Data protection declaration
Overview
The protection of personal data and the responsible handling of information you entrust to us are an important and particular concern to us. medac GmbH (medac) processes personal data only in accordance with the legal regulations. These are in particular the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). With this data protection declaration, we inform you about medac as the controller for data protection (see 1.) and how, to what extent and for what purposes we process personal data:
- when using our website (see section 2.),
- when applying for a job in our career portal (see section 3.),
- when concluding contracts with us (see section 4.),
- when registering for newsletters (see section 5.),
- when participating in events (see section 6.),
- when visiting our company page on a social network (see section 7.) and
- when reporting on drug safety and side effects (see section 9.).
For the principles applicable to these processing operations and your rights, see section 14.
1. Controller and Data Protection Officer
Responsible person in terms of data protection law: medac GmbH, Theaterstraße 6, 22880 Wedel (Imprint)
Data Protection Officer: medac GmbH, Dr. Anna-Kristina Roschek, Theaterstraße 6, 22880 Wedel, Phone +49 (0)4103 - 8006-0
2. Website: Processing of your personal data
The processing of personal data to the extent described under section 2.1. is necessary in order to use the website. When you visit our website, we display a "cookie banner" to let you know that we use cookies and other tracking technology to improve the user experience on our website and for web analysis and interest-based advertising purposes. The associated data processing is described below. As indicated in the cookie banner, you consent to this use by clicking "accept". You can revoke this consent in full or in part at any time with effect for the future. The options available for this are described in detail below. As far as it is necessary for the operation of our website, we may set cookies without your consent on the legal basis of our legitimate interests for the operation of our website. All other cookies are set only after you have consented to the setting of the respective cookie via the cookie banner. Until you declare your consent, only technically necessary cookies will be set. With respect to the United States, we generally use U.S. providers that are certified under the EU-US Data Privacy Framework (for further detail see section 11). If a provider is not certified, we ensure that EU standard contractual clauses have been concluded with the providers. If a provider is not (yet) certified under the EU-US Data Privacy Framework, your consent via the cookie banner may also include data transfers to the USA in accordance with Article 49 (1) (a) GDPR. The consent can be revoked in whole or in part at any time with effect for the future. The options available for this are described in detail below.
2.1 Data processing to enable website use
When you visit our website, we collect the necessary data to enable you to use it (usage data). This includes your IP address and data on the start, end and subject of your use of the website and the technical information transmitted by your browser (e.g. browser type, operating system and previously visited website). This data is used to ensure a smooth connection, to evaluate system security and stability and for other administrative purposes in our legitimate interest (Article 6 (1) (f) GDPR).
2.2 Cookies
When you visit our website, information may be stored on your computer in the form of a cookie. Cookies are small text files that are sent from a web server to your browser and stored on your computer's hard drive. This makes it possible for you to be recognized when you return to the website. In this way we can ensure better functionality of the site or carry out web analysis (see section 2.3.). There are various types of cookies. A distinction must be made between cookies placed by the website operator when you visit a website (also known as "first party cookies") and cookies placed by third parties (also known as "third party cookies"). We solely have technical control over the first mentioned cookies. On the other hand, there are cookies that are only stored on your computer during your visit to our website (also known as "session cookies") and cookies that are stored for a longer period of time. Most browsers are set to accept cookies automatically. You can deactivate the storage of cookies in your browser and can delete them from your hard disk at any time. We would like to point out that the use of our offers on the website without cookies is only possible to a limited extent. However, you can also adjust your browser to only prevent the setting of certain cookies (e.g. cookies from third parties), for example if you wish to prevent web tracking.
You can find more information on this in the help function of your browser. You can find further information on cookies from third-party providers that are set or processed when you visit our website in section 2.3. and in the data protection declarations of the mentioned provider.
