Data protection

A. CONTROLLER FOR THE PROCESSING OF YOUR PERSONAL DATA

Controller for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR is Merz Therapeutics GmbH (“Merz”, “we”, “us”, “our”), a member of the Merz group of companies, given as contact address in the imprint or through direct communication with you.

B. DATA PROCESSING IN DIFFERENT PROCESSING CONSTELLATIONS

I. Visitors to our websites

1. What data is collected and processed when you visit the Merz websites?
   When the Merz websites are accessed, the Merz servers automatically store various data about the system accessing the site. This includes the type of browser used, the browser version, the operating system used, the website from which the Merz website is accessed, the subpages of the Merz website accessed, the date and time of access, the Internet protocol address (IP address), the Internet service provider and data that is comparable with this data. Merz uses this data to enable access to the website and to identify and correct any technical problems that may occur. The legal basis for the processing of personal usage data for this purpose is Art. 6 para. 1 sentence 1 lit. (b) GDPR. Merz further uses this data to prevent and, if necessary, tackle misuse of Merz products and services. In addition, Merz uses this data in anonymized form, i.e. without the capability of identifying the user, for statistical purposes and to improve the websites. The legal basis for this processing of personal usage data is Art. 6 para. 1 sentence 1 lit. (f) GDPR.
2. How are cookies used?
   The Merz websites use cookies. Cookies are small text files that are stored on the user’s data carrier and exchange certain settings and data with the Merz system via the browser. A cookie usually contains the name of the domain from which the cookie data was sent, information about the age of the cookie, and an alphanumeric identifier. As far as the cookies are technically necessary to operate our websites and to enable users to use its functions, the legal basis for using such cookies is Art.6 para. 1 sentence 1 lit. (b) GDPR
3. How is Matomo used?
   With your consent, we also use the web analytics service Matomo (formerly Piwik) from InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769 („Matomo“) on our website. Matomo uses cookies for analysing the usage of the website. The information generated by the cookies about the use of this website is stored on servers of Matomo located in the European Union. The cookies collect the following information about the users: Usage data (e.g. websites visited, interests in content, times of access), location (country, region, city) and meta / communication data (e.g. information about the device and browser, IP address). The IP address of the user is anonymized before storage. The cookies used by Matomo expire after 13 months at the latest. You can find further information about the data processing performed by Matomo under https://matomo.org/privacy-policy/. The legal basis for the processing of personal data via the use of the web analytics service Matomo is the user’s consent, Art. 6 para. 1 sentence 1 lit. (a) GDPR. The user can withdraw his / her consent at any time. The cookies placed by Matomo can be deactivated or deleted if the user adapts the cookie settings of his / her browser or deactivates marketing cookies in the cookie settings on our website.
4. Watching YouTube videos
   Videos from YouTube are embedded on our websites. YouTube is a service of the service provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) (“Google”). Merz uses the extended data protection settings of YouTube for the integration of videos, so that technical data of the user’s accessing system is not passed on to Google. Further information on the protection of personal data by Google is available at https://www.google.com/intl/de/policies/privacy. The legal basis for the processing of personal data with the integration of YouTube videos is Art. 6 para. 1 p. 1 lit. f GDPR. The user can prevent the transfer of his data to Google by not using the YouTube videos embedded on the Merz websites.
5. How long will my personal data be stored?
   Personal data of visitors to our website will be deleted when their data is no longer required for the purposes described above, unless longer storage is required by law. Usage data in the meaning described in Section B.I.1 above is regularly stored for a period of seven days. Cookies that are necessary for the operation of our website from a technical perspective are stored for a period of up to one year.

II. Adverse event reports from customers

We are grateful if you report to us any adverse reactions to our products. Such reports are of vital importance as regards public health. If you believe that you have experienced an adverse event while using one of our products, please let us know.
When you contact us, we may collect and process various (health) data relating to you. This includes, for example, information about the incident, age, gender, etc. The sole purpose of providing this data is to help us investigate the incident. For this purpose, your data will be passed on to Merz Therapeutics GmbH, which is responsible for the central administration of incoming adverse event reports within the Merz companies (with the exception of the Merz companies in the USA). Merz Therapeutics GmbH submits all adverse event reports from Europe to the European Medicines Agency. Where required by law, the data will also be shared with other competent authorities. The legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. (c) GDPR and Art. 9 para. 2 lit. (i) GDPR.
The adverse reaction reports shall be kept [for at least 10 years for public health reasons] after the product has ceased being marketed in any country.

