Privacy Policy for the Health Family Platform

Last updated: 15 October 2025

Guidance

MEDICE Arzneimittel Pütter GmbH and its affiliated companies of MEDICE Health Family Holding GmbH (MHF for short) take the protection of your personal data very seriously. The following information is intended to give you an overview of how your personal data is processed on our Health Family Platform.

An overview of the individual chapters for better orientation can be found here:

• Preamble – Here you will find a brief overview of the content of the platform and data protection issues.

• Contact – How can you contact us quickly and easily?

• Data processing and storage – Which of your data is stored and processed, how, for what purpose, where, by whom and for how long?

• Legal basis – On what legal basis do we process your data?

• Data transfer – Under what conditions do we transfer your data to third parties?

• Data security – What do we do to protect your data as best as possible?

• Your rights – Here you will find an overview of all your rights as a data subject.

1. Preamble

With the Health Family platform, MHF offers a web-based platform that provides added value, offers and products for end customers, pharmacies, doctors and practice teams, as well as employees of the MEDICE Health Family.

The use of this platform may involve the processing of personal data. The data protection term "personal data" refers to all information relating to an identified or identifiable person. The IP address can also be considered personal data. An IP address is assigned to every device connected to the internet by the internet provider so that it can send and receive data. When you use the platform, we collect information that you provide yourself. In addition, during your visit to the platform, we automatically collect certain information about your use of the platform.

If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain your consent.

As the controller, we have implemented numerous technical and organisational measures to ensure the most complete protection of the personal data processed.

2. Contact

You can contact us directly via the service hotline +49 2371 937-0 or the service email address info[at]medice.de. Our service hours are Monday to Friday (except public holidays) from 7:15 a.m. to 5:30 p.m.

Your enquiry will be processed by our staff within two working days to no later than two weeks after receipt of your enquiry.

The controller within the meaning of Art. 4 (7) of the EU General Data Protection Regulation (hereinafter "GDPR"), the Federal Data Protection Act (hereinafter "BDSG") and other data protection regulations is:

MEDICE Arzneimittel Pütter GmbH & Co. KG
Kuhloweg 37
58638 Iserlohn
Telephone: +49 (0)2371 937 0
Email: info[at]medice.de

Authorised representatives:
Dr. med. Katja Pütter-Ammer
Dr. med. Dr. oec. Richard Ammer
Dr. rer. nat. Uwe Baumann
Annick Berreur-Igersheim
Eric Neyret

Internal Data Protection Officer:

If you have any questions about our data protection measures, the processing of your data or the protection of your rights as a data subject, you can contact our data protection team as follows:

MEDICE Arzneimittel Pütter GmbH & Co. KG
Data Protection
Kuhloweg 37
58638 Iserlohn
Telephone: +49 (0)2371 937 0
Email: datenschutz[at]medice.de

If you have any confidential concerns regarding data protection, you can contact our data protection officer directly at dsb[at]medice.de.

3. Data processing and storage

The following personal data may be collected and processed when you visit our platform:

3.1 Technology

When you use our platform for informational purposes only, we collect only those data that are technically necessary for the provision of the service. These are regularly data that your browser transmits to our server ("in so-called server log files"). Our platform collects a range of general data and information each time you or an automated system accesses a page. This general data and information is stored in the server's log files. The following may be collected:

1. browser types and versions used,

2. the operating system used by the accessing system,

3. the website from which an accessing system reaches our platform (so-called referrer),

4. the subpages accessed on our platform via an accessing system,

5. the date and time of access to the platform,

6. an abbreviated Internet Protocol address (anonymised IP address) and

7. the Internet service provider of the accessing system.

We do not draw any conclusions about your person when using this general data and information. Rather, this information is required in order to

1. deliver the content of our platform correctly,

2. optimise the content of our platform and the advertising for it,

3. ensure the long-term functionality of our IT systems and the technology of our platform, and

4. provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

We therefore evaluate this collected data and information statistically on the one hand and with the aim of increasing data protection and data security in our company on the other, in order to ultimately ensure an optimal level of protection for the personal data we process. The anonymous data in the server log files is stored separately from all personal data provided by a data subject.

The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR. Our legitimate interest follows from the purposes listed above.

3.2 Hosting by Amazon Web Services - AWS

We host our platform with Amazon Web Services (AWS). The provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg.

When you visit our platform, your personal data is processed on AWS servers. This may also involve the transfer of personal data to AWS's parent company in the United States.

