The purpose, which also gives rise to our legitimate interest, can be described as follows: cookies enable the website to be viewed and used correctly.

(3) Here, we may process the following aspects of your data: session cookies. These cookies save a session ID which enables different requests from your browser to be assigned to the same session. This enables your computer to be recognised when you return to the website. Session cookies are deleted when you log out or close the browser.

3. INFORMATION FOR APPLICANTS

3.1.1. In the application stage we collect the data that you provide, which generally includes: your name; your contact details; additional data from your application; and where necessary what we find out from the interview and the trial working day. The legal basis for this is Article 6(1)(b) GDPR, according to which the processing of application data is permitted even without the applicant’s consent if it is needed in order to make a decision on the establishment of an employment relationship.

3.1.2. In the event that we form an employment relationship, we will save your application data until the end of the legal retention periods. Said retention periods are as follows:

Data category: Retention period
Data concerning income tax and the obligation to pay, Section 132(1) of the Austrian Tax Code: 7 years
Data concerning the obligation to pay social security contributions, Section 68 of the General Social Security Act (ASVG): 3 or 5 years
Liability for severance pay claims and company pensions following transfer of business, Section 6(2) of the Employment Contract Law Harmonization Act (AVRAG): 5 years
Records and reports of work accidents, Section 16 of the Internal Protection Law for Employees (ASchG): 5 years
Report on the provision of personnel, Section 13(3) Law on Temporary Employment (AÜG): 5 years
Data concerning your right to the issue of a recommendation, Section 1478 General Civil Code (ABGB): until you waive your right or otherwise 30 years

3.1.3. In the event that an employment relationship is regrettably not established, we save your application data for six months after rejection. The legal basis for this is Article 6(1)(f) GDPR. According to this provision, processing is permitted for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. We derive our legitimate interest from Section 15(1) of the Act on Equal Treatment (GIBG). According to this provision, any claim for damages based on the GIBG must be asserted within a period of six months. This period begins during the application process from the moment of rejection. From our point of view, if we are not made aware of any complaint six months after rejection, we shall assume that there is none and that we may save the data until then in order to protect our legitimate interests (defence against any claim for damages). Should you claim the prohibition of discrimination has been violated, we may save the data until proceedings are over – also to protect our legitimate interests (defence against a claim for damages).

3.1.4. If we receive your consent, we will save your data until you withdraw your consent, which you may do at any time effective for the future (see Section 1.1 above – “Who are we?”).

3.1.5. There is no legal obligation to collect this data in the application stage. However, it is possible that the lack of a piece of data or all data may result in it being requested again or in the event of a permanent lack of such data recruitment may be impossible.

The “Careers” area of our website includes an area in which you can apply to the jobs listed there if you are interested in working for our company.

In this area of our website we use the recruiting tool “jobbase.io”, which is provided by Prescreen International GmbH, Mariahilfer Straße 17, 1060 Vienna, https://prescreen.io/en/. We carefully selected this provider and entered into a contract data processing agreement with them pursuant to Article 28 GDPR. You can also find details on the legal and technical framework conditions at https://prescreen.io/en/features/information-on-integration/.

Both for any applications received via this recruiting tool and any other, where applicable, unsolicited applications received via other contact channels, we refer to the other statements in this policy.

4. INFORMATION FOR EMPLOYEES

4.1.1. During and after the formation of the employment relationship we may collect the following data: name; surname; maiden name; date of birth; place of birth; country of birth; contact details; health status (particularly with regard to any disabilities); nationality; gender; social security number (where applicable, social security ID); marital status; employee number (social security fund); staff number; start date; place of work; job title; job description; status; main/secondary job; tax registration data; account details; health insurance; doctor’s certificate information; work email address; work mobile; access data to different clients and hardware. The legal basis for this is Article 6(1)(b) GDPR, according to which the processing of employee data is permitted even without the employee’s consent if it is needed in order to maintain or terminate the employment relationship.