Cookie | Category | Storage Period | Description |
__cfduid | Required | Session | Browser-Update.org: Queries the version of the internet browser used by the user to display a message about outdated browsers. |
_ga | Statistics | 14 months | Google Tag Manager by Google: Registers a unique ID that is used to generate statistical data on how the visitor uses the website. |
_gat | Statistics | 1 minute | Google: Used by Google Analytics to limit the request rate. |
_gid | Statistics | 24 hours | Google Tag Manager by Google: Registers a unique ID that is used to generate statistical data on how the visitor uses the website. |
sms_docchecklogin_redirect | Required | 10 minutes | DocCheck: Allows checking on every page whether the user is logged in to DocCheck. |
fe_typo_user | Required | Session | medac: This cookie is used to identify a session and store preferences based on a random number key. It does not store user data that can be used to identify individual users. |
2.3. Pseudonymous user profiles for advertising and market research (web tracking and web analytics)
We use web tracking systems for advertising, market research and to make your use of our website as pleasant as possible. Data about the use of our website is stored in pseudonymous user profiles (your IP address is anonymized). This enables us to further develop our website and to tailor the content even better to your needs. The pseudonymous user profiles are not merged with personal data. You can object to the creation of pseudonymous user profiles. To do this, you can prevent cookies from being set in your browser (see section 2.2.). Alternatively, you can install a plugin in your browser to protect your privacy, which offers the possibility to prevent tracking - e.g. AdBlock, Ghostery or NoScript (please note the data protection information of the respective plugin provider). Hereinafter, the tracking technologies used on our website (which may include cookies in particular, see section 2.2.) and the provider - who processes usage data in pseudonymous profiles for the respective purposes - are listed. In addition, the link to the provider's data protection declaration is provided and we explain to you how you can switch web tracking off or on by the service providers with effect for the future. Generally, a special cookie is stored on your terminal device to prevent the provider from collecting usage data from your terminal devices in the future; please note that you may have to place this cookie again if you delete cookies from your computer.
2.4 Google Analytics
This website uses Google Analytics, a web analysis service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics uses cookies (see section 2.2) to make it possible to analyze how users use the website.
The information generated by the cookie about your use of the website will generally be transmitted to and stored by Google on servers in the United States. However, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area and thus be made anonymous. Only in exceptional cases the full IP address is transmitted to a Google server in the US and shortened there. Google LLC is certified under the EU-US Data Privacy Framework (see section 11). On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services related to website activity and internet usage to the website operator. You can prevent the storage of cookies by making the appropriate settings in your browser software and rejecting them (see section 2.2.) or using a privacy plug-in (see section 2.3.). You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link (http://tools.google.com/dlpage/gaoptout?hl=en). Alternatively, you can prevent the collection by Google Analytics by setting a so-called "opt-out cookie" on your computer. Use the following link to do this: Set Opt-Out-Cookie
Alternatively, you can revoke your consent by clicking on the "Revoke Google Analytics" button. In this case, we set a technically necessary cookie that recognizes your revocation of consent when you visit our website.
For more information about privacy at Google Analytics, please visit: https://www.google.de/intl/de/policies/.
2.5 Google Tag Manager
This website uses Google Tag Manager to manage website tags. A tag is a JavaScript snippet that is used to send information from a website to third parties, particularly as part of web tracking. The Google Tag Manager tool itself does not collect any personally identifiable information. The tool triggers other tags that may themselves collect data (e.g. the Google Analytics tag). Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, it will remain for all tracking tags implemented with Google Tag Manager. This makes it easier to effectively address your need against tracking practices.
2.6 Data Processing When You Use Other Features of the Website
In general, the provision of personal data is not necessary for the use of our website. With the exception of the cases described in section 2, data collection and processing will only take place if you voluntarily provide us with your data. If you do not provide us with any other personal data, you may not be able to use the functions described in this section. Otherwise there will be no consequences for you. We process your personal data if you use the following functions:
2.6.1 Processing of your data when you contact us for business purposes
If you contact us as an interested party, supplier, service provider or other business partner, we process your personal data such as contact data or correspondence to the extent that this is necessary to process your enquiry (legitimate interest according to Art. 6 (1) (f) GDPR) or to initiate or process the respective transaction (Art. 6 (1) (b) GDPR) and, if necessary, store the data within the scope of statutory storage obligations (due to statutory obligations according to Art. 6 (1) (c) GDPR).