Your data is processed for the purpose of displaying our website in accordance with Art. 6 (1) (f) GDPR.

The parent company Amazon.com.Inc. is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Art. 45 GDPR is in place, so that personal data may be transferred without further guarantees or additional measures. To protect your data, we have also concluded agreements on order processing based on the European Commission's standard contractual clauses.

For more information on AWS's privacy policy, please visit: https://aws.amazon.com/de/privacy/?nc1=f_pr

3.3 Amazon CloudFront (content delivery network)

We use Amazon CloudFront, a web service provided by Amazon Web Services Inc., 410 Terry Avenue North, 98109, Seattle, Washington, USA.

Amazon CloudFront is a content delivery network (CDN). It directs the transfer of information between your browser and our platform via the CloudFront network. This reduces the latency with which we can deliver static and dynamic web content. It also improves the security of our platform through data traffic encryption and access controls.

CloudFront also stores cookies on your computer to optimise the service. CloudFront collects statistical data about visits to our platform.

This includes, among other things:

• IP address

• Page accessed

• Referrer URL

• Browser type

• Operating system

• Device type

The legal basis for the processing of your personal data by CloudFront is your informed, voluntary consent in accordance with Art. 6 (1) (a) GDPR, as well as our legitimate interest in using CloudFront to optimise and improve security, and to use the content delivery network so that we do not have to operate one ourselves.

The personal data will be stored by Amazon Web Services for as long as necessary to achieve the described purpose.

The parent company Amazon.com.Inc. is certified as a US company under the EU-US Data Privacy Framework. This constitutes an adequacy decision pursuant to Art. 45 GDPR, meaning that personal data may be transferred without further guarantees or additional measures. To protect your data, we have also concluded agreements on order processing based on the European Commission's standard contractual clauses.

For more information, please visit:
https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

For more detailed information about CloudFront, please visit: https://aws.amazon.com/de/cloudfront/

3.4 Cookies

3.4.1 General information about cookies

Cookies are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our platform.

The cookie stores information that is related to the specific device used. However, this does not mean that we immediately become aware of your identity.

The use of cookies serves to make the use of our offer more pleasant for you. For example, we use so-called session cookies to recognise that you have already visited individual pages of our platform. These are automatically deleted after you leave our platform.

In addition, we also use temporary cookies to optimise user-friendliness, which are stored on your device for a specific period of time. If you visit our platform again to use our services, it will automatically recognise that you have already been with us and what entries and settings you have made so that you do not have to enter them again.

On the other hand, we use cookies to statistically record the use of our platform and to evaluate our offer for you for the purpose of optimisation. These cookies enable us to automatically recognise that you have already visited our platform when you visit it again. The cookies set in this way are automatically deleted after a defined period of time. The respective storage period of the cookies can be found in the settings of the consent tool used.

3.4.2 Legal basis for the use of cookies

The data processed by the cookies, which is necessary for the proper functioning of the platform, is therefore necessary to safeguard our legitimate interests and those of third parties in accordance with Art. 6 (1) lit. f) GDPR.

For all other cookies, you have given your consent in accordance with Art. 6 (1) (a) GDPR via our opt-in cookie banner.

3.4.3 Information on avoiding cookies in common browsers

You can delete cookies, allow only selected cookies or deactivate cookies completely at any time via the settings of your browser.

Further information is available on the support pages of the respective providers:

• Chrome: https://support.google.com/chrome/answer/95647?tid=311178978.

• Safari: https://support.apple.com/de-at/guide/safari/sfri11471/mac?tid=311178978.

• Firefox: https://support.mozilla.org/de/kb/cookies-und-Plattform-daten-in-firefox-loschen?tid=311178978.

• Microsoft Edge: https://support.microsoft.com/de-de/microsoft-edge/cookies-in-microsoft-edge-l%C3%B6schen-63947406-40ac-c3b8-57b9-2a946a29ae09.

3.4.4 Werkbank Consent Management and Identity and Access Management Tool

We use Vinegar, a self-hosted consent management platform (CMP) from Werkbank GmbH, Viktoriastraße 75, 44787 Bochum, to manage user consent to cookies and other tracking technologies on our platform. This tool ensures compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws by allowing users to review and adjust their cookie settings at any time.

