Datenschutz I MEDICE Health Academy

Privacy Policy

With the following information, we provide you with an overview of the processing of your personal data by MEDICE Arzneimittel Pütter GmbH & Co. KG within the MEDICE Health Academy (hereinafter referred to as "MEDICE" or "We") and your privacy rights when using the services on https://academy.medice-health-family.com/.

1. Who is responsible for data processing?

The responsible entity is:

MEDICE Arzneimittel Pütter GmbH & Co. KG

Kuhloweg 37

58638 Iserlohn

Phone: +49 2371 937-0

Fax: +49 2371 937-329

Email: info@MEDICE.de

Representatives of the responsible entity: Dr. med. Katja Pütter-Ammer, Dr. med. Dr. oec. Richard Ammer, Dr. rer. nat. Uwe Baumann, Annick Berreur-Igersheim, Eric Neyret

You can contact our Data Protection Officer at:

MEDICE Arzneimittel Pütter GmbH & Co. KG

Data Protection

Kuhloweg 37

58638 Iserlohn

Phone: +49 2371 937-0

Fax: +49 2371 937-329

Email: datenschutz@medice.de

2. What data does MEDICE use? And from which sources does this data originate?

We process personal data as part of providing the services on https://academy.medice-health-family.com/. These include the following types of data:

• First name

• Last name

• Email address

• Pharmacy postal code

• Postal address (for sending your rewards within the Health Family platform)

• Membership in a professional group

• MEDICE customer number

• Information from messages to MEDICE (e.g., quality and side effect reports)

• Activities within the learning platform, including your success status

Optional within the learning platform:

• Phone number

• Biography

• Organization

• Job title

• LinkedIn account

• Twitter/X account

• Profile picture and banner

3. What is MEDICE processing my data for (purpose of processing)? What legal basis is the processing based on?

We process the aforementioned personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG):

a. Based on your consent (Article 6(1) a GDPR)

• Registration for the MEDICE Health Academy

• Subscription to the email newsletter

b. To fulfill contractual obligations (Article 6(1) b GDPR)

The processing of your personal data is necessary for the provision of the MEDICE Health Academy services. This includes:

• Registration and professional group verification

• Provision of continuing education content

• Processing of rewards

• Conducting sweepstakes

• Issuance of a participation certificate

• Viewing reactions and success status between users within the learning environment

c. Based on legal requirements (Article 6(1) c GDPR) or in the public interest (Article 6(1) e GDPR)

As a pharmaceutical company, MEDICE is subject to various legal obligations that require data processing. These include statutory requirements (e.g., tax code, principles of proper accounting, pharmaceuticals law) and regulatory requirements (e.g., the European Medicines Agency, the Federal Institute for Drugs and Medical Devices, the relevant district government).

The purposes of the processing include, among others, fulfilling tax-related control and reporting obligations and operating the pharmacovigilance system.

d. Based on the balancing of interests (Article 6(1) f GDPR)

Where necessary, we process your data beyond the actual fulfillment of the contract to protect the legitimate interests of MEDICE or third parties. Examples include:

• Enforcing and defending legal claims

• Ensuring IT security and IT operations at MEDICE

• Preventing and investigating criminal offenses

4. Who has access to my data?

Within MEDICE, those departments that need your data to fulfill our contractual and legal obligations or to safeguard MEDICE's rights and legitimate interests have access to it.

Service providers and agents we engage may also receive data for these purposes if they adhere to our written data protection instructions.

We may only disclose information about you to third parties if required by law, if you have consented, if it is necessary for the assertion of our rights or legitimate interests, or if processors we have commissioned guarantee compliance with the provisions of the EU General Data Protection Regulation/Federal Data Protection Act.

Under these conditions, recipients of personal data may include:

• Companies of the MEDICE Health Family Holding GmbH, as far as necessary for the purpose of data processing

• Public authorities and institutions in case of a legal or regulatory obligation

• Processors to whom we transmit your personal data for the operation of the MEDICE Health Academy

• Persons bound to professional confidentiality (e.g., lawyers, tax advisors, auditors) to assist with the fulfillment of legal or regulatory obligations, as well as to pursue and defend legal claims and in criminal investigations

Other data recipients may include those entities to which you have given your consent for data transfer.

5. 360Learning Platform

The Health Academy uses the learning platform provided by 360Learning GmbH, Stephaniestr. 94, 76133 Karlsruhe, to offer a learning environment. Personal data, as described in Section 2, is processed. The 360Learning platform is similar to a physical classroom. Users can see your name, your success status, and possibly other data you have provided, such as your profile picture and banner, if you have uploaded image files or other information about yourself.

We have entered into a Data Processing Agreement with 360Learning GmbH to ensure the protection of your personal data. You can find more information about 360Learning GmbH's data protection here: https://360learning.cdn.prismic.io/360learning/3048e7ec-16a8-4895-bf1f-fdf8278406d2_Datenschutzbestimmungen_MAJ-23122022.pdf

6. Identity and Access Management Tool

We use the Single Sign-On service Keycloak.

In the identity and access management tool Keycloak, your login data is managed. By signing in and providing your consent to data protection as part of the login process, you consent to the processing of your data.

The legal basis for the processing of your personal data is your informed, voluntary consent according to Article 6(1) sentence 1 lit. a) and Article 9(2) lit. a) GDPR.