The same applies if you are an employee of an interested party, supplier, service provider or other business partner and we receive your personal data in this context; the legal basis in this case is our legitimate interest in establishing or carrying out the business relationship with your employer (Art. 6 (1) (f) GDPR).
2.6.2 Contact form
When you contact us via the contact form, we store your details (your name, e-mail address, telephone number if necessary, and the text of your request) and process them in order to process your request. As far as it is necessary in order to answer your request or your request is directed towards this, we may transfer your details to another company of the medac group (e.g. if your request relates to a contract or a customer relationship with another company of the medac group or its products). The legal basis for this data processing is - depending on the subject of your request - the admissibility of the processing within the framework of contract initiation, a contract or our legitimate interest in providing a contact form for general requests (Art. 6 (1) (a) or (f) GDPR).
2.6.3 Areas reserved for professional visitors
Professional visitors of our website (doctors, pharmacists and members of certain other health care professions) can access closed areas of our online offer. When you access areas of our website that are reserved for professional visitors, we ask you to indicate which professional visitor group you belong to. This query is used to ensure that you are authorized to use the area of our website reserved for expert visitors. We also perform an analysis of which professional visitor groups make use of our areas reserved for professional visitors. For this analysis, we use Google Analytics (see in detail under section 2.4).
Professional visitors to our website (doctors, pharmacists and members of certain other health care professions) with a German IP address can access closed areas of our online offer if they have previously registered accordingly. This registration is done via DocCheck. With the password that you receive, you gain access to the closed areas of our website. Expert visitors with IP addresses from countries other than Germany will be forwarded to the areas reserved for expert visitors after querying the expert visitor group without any further registration process.
DocCheck password protection
Cookie information
DocCheck uses so-called "cookies" - text files that are stored in the user's browser - to facilitate the use of the services. The information generated by these cookies is only transferred to DocCheck servers and is not shared with the website operator or any other third party. There is no data transfer to countries outside the EU.
- Cookie 1: Doccheck_user_id. Allows a single sign-on for all DocCheck logins. Lifetime = 1 session
- Cookie 2: Doccheck_scu_data. Serves to provide suitable content on the basis of pseudonymised identification data (e.g. occupation, country, language). Lifetime = 1 year
Log Data
As part of the use of DocCheck password protection, DocCheck collects the so-called log data (IP address, access date, access time, referrer URL, information on hardware and software used such as browser features, device information such as resolution) of the user, starting from the website of the information provider which integrates the login into the website via "embed" or iFrame. This data is not used to draw conclusions about the person, but serves to ensure the correct display of the website or iFrame content and/or the security of the DocCheck services. We expressly point out that DocCheck is another service provider to whom medac passes you on within the scope of the registration form provided on its website.
medac has no influence on the collection, processing and use of your data by DocCheck. Please inform yourself on the DocCheck pages about the measures taken there to protect your personal data: http://info.doccheck.com/de/privacy/
2.7 Podcast
Our website offers embedded podcasts to professional users shared via SlidePresenter, a tool provided by SlidePresenter GmbH, Kennedyallee 93, 60596 Frankfurt am Main. These can be retrieved if you have logged in with your DocCheck credentials. When you play the podcast, information may be transmitted to SlidePresenter. When you visit our website, no personal data is generally passed on. The purpose and scope of the collection and use of data by SlidePresenter, your rights in this regard, and settings for protecting your personal data are described in SlidePresenter's privacy policy at https://slidepresenter.com/datenschutzerklaerung/ and https://slidepresenter.com/datensicherheit/
Subscription to our podcast
When you as a professional user register to subscribe to our podcast, we process your email address and send you a confirmation link to complete the subscription process. We will also inform you by email about new podcast episodes available on our website. The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR. You can unsubscribe and revoke your consent at any time. You will find an option to declare your revocation in every email we send you.