Vinegar collects and processes the following data:

• User consent settings for cookies and tracking technologies

• Anonymised user IDs to store settings across sessions

• Timestamps of consent actions

The collected data is processed and stored on the servers of our service provider Werkbank GmbH. There are no plans to transfer the data to third parties or to countries outside the EU. To this end, a corresponding agreement on data processing on behalf of the client in accordance with Art. 28 GDPR has been concluded with the service provider.

3.4.5 Cookies used on this platform

Below you will find a list of the cookies currently used on this platform. This list contains the names of the individual cookies, a brief description of their function, their duration and information on whether or not these cookies are subject to consent in accordance with the EU Cookie Directive.

The names of the individual cookies displayed under the page settings may vary, depending on factors such as which browser you are using, which websites you visited before visiting this platform, or whether you were redirected to this platform from a website or social media page.

• Cookie name: Vinegar
  Provider: Werkbank GmbH
  Duration: 1 year
  Description: Vinegar: This tool is used to obtain and document your consent to the use of cookies in your browser. For more information about Vinegar, see section 3.4.4.
  Consent requirement: No

• Cookie name: Google Analytics / Remarketing
  Provider: Google Ireland Limited
  Duration: 2 years
  Description: Google Analytics/Remarketing: This function is used to monitor data traffic, search queries and visits to this platform. It serves to distinguish between users. If cookies have been accepted, they are personalised for analysis and performance purposes. If they have been rejected, they remain anonymous. For more information about Google Analytics/Remarketing, see section 3.10.
  Consent requirement: Anonymous data: No; Personalised data: Yes

• Cookie name: Google Tag Manager
  Provider: Google Ireland Limited
  Duration: 1 day
  Description: Google Tag Manager: By using Google Tag Manager, we can automatically track which button, link or personalised image you have actively clicked on. The aim is to make our platform content more interesting. Further information on Google Tag Manager can be found in section 3.11.
  Consent requirement: Yes

• Cookie name: Matomo
  Provider: InnoCraft Ltd.
  Duration: 13 months
  Description: Matomo: We use this software tool for web analysis, i.e. to collect, gather and evaluate data about the behaviour of visitors to our platform. Further information about Matomo can be found in section 3.10.
  Consent requirement: Yes

3.5 Contacting us / Contact form

When you contact us (e.g. by telephone, contact form or email), your personal data (such as your first and last name, email address or telephone/fax number) will be collected and processed.

The data collected when using a contact form can be seen on the respective contact form. All data fields marked as mandatory are required to process your request. If you do not provide this information, we will not be able to process your request. The provision of additional data is voluntary. Alternatively, you can also send us a message via the contact email address info[at]medice.de.

The data collected will be stored and used exclusively for the purpose stated in the contact form or for establishing contact and the associated technical administration.

The legal basis for the processing of the data is our legitimate interest in responding to your request in accordance with Art. 6 (1) lit. f) GDPR. If your contact request is aimed at concluding a contract, the additional legal basis for the processing is Art. 6 (1) lit. b) GDPR. When data is collected via a contact form, your data is transmitted in encrypted form.

After your enquiry has been processed, all data collected in the course of contacting us will be deleted. This is the case if it can be inferred from the circumstances that the matter in question has been conclusively clarified and there are no legal obligations to retain the data.

3.6 Health Family Platform offers

In order to use some of the offers on the Health Family platform, it is necessary for you to register by providing personal data and creating a user account. Your registration enables us to offer you content or services that, due to their nature, can only be offered to registered users.

This data is only collected with your voluntary, informed consent in accordance with Art. 6 (1) (a) GDPR.

Depending on which of the Health Family Platform's services you use, different personal data will be collected and processed for different purposes.

All necessary information can be found here:

Health Family Shop

Health Academy

PTA Family

3.6.1 Single sign-on

Single sign-on (SSO) is an authentication process that allows users to access multiple applications with a single set of login credentials. With SSO, users no longer need to remember multiple login credentials for different applications.

This means:

When you register for our services, the data collected during registration is also stored and managed in the Keycloak identity and access management tool connected to the platform. The identity and access management tool is managed by the service provider Werkbank GmbH (Viktoriastraße 75, 44787 Bochum), which is subject to MEDICE's instructions.

This enables you to authenticate yourself for other offers on this platform without having to register again.

Our offers for which you can log in via SSO include:

• Health Family Shop

• Health Academy

• PTA Family

• Professional access

• ADHD platform/digital hospital

The legal basis for the transfer and processing of your data is your voluntary consent in accordance with Art. 6 (1) (a) GDPR.

