This data protection declaration informs you about the type, scope, and purpose of the processing of personal data (hereinafter referred to as ‘data’) within our online offer and the websites, functions, and content associated with it, in addition to external online presences, such as our social media profiles (hereinafter jointly referred to as ‘online offer’). Regarding the terms used, such as ‘processing’ or ‘controller’, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
ConPhyMed Pharmaceutical GmbH
Spectrum at University Medical Center Hamburg-Eppendorf
Commercial register: Hamburg Local Court – HRB 151746
VAT ID No. according to § 27a Umsatzsteuergesetz: DE 318616251
Responsible for the content according to § 10 paragraph 3 MDStV: Thomas Friedemann and Sebastian Hertz, address as above
Chief Executive Officer:
Dr. Thomas Friedemann
Types of data processed:
– Inventory data (e.g. names, addresses)
– Contact data (e.g. e-mail, telephone numbers)
– Content data (e.g. text input, photographs, videos)
– Usage data (e.g. web pages visited, interest in content, access times)
– Meta-/communication data (e.g. device information, IP addresses)
Purpose of processing
– Provision of the online offer, its functions, and contents
– Responding to contact requests and communicating with users
– Security measures
– Reach measurement/marketing
‘Personal data’ refers to any information relating to an identified or identifiable natural person (hereinafter ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number, location data, online identifier (e.g. cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
‘Processing’ refers to any operation or set of operations that are performed on personal data, whether or not by automatic means. The term is broad and includes virtually any handling of data.
‘Pseudonymisation’ refers to the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures that ensure that the personal data are not attributed to an identified or identifiable natural person.
‘Profiling’ refers to any automated processing of personal data that consists of using such personal data to evaluate certain personal aspects relating to a natural person, namely to analyse or predict aspects relating to the natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or change of location.
‘Controller’ refers to the natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data.
‘Processor’ refers to a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Relevant legal basis
In accordance with Article 13 of the GDPR, we inform you of the legal basis for our data processing activities. If the legal basis is not mentioned in the privacy statement, the following applies: the legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 GDPR, the legal basis for processing to fulfil our services and carry out contractual measures and respond to inquiries is Art. 6(1)(b) GDPR, the legal basis for processing to fulfil our legal obligations is Art. 6(1)(c) GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6(1)(f) GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, the legal basis is Art. 6 (1) lit. d GDPR.
We take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 of the GDPR, taking into account the state of the art, implementation costs, nature, scope, circumstances, and purposes of the processing, and varying likelihood and severity of the risk to the rights and freedoms of natural persons.
The measures include safeguarding the confidentiality, integrity, and availability of data by controlling physical access to the data and access to, entry into, disclosure of, assurance of, availability of, and segregation of the data. Furthermore, we have established procedures to ensure the protection of data subjects’ rights, deletion of data, and response to data compromise.
We have taken the protection of personal data into account in the development and selection of hardware, software, and processes in accordance with the principles of data protection through technology design and data protection-friendly default settings (Article 25 of the GDPR).
Cooperation with processors and third parties
Disclosure of data to other persons and companies (order processors or third parties) in the course of our processing, transmit the data to them, or otherwise grant them access to the data shall only occur on the basis of a legal permission. For example, if a transmission of data to third parties, such as to payment service providers, is required for the performance of the contract pursuant to Art. 6  lit. b GDPR, you have consented, a legal obligation provides for this, or on the basis of our legitimate interests (e.g. when using agents, web hosts).
Any commissioning of third parties with the processing of data based on a so-called ‘order processing agreement’ occurs on the basis of Art. 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union [EU] or the European Economic Area [EEA]) or if this occurs in the context of the use of third-party services or disclosure, or transfer of data to third parties, this will only occur to fulfil our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or allow the processing of data in a third country only if the specific requirements of Art. 44 et seq. GDPR are met. This means that the processing is performed, for example, on the basis of special guarantees, such as the officially recognised determination of a level of data protection that corresponds to the EU (e.g. for the USA through the ‘Privacy Shield’) or in compliance with officially recognised special contractual obligations (so-called ‘standard contractual clauses’).