2.8 Video integration through Vimeo
On our website we have also embedded videos via the provider Vimeo. Vimeo is a platform for video hosting. Service provider is Vimeo Inc., 555 West 18th Street New York, NY 10011, USA; website: vimeo.com; privacy policy: vimeo.com/privacy (only available in English). Vimeo also uses cookies (see section 2.2 and 2.3 above). If you call up a page on our website on which a video with Vimeo has been embedded, your IP address and possibly other technically necessary personal data will be transmitted to Vimeo.
In the process, your data will be transmitted to the USA. Vimeo Inc. is not (yet) certified under the EU-US Data Privacy Framework (for more information on third country transfers, see section 11). Data transfers are made on the basis of standard contractual clauses of the EU Commission, which contractually obligate Vimeo to process data in accordance with data protection law. The legal basis for the use of the services of Vimeo is our legitimate interest in the functional presentation of the website, Art. 6 (1) (f) GDPR. If you have any questions about the balance of interests, please contact one of the contact addresses listed in section 1 above. Vimeo only sets cookies if you have previously given your consent via the cookie banner. In this case, the legal basis is your consent pursuant to Art. 6 (1) (a) GDPR.
2.9 Google Maps
On some of our pages there is a plugin which shows map sections of Google Maps. Google Maps is provided by Google LLC (hereinafter: "Google"), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. For this purpose, a connection is established between your browser and Google's servers - as if you were visiting the Google search engine's website. Google is responsible for its own data processing. Tracking by Google on our website does not take place. Further information on the use of Google Maps can be found in the Google Maps Terms of Use. Information on the protection of your privacy can be found at https://www.google.de/intl/de/policies/.
3. Advertisements in online portals; the use of job portals and career platforms; the medac career portal
We use advertisements in print and online media to draw attention to job vacancies. In this process, we also use online platforms such as job portals and career networks (e.g. Xing or LinkedIn), which may use conventional usage analysis techniques for visiting websites. The respective operator of the online portal is responsible for the related data processing; for more detailed information, please check their privacy declaration. We also use the job portals and career networks within the framework provided by the respective operator to find and contact potential applicants. The legal basis for this is our legitimate interest in efficient recruitment (Art. 6 (1) (f) GDPR). As part of online applications, we collect personal data about you. This particularly includes your personal data with contact information as well as a description of your education, work experience and skills. In addition, you have the option of providing us with electronically stored documents such as certificates or letters. You have the option of creating an online applicant profile so that you do not have to enter your data more than once in the case of multiple applications.
This information will only be used by the respective human resource managers of medac and exclusively within the scope of the application procedure and for the purpose of processing your application. If your application remains unsuccessful, this data will be deleted six months after completion of the application process, unless you have expressly agreed to a longer storage period. The legal basis for the processing in order to make a decision on the establishment of an employment relationship is Art. 88 GDPR in conjunction with Art. 6 (1) (b) GDPR.
4. Conclusion and implementation of contracts
In order to conclude or execute contracts with you, we process personal data relating to you as far as it is necessary for the execution of the contract with you. For this purpose the provision of your personal data is necessary. You are not obliged to provide your personal data, but if you do not provide it, the establishment and implementation of the contractual relationship may not be possible or only possible to a limited extent. Otherwise there will be no consequences for you. The legal basis for this is Art. 6 (1) (b) GDPR.
5. Newsletter and email advertising
If you register for our newsletter or for information about products, developments and events at medac, we process your e-mail address and send you a confirmation e-mail with a confirmation link that you must click to subscribe to our newsletter or information about products, developments and events. The legal basis for this is Art. 6 (1) (a) GDPR.
We will add you to our mailing list to send you advertising for our similar goods or services by e-mail if you purchase goods or services from us and have not previously objected to this processing of your e-mail address. You can unsubscribe from the newsletter at any time and object to the e-mail advertising at any time. You will find an unsubscribe option in every newsletter and every other promotional email we send you.