4.1.2. We will save your data – as far as necessary – for the entire duration of your employment relationship, however in any case until the relevant legal retention period expires. Such retention periods are as follows:

Data category: Retention period
Data concerning income tax and the obligation to pay, Section 132(1) of the Austrian Tax Code: 7 years
Data concerning the obligation to pay social security contributions, Section 68 of the General Social Security Act (ASVG): 3 or 5 years
Liability for severance pay claims and company pensions following transfer of business, Section 6(2) of the Employment Contract Law Harmonization Act (AVRAG): 5 years
Records and reports of work accidents, Section 16 of the Internal Protection Law for Employees (ASchG): 5 years
Report on the provision of personnel, Section 13(3) Law on Temporary Employment (AÜG): 5 years
Data concerning your right to the issue of a recommendation, Section 1478 General Civil Code (ABGB): until you waive your right or otherwise 30 years

4.1.3. Furthermore, in reference to provisions under labour and employment law, we are obliged to collect the above-mentioned data. Consequently, if this data is missing, it may mean that we are unable to maintain a proper working relationship with you.

4.2.1. We may ask to take or use a photograph of you. If you agree to this, we will take the photograph, link it to your name and may publish it on any one of our websites or Intranet sites, on social networks and in printed materials such as company brochures.

4.2.2. The legal basis for this, where applicable, is your consent in accordance with Article 6(1)(a) GDPR, which you may withdraw at any time effective for the future; you can do this by contacting us via any one of the above-mentioned contact channels (see Section 1.1 above – “Who are we?”).

4.2.3. This processing is not precluded by the prohibition in accordance with Article 9(1) GDPR since we, among other things, ensure that your consent also includes permission to process data within the meaning of Article 9(1) GDPR, so that the exception under Article 9(2)(a) GDPR applies in this respect.

We have appointed an external tax consultancy firm for the purposes of tax recording, payroll accounting and other tax-related activities. Insofar as data is processed by this firm, this does not constitute commissioned data processing but a transfer of functions which is justified by Article 6(1)(f) GDPR. With regard to your rights to object, we refer to Section 1.6 – “What are your rights?”.

4.4.1. We process data regarding the start and end of and any interruption to your daily working hours as well as break times, and link this information to your name.

4.4.2. The legal basis for this is Article 6(1)(c) GDPR.

4.4.3. We save this information until the end of the corresponding retention period (see Section 4.1.2 above).

4.5.1. We offer you the option to participate in a workplace pension scheme. Within this context, we use the FINABRO company portal application, which is provided by FINABRO GmbH, Liechtensteinstraße 55/8, 1090 Vienna (Austria), whom we have engaged to carry out processing in accordance with Article 28 GDPR. You can find out more here: https://www.finabro.at and here: https://www.finabro.at/bav/unternehmen/. Here, we process all data required to perform, enter into and terminate the legal relationship and provide the workplace pension scheme, including your name and address, data relevant to your salary account, and your employment status.

4.5.2. The legal basis for this is Article 6(1)(a) GDPR, therefore solely your consent, which you may withdraw at any time by contacting us via any of the above-mentioned contact channels (see Section 1.1 above – “Who are we?”).

We save this information until the end of the corresponding retention period (see Section 4.1.2 above) or until you withdraw your consent, whichever comes first.

4.6.1. We use the tool “Adobe Sign”, which is provided by: Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24 (Ireland). Further contact information here: https://www.adobe.com/de/about-adobe/impressum.html. Here is a brief description of this processing operation: when you request access to our products, we may obtain your signature via this signature provider. We have engaged this provider in accordance with Article 28 GDPR. You can consult this provider's privacy policy here: https://www.adobe.com/privacy.html. You can find out more about how this provider protects your data here: https://www.adobe.com/de/privacy/policies-business/esign.html.  

4.6.2. Here, we may process the following aspects of your data: we use this provider to document your signature and the time that the signature was provided. You can find out more about how they process information at: https://acrobat.adobe.com/sign.html and under the subheading “Purchasing products and/or booking services”.