The data collected is processed and stored on the servers of the service provider Werkbank GmbH. There are no plans to transfer the data to third parties or to countries outside the EU. To this end, a corresponding agreement on data processing on behalf of the service provider has been concluded in accordance with Art. 28 GDPR.

3.7 Profiling

We process your data in a partially automated manner with the aim of evaluating certain aspects of your person (profiling).

We use profiling in the following cases, for example:

• We use evaluation tools to provide you with targeted information and advice about products. These enable needs-based communication and advertising, including market and opinion research.

• We may use scoring as part of the assessment of your creditworthiness. This takes into account experience from the previous business relationship.

3.8 Marketing and newsletter distribution

As part of our marketing activities, we send out digital newsletters containing information about products, events, promotions, offers and advertising from the MEDICE Health Family product ranges.

These product ranges cover the following topics:

• Women's health (Remifemin, Remifemin Feuchtcreme, Remifemin mono, Remifemin plus, Remisens, Femicur N, femfeel App, Remifemin Companion App, Cystinol, Aualibra, Healthy Woman, Cystinol, Aqualibra; Apps/digitale Gesundheitslösungen: femfeel, Remifemin Companion – Medigital GmbH)

• Skin health (Medigel (Gel, Wundreinigungsspray), Soventol (Cremogel, Creme, Spray, Gel, Anti-Juck-Stift, Anti-Juck-Spray, Protect), Skin-Aktionsnewsletter, Brand- und Wundgel, Exoderil (Creme, Gel)) 

• Intestinal health (Medigel (Gel, Wundreinigungsspray), Soventol (Cremogel, Creme, Spray, Gel, Anti-Juck-Stift, Anti-Juck-Spray, Protect), Skin-Aktionsnewsletter, Brand- und Wundgel, Exoderil (Creme, Gel)) 

• Colds (Medigel (Gel, Wundreinigungsspray), Soventol (Cremogel, Creme, Spray, Gel, Anti-Juck-Stift, Anti-Juck-Spray, Protect), Skin-Aktionsnewsletter, Brand- und Wundgel, Exoderil (Creme, Gel)) 

• Nephrology (Vafseo, Abseamed, Anti-Kalium Na, Calcitriol Nefro, Calciumacetat-Nefro, CC-Nefro, FerMed, Nefrocarnit, Nephrotrans, Phosphonorm, Sevemed; Apps/digitale Gesundheitslösungen: beCintia, MediOrganizer – Medigital GmbH)

• Pain (Melabon K)

• Health Family Platform (Shop and bonus programme)

• Health Academy (Medibee/Health Academy, HCP-Trainings)

• PTA Family (PTA Family Service Communication, Medibee/Health Academy, HCP Training)

• Mental Health

  • ADHD (Medikinet, Agakalin, Attentin, Kinecteen, Medikinet retard, Mellozan, ADHD network/portal; apps/digital health solutions: hiToco, hiFoon – Medigital GmbH; brainjo – brainjo GmbH; Attexis – GAIA AG)

  • Sleep disorders (apps/digital health solutions: hiPanya – Medigital GmbH)

  • Nervous restlessness (Sedacur forte)

  • Depression (apps/digital health solutions: online therapy ‘Depression’ – Selfapy GmbH)

  • Nutrition (apps/digital health solutions: online therapy ‘Bulimia’, ‘Binge Eating’ – Selfapy GmbH)

  • Panic/anxiety disorders (apps/digital health solutions: online therapy for panic disorder and generalised anxiety disorder – Selfapy GmbH)

  • Chronic pain (apps/digital health solutions: online therapy for chronic pain – Selfapy GmbH)

Our marketing activities are primarily aimed at customer loyalty and retention, information sharing, market and opinion research, improving our offerings, and automating communication.

Your contact details (name, email address) are used to send the newsletter. Tools and software solutions from various mailing service providers are used for this purpose.

These are:

• Brevo

  We use the mailing service provider Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany. You can view Brevo's privacy policy at: https://www.brevo.com/de/datenschutz-uebersicht/.