Rights of the data subjects
You have the right to request confirmation of whether the data in question are being processed, to be informed about this data, and to receive further information and a copy of the data in accordance with Article 15 of the GDPR.
According to. Art. 16 GDPR, you have the right to request the completion of data concerning you or the correction of incorrect data concerning you.
In accordance with Art. 17 GDPR, you have the right to request that data concerning you be deleted without delay, or alternatively, in accordance with Art. 18 GDPR, to request restriction of the processing of the data.
You have the right to request that data concerning you that you have provided to us be received in accordance with Art. 20 GDPR and to request that it be transferred to other data controllers.
You have the right to lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR.
Right of revocation
You have the right to revoke any consent given in accordance with Art. 7 (3) GDPR with effect for the future.
Right of objection
You may object to the future processing of data relating to you in accordance with Art. 21 GDPR at any time. The objection can be made specifically against processing for direct marketing purposes.
Cookies and right to object to direct advertising
‘Cookies’ are small files that are stored on users’ computers. Various information can be stored within cookies. The primary purpose of a cookie is to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offer. Temporary cookies (i.e. ‘session cookies’ or ‘transient cookies’) are deleted after a user leaves an online offer and closes their browser. For example, such a cookie may store the contents of a shopping cart in an online store or a login status. Cookies that remain stored after the browser is closed are referred to as ‘permanent’ or ‘persistent’ cookies. For example, login status can be stored if users visit the site after several days. Likewise, the interests of users can be stored in these cookies, which are used for range measurement or marketing purposes. ‘Third-party cookies’ are cookies that are stored by providers other than the responsible party that operates the online offer; cookies stored only by the responsible party that operates the online offer are referred to as ‘first-party cookies’.
If users do not wish for cookies to be stored on their computer, they are instructed to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted via the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.
Deletion of data
The data we process will be deleted or restricted in its processing in accordance with Articles 17 and 18 GDPR. Unless expressly stated within the scope of this data protection declaration, the data we store will be deleted as soon as the data are no longer required for their intended purpose and the deletion does not conflict with any statutory retention obligations. If the data are not deleted because they are required for other legally permissible purposes, data processing will be restricted (i.e. the data are blocked and not processed for other purposes). For example, this applies to data that must be retained for reasons of commercial or tax law.
According to legal requirements in Germany, data are stored for 10 years in accordance with §§ 147 para. 1 AO, 257 para. 1 nos. 1 and 4, para. 4 HGB (books, records, management reports, accounting vouchers, commercial books, documents relevant for taxation) and 6 years according to § 257 para. 1 nos. 2 and 3, para. 4 HGB (commercial letters).
According to legal requirements in Austria, data are stored for 7 years in accordance with § 132 para. 1 BAO (accounting records, vouchers/invoices, accounts, receipts, business papers, statement of income and expenditure), for 22 years in connection with real estate, and for 10 years for documents in connection with electronically provided services and telecommunications, radio, and television services provided to non-entrepreneurs in EU member states and for which the Mini-One-Stop-Shop is used.
We process our customers’ data as part of our contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting services, and training services.
In this context, we process inventory data (e.g. customer master data, such as names or addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), contract data (e.g. subject matter of contract, term), payment data (e.g. bank details, payment history), usage data and metadata (e.g. in the context of evaluating and measuring the success of marketing measures). As a matter of principle, we do not process special categories of personal data unless these are components of commissioned processing. Data subjects include our customers, prospective customers, and their customers, users, website visitors, or employees in addition to third parties. The purpose of the processing is the provision of contractual services, billing, and our customer service. The legal basis for the processing results from Art. 6 para. 1 lit. b GDPR (contractual services) and Art. 6 para. 1 lit. f GDPR (analysis, statistics, optimisation, security measures). We process data that are necessary for the justification and fulfilment of contractual services, and we highlight the necessity of their indication. Disclosure to external parties only occurs if it is necessary in the context of an order. When processing the data provided to us as part of an order, we act in accordance with the instructions of the client and the legal requirements of a contract processing pursuant to Art. 28 GDPR and do not process the data for any purposes other than those specified in the order.