C. PROCESSING WHEN DIRECT CONTACT IS MADE WITH MERZ (E.G. USING CONTACT FORM OR BY E-MAIL)

When you contact Merz, e.g. using a contact form on a website or by e-mail, the personal data you provide to Merz, e.g. e-mail address, name, content of the inquiry, etc., will be used exclusively for processing the particular inquiries. Your data may be passed on to other Merz companies if and to the extent necessary to respond to your inquiry.
The legal basis for the processing of the data described above is, depending on the content of the respective contact, Art. 6 para 1 sentence 1 lit. (b) or (f) GDPR. The sharing of data with other Merz companies for internal administrative purposes is also based on Art. 6 para 1 sentence 1 lit. (f) GDPR. Insofar as data is to be transferred to Merz companies outside of the European Union or the European Economic Area in order to respond to the inquiry, and if the Merz company is located in a country for which the European Commission has not decided that this country ensures an adequate level of data protection, the necessary guarantees for the protection of personal data are contained in the standard contractual clauses adopted by the European Commission. These can be viewed here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.

D. DISCLOSURE OF PERSONAL DATA TO (OTHER) THIRD PARTIES

For the technical processing of personal data, Merz is supported by specialized technical service providers. These service providers are carefully selected and are legally and contractually obligated to ensure a high level of data protection. The legal basis for the cooperation with these service providers is Art. 28 GDPR.
Merz will only pass on personal data to third parties for purposes other than those mentioned in this data protection notice if there is a legal obligation to do so (Art. 6 para 1 sen-tence 1 lit. (c) GDPR) or if you have given your express consent (Art. 6 para 1 sentence 1 lit. (a) GDPR).
If personal data is transferred by us to parties outside the European Union or the European Economic Area, these are either in a country for which the European Commission has decided that this country ensures an adequate level of data protection, or an adequate level of data protection is established by standard contractual clauses approved by the European Commission and concluded between us and the respective party. The standard contractual clauses can be viewed here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.

E. DURATION OF THE RETENTION OF YOUR DATA

Unless otherwise specified in this data protection notice, personal data will be deleted by Merz when it is no longer needed for the purposes for which it was processed and legal retention periods have expired. Contract-relevant data will be kept for up to ten years after termination of the respective contract with Merz.

F. RIGHTS IN RELATION TO PROCESSING

If you would like detailed information about or a copy of the personal data Merz has stored about you, you can contact Merz. You may also receive the data that you have provided to Merz in a structured, commonly used and machine-readable format in accordance with legal requirements, or you may request that Merz transfers this data to a third party. Should you discover that the personal data stored about you is incorrect or incomplete, you may at any time request that this data be corrected or completed without delay. Under the conditions specified in Art. 17 and 18 GDPR, you may also demand the deletion or restriction of the processing of personal data. If you have declared your consent to the processing of your personal data, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until its withdrawal.
You also have the right to lodge a complaint with the competent data protection supervisory authority.

Insofar as the processing of your personal data is based on our legitimate interests within the meaning of Art. 6 para 1 sentence 1 lit. (f) GDPR, you have the right to object to the processing of personal data concerning you at any time for reasons related to your particular situation; this also applies to any profiling based on this provision. Merz will then no longer process the personal data, unless Merz can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims.

G. CONTACT INFORMATION

If you have any questions regarding the processing of personal data by Merz or if you wish to exercise your rights with respect to such processing, you may contact Merz at any time. For this purpose, it is sufficient to send a notification to:

Merz Therapeutics GmbH
Data Protection
Eckenheimer Landstrasse 100
60318 Frankfurt am Main
Germany

Merz’s data protection officer can be contacted at dataprotection@merz.com.

In addition, we refer to our Merz Data Protection Notice in which we provide general information about the processing of personal data in various constellations (for example, whether you contact us as a visitor to our website, as a study participant, as a customer of our products or as a healthcare professional) (www.merz.com/fin).