• Mailgun

  We use the Mailgun email service from MessengerPeople GmbH, St.-Martin-Straße 63, 81669 Munich, as a self-hosted on-premise software solution. For more information on Mailgun's privacy policy, please visit: Our current privacy policy | Mailgun

• Salesforce

  We use CRM solutions from salesforce.com Inc. ("salesforce"), One Market Street, Suite 300, San Francisco, CA 94105, USA. We use these CRM (customer relationship management) solutions to manage customer and consent data, for sales management, and for the automated dispatch of newsletters. Salesforce.com Inc. is a US company certified under the EU-US Data Privacy Framework, which means that the adequacy decision of the EU Commission pursuant to Art. 45 GDPR applies and thus confirms an adequate level of data protection. Further information on Salesforce can be found at: https://www.salesforce.com/de/company/privacy/ 

MEDICE Arzneimittel Pütter GmbH & Co. KG only uses service providers with whom a corresponding contract agreement in accordance with Art. 28 GDPR exists.

The legal basis for the processing of your data in the context of sending the newsletter is either a contractual agreement concluded with you (e.g. when participating in a competition) in accordance with Art. 6 (1) (b) or your voluntary consent in accordance with Art. 6 (1) (a) GDPR.

You can revoke your consent at any time without giving reasons and unsubscribe from the newsletter. For this purpose, there is a corresponding link/contact in every newsletter.

The legal basis for sending newsletters as a result of the sale of goods or services is Section 7(3) UWG. You can also unsubscribe from the newsletter at any time. For this purpose, there is a corresponding link in every newsletter.

3.9 Our activities on social networks

We have our own pages on social networks so that we can communicate with you there and inform you about our services.

We are not the original provider of these pages, but merely use them within the scope of the options offered to us by the respective providers.

As a precaution, we would therefore like to point out that your data may also be processed outside the European Union or the European Economic Area. Use may therefore involve data protection risks for you, as it may be more difficult to safeguard your rights, e.g. to information, deletion, objection, etc., and processing on social networks is often carried out directly for advertising purposes or to analyse user behaviour by the providers, without us being able to influence this. If usage profiles are created by the provider, cookies are often used or your usage behaviour is assigned to your own member profile on social networks.

The processing of personal data described above is carried out in accordance with Art. 6 (1) (f) GDPR on the basis of our legitimate interest and the legitimate interest of the respective provider in communicating with you in a modern way and informing you about our services. If you have to give your consent to the respective providers for data processing as a user, the legal basis refers to Art. 6 (1) lit. a) GDPR in conjunction with Art. 7 GDPR.

As we do not have access to the providers' databases, we would like to point out that it is best to exercise your rights (e.g. to information, correction, deletion, etc.) directly with the respective provider. Further information on the processing of your data in social networks is listed below for each of the social network providers we use:

Facebook:
When you visit our Facebook pages, where we present our company or individual products from our range, certain information about you is processed. The controller responsible for data processing in Germany is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Further information about the processing of personal data by Facebook can be found at: Meta Privacy Policy – How Meta collects and uses user data | Privacy Centre | Manage your privacy on Facebook, Instagram and Messenger | Facebook Privacy 

Instagram:
When you visit our Instagram pages, where we present our company or individual products from our range, certain information about you is processed. The data controller in Germany is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Further information about the processing of personal data by Instagram can be found at: https://instagram.com/legal/privacy/

LinkedIn:
When you visit our LinkedIn pages, where we present our company or individual products from our range, certain information about you is processed. The controller responsible for data processing in Germany is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Further information about the processing of personal data by LinkedIn can be found at: LinkedIn Privacy Policy  

Vigilance reports via social networks

Occasionally, users, their relatives or healthcare professionals may comment on our products in comments or messages. These comments/messages also count as vigilance reports in which we collect personal data such as contact details (names of the reporting persons and persons affected by the adverse event), time of occurrence of the adverse event or off-label use, as well as underlying and concomitant conditions from you.

We are obliged to collect, report and archive these side effect reports in accordance with Section 63c of the German Medicines Act (AMG) and Regulation (EU) 2017/745 on medical devices (MDR). This serves to protect our patients and to ensure a high standard of quality and safety for our products.

Your data will only be passed on to third parties (e.g. competent authorities) in pseudonymised form (without reference to your person) within the framework of the legal reporting requirements for side effect reports.

3.10 Web analysis

Google Analytics 4 (GA4)

On our platform, we use the web analytics service Google Analytics 4 (GA4) provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

This creates pseudonymised usage profiles and uses cookies (see section 3.4 "Cookies").

