Merz attaches great importance to the protection of personal data.
Merz processes your data in accordance with the data protection provisions set forth in the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), specifically in the version applicable as of 25 May 2018, and in Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR).
A. Responsibility for the processing of your personal data
The data controller that is responsible for the processing of your personal data within the meaning of Art. 4 (7) GDPR is Merz Pharmaceuticals GmbH (hereinafter “Merz”).
B. Data that is processed as part of various data processing situations
- What types of data are processed when a person visits a Merz website?
When a person visits a Merz website, Merz’s servers automatically store various data conveyed via that person’s accessing system. These data include the type of browser, the browser version and the operating system used, the website from which the Merz website is accessed, the Merz website sub-pages that are accessed, the date and time of such access, the internet protocol address (IP address), the internet service provider and any data comparable with the aforementioned data. Merz uses these data to render its website accessible, to identify and remedy any technical problems that may arise, and to prevent and, if necessary, take action against any abuse of Merz’s services. Merz moreover uses this data in anonymised form (that is, without being able to infer the user’s identity from the data provided) for statistical purposes and for purposes of improving its websites. The legal basis for processing personal usage data is Art. 6 (1) Sentence 1 (f) GDPR.
- Which data are processed in areas with restricted access?
Certain areas of Merz’s websites can only be accessed by medical professionals and are subject to advance registration. The registration process requires users to provide certain information, such as their user name, e-mail address, etc. Merz uses this information exclusively for purposes of creating and managing user accounts, identifying authorized users, and offering users the functions they require. The legal basis for processing the personal data described above is provided in Art. 6 (1) Sentence 1 (b)
- How are cookies used?
Users can deactivate or restrict the transmission of cookies by changing the settings of their internet browsers accordingly. Any cookies already stored can be erased at any time. Such erasure can be automated. If a user deactivates cookies for the Merz websites, he/she may not be able to make full use of all the websites’ functions.
- How is Google Analytics used?
The user can prevent Google from collecting and processing the cookie-generated data relating to his/her use of the website by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de. Another means of preventing Google Analytics from processing data is by clicking on the following link: http://www.google.com/settings/ads/onweb/?hl=de. This link sets an opt-out cookie, which then prevents Google Analytics from collecting the user’s data during any future visits to Merz websites. Users can deactivate or restrict the transmission of cookies by changing the internet browser settings accordingly. Any cookies already stored can be erased at any time. Such erasure can be automated. If a user is willing to accept cookies used by Merz, but not cookies used by Merz’s service providers and partners, then he/she can select the “Block only third party cookies” setting in his/her browser.
- Use of Google Maps
This website uses the Google Maps API, which for example displays the locations of Merz companies and of nearby medical specialists to the user. If the user accesses the Google Maps maps on the Merz websites, certain technical data pertaining to the user’s accessing system (e.g. your postal code or IP address) will be transmitted to servers of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google is certified under the EU-U.S. Privacy Shield framework. For further information on Google’s data privacy policies, go to https://www.google.com/intl/de/policies/privacy. The legal basis for processing personal data using Google Maps is provided in Art. 6 (1) Sentence 1 (f) GDPR.
The user can also take measures to prevent the transmission of his/her data to Google, namely by refraining from using the maps integrated into the Merz websites.
- Social media plug-ins
The Merz websites use social media plug-ins of Facebook (https://www.facebook.com/celluliteinstitute/). Social media plug-ins can be recognised by the logo of the respective plug-in provider that they feature and, in the case of Facebook, also by the additional “Like” and “Share” buttons.
The providers of social media plug-ins usually use such plug-ins to record the IP address and other activities of the users as soon as they access the corresponding web pages. To prevent this, the Merz websites use the so-called Shariff solution. This solution only allows the user’s data to be forwarded once that user clicks on the plug-in. If the user is simultaneously logged into his/her account with the social network that operates the plug-in featured on the Merz websites, then the data in question may be linked to that user’s account. Further information on the protection of personal data by the providers of plug-ins is available at https://www.facebook.com/about/privacy. The legal basis for processing personal data in connection with social media plug-ins is provided in Art. 6 (1) Sentence 1 (f) GDPR.
The user can also take measures to prevent the transmission of his/her data to the providers of social media plug-ins, namely by refraining from clicking on plug-ins integrated into the Merz websites.
- For how long will my personal data be stored?
The personal data concerning visitors to our website will be erased as soon as knowledge thereof is no longer required for the purposes described above, unless statutory provisions stipulate that the data be stored for a longer period. Usage data is generally stored for a period of 4 days.
C. Processing where direct contact with Merz is made (e.g. via contact form or email)
If you contact Merz directly, e.g. via a contact form on a website or via email, then the personal data you transmit to Merz as a result, e.g. your email address, your name, the content of your enquiry, etc., will be used solely for processing the respective enquiry. Your data may be passed on to other Merz companies if this is necessary to respond to your enquiry. Only the data required for such response is passed on. An overview of the Merz companies is provided here: https://www.merz.com/about-merz/locations/. Depending on the manner in which contact was made, the legal basis for processing the aforementioned data is Art. 6 (1) Sentence 1 (b) or (f) GDPR. If data is transmitted to Merz companies outside the European Union or European Economic Area in order to respond to your enquiry, then Merz undertakes that it has adopted the European Commission’s standard contractual clauses for these countries and has thus provided the requisite additional safeguards for the protection of personal data. These can be accessed and perused here: https://eur-lex.europa.eu/eli/dec/2004/915/oj.
D. Passing on personal data to (other) third parties
Merz relies on the support of specialized technical service providers for the technical processing of personal data. These service providers are carefully selected and are legally and contractually committed to ensuring a high level of data protection. The legal basis for our partnerships with these service providers is Art. 28 GDPR.
In individual cases, Merz works with companies and other entities that have special expertise in specific areas or subject knowledge (such as tax auditors, lawyers, and consulting firms, for example). These entities are either subject to a professional duty of confidentiality or have been obliged by Merz to maintain confidentiality. If it is necessary to pass personal data on to these agencies, then the legal basis for this is Art. 6 (1) Sentence 1 (f) GDPR.
E. Duration of the retention of your data
F. Rights in relation to data processing
If you would like detailed information on the personal data that has been stored by Merz about you, you can contact Merz. You may also request to receive information about any data that you have provided to Merz in accordance with applicable law in a structured, commonly used, and machine-readable format, or you may also request Merz to submit such information to a third party. If you discover that personal information that has been stored about you is incorrect or incomplete, you may request that such data be immediately corrected or completed at any time. If the requirements stipulated in Art. 17 and 18 GDPR are met, you may also request the erasure of your personal data or that processing of it be restricted. You also have the right to lodge a complaint with the relevant supervisory authority for data protection issues.
In so far as the processing of your personal data is based on legitimate interests as per Art. 6 (1) Sentence 1 (f) GDPR, you are invariably entitled to object to such processing based on reasons arising from your particular situation. This entitlement also applies to any profiling that is conducted on the basis of the above provision. Merz will then no longer process the personal data unless Merz can prove compelling legitimate grounds for data processing that override your interests, rights and freedoms, or the data processing is for the purpose of establishing, exercising or defending legal claims. If personal data is processed for the purposes of direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising. This also applies to any profiling insofar as it is associated with such direct advertising.
G. Contact data
If you have any questions about how Merz processes personal data or about exercising your rights against data processing, you can contact Merz at any time. Please send all inquiries to: firstname.lastname@example.org. The data privacy officer at Merz can be contacted at: email@example.com.