6.1 Participation in events
If you register to participate in a medac event or if medac supports your participation in a third party event, we will process your personal data as far as it is necessary for the execution of the event and your participation. This requires the provision of your personal data. You are not obliged to provide your personal data, but if you do not provide it, your participation in the event may not be possible or only possible to a limited extent, or medac may not be able to support you or only to a limited extent. The legal basis for this is Art. 6 (1) (b) and (a) GDPR. If your participation in the event serves the purpose of acquiring a certificate in order to be allowed to administer the corresponding drug, and if you have consented to this during the event or at a later point in time (e.g. when placing an order), we will store your name and the certificate receipt together with the number. We process this data in the context of order processes in order to simplify these, to spare you the need to provide proof of your certificate with each order and to fulfil the obligations arising from the approval of the medicinal product. The legal basis for this processing is Art. 6 (1) (a) GDPR.
In some cases, we use Microsoft Forms to register for an event. For this purpose, we have embedded Microsoft Forms in the website for the event. Microsoft Forms is an online service provided by Microsoft Ireland Operations Ltd, One Microsoft Court, South County Business Park, Leopardstown, Dublin ("Microsoft") as part of Microsoft 365. The data processing includes data transfers to Microsoft and personal data is stored on Microsoft's cloud servers in a third country, namely the United States. Microsoft Corporation is certified under the EU-US Data Privacy Framework. For more information, please refer to section 11. We have concluded the necessary contracts with Microsoft for the processing, in particular a data processing agreement.
For more information about Microsoft Forms, visit https://support.office.com/en-us/forms. For more information about Microsoft's processing of personal data, visit https://support.microsoft.com/en-us/office/security-and-privacy-in-microsoft-forms-7e57f9ba-4aeb-4b1b-9e21-b75318532cd9.
6.2 Photo/video and sound recordings at events
At events, we may take photo/video and audio recordings (collectively, "recordings") of participants. This may be a livestream to conduct a hybrid event. We also use recordings for marketing purposes in all internal and external print and online media published by us or our affiliates. These include, in particular, our intranet, our corporate website, our social media channels primarily YouTube, X (formerly Twitter) and LinkedIn, and our podcast. The recordings may also be used for training purposes for employees and external parties, in particular participants in other events. If the recordings are used for other purposes in individual cases, we will inform you about this when you register for the event. As part of your registration, we will obtain your consent for the taking and use of the recordings.
If the recordings show natural persons or groups of natural persons, this involves the collection and processing of personal data. The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR. You are not obliged to consent and can revoke your consent at any time with effect for the future by declaration to medac, e.g. by e-mail to communications@medac.de. If possible, we will set up a correspondingly designated area at the event that is excluded from recordings. When you are in this area, we do not record you.
Please note that medac is only obliged to delete or block recordings in the event of a revocation for important reasons that override the interests of medac. For example, printed company presentations or recordings showing you in a group could therefore continue to be used even if you revoke your consent. In the case of publication on the internet, despite deletion of the published recordings in the event of revocation, we cannot rule out the possibility that they will continue to be accessible to third parties - e.g. via the archive function of search engines.
We use video conferencing tools in particular YouTube, Teams and Zoom for audio and video recordings for events. Recipients of personal data in this case, in particular your user name and email address, are Google LLC., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, Microsoft and/or Zoom Video Communications Inc., 55 Almaden Blvd, Suite 600, San Jose, CA 95113. We have concluded corresponding data protection agreements with these providers, in particular data protection agreements pursuant to Art. 28 GDPR. The data is stored in Europe. Nevertheless, access from third countries, in particular the USA, for support and maintenance purposes cannot be completely ruled out. Google LLC and Microsoft Corporation are certified under the EU-US Data Privacy Framework. Zoom Video Communications Inc. is not (yet) certified. Further information on transfers to countries outside the EEA can be found in section 11.
7. Joint controllers with social network operators
We maintain company pages on the social networks of Facebook, Instagram, LinkedIn, X (formerly Twitter), YouTube and Xing. As the operator of these pages, we are responsible for the collection (but not for the further processing) of the data of visitors to our company pages jointly with the respective operator of the social network within the meaning of the General Data Protection Regulation (GDPR):
- Facebook: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
- Instagram: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
- LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
- YouTube: Google LLC., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
- X (formerly Twitter): Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland
- Xing: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany.