The following data on platform usage is collected from you by the cookies, among other things:

• IP address (short-term collection without permanent storage)

• Location data

• Browser type/version

• Operating system used

• Referrer URL (previously visited page)

• Time of server request

• The pseudonymised data may be transferred by Google to a server in the USA and stored there.

The information is used to evaluate the use of the platform, to compile reports on platform activities and to provide other services related to platform use and internet use for the purposes of market research and the needs-based design of the platform. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of the platform.

These processing operations are carried out exclusively with your express consent in accordance with Art. 6 (1) (a) GDPR via the corresponding cookie banner.

The default data storage period set by Google is 14 months. Otherwise, personal data is stored for as long as it is necessary to fulfil the purpose of processing. The data is deleted as soon as it is no longer required to achieve the purpose.

The parent company Google LLC is certified as a US company under the EU-US Privacy Framework, which means that the adequacy decision of the EU Commission pursuant to Art. 45 GDPR applies and thus confirms an adequate level of data protection.

For more information on Google LLC's privacy policy regarding the use of GA4, please visit: https://support.google.com/analytics/answer/12017362?hl=de

Google Analytics Remarketing

We have integrated Google Remarketing services on this platform. The operator of Google Remarketing services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Remarketing is a feature of Google AdWords that enables a company to display advertisements to Internet users who have previously visited the company's website. The integration of Google Remarketing therefore allows a company to create user-related advertising and consequently display interest-relevant advertisements to the Internet user.

The purpose of Google Remarketing is to display interest-based advertising. Google Remarketing enables us to display advertisements via the Google advertising network or on other websites that are tailored to the individual needs and interests of Internet users.

Google Remarketing places a cookie on the IT system of the person concerned. By placing the cookie, Google is able to recognise visitors to our platform when they subsequently visit websites that are also members of the Google advertising network. Each time you visit a website on which the Google Remarketing service has been integrated, your internet browser automatically identifies itself to Google. As part of this technical process, Google obtains knowledge of personal data such as your IP address or surfing behaviour. This personal data is stored by Google in the United States of America. Google may pass on this personal data collected via the technical process to third parties.

These processing operations are carried out exclusively with your express consent in accordance with Art. 6 (1) (a) GDPR via the corresponding cookie banner.

The parent company Google LLC is certified as a US company under the EU-US Privacy Framework, which means that the adequacy decision of the EU Commission pursuant to Art. 45 GDPR applies and thus confirms an adequate level of data protection.

For more information on Google LLC's privacy policy regarding the use of remarketing, please visit: https://www.google.de/intl/de/policies/privacy/

Matomo

We have integrated the open source web analytics service Matomo from InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, into this platform. Matomo is a software tool for web analysis, i.e. for collecting, gathering and evaluating data on the behaviour of visitors to websites or applications.

Among other things, data is collected about which website a data subject came to a website from (known as the referrer), which subpages of the website were accessed, how often and for how long a subpage was viewed. This is used to optimise the website and for cost-benefit analysis of internet advertising.

The software is operated on the server of the controller, and the log files, which are sensitive in terms of data protection, are stored exclusively on this server.

Matomo sets cookies on your IT system. Setting the cookie enables us to analyse the use of our platform. Each time the platform is accessed, the Matomo component automatically prompts the internet browser on your IT system to transmit data to our server for the purpose of online analysis. As part of this technical process, we obtain personal data, such as the IP address of the data subject, which we use, among other things, to track the origin of visitors and clicks. We do not pass this personal data on to third parties.

These processing operations are carried out exclusively with your express consent in accordance with Art. 6 (1) (a) GDPR via the corresponding cookie banner.

The privacy policy of InnoCraft Ltd. can be found at: https://matomo.org/privacy/

3.11 Plugins and other services

Google Tag Manager

We use the Google Tag Manager service on this platform. Google Tag Manager is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies, headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

This tool allows "tags" (i.e. keywords that are embedded in HTML elements) to be implemented and managed via an interface. By using Google Tag Manager, we can automatically track which button, link or personalised image you have actively clicked on and can then record which content on our platform is of particular interest to you.

The tool also triggers other tags, which may in turn collect data. Google Tag Manager does not access this data. If you have deactivated tracking at the domain or cookie level, this will remain in effect for all tracking tags implemented with Google Tag Manager.

These processing operations are carried out exclusively with your express consent in accordance with Art. 6 (1) (a) GDPR via the corresponding cookie banner.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Art. 45 GDPR is in place, so that personal data may be transferred without further guarantees or additional measures.