4.6.3. The provider is a subcontractor of Adobe Inc., San Francisco, 345 Park Avenue, San Jose, California 95110 (USA). This subcontracting is not precluded by the fact that the subcontractor processes the data outside of the EU. This is because your personal data linked with the provision of your signature on this website will only be processed if you agree to the associated data transfer to the USA (see Article 49(1)(a) GDPR). Please ensure that you read our risk warnings beforehand (see General Part/Special situation: consent to data transfer to third country entities based in the USA, including risk warnings).

5. INFORMATION FOR CUSTOMERS/SUPPLIERS

5.1.1. During initial contact we collect the data that you provide. We may collect the following: name; contact details; data related to the offer where applicable; data relating to your position in your or your employer’s company where applicable. Only you know the reason for such contact – the reaction to this is specific to the purpose of the processing. If it is a matter of a specific contractual relationship, whether it is related to its initiation, performance or termination, the legal basis for processing is Article 6(1)(b) GDPR. In this case, we will save the data in any event until the end of the legal retention period, which is as a rule seven years. In all other cases, the legal basis is Article 6(1)(f) GDPR, according to which personal data may be processed even without the consent of the individual concerned if such processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Communication outside of a contractual relationship is in our mutual interest. We will save your data until the purpose derived from the legitimate interest is fulfilled.

5.1.2. Should we enter into a contractual relationship, then we will process your data for the purpose of performing and, where applicable, terminating the contractual relationship. As a rule, this particularly involves data related to the contract. In this respect, the legal basis for processing is Article 6(1)(b) GDPR. In this case, we will save the data in any event until the end of the legal retention period, which is as a rule seven years.

5.2.1. We will use the above-mentioned data (see Section 5.1 above – “How do we process your data during and after initial contact?”) and communication content related to the contract to send you marketing materials. Our marketing approach involves all communication channels that you have provided details for. In terms of content, when exercising our specific line of business, the marketing materials include all statements made by us with the aim of promoting the sale of our goods or the delivery of our services. These particularly include but are not limited to the following: regular and sporadic newsletters; invitations; customer satisfaction surveys; and offers for specific products and services.

5.2.2. The legal basis for this is Article 6(1)(f) GDPR. According to this provision, we are able to process your data if it is necessary for the purposes of the legitimate interests pursued by us, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data. Our legitimate interest is our interest in direct marketing as described in Section 5.2.1. The fact that our interest in direct marketing is creditable within the scope of Article 6(1)(f) GDPR is clarified at the end of recital clause 47 of the General Data Protection Regulation. This states that: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Furthermore, we derive our interests from the fact that we were in a legal relationship or still are in such a relationship, where applicable, meaning that at present you widely expect to receive marketing materials. Your interests are adequately protected as we hereby fully inform you of and acknowledge your unconditional right to object, and have set up the necessary technical procedures for this purpose. You have the right to object to this processing at any time by contacting us via any one of the above-mentioned contact channels (see Section 1.1 above – “Who are we?”) or by clicking on the unsubscribe link at the end of any marketing message that you receive from us.

5.2.3. Regarding the retention period, Section 5.1 (“How do we process your data during and after initial contact?”) applies. If you object to processing for marketing purposes, further use of the data for such purposes shall cease.

5.2.4. There is no legal obligation to process such data for marketing purposes.

5.3.1. It is possible that our company or parts of it may undergo changes under company law. In this case, among other things, we have the option to restructure by selling parts of our company (demerger) or by forming a merger with another company. In the event of a demerger, we shall continue to exist as a company, transferring part of our assets to one or more other existing or new legal entities. In the event of a merger, we will transfer our entire company to another existing or newly founded legal entity.

5.3.2. Regardless of the type of change that we decide upon under company law, it is possible that the data we have collected from you will be transferred to the new legal entity – in return for payment where applicable. There is even a chance that this is the main reason for the change under company law and is a significant factor as far as pricing is concerned.

