Merz attaches great importance to the protection of personal data. In the following data protection information, we inform you about who is responsible for the processing of your data (see section A). Further information is provided depending on the particular capacity in which you contact us, for example whether you are a visitor to our website or a customer of our products (see section B). In addition, you will receive general information on the processing of your data by Merz, in particular regarding sharing of your data, the data retention period and your rights in relation to the processing of your data (see sections C. to G.).
Merz processes your data in accordance with the data protection regulations of the German Federal Data Protection Act (“BDSG”) in the version in force from 25 May 2018 and Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”).
A. CONTROLLER FOR THE PROCESSING OF YOUR PERSONAL DATA
Controller for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR is Merz Therapeutics GmbH (“Merz”, “we”, “us”, “our”), a member of the Merz group of companies, given as contact address in the imprint or through direct communication with you.
B. DATA PROCESSING IN DIFFERENT PROCESSING CONSTELLATIONS
I. Visitors to our websites
- What data is collected and processed when you visit the Merz websites?
When the Merz websites are accessed, the Merz servers automatically store various data about the system accessing the site. This includes the type of browser used, the browser version, the operating system used, the website from which the Merz website is accessed, the subpages of the Merz website accessed, the date and time of access, the Internet protocol address (IP address), the Internet service provider and data that is comparable with this data. Merz uses this data to enable access to the website and to identify and correct any technical problems that may occur. The legal basis for the processing of personal usage data for this purpose is Art. 6 para. 1 sentence 1 lit. (b) GDPR. Merz further uses this data to prevent and, if necessary, tackle misuse of Merz products and services. In addition, Merz uses this data in anonymized form, i.e. without the capability of identifying the user, for statistical purposes and to improve the websites. The legal basis for this processing of personal usage data is Art. 6 para. 1 sentence 1 lit. (f) GDPR.
- What data is processed in areas with restricted access?
Certain areas of the Merz websites are accessible to medical professionals only and require prior registration. As part of the registration process, the user must provide certain information, such as username, e-mail address, etc. Merz uses this information solely for the purpose of setting up and managing the user account, identifying authorized users and in order to be able to make the desired function available to the user. The legal basis for the processing of the data described above is Art. 6 para. 1 sentence 1 lit. (b) GDPR.
- How are cookies used?
LinkedIn also transfers personal data to the US and other third countries outside the European Economic Area that are not covered by an adequacy decision of the EU Commission. Corresponding information can be found at: https://www.linkedin.com/help/linkedin/answer/62533?trk=microsites-frontend_legal_privacy-policy&lang=de. Accordingly, LinkedIn regularly uses the standard data protection clauses approved by the EU Commission in accordance with Art. 46 para. 2 lit. c GDPR. The collected data is transferred to LinkedIn servers and stored there for 90 days.
The legal basis for the processing is the consent of the user pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR.
As a user, you have the option to revoke your consent at any time with future effect by adjusting your cookie settings. Alternatively, you can change your settings at any time via the link “Cookie settings”. You will find the link in the footer on our website.
You can prevent the collection of the data generated by the cookies and related to your use of the website, as well as the processing of this data by LinkedIn, by declaring your withdrawal to LinkedIn using the following link https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. As a LinkedIn member, you can control the use of your data for advertising purposes via your account settings at the following link: https://www.linkedin.com/psettings/advertising/actions-that-showed-interest.
Joint Controllership of Merz and LinkedIn Ireland Unlimited Company for the use of LinkedIn Insights.
In order to better assess the success of our LinkedIn presence, to evaluate interactions on our page and in our group and to draw conclusions about our reach, we can access various statistical values using the LinkedIn Insights tool.
In this context, Merz and LinkedIn Ireland Unlimited Company act as joint controllers within the meaning of Art. 26 GDPR. For this purpose, we have concluded a Joint Controller Agreement with LinkedIn pursuant to Art. 26 GDPR. You can view the content of the agreement and the division of responsibilities between Merz and LinkedIn Ireland Unlimited Company at https://legal.linkedin.com/pages-joint-controller-addendum.
- How is Matomo used?
- Watching Vimeo videos
Videos from Vimeo are embedded on our websites. The Vimeo service is operated by Vimeo, Inc. 555 West 18th Street, New York, New York 10011, USA (“Vimeo”). When the user visits one of our pages on which a video is embedded via Vimeo, and the user has given us prior consent to the use of marketing cookies, a connection is established to the Vimeo servers. At the same time, the IP address, technical information (e.g. browser type, operating system, information about the end user device and its settings) and other data required for the service, as well as the information that the user has visited a specific page of our website and how he / she has interacted on this site, are transmitted to Vimeo. If the user interacts with the video (e.g. if the user clicks on the play button), this data is also transmitted to Vimeo. If the user has an account with Vimeo and is logged in at the time of his / her visit to our website, Vimeo can match the user’s browsing activity to his / her user account with Vimeo. The cookies used by Vimeo are stored for no longer than two years. Further information on data processing by Vimeo can be found at https://vimeo.com/privacy. The legal basis for the processing of personal data when using videos embedded via Vimeo is the consent of the user, Art. 6 para 1 sentence 1 lit. (a) GDPR. The user can withdraw his / her consent at any time. The cookies set by Vimeo can be deactivated or deleted by the user changing the cookie settings of his / her browser or deactivating marketing cookies in the cookie settings on our website.