The data collected includes
- Information about the types of content visitors view or interact with, or the actions they take; and
- Information about the devices visitors use (e.g., IP addresses, operating system, browser type, language settings, cookie data).
- Social networks also collect and use information to provide analytics services, known as "page insights," to page operators to provide them with insights into how people interact with their pages and with content associated with them.
We have concluded a special agreement with the respective operator of the social network:
Meta (Facebook and Instagram): "Information about Page Insights," https://www.facebook.com/legal/terms/page_controller_addendum
LinkedIn: "Page Insights Joint Controller Addendum" legal.linkedin.com/pages-joint-controller-addendum.
YouTube: Google's privacy policy and terms of use
X (formerly Twitter): The general terms and conditions of X/Twitter and the guidelines referred to therein.
Xing: Xing's terms and conditions and the policies referenced therein.
In each case, these regulate in particular which security measures the operator must observe and in which the operator has agreed to fulfill the rights of data subjects (i.e. users can, for example, address their right of access and their right to erasure directly to the operator of the social network).
The rights of users (in particular the right of access, erasure, restriction and right to lodge a complaint to the supervisory authority), are not restricted by the agreements with the respective operator. You can assert your rights (right to access, correction, erasure, restriction of processing, data portability, objection and right to lodge a complaint to the supervisory authority) both against us and against the respective operator of the social network.
- Purposes of processing: contact requests and communication, tracking (e.g. interest/behavioral profiling, use of cookies), remarketing, reach measurement (e.g. access statistics, recognition of returning visitors).
- Legal basis: The legal basis for data processing is our legitimate interest in ensuring that our offer and our company are present on the internet as comprehensively as possible, as well as the possibility of communicating with you via social networks (Art. 6 (1) lit. f GDPR).
- Data subjects: Website visitors, visitors from our company pages on social networks.
In the case of Facebook, Instagram, YouTube, X (formerly Twitter) and LinkedIn, it is possible that some of the information collected may also be processed outside the European Union in the USA. Meta Platforms, Inc. (Facebook, Instagram) and Google LLC are certified under the EU-US Data Privacy Framework. X Corp. and LinkedIn are not (yet) certified. For further information on third country transfers, see section 11.
For more information on the processing of personal data, please refer to the privacy notices of Meta (Facebook, Instagram), YouTube, LinkedIn, Twitter, and Xing.
8. Links to third party websites
Our website embeds links to third-party websites. When you click on a website link, you leave our website and the browser of your device sets up a direct connection with the servers of the respective website. The respective privacy policies of this website then apply.
9. Drug safety and reports of side effects
When you make a drug safety report or a report on side effects, we collect personal data related to the report, such as personal information about you and your circumstances, your state of health, the medicines you are taking, and any side effect you have experienced. You are under no obligation to provide your personal information, but if you do not provide it, it may not be possible to include it and take it into account. The legal basis for the processing of your personal data is Art. 6 (1) (c) GDPR in conjunction with section 63 (b) German Drug Law (Arzneimittelgesetz AMG).
10. Transmission to third parties
We only pass on the personal data described here if it is necessary for the provision of our service or if it is required by law. Within the scope of the purposes mentioned here, personal data will be forwarded to service providers who work for us and support us in particular in the provision of services. In addition to their legal obligation to comply with all data protection regulations, these service providers are bound by further contractual data protection requirements. In particular, this includes an obligation as a processor according to Article 28 GDPR. Otherwise, we will only transfer personal data to other recipients if we have a legal permit to do so or you have given your prior consent. You may revoke any consent you may have given at any time with effect for the future. We will only pass on your data to government agencies within the framework of legal obligations or on the basis of an official order or court decision and only to the extent that this is permissible under data protection law.
11. Transmission to countries outside the EU
As far as necessary for our purposes, we may also transmit your data to recipients outside the European Union (EU) and the European Economic Area (EEA).