We delete the data after the expiry of legal warranty and comparable obligations. The necessity of keeping the data is reviewed every 3 years; in the case of legal archiving obligations, deletion takes place after their expiry (6 years according to § 257 para. 1 HGB and 10 years according to § 147 para. 1 AO). In the case of data disclosed to us by the client as part of an order, we delete the data in accordance with the specifications of the order, generally after completion of the order.
Administration, financial accounting, office organisation, and contact management
We process data in the context of administrative tasks and organisation of our operations, financial accounting, and compliance with legal obligations, such as archiving. In this regard, we process the same data that we process while providing our contractual services. The processing bases are Art. 6 para. 1 lit. c. GDPR, Art. 6 para. 1 lit. f. GDPR. Customers, interested parties, business partners, and website visitors are affected by the processing. The purpose and our interest in the processing lies in the administration, financial accounting, office organisation, and archiving of data (i.e. tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services). The deletion of data regarding contractual services and contractual communication corresponds to the information mentioned in these processing activities. In this context, we disclose or transfer data to tax authorities, consultants, such as tax advisors or auditors, and other fee offices and payment service providers.
Furthermore, based on our business interests, we store information about suppliers, event organisers, and other business partners (e.g. for the purpose of contacting them in the future). This data, most of which is company related, is generally stored permanently.
Business analyses and market research
To operate our business economically and to be able to recognise market trends and customer and user wishes, we analyse the data from business transactions, contracts, and inquiries. In doing so, we process inventory data, communication data, contract data, payment data, usage data, and metadata based on Art. 6 para. 1 lit. f. GDPR, whereby the data subjects include customers, interested parties, business partners, visitors, and users of the online offer.
The analyses are conducted for the purpose of business evaluations, marketing, and market research. In doing so, we may take into account the profiles of registered users with details, for example, of the services they have used. The analyses serve us to increase user-friendliness, optimisation of our offer, and business management. The analyses serve us alone and are not disclosed externally unless they are anonymous analyses with aggregated values.
If these analyses or profiles are personal, they are deleted or anonymised upon termination of the user or after 2 years from the conclusion of the contract. Furthermore, the overall business analyses and general trend analyses are prepared anonymously wherever possible.
When contacting us (e.g. by contact form, e-mail, telephone, or via social media), the user’s details are processed for the purpose of handling the contact request and its processing pursuant to Art. 6 (1) lit. b) GDPR. The user’s details may be stored in a customer relationship management system or comparable inquiry organisation.
We delete the inquiries if they are no longer necessary; we review the necessity every 2 years. Furthermore, legal archiving obligations apply.
We use hosting services to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services, and technical maintenance services, which we use for the purpose of operating this online offer.
In this context, we or our hosting provider process the inventory data, contact data, content data, contract data, usage data, metadata, and communication data of customers, interested parties, and visitors of this online offer based on our legitimate interests in an efficient and secure provision of this online offer pursuant to Art. 6 para. 1 lit. f GDPR in conjunction with Art. 28 GDPR. Art. 28 GDPR (conclusion of order processing contract).
Collection of access data and log files
We, or our hosting provider, collect data based on our legitimate interests within the meaning of Art. 6 para. 1 lit. f. GDPR about each access to the server on which this service is located (so-called ‘server log files’). The access data include the name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider.
Log file information is stored for security reasons (e.g. for the clarification of abuse or fraud) for a maximum of 7 days and then deleted. Data for which further storage is required for evidentiary purposes are excluded from deletion until the final clarification of the respective incident.