- How long will my personal data be stored?
Personal data of visitors to our website will be deleted when their data is no longer required for the purposes described above, unless longer storage is required by law. Usage data in the meaning described in Section B.I.1 above is regularly stored for a period of seven days. Cookies that are necessary for the operation of our website from a technical perspective are stored for a period of up to one year.
II. Adverse event reports from customers
We are grateful if you report to us any adverse reactions to our products. Such reports are of vital importance as regards public health. If you believe that you have experienced an adverse event while using one of our products, please let us know.
When you contact us, we may collect and process various (health) data relating to you. This includes, for example, information about the incident, age, gender, etc. The sole purpose of providing this data is to help us investigate the incident. For this purpose, your data will be passed on to Merz Therapeutics GmbH, which is responsible for the central administration of incoming adverse event reports within the Merz companies (with the exception of the Merz companies in the USA). Merz Therapeutics GmbH submits all adverse event reports from Europe to the European Medicines Agency. Where required by law, the data will also be shared with other competent authorities. The legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. (c) GDPR and Art. 9 para. 2 lit. (i) GDPR.
The adverse reaction reports shall be kept [for at least 10 years for public health reasons] after the product has ceased being marketed in any country.
C. PROCESSING WHEN DIRECT CONTACT IS MADE WITH MERZ (E.G. USING CONTACT FORM OR BY E-MAIL)
When you contact Merz, e.g. using a contact form on a website or by e-mail, the personal data you provide to Merz, e.g. e-mail address, name, content of the inquiry, etc., will be used exclusively for processing the particular inquiries. Your data may be passed on to other Merz companies if and to the extent necessary to respond to your inquiry.
The legal basis for the processing of the data described above is, depending on the content of the respective contact, Art. 6 para 1 sentence 1 lit. (b) or (f) GDPR. The sharing of data with other Merz companies for internal administrative purposes is also based on Art. 6 para 1 sentence 1 lit. (f) GDPR. Insofar as data is to be transferred to Merz companies outside of the European Union or the European Economic Area in order to respond to the inquiry, and if the Merz company is located in a country for which the European Commission has not decided that this country ensures an adequate level of data protection, the necessary guarantees for the protection of personal data are contained in the standard contractual clauses adopted by the European Commission. These can be viewed here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
D. DISCLOSURE OF PERSONAL DATA TO (OTHER) THIRD PARTIES
For the technical processing of personal data, Merz is supported by specialized technical service providers. These service providers are carefully selected and are legally and contractually obligated to ensure a high level of data protection. The legal basis for the cooperation with these service providers is Art. 28 GDPR.
Merz will only pass on personal data to third parties for purposes other than those mentioned in this data protection notice if there is a legal obligation to do so (Art. 6 para 1 sentence 1 lit. (c) GDPR) or if you have given your express consent (Art. 6 para 1 sentence 1 lit. (a) GDPR).
If personal data is transferred by us to parties outside the European Union or the European Economic Area, these are either in a country for which the European Commission has decided that this country ensures an adequate level of data protection, or an adequate level of data protection is established by standard contractual clauses approved by the European Commission and concluded between us and the respective party. The standard contractual clauses can be viewed here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
E. DURATION OF THE RETENTION OF YOUR DATA
Unless otherwise specified in this data protection notice, personal data will be deleted by Merz when it is no longer needed for the purposes for which it was processed and legal retention periods have expired. Contract-relevant data will be kept for up to ten years after termination of the respective contract with Merz.
F. RIGHTS IN RELATION TO PROCESSING
If you would like detailed information about or a copy of the personal data Merz has stored about you, you can contact Merz. You may also receive the data that you have provided to Merz in a structured, commonly used and machine-readable format in accordance with legal requirements, or you may request that Merz transfers this data to a third party. Should you discover that the personal data stored about you is incorrect or incomplete, you may at any time request that this data be corrected or completed without delay. Under the conditions specified in Art. 17 and 18 GDPR, you may also demand the deletion or restriction of the processing of personal data. If you have declared your consent to the processing of your personal data, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until its withdrawal.
You also have the right to lodge a complaint with the competent data protection supervisory authority.
Insofar as the processing of your personal data is based on our legitimate interests within the meaning of Art. 6 para 1 sentence 1 lit. (f) GDPR, you have the right to object to the processing of personal data concerning you at any time for reasons related to your particular situation; this also applies to any profiling based on this provision. Merz will then no longer process the personal data, unless Merz can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims.
G. CONTACT INFORMATION
If you have any questions regarding the processing of personal data by Merz or if you wish to exercise your rights with respect to such processing, you may contact Merz at any time. For this purpose, it is sufficient to send a notification to:
- Merz Therapeutics GmbH
Eckenheimer Landstrasse 100
60318 Frankfurt am Main
- Merz’s data protection officer can be contacted at email@example.com.
In addition, we refer to our Merz Data Protection Notice in which we provide general information about the processing of personal data in various constellations (for example, whether you contact us as a visitor to our website, as a study participant, as a customer of our products or as a healthcare professional) (www.merz.com/fin).