This is particularly the case if we have to transfer this data to recipients in countries as part of contract processing or due to statutory regulations. Except for the processing operations described in sections 2.4, 2.8, 6.1 and 6.2, we will not share your data with any third party located outside the EU or the EEA. The processing operations listed in sections 2.4, 2.8, 6.1 and 6.2 involve the transfer of data to the servers of the providers we have commissioned, Google LLC, Vimeo Inc., Microsoft Corporation, and Zoom Video Communications Inc. Some of these servers are located in the US. If the servers are located in Europe, it cannot be completely excluded that data is transmitted to the US, because the provider is a US provider. Google LLC and Microsoft Corporation are certified under the EU-US Privacy Framework, which allows for the safe transfer of data to these U.S. providers. Vimeo Inc. and Zoom Video Communications Inc. are not (yet) certified. For a complete list of companies certified under the EU-US Privacy Framework, please visit www.dataprivacyframework.gov/s/participant-search.
If a vendor is not certified under the EU-U.S. Privacy Framework, we ensure that these U.S. vendors are bound by the EU Commission's Standard Contractual Clauses, which require them to process data in a privacy-compliant manner. Data transfers from the EU and the EEA to U.S. vendors are subject to the stricter U.S. rules on government surveillance programs, even with respect to non-certified U.S. companies, pursuant to Executive Order 14086, which was issued as a condition of the European Commission's adequacy decision for the EU-US Data Privacy Framework. If you have any questions in this regard, please contact our Privacy Officer (see section 1 for contact information).
12. Data security
medac has taken the necessary technical and organisational measures to protect the personal data you provide against loss, destruction, manipulation and unauthorised access. To protect the personal data of our users, we use a secure online transmission procedure, the so-called "Secure Socket Layer" (SSL) transmission. You can recognise this by the fact that an "s" is appended to the address component http:// ("https://") or a green, closed lock symbol is displayed in the browser. By clicking on the symbol, you will receive information about the SSL certificate used. SSL encryption ensures the secure and complete transmission of your data.
13. Deletion
We delete your personal data as soon as they are no longer required for the previously named purposes of processing, in the case of an objection there are no compelling reasons worthy of protection on the part of medac, or in the case of a revocation there is no other legal basis for the processing. In certain cases, e.g. if there is a legal obligation to retain data, your personal data will initially be blocked and deleted upon expiry of the retention period.
14. Your rights
Data protection law grants you a number of rights with regard to data relating to your person (so-called data subject rights). In general these are
- the right of access to personal data we have stored about you (Art. 15 GDPR),
- the right to rectify inaccurate data (Art. 16 GDPR),
- the right to delete data that may no longer be stored (Art. 17 GDPR),
- the right to restrict the processing in certain cases (Art. 18 GDPR),
- the right to data portability, i.e. to transfer data you have provided in electronic form to you or to a third party (Art. 20 GDPR), and
- the right to revoke consent given, if applicable, with effect for the future (Art. 7 (3) GDPR). Please note that in the event of a revocation, we will continue to retain your consent. This is because even after revocation and deletion of your personal data, we must be able to prove consent. The legal basis for the (also continued) storage of consent is Art. 6 (1) (c) in conjunction with Art. 5 (1) (a), (2), Art. 7 (1) GDPR and Art. 6 (1) (f) GDPR.
Furthermore, you can object to processing if it is based on legitimate interests (Art. 6 (1) (f) GDPR) or Art. 6 (1) (e) GDPR (Art. 21 (1) GDPR) or for direct marketing purposes (Art. 21 (2) GDPR), for which you must provide a specific reason, except in the case of direct marketing. If and to what extent these rights exist in the individual case and which conditions apply is determined by law, i.e. by the GDPR and the BDSG. You also have the right to lodge a complaint with a data protection authority. If you have any questions or complaints about data protection at medac, we recommend, in the first instance, that you contact our data protection officer (see section 1).
15. No automated case-by-case decision
We do not use your personal data for automated case-by-case decisions according to Article 22 (1) GDPR.
16. Amendments to the data protection declaration
New legal requirements, business decisions or technical developments may require changes to our privacy policy. The data protection declaration will then be adapted accordingly. You will always find the latest version on our website.
Version: September 2023