Merz attaches great importance to the protection of personal data. In the following data protection information, we inform you about who is responsible for the processing of your data (see section A). Further information is provided depending on the particular capacity in which you contact us, for example whether you are a visitor to our website or a customer of our products (see section B). In addition, you will receive general information on the processing of your data by Merz, in particular regarding sharing of your data, the data retention period and your rights in relation to the processing of your data (see sections C. to G.).
Merz processes your data in accordance with the data protection regulations of the German Federal Data Protection Act (“BDSG”) in the version in force from 25 May 2018 and Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”).
A. CONTROLLER FOR THE PROCESSING OF YOUR PERSONAL DATA
Controller for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR is Merz Therapeutics GmbH (“Merz”, “we”, “us”, “our”), a member of the Merz group of companies, given as contact address in the imprint or through direct communication with you.
B. DATA PROCESSING IN DIFFERENT PROCESSING CONSTELLATIONS
I. Visitors to our websites
- What data is collected and processed when you visit the Merz websites?
When the Merz websites are accessed, the Merz servers automatically store various data about the system accessing the site. This includes the type of browser used, the browser version, the operating system used, the website from which the Merz website is accessed, the subpages of the Merz website accessed, the date and time of access, the Internet protocol address (IP address), the Internet service provider and data that is comparable with this data. Merz uses this data to enable access to the website and to identify and correct any technical problems that may occur. The legal basis for the processing of personal usage data for this purpose is Art. 6 para. 1 sentence 1 lit. (b) GDPR. Merz further uses this data to prevent and, if necessary, tackle misuse of Merz products and services. In addition, Merz uses this data in anonymized form, i.e. without the capability of identifying the user, for statistical purposes and to improve the websites. The legal basis for this processing of personal usage data is Art. 6 para. 1 sentence 1 lit. (f) GDPR.
- How are cookies used?
- How is Matomo used?
- Watching YouTube videos
Videos from YouTube are embedded on our websites. YouTube is a service of the service provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) (“Google”). Merz uses the extended data protection settings of YouTube for the integration of videos, so that technical data of the user’s accessing system is not passed on to Google. Further information on the protection of personal data by Google is available at https://www.google.com/intl/de/policies/privacy. The legal basis for the processing of personal data with the integration of YouTube videos is Art. 6 para. 1 p. 1 lit. f GDPR. The user can prevent the transfer of his data to Google by not using the YouTube videos embedded on the Merz websites.
- How long will my personal data be stored?
Personal data of visitors to our website will be deleted when their data is no longer required for the purposes described above, unless longer storage is required by law. Usage data in the meaning described in Section B.I.1 above is regularly stored for a period of seven days. Cookies that are necessary for the operation of our website from a technical perspective are stored for a period of up to one year.
II. Adverse event reports from customers
We are grateful if you report to us any adverse reactions to our products. Such reports are of vital importance as regards public health. If you believe that you have experienced an adverse event while using one of our products, please let us know.
When you contact us, we may collect and process various (health) data relating to you. This includes, for example, information about the incident, age, gender, etc. The sole purpose of providing this data is to help us investigate the incident. For this purpose, your data will be passed on to Merz Therapeutics GmbH, which is responsible for the central administration of incoming adverse event reports within the Merz companies (with the exception of the Merz companies in the USA). Merz Therapeutics GmbH submits all adverse event reports from Europe to the European Medicines Agency. Where required by law, the data will also be shared with other competent authorities. The legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. (c) GDPR and Art. 9 para. 2 lit. (i) GDPR.
The adverse reaction reports shall be kept [for at least 10 years for public health reasons] after the product has ceased being marketed in any country.
C. PROCESSING WHEN DIRECT CONTACT IS MADE WITH MERZ (E.G. USING CONTACT FORM OR BY E-MAIL)
When you contact Merz, e.g. using a contact form on a website or by e-mail, the personal data you provide to Merz, e.g. e-mail address, name, content of the inquiry, etc., will be used exclusively for processing the particular inquiries. Your data may be passed on to other Merz companies if and to the extent necessary to respond to your inquiry.
The legal basis for the processing of the data described above is, depending on the content of the respective contact, Art. 6 para 1 sentence 1 lit. (b) or (f) GDPR. The sharing of data with other Merz companies for internal administrative purposes is also based on Art. 6 para 1 sentence 1 lit. (f) GDPR. Insofar as data is to be transferred to Merz companies outside of the European Union or the European Economic Area in order to respond to the inquiry, and if the Merz company is located in a country for which the European Commission has not decided that this country ensures an adequate level of data protection, the necessary guarantees for the protection of personal data are contained in the standard contractual clauses adopted by the European Commission. These can be viewed here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
D. DISCLOSURE OF PERSONAL DATA TO (OTHER) THIRD PARTIES
For the technical processing of personal data, Merz is supported by specialized technical service providers. These service providers are carefully selected and are legally and contractually obligated to ensure a high level of data protection. The legal basis for the cooperation with these service providers is Art. 28 GDPR.
Merz will only pass on personal data to third parties for purposes other than those mentioned in this data protection notice if there is a legal obligation to do so (Art. 6 para 1 sen-tence 1 lit. (c) GDPR) or if you have given your express consent (Art. 6 para 1 sentence 1 lit. (a) GDPR).
If personal data is transferred by us to parties outside the European Union or the European Economic Area, these are either in a country for which the European Commission has decided that this country ensures an adequate level of data protection, or an adequate level of data protection is established by standard contractual clauses approved by the European Commission and concluded between us and the respective party. The standard contractual clauses can be viewed here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
E. DURATION OF THE RETENTION OF YOUR DATA
Unless otherwise specified in this data protection notice, personal data will be deleted by Merz when it is no longer needed for the purposes for which it was processed and legal retention periods have expired. Contract-relevant data will be kept for up to ten years after termination of the respective contract with Merz.
F. RIGHTS IN RELATION TO PROCESSING
If you would like detailed information about or a copy of the personal data Merz has stored about you, you can contact Merz. You may also receive the data that you have provided to Merz in a structured, commonly used and machine-readable format in accordance with legal requirements, or you may request that Merz transfers this data to a third party. Should you discover that the personal data stored about you is incorrect or incomplete, you may at any time request that this data be corrected or completed without delay. Under the conditions specified in Art. 17 and 18 GDPR, you may also demand the deletion or restriction of the processing of personal data. If you have declared your consent to the processing of your personal data, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until its withdrawal.
You also have the right to lodge a complaint with the competent data protection supervisory authority.
Insofar as the processing of your personal data is based on our legitimate interests within the meaning of Art. 6 para 1 sentence 1 lit. (f) GDPR, you have the right to object to the processing of personal data concerning you at any time for reasons related to your particular situation; this also applies to any profiling based on this provision. Merz will then no longer process the personal data, unless Merz can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims.
G. CONTACT INFORMATION
If you have any questions regarding the processing of personal data by Merz or if you wish to exercise your rights with respect to such processing, you may contact Merz at any time. For this purpose, it is sufficient to send a notification to:
Merz Therapeutics GmbH
Eckenheimer Landstrasse 100
60318 Frankfurt am Main
Merz’s data protection officer can be contacted at email@example.com.
In addition, we refer to our Merz Data Protection Notice in which we provide general information about the processing of personal data in various constellations (for example, whether you contact us as a visitor to our website, as a study participant, as a customer of our products or as a healthcare professional) (www.merz.com/fin).