Integration of third-party services and content
Within our online offer, we use content or service offers of third parties based on our legitimate interests (i.e. interest in the analysis, optimisation, and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. GDPR) to integrate content or services offered by third-party providers, such as videos or fonts (hereinafter uniformly referred to as ‘content’).
This always requires that the third-party providers of this content are aware of the IP address of the user, as without the IP address, the third party could not send the content to the user’s browser. Therefore, the IP address is required for the display of this content. We endeavour to use only the content of providers that use IP addresses only for the delivery of the content. Third-party providers may also use so-called ‘pixel tags’ (invisible graphics, also known as ‘web beacons’) for statistical or marketing purposes. The pixel tags can be used to evaluate information, such as visitor traffic on the pages of the website. The pseudonymous information may be stored in cookies on the user’s device and may contain, among others, technical information about the browser and operating system, referring websites, time of visit, and other information about the use of our online offer. In addition, the pseudonymous information may be combined with such information from other sources.
For integration and display of video content, our website uses plugins from YouTube. The provider of the video portal is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.
When a page with an integrated YouTube plugin is called up, a connection to the YouTube servers is established. YouTube thereby learns which of our pages you have accessed.
YouTube can assign your surfing behaviour directly to your personal profile if you are logged into your YouTube account. You have the option to prevent this by logging out of YouTube beforehand.
YouTube is used to provide an appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR.
Information on data processing in connection with Google Analytics
This website uses Google Analytics, a web analytics service provided by Google Ireland Limited. If the data controller on this website is located outside of the EEA or Switzerland, Google Analytics data processing is conducted by Google LLC. Google LLC and Google Ireland Limited are hereinafter referred to as ‘Google’.
Google Analytics is used exclusively with the extension ‘_anonymizeIp()’ on this website. This extension ensures anonymisation of the IP address by shortening and excludes a direct personal reference. Through the extension, the IP address is shortened beforehand by Google within member states of the EU or in other contracting states of the Agreement on the EEA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened thereafter. The IP address transmitted by the corresponding browser within the scope of Google Analytics is not merged with other Google data.
On behalf of the site operator, Google will use the resulting information to evaluate the use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the site operator (Art. 6 para. 1 lit. f GDPR). The legitimate interest in the data processing lies in the optimisation of this website, analysis of the use of the website, and adaptation of the content. The interests of the users are sufficiently protected by pseudonymisation.
Google LLC is certified under the so-called Privacy Shield (list entry here); on this basis, Google LLC ensures an adequate level of data protection. The data sent and linked to cookies, user IDs (e.g. user ID), and advertising IDs are automatically deleted after 50 months. The deletion of data for which the retention period has been reached takes place automatically once a month.
The collection by Google Analytics can be prevented by the site visitor adjusting the cookie settings for this website. The collection and storage of the IP address and the data generated by cookies can also be objected to at any time with effect for the future. The corresponding browser plugin can be downloaded and installed at the following link: https://tools.google.com/dlpage/gaoptout.
The site visitor can prevent the collection by Google Analytics on this website by clicking on the following link. An opt-out cookie will be set, which will prevent future collection of data when visiting this website.
Real Cookie Banner
To manage cookies and similar technologies (tracking pixels, web beacons, etc.) and related permissions, we use the consent tool “Real Cookie Banner”. Details on how “Real Cookie Banner” works can be found at https://devowl.io/knowledge-base/real-cookie-banner-data-processing/.
Legal bases for the processing of personal data in this context are Art. 6 para. 1 lit. c DS-GVO and Art. 6 para. 1 lit. f DS-GVO. Our legitimate interest is the management of the cookies and similar technologies used and the related consents.
The disclosure of personal data is neither contractually required nor necessary for the conclusion of a contract. You are not obliged to provide the personal data. If you do not provide the personal data, we cannot manage your consents.