Data protection information for business customers

I. Purposes and legal bases of processing

1. Processing of your contact details

We process your contact details (such as surname, first name, academic degree, specialization/professional qualification, address, telephone numbers, email addresses, pharmacy operating license, and LANA or BGA number). We collect some of this data from you or from publicly available sources, and some of it is provided to us by our service providers.

We process the aforementioned data to the extent that it is necessary for the conclusion and fulfillment of contracts with you.

The legal basis is Art. 6 (1) (b) GDPR (if you are our contractual partner) or Art. 6 (1) (f) GDPR (if you are a contact person for the company that is our contractual partner). In the latter case, the legitimate interest is communication with you in connection with the conclusion and execution of the contract.

We also process the aforementioned data to safeguard the following legitimate interests: maintaining our business relationship with you and for scientific information, marketing, and market research purposes.

The legal basis is Art. 6 (1) (f) GDPR or Art. 6 (1) (a) GDPR (if you have given us your consent to processing).

In addition, we also process your contact details to fulfill relevant legal obligations (see I. 4. below).

2. Processing in connection with field service visits and surveys conducted by service providers commissioned by us

Following a visit by our field service or one of our external service providers, we process the date and content (e.g., order and POS data, as well as location-related data) of the visits that took place, as well as preferred visiting times and requests for and dispensing of drug samples. We also process data in the context of market research surveys, which we have carried out by an external service provider by way of order processing in accordance with Article 28 GDPR.

We process the aforementioned data to protect the following legitimate interests: maintaining our business relationship with you, managing our sales force, tailoring our sales force visits to your interests, evaluating the quality of visits, improving the presentation and design of our products, and for information and marketing purposes.

The legal basis is Art. 6 (1) (f) GDPR.

If you have given us your consent to do so, we also process your personal data in order to contact you by email, fax, telephone, or video call and to send you information and offers from companies in the Klosterfrau Group that are tailored to your individual interests.

The information and offers relate in particular to information and news about the company, product information, reports on new study results, appointments/visit announcements by our sales representatives for digital, telephone, and in-person sales appointments, brand- and product-independent support and service content and advice (e.g., practice organization, pharmacy marketing), digital sample and material request forms, information about media placements by Klosterfrau, training courses, invitations and/or information about events, congresses, lectures, trade fair visits, online seminars, or invitations to short surveys/market research surveys.

The legal basis is Art. 6 (1) (a) GDPR.

3. Processing in connection with competitions

We process the personal data you provide in connection with competitions (e.g., name, address details, answers to competition questions) exclusively for the purpose of conducting the competition and awarding the prizes.

The legal basis for this is Art. 6 (1) (b) GDPR.

You are not obliged to provide us with your personal data in the context of a competition. However, without your details, you may not be able to participate or the prize may not be sent to you.

4. Processing to fulfill a legal obligation

We process your personal data to the extent necessary to fulfill a legal obligation to which we are subject.

In particular, we process the date, number, and type of drug samples given to you, as well as the date and content of the red-hand letters sent to you. In addition, we process your name and contact details if you report any possible adverse effects or quality defects relating to our products. If we conduct observational studies within the meaning of Section 67 (6) of the German Medicines Act (AMG) in cooperation with you, we process your name, contact details, lifetime doctor number, and the type and amount of expense allowances actually paid to you in connection with observational studies for this purpose.

We process the aforementioned data in order to fulfill our legal obligations under the relevant statutory provisions, in particular Section 47 (4) AMG (sample fees), Section 11a (2) AMG (red-hand letters), Section 63c AMG and Section 3 MPSV, Article 23 of Regulation (EC) No. 1223/2009, Article 6 et seq., Article 19 of Regulation (EC) No. 178/2002 (LMBasisVO) (reports of adverse effects) and/or Section 67 (6) AMG (post-marketing surveillance).

The legal basis in each case is Art. 6 (1) (c) GDPR in conjunction with the relevant legal norms.

5. Processing for credit checks and data transfer to credit agencies

In individual cases, we process the data you provide (name, address, date of birth, and, if applicable, gender) relating to the application, execution, and termination of the business relationship, including for queries and credit checks based on mathematical-statistical methods at credit agencies, in order to check your creditworthiness before concluding a contractual relationship, and, if necessary, transfer data on non-contractual behavior or fraudulent behavior during the contractual relationship to a credit agency. The exchange of data with a credit agency also serves to verify identity. We can use the matching rates provided by the credit agency to determine whether a person is stored in its database at the address provided by the customer.

The legal basis is Art. 6 (1) (f) GDPR, insofar as this is necessary to safeguard our legitimate interests or those of third parties and does not outweigh your interests or fundamental rights and freedoms that require the protection of personal data. The legitimate interest is to protect us from payment defaults and to ensure that the credit agency informs third parties about negative payment experiences, thereby protecting them from their own disadvantages.

II. Recipients or categories of recipients of your data

Within our company, only those employees who need your personal data to fulfill our contractual and legal obligations have access to it. Your data will only be passed on to external parties if this is permitted or required by law, or if you have given your consent.