5.3.3. However, your consent is not necessary for the transfer of your data as described under Section 5.3.2. This is because the principle of data protection law that every processing of personal data must be based on consent does not apply to this transfer. This legal principle arising from Article 5(1)(a) GDPR requires your data to be processed. Disclosure by transfer, distribution or another means of provision comes into question here. However, the terms “transfer”, “distribution” and “other means of provision” all imply that the data is sent by the controller – in this case us – to another body. And in the event of a demerger or merger, as far as your data is concerned, the new legal entity would not be a third party within the meaning of Article 4(10) GDPR.

5.4.1. It is possible that our company or parts of it may undergo other changes under company law. In this case, there is the possibility that an asset deal may take place. An asset deal is defined as the acquisition of a company through the transfer of its assets.

5.4.2. If, at the time of transferring your data, we still have contractual obligations which are linked to your use of our products, the processing of your personal data associated with the asset deal is justified by Article 6(1)(f) GDPR. According to this provision, the data processing involved is permitted if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Such an interest in processing is the case here. The question as to whether such an interest exists is to be judged by the purpose of processing and must, on the one hand, take into account legal, economic and idealistic interests and, on the other hand, be broadly interpreted with a view to the basic (union) rights. In this case, it is our interest that the users of our products continue to be served after the asset deal has taken place. This is also consistent with your interests. You can of course object to such processing at any time by contacting us via any one of the above-mentioned contact channels (see Section 1.1 above – “Who are we?”).

5.4.3. If, at the time of transferring your data, we have already fulfilled all contractual duties related to your use of our products, your data will only be transferred if there are any post-contractual obligations or if it is likely that you still have requirements (e.g. service requirements). In this case, the processing of your personal data associated with the asset deal is justified by Article 6(1)(f) GDPR. Here, the interest arises from the fact that if any post-contractual obligations are to be fulfilled or you still have requirements, there is an interest in such a transfer.

5.4.4. We reserve the right to additionally request your consent if other cases of data transfer come into question for the purpose of restructuring under company law. In this respect, we will process data from your contact details known to us in order to request your consent to receiving marketing materials. The legal basis for this processing is Article 6(1)(c) GDPR. According to this provision, we are permitted to process your data when it is necessary in order to fulfil a legal obligation that we are subject to. The legal obligation that we are subject to follows from Article 7(1) GDPR or Article 5(1) GDPR. According to these provisions, we are legally obliged to document the fact that we have obtained your consent. We can only do this if we collect your data for verification purposes. We save the data provided that it is necessary for verification purposes. If you confirm your consent, the retention period will not end until you withdraw your consent or until any claims under civil law expire, which is as a rule after thirty years.

5.5.1. We use the tool “Adobe Sign”, which is provided by: Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24 (Ireland). Further contact information here: https://www.adobe.com/uk/about-adobe/contact/offices.html. Here is a brief description of this processing operation: when you request access to our products, we may obtain your signature via this signature provider. We have engaged this provider in accordance with Article 28 GDPR. You can consult this provider's privacy policy here: https://www.adobe.com/privacy.html. You can find out more about how this provider protects your data here: https://www.adobe.com/privacy/policies-business/esign.html.

5.5.2. In this case, as a general rule, we process the following aspects of your data: we use this provider to document your signature and the time that the signature was provided. You can find out more about how they process information at: https://acrobat.adobe.com/sign.html and under the subheading “Purchasing products and/or booking services”.

5.5.3. The provider is a subcontractor of Adobe Inc., San Francisco, 345 Park Avenue, San Jose, California 95110 (USA). This subcontracting is not precluded by the fact that the subcontractor processes the data outside of the EU. This is because your personal data associated with the provision of your signature on this website will only be processed if you agree to the associated data transfer to the USA (see Article 49(1)(a) GDPR). Please ensure that you read our risk warnings beforehand (see General Part/Special situation: consent to data transfer to third country entities based in the USA, including risk warnings).