Further information on Google Tag Manager and Google's privacy policy can be found at: https://www.google.com/intl/de/policies/privacy/

Google Web Fonts

We use so-called web fonts provided by Google to ensure a uniform presentation of fonts on our platform. When you visit a page, your browser loads the required web fonts into your browser cache in order to display texts and fonts correctly.

For this purpose, the browser you are using must connect to MEDICE's access-protected servers in Germany, and we learn that this website has been accessed via your IP address. We use this data exclusively for the display of fonts on this platform. Your data will not be processed for other purposes or passed on to third parties.

The legal basis for processing your data is our legitimate interest in ensuring a uniform font display on our website in accordance with Art. 6(1)(f) GDPR.

If your browser does not support web fonts, a standard font from your computer will be used.

For more information on Google LLC's privacy policy regarding the use of web fonts, please visit: https://policies.google.com/privacy?hl=de.

3.12 Purposes of processing

Personal data is processed for the following purposes:

• to protect the rights and interests of the MEDICE Health Family and third parties (e.g. users)

• to fulfil contractual obligations or in the context of pre-contractual measures

• for communication and establishing contact

• to fulfil legal obligations

• to provide and permanently guarantee the technical functionality and user-friendliness of the platform

• to provide the services of the Health Family platform

• in rare cases, to defend against legal claims or to combat fraud

• for market research and marketing purposes

• to process and verify vigilance reports

3.13 Storage and deletion periods

Unless otherwise specified in this privacy policy, we only store your personal data for as long as is necessary to fulfil the aforementioned processing purposes, to fulfil our contractual or legal obligations, or to pursue and defend against legal claims.

The statutory retention obligations arise in particular from commercial or tax law, as well as from regulations governing medicinal products and medical devices.

3.14 Cooperation between the parent company and other subsidiaries

In order to pursue the legitimate interests of MEDICE Health Family Holding GmbH pursuant to Art. 6 (1) (f) GDPR in optimising the advertising and sales market presence of our parent company and subsidiaries, it may be necessary for us to share certain personal data within MEDICE Health Family Holding GmbH. This applies in particular to possible contact details, information about your interests and customer profile, and your use of our products and services.

The joint processing of this data takes place within the framework of joint responsibility in accordance with Art. 26 GDPR. The companies involved within MEDICE Health Family Holding GmbH have set out in an agreement how the respective tasks and responsibilities relating to the processing of personal data are distributed and who fulfils which obligations in accordance with the GDPR.

The shared data may be used to:

• Optimise our marketing and sales strategies.

• To conduct market research and analyses in order to further improve our products and services.

The companies involved within MEDICE Health Family Holding GmbH ensure that appropriate technical and organisational measures are taken to protect your personal data. The transfer and processing of your data is always carried out in accordance with the applicable data protection regulations.

Further information on data protection, your rights as a data subject and data processing by MEDICE Arzneimittel Pütter GmbH & Co. KG as the parent company of MEDICE Health Family Holding GmbH can be found at:
Privacy Policy MEDICE Pütter GmbH & Co. KG

If you have any questions about the joint processing of your data within MEDICE Health Family Holding GmbH or would like to exercise your data protection rights, you can contact our data protection team at any time at datenschutz[at]medice.de.

4. Legal basis

The legal basis for the processing of your personal data may be your informed, voluntary consent in accordance with Art. 6 (1) (a) in conjunction with Art. 7 GDPR/§ 25(1) TDDDG, the performance of a contract to which you are a party, or the performance of pre-contractual measures pursuant to Art. 6(1)(b) GDPR, the fulfilment of a legal obligation pursuant to Art. 6(1)(c) (in the case of drug safety reports in conjunction with Art. 9 (2) (i) GDPR, §22 (1) No. 1 (c) BDSG-neu and §63c AMG), or the protection of our legitimate interests or those of a third party pursuant to Art. 6 (1) (f) GDPR.

5. Data transfer

We only pass on your personal data to third parties if:

you have given us your express consent to do so in accordance with Art. 6 (1) (a) GDPR,

the transfer is permissible under Art. 6 para. 1 lit. f) GDPR to safeguard our legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,

there is a legal obligation to disclose the data in accordance with Art. 6 (1) (c) GDPR, and

this is legally permissible and necessary for the performance of contractual relationships with you in accordance with Art. 6 (1) (b) GDPR.