7. MEDICE Health Family Shop

To redeem your points, the MEDICE Health Academy has established an interface with the MEDICE Health Family Shop. For more information about the processing of your personal data within the MEDICE Health Family Shop, you can refer to: https://MEDICE-health-family.com/en/footer/privacy-policy

8. Newsletter Distribution

We use Brevo for sending newsletters. The provider is Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany.

Brevo organizes and analyzes the distribution of newsletters. The data you enter for the purpose of subscribing to the newsletter is stored on Sendinblue’s servers in Germany.

You can revoke your consent at any time. You can also prevent processing by unsubscribing from the newsletter. Additionally, you can prevent the storage of cookies by adjusting your web browser settings. By disabling JavaScript in your web browser or installing a JavaScript blocker (e.g., https://noscript.net or https://www.ghostery.com), you can prevent the storage and transmission of personal data. Please note that these measures may result in certain features of our online services no longer being available.

With the help of Brevo, we can analyze our newsletter campaigns. This allows us to see whether a newsletter message has been opened and which links were clicked. This helps us determine which links were clicked most frequently.

Additionally, we can recognize if certain predefined actions were performed after opening or clicking (conversion rate). For example, we can see whether you made a purchase after clicking the newsletter.

Brevo also enables us to categorize newsletter recipients into different groups (so-called "clustering"). Recipients can be categorized, for example, by age, gender, or location. This helps us tailor newsletters to specific target audiences.

You can find detailed information about Brevo’s features here: https://www.brevo.com/de/features/.

Data processing is based on your consent in accordance with Article 6(1) lit. a) GDPR. You can withdraw this consent at any time. The lawfulness of any data processing that has already occurred remains unaffected by the withdrawal.

The data you provided for the purpose of receiving the newsletter will be stored by us until you unsubscribe. After unsubscribing, your data will be deleted from both our servers and Brevo’s servers. Data stored for other purposes (e.g., email addresses for the members' area) will remain unaffected.

You can view Brevo’s data protection policy here: https://www.brevo.com/de/datenschutz-uebersicht/.

8. Will my data be transferred to a third country or an international organization?

The performance cookies described under 11. transfer personal data encrypted to servers of Google Ireland Limited in the USA. These US companies are certified under the EU-US Data Privacy Framework. Thus, an adequacy decision according to Article 45 GDPR is in place, allowing the transfer of personal data without further guarantees or additional measures.

9. How long will my data be stored?

We process and store your personal data as long as it is necessary to fulfill our contractual and legal obligations and to assert and defend legal claims.

If the data is no longer required for the fulfillment of contractual obligations, it will be regularly deleted unless its temporary further processing is necessary for the following purposes:

• Fulfillment of commercial, tax, and pharmaceutical law retention periods: 2-15 years

• Preservation of evidence within the framework of statutory limitation periods. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can last up to 30 years, with the regular limitation period being three years.

You can delete your account at any time. If you use the MEDICE Health Academy without receiving a reward, all your data will be removed. If we have sent you a reward, we will keep your address and information about the reward received for 10 years on our shipping list/shipping receipts.

If there is no activity for more than 2 years, you will be contacted by email and asked whether you still wish to use the MEDICE Health Academy. If so, you will have 3 months to log in. If not, your account will be deleted after a further 3 months of inactivity.

10. What data protection rights do I have?

As a data subject, you have:

• The right to access according to Article 15 GDPR,

• The right to rectification according to Article 16 GDPR,

• The right to erasure according to Article 17 GDPR,

• The right to restriction of processing according to Article 18 GDPR,

• The right to object according to Article 21 GDPR, and

• The right to data portability according to Article 20 GDPR.

You can revoke your consent for the processing of personal data at any time.

Your right to erasure can be easily exercised in the user account. There, you can click on "Delete account"; once your account is permanently deleted, it cannot be restored.

For the right to access and the right to erasure, the limitations under §§ 34 and 35 BDSG apply. Additionally, there is a right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR in conjunction with § 19 BDSG).

Please note the specific information on the right to object according to Article 21 GDPR:

You have the right to object at any time to the processing of personal data concerning you, based on Article 6(1) e GDPR (processing in the public interest) and Article 6(1) f GDPR (processing based on balancing of interests), for reasons relating to your particular situation.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

To exercise your right to object and for any questions, you can reach our Data Protection Officer at the contact details listed in Section 1 of this Privacy Notice.

11. Is there a requirement for me to provide data?

As part of registration and use of the MEDICE Health Academy, you must provide the mandatory personal data mentioned above. Without this information, registration and use of the portal will not be possible. Subscribing to the email newsletter is voluntary and not required for portal use.

12. Is automated decision-making (including profiling) used?

No automated decision-making (including profiling) is used.

13. Is there "profiling"?

No.

14. Cookies

Our website uses cookies to ensure basic functions and optimal user experience. These are strictly necessary cookies required for the operation of the website. These cookies do not store personal data and only allow basic functions such as navigating the page and accessing protected areas.

Since we do not use cookies that require consent, such as tracking or marketing cookies, your consent is not necessary. If you wish to prevent the use of cookies entirely, you can configure this in your browser settings. Please note that in this case, certain functions of our website may no longer be fully available.

________________________________________

MEDICE reserves the right to update this Privacy Notice at any time and republish it on www.academy.medice-health-family.com.