6. INFORMATION FOR TEST SUBJECTS

6.1.1. We cannot rule out the possibility of your data being collected and processed within the scope of a clinical trial/test. In this case, there is a possibility that we will process the following:

a) personal data, by which you can be directly identified (e.g. name, maiden name, address, social security number, photographs, etc.)

b) pseudonymised personal data, by which any information that enables a specific individual to be identified is either removed, replaced by a pseudonym or rendered unrecognisable. However, despite complying with these measures, it cannot be fully ruled out that said individual may be able to be inadmissibly identified

c) anonymised data by which any identification of the specific individual can be ruled out

Where necessary, either we or the subcontractors that we appoint (e.g. trial doctors) collect this data directly from you, either by means of an interview, by analysing the medical examinations that you undergo or by analysing medical documents that you have provided us with or which we have obtained from third parties on the basis of a duty of confidentiality and corresponding consent on your part.

6.1.2. We process this data in order to conduct the clinical trial/test. This processing involves collecting, saving, analysing and transferring said data where applicable. In terms of data transfer, the following also applies: access to the data by which you can be directly identified (see 6.1.1 a) is granted to the medical staff involved in the trial/test (e.g. trial doctor and other staff at the test centre).

6.1.3. The legal basis for the processing described under 6.1.1 and 6.1.2 is your consent within the meaning of Article 6(1)(a) GDPR. You can withdraw your consent to the collecting and processing of your data at any time without justification. Once you have withdrawn your consent, no more personal data will be collected. The data collected up to the moment of withdrawal can, however, continue to be processed within the scope of the clinical trial.

6.1.4. We save your data for twenty-five years, with the period starting when the clinical trial ends or is stopped. The legal basis for this is Article 6(1)(c) GDPR in conjunction with Section 46(2) of the Austrian Medicinal Products Act and Article 58 of Regulation (EU) No. 536/2014.

6.2.1. Within the scope of this clinical trial, the transfer of pseudonymised data to countries outside of the EU (third country) is sometimes, but not always, foreseeable.

6.2.2. In these cases, we only transfer the data to controllers or processors who process the data in locations for which the Commission has made an adequacy decision (Article 45 GDPR). If this requirement is not fulfilled, we only transfer the data if the controllers or processors provide appropriate safeguards (Article 46 GDPR), for instance, by agreeing to the EU standard contractual clauses.

6.3.1. In addition to Section 6.1.2, we wish to point out the following: as well as the medical staff involved, both national and international authorised health authorities that are under a duty of confidentiality and the relevant competent ethics committees may search this data provided that it is necessary for ensuring that the clinical trial is being conducted properly and, where necessary, to protect the lives and health of the test/trial participants.

6.3.2. The legal basis is Article 6(1)(c) GDPR in conjunction with the respective, binding legal provision. As a rule, but not always, this will be Article 46(5) of the Austrian Medicinal Products Act.

6.4.1. According to the GDPR, you have basic rights to information, rectification, erasure, restriction of processing, data portability and objection, provided that this does not render impossible or seriously impair the achievement of the objectives of the clinical trial and provided that it is not contradicted by other legal provisions (see “What are your rights?”).

6.4.2. Contrary to Sections 6.3.1 and 1.6, however, the following must be taken into account: based on provisions under the Austrian Medicinal Products Act and Medicinal Devices Act, you do not have the right to deletion of your data processed within the scope of this clinical trial/study as set out in the GDPR. Furthermore, according to the Medicinal Products Act, in the case of a clinical trial, the right to data portability is rendered ineffective. 

7. INFORMATION FOR EVENT PARTICIPANTS

7.1.1. During initial contact we collect the data that you provide. The data collected may include the following: name; contact details; professional details; and event status data. Only you know the reason for such contact; the reaction to this is specific to the purpose of the processing. If it is a matter of a specific contractual relationship, in this case participation in our event, whether it is related to its initiation, performance or termination, the legal basis for processing is Article 6(1)(b) GDPR. In this case, we will save the data until the end of the legal retention period, which in our company is as a rule seven years. In all other cases, the legal basis is Article 6(1)(f) GDPR, according to which personal data may be processed even without the consent of the individual concerned if such processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Communication outside of a contractual relationship is in our mutual interest. We will save your data until the purpose derived from the legitimate interest is fulfilled.