Within the scope of the processing operations described in this privacy policy, personal data may be transferred to the United States. Companies in the United States only have an adequate level of data protection if they are certified under the EU-US Data Privacy Framework and thus the adequacy decision of the EU Commission pursuant to Art. 45 GDPR applies.

We have explicitly mentioned this in the privacy policy for the service providers concerned. In order to protect your data in all other cases, we have concluded agreements on order processing based on the standard contractual clauses of the European Commission. If the standard contractual clauses are not sufficient to establish an adequate level of security, your consent pursuant to Art. 49(1)(a) GDPR may serve as the legal basis for the transfer to third countries. This does not apply to data transfers to third countries for which the European Commission has issued an adequacy decision pursuant to Art. 45 GDPR.

Under these conditions, recipients of personal data may include, for example:

• Companies affiliated with MHF, insofar as this is necessary for the purpose of data processing.

• Public authorities and institutions (e.g. European Central Bank, tax authorities, Federal Central Tax Office, public prosecutors) in the event of a legal or official obligation.

• Processors to whom we transfer personal data in order to conduct our business relationship with you, e.g. for services related to archiving, document processing, call centre services, controlling, compliance, data destruction, purchasing, debt collection, customer management, lettershops, marketing, media technology, reporting, support/maintenance of IT applications, risk controlling, telephony, goods dispatch, platform management, payment transactions.

• Persons bound to professional secrecy (including solicitors, tax advisors, auditors) for support in fulfilling legal or official obligations, as well as for pursuing and defending legal claims and in criminal prosecution.

Other data recipients may be those entities to which you have given your consent for data transfer.

MHF guarantees that your data will only be passed on to entities that can demonstrate an appropriate data protection concept in accordance with the applicable regulations and laws and with which, if necessary, appropriate contractual agreements have been concluded in accordance with Art. 26 and Art. 28 GDPR.

6. Data security

The security of your personal information is very important to us.

Every time data is collected, stored, used and transferred, there are confidentiality risks (e.g. the possibility of identifying the person concerned). These risks cannot be completely ruled out and increase the more data can be linked together. MHF assures you that it will do everything possible in line with the state of the art to protect the transfer of your data.

To this end, we take the following technical and organisational measures, among others:

• SSL/TLS encryption: Personal data is only transmitted via connections that are encrypted using state-of-the-art technology. We implement the applicable requirements of the German Federal Office for Information Security and use this technology to protect the transmission of your data. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

• Different passwords for all internally used software tools

• Multi-factor authentication for access to internal systems and information

• Virus protection for all IT hardware used

• Firewall for our internal company network

• Regular training on data security and protection for all employees

• Regular updates of all software components

• Regular data backups to ensure availability

• Regular risk analyses of the relevant IT systems

7. Your rights

When processing your personal data, our goal is to guarantee your data protection rights at all times. Our service hours and all contact details can be found under point 2, "Contact".

You can exercise the following rights in relation to your personal data:

• You can request information about the processing of your data.

• You can request the correction of your personal data if it is incorrect or incomplete.

• You can request the restriction of the processing of your personal data. (1) For the duration of the verification of the accuracy of the data. (2) If the processing is unlawful and you refuse to have it deleted. (3) If the data is no longer required by the controller for the purposes of processing, but you need it to assert, exercise or defend legal claims. (4) In the event of an objection to data processing, as long as the corresponding balancing of interests has not been clarified.

• You may request that the data collected about you be transferred to you or to a body designated by you.

• If there are grounds for complaint, you may lodge a complaint with the competent data protection authority.

• The contact details of the data protection supervisory authorities of all federal states can be found at the following Internet address:

  https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

• You may request the deletion of the data collected about you.

• You may object to the processing of your personal data at any time without giving reasons. If the processing is based on Art. 6 (1) (e) or (f) GDPR.

• You can revoke your consent to data processing at any time without giving reasons.

Right to object/revoke consent vis-à-vis MEDICE Health Family

You will not suffer any disadvantages as a result of an objection/revocation. The objection is valid with effect for the future; previous data transfers remain lawful. From now on, your data will only be processed by MHF to a limited extent if this is required by the relevant legal provisions under Art. 6 (1) (c) and our legitimate interest under Art. 6 (1) (f) GDPR.

If you have any further questions about how we handle your personal data or would like to exercise your other rights, please contact our data protection team at datenschutz[at]medice.de.

For confidential matters relating to data protection, you can contact our data protection officer directly at dsb[at]medice.de.