Below, we list the categories of external recipients of your data:

• Affiliated companies within the corporate group, insofar as they act as service providers for us and, for example, provide IT services, insofar as this is necessary for the provision of our services, or if and to the extent that they require the data to fulfill our contractual and legal obligations or on the basis of our legitimate interests. This may be for economic, administrative, or other internal business purposes; this only applies insofar as your interests or fundamental rights and freedoms requiring the protection of personal data do not outweigh these purposes.
• Private entities outside the corporate group, such as in particular:
  • Payment service providers and banks, to collect outstanding payments from accounts or pay out refunds
  • Call centers and complaint handlers, to receive and process your inquiries and complaints
  • Agencies (e.g., online and offline), printing companies, and letter shops that support us in carrying out advertising measures (e.g., competitions, promotions, sending invitations and letters, etc.).
  • IT service providers that store data, support the administration and maintenance of systems, and file archivists and destroyers.
  • Logistics service providers for the delivery of goods, etc.
  • Credit agencies when requesting credit information
  • Debt collection agencies and legal advisors
  • Service providers in the context of recording reports of side effects
  • License partners
  • Market research companies
• Public authorities and institutions, insofar as we are legally obliged to do so. For example, as part of our legal obligation, we notify reported quality defects in our products (e.g., complaints and counterfeits) to the state authorities responsible for the companies of the Klosterfrau Group. We report your data collected by us in the context of non-interventional studies or observational studies (see I.4. above) to the competent authorities to which we are required to report under our legal obligations.

III. Transfer to third countries

We only transfer data to countries outside the European Union or the European Economic Area (so-called third countries) if this is necessary or legally permitted or required, if you have given us your consent, or within the scope of commissioned processing.

If service providers in the third country are used, they are obligated to comply with the level of data protection in Europe by agreeing to the EU standard contractual clauses. Alternatively, we transfer the data on the basis of an adequacy decision of the European Commission.

For further information, please contact our data protection officer.

IV. Duration of storage of your personal data

We only process your personal data for as long as is necessary to fulfill the purposes listed in section I. and then delete the data, unless we are obliged to store the data for a longer period.

For reasons of product safety, we are obliged to store data relating to safety-relevant events for up to 10 years beyond the marketability of the product for testing purposes, depending on the status of the product as a drug, medical device, cosmetic, or foodstuff, in accordance with legal requirements.

In addition, we are subject to various storage and documentation obligations, which arise in particular from the German Commercial Code (HGB) and the German Fiscal Code (AO). The periods specified therein for storage and documentation are up to ten years beyond the end of the business relationship or the pre-contractual legal relationship.

Furthermore, special legal provisions may require a longer retention period, such as the preservation of evidence within the framework of statutory limitation periods. According to Sections 195 et seq. of the German Civil Code (BGB), the regular limitation period is three years, but limitation periods of up to 30 years may also apply.

V. No automated decision-making in individual cases (including profiling)

We do not use any procedures for purely automated decision-making in individual cases (including profiling) pursuant to Art. 22 GDPR. If we do use such a procedure in individual cases in the future, we will inform you separately.

VI. Your data protection rights

Under certain conditions, you can assert your data protection rights against us:

Right of access: You are entitled to request confirmation from us at any time within the scope of Article 15 of the GDPR as to whether we are processing personal data relating to you; if this is the case, you are also entitled within the scope of Article 15 of the GDPR to receive information about this personal data as well as certain other information (including processing purposes, categories of personal data, categories of recipients, planned storage period, the origin of the data, the use of automated decision-making and, in the case of third country transfers, the appropriate safeguards).

Right to rectification: In accordance with Art. 16 GDPR, you are entitled to demand that we rectify the personal data stored about you if it is inaccurate or incorrect.

Right to erasure: You have the right, under the conditions of Art. 17 GDPR, to demand that we delete personal data concerning you without undue delay. The right to erasure does not exist, among other things, if the processing of the personal data is necessary for (i) the exercise of the right to freedom of expression and information, (ii) compliance with a legal obligation to which we are subject (e.g. legal obligations to retain records) or (iii) the assertion, exercise or defense of legal claims.

Right to restriction of processing: You are entitled to demand that we restrict the processing of your personal data under the conditions of Art. 18 GDPR.

Right to data portability: You are entitled, under the conditions of Art. 20 GDPR, to demand that we hand over to you the personal data concerning you that you have provided to us in a structured, common and machine-readable format.

Right of withdrawal: You have the right to withdraw your consent to the processing of personal data at any time with effect for the future.
 

Information about your right to object according to Art. 21 GDPR

1. You have the right to object at any time to the processing of your data which is carried out on the basis of Art. 6 (1) (f) GDPR (data processing on the basis of a balance of interests), if there are grounds for doing so which arise from your particular situation. This also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.

2. We also process your personal data in individual cases for the purpose of direct advertising. If you do not wish to receive advertising, you have the right to object to this at any time; this also applies to profiling, insofar as it is associated with such direct advertising. We will observe this objection for the future.

We will no longer process your data for direct marketing purposes if you object to processing for these purposes.

You can send requests to exercise your aforementioned data protection rights either to the controller using the contact details provided above or by email to datenschutzanliegen@klosterfrau.de. Alternatively, you can contact our external data protection officer using the following contact details:

Mr. Alexander Bugl, Bugl & Kollegen Gesellschaft für Datenschutz und Informationssicherheit mbH, Eifelstraße 55, 93057 Regensburg, Germany, Tel. +49 941-630 49 789, Email: Datenschutz.buglundkollegen@klosterfrau.de.

You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Status: February 12, 2021