7.1.2. Should we enter into a contractual relationship relating to event participation, then we will process your data for the purpose of performing and where applicable terminating the contractual relationship. As a rule, this involves data relating to the contract in particular. In this respect, the legal basis for processing is Article 6(1)(b) GDPR. In this case, we will save the data until the end of the legal retention period, which in our company is as a rule seven years.

7.2.1. Where necessary, we have appointed our own employees and external service providers to take photographs and/or videos at the event in question. These photographs and/or videos are intended to be published on our website and intranet, in our social network profiles, newsletters and other media, for marketing purposes.

7.2.2. There is no legal obligation to collect this data. If we do not take any photographs and/or videos, this will not affect you.

7.2.3. The legal basis is your consent within the meaning of Article 6(1)(a) GDPR in conjunction with Article 7 GDPR. Before taking any photographs and/or videos, our employees or the employees of the external service provider will expressly ask you for your consent. We will only take a photograph and/or video of you if you agree. We wish to point out that you can withdraw this consent at any time by contacting us via any one of the above-mentioned contact channels (see Section 1.1 above – “Who are we?”).

7.2.4. We also wish to point out that your consent, where applicable, also includes the processing of special categories of personal data within the meaning of Article 9(1) GDPR, meaning that the processing prohibited according to Article 9(1) GDPR does not apply (see Article 9(2)(a) GDPR). 

8. INFORMATION FOR VISITORS TO OUR OFFICES

8.1.1. If you visit our offices, we will collect the following information from you upon arrival: name; surname; email address (optional); mobile number (optional); AOP Orphan contact person; arrival date; arrival time; departure date; and departure time. We may also, if necessary, collect data that serves in the fight against the COVID-19 pandemic and compliance with official requirements. In this case, you will enter the data in an online form (where applicable and if available by scanning a QR code with a mobile end device). We will save the data for up to six months after your respective visit to our office.

 

8.1.2. The legal basis is Article 6(1)(b) GDPR (performance of contract or pre-contractual measures), and for the processing of personal data in connection with the fight against the COVID-19 pandemic the legal basis is Article 6(1)(c) in conjunction with Article 32 GDPR. The provision of personal data is required by contract or by law in connection with the fight against the COVID-19 pandemic. If this data is not provided, our offices cannot be entered.

8.2.1. In this case, we use the following provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 (USA). Further contact options here: https://support.microsoft.com/. Here is a brief description of this processing operation: we have engaged this provider in accordance with Article 28 GDPR. You can consult this provider's privacy policy here: https://privacy.microsoft.com//privacystatement.

 

8.2.2. In this context, we use the tool “Microsoft Forms” to create the form.

 

8.2.3. Engagement of this provider is not precluded by the fact that they are based outside of the EU. This is because the provider has committed to complying with the standard contractual clauses.

9. INFORMATION FOR WHISTLEBLOWERS

9.1.1. We save such (personal) data that you provide via the whistleblower tool (online) or in person. You have the option of submitting your information anonymously or in personalized form.
 

9.1.2. The origin of the data is exclusively information that you have made available to us voluntarily, for example by handing over a business card.


9.1.3. We process the data to fulfill our legal obligations and to contact you if necessary.

9.2.1. The legal basis for the collection, storage and use of the data is Article 6(1)(c) GDPR in conjunction with Directive (EU) 2019/1937, which applies directly until its implementation into Austrian law. In this respect, there is a statutory processing obligation.

9.2.2. Insofar as we keep the information for verification purposes, Article 6(1)(f) GDPR is the legal basis. Our legitimate interest arises from the obligation to follow up and clarify any grievances and to be able to defend ourselves against claims in this context. We will save the data until the end of the relevant retention period under civil law, that is, as a rule, three years after the receipt of your report. The legal basis for this is Article 6(1)(c) GDPR in conjunction with Article 1489 of the General Civil Code (ABGB). In this regard, there is no legal obligation to process such data.

We use the tool “Lexis WhistleComplete”, a service offered by LexisNexis Verlag ARD ORAC GmbH & Co KG (Austria). You can issue your report to this tool, which will enable us to access your report and, in certain cases, allows subcontractors to carry out an initial assessment.