Data protection information
Data protection information in accordance with the EU GDPR for natural persons
medigital GmbH
The following information provides an overview of how we process your personal data and your data protection rights. The specific data processed and how it is used depends largely on the transactions you have carried out with us and other business contacts (e.g. visits to our websites, telephone enquiries, sales representative visits, participation in competitions, ordering our products, etc.).
1. Who is responsible for data processing? Who is my contact person for this?
The responsible body is:
Medigital GmbH
Medice-Allee 1
58638 Iserlohn
Authorised representatives:
Dr Felix Lambrecht
You can contact our company data protection officer at:
Medigital GmbH
Data Protection
Medice-Allee 1
58638 Iserlohn
Telephone: +49 (0)2371 937 0
Email address: medigital-privacy@medice.de
2. What data does Medigital use? And where does this data come from?
We process personal data that we receive from our prospective customers (including visitors to our websites), applicants, patients, customers, suppliers and service providers in the course of our business relationship. In addition, we process personal data that we have received from other companies in the MEDICE Health Family or from other third parties (e.g. credit agencies, authorities, partner companies) to the extent necessary for the provision of our services (e.g. for the execution of orders, the fulfilment of contracts, due to legal obligations or on the basis of your consent). We also process personal data that we have obtained from publicly accessible sources (e.g. public registers, media, internet) in a permissible manner and are permitted to process.
Personal data from the following groups includes, for example:
Interested parties:
Master data, communication data, data for responding to general enquiries addressed to us or for initiating a business relationship (e.g. interest in a product, inclusion in an advertising distribution list), data on the use of our Internet offerings.
Applicants:
Master data, communication data, employment-related data (e.g. from cover letters, CVs, references), social data.
Patients:
Master data, communication data, data for responding to medical enquiries addressed to us, data for fulfilling our legal reporting and documentation obligations (in particular health data) and data for quality control for our products. In clinical research, Medigital processes only anonymised or pseudonymised data.
Customers, suppliers and service providers:
Master data, communication data, data relating to the establishment and execution of a business relationship (e.g. creditworthiness data, tax information, bank details), data relating to completed and ongoing transactions, consent to advertising, visits by our sales representatives, data relating to compliance with legal regulations, proof of qualifications, data relating to the pursuit of legal claims.
3. Why does Medigital process my data (purpose of processing)? On what legal basis is the processing carried out?
We process the aforementioned personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG):
a. Based on your consent (Article 6(1)(a) GDPR)
If you have given us your consent to process personal data for specific purposes, the lawfulness of this processing is based on your consent. Consent that has been given can be revoked at any time. This also applies to the revocation of declarations of consent that were given to us before the EU General Data Protection Regulation came into force, i.e. before 25 May 2018.
Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected. Despite a revocation, the processing of your personal data may still be permissible if we are legally obliged to do so or if a balancing of interests in favour of Medigital is concluded. This may be the case in particular in the event of statutory retention periods and for the pursuit or defence of legal claims and for criminal prosecution.
Further information on the right of withdrawal can be found in section 7 of this document.
b. To fulfil contractual obligations (Article 6(1)(b) GDPR)
Personal data is processed for the purpose of supplying goods and services within the framework of the performance of our contracts with our customers or for the implementation of pre-contractual measures taken at your request. Further details on the purpose of data processing can be found in the respective contract documents and terms and conditions.
c. Due to legal requirements (Article 6(1)(c) GDPR) or in the public interest (Article 6(1)(e) GDPR)
In addition, as a pharmaceutical company, Medice is subject to various legal obligations that require data processing. These include legal requirements (e.g. the German Fiscal Code, generally accepted accounting principles, the German Medicines Act) and regulatory requirements (e.g. those of the European Medicines Agency, the German Federal Institute for Drugs and Medical Devices, the competent district government). The purposes of processing include, among other things, the fulfilment of tax control and reporting obligations, the operation of the pharmacovigilance system, product-related quality control, the traceability of product batches, the prevention of corruption, fraud and money laundering, and the assessment and management of risks within the MEDICE Health Family.
d. In the context of balancing interests (Article 6(1)(f) GDPR)
Where necessary, we process your data beyond the actual fulfilment of the contract to protect our legitimate interests or those of third parties. Examples include:
Consultation with and exchange of data with credit agencies (e.g. Schufa) to determine creditworthiness and default risks
Review and optimisation of procedures for needs analysis and direct customer contact, including customer segmentation and order probabilities
Advertising or market and opinion research, provided you have not objected to the use of your data
Pursuit and defence of legal claims
Ensuring IT security and IT operations at Medigital
Prevention and prosecution of criminal offences
Risk management in the MEDICE Health Family
4. Who has access to my data?
Within Medigital, those departments that need your data to fulfil our contractual and legal obligations have access to it.
Service providers and vicarious agents employed by us may also receive data for these purposes if they comply with our written data protection instructions. These are mainly companies from the categories listed below.
We may only pass on information about you if required to do so by law, if you have given your consent, or if processors commissioned by us guarantee compliance with the provisions of the EU General Data Protection Regulation/Federal Data Protection Act.
Under these conditions, recipients of personal data may include, for example:
Companies belonging to the MEDICE Health Family, insofar as this is necessary for the purpose of data processing.
Public authorities and institutions (e.g. European Medicines Agency, Federal Institute for Drugs and Medical Devices, the competent district government, European Central Bank, tax authorities, Federal Central Tax Office, public prosecutors) in the event of a legal or official obligation.
Processors to whom we transfer personal data for the purpose of conducting our business relationship with you, e.g. for services related to archiving, field service, document processing, call centre services, controlling, compliance, pharmacovigilance, data destruction, purchasing, debt collection, customer management, lettershops, marketing, media technology, reporting, support/maintenance of IT applications, risk controlling, telephony, goods dispatch, website management, payment transactions.
Persons bound to professional secrecy (including solicitors, tax advisors, auditors) for support in fulfilling legal or official obligations, as well as for pursuing and defending legal claims and in criminal prosecution. Other data recipients may be those entities for which you have given your consent to data transfer.
5. Is data transferred to a third country or to an international organisation?
Data is only transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary within the framework of a business relationship (e.g. payment orders, delivery of goods), required by law (e.g. tax or pharmaceutical reporting obligations), you have given us your consent, or in rare cases within the framework of commissioned data processing. If service providers in third countries are used, they are obliged to comply with the level of data protection in Europe in addition to written instructions by agreeing to the EU standard contractual clauses.
6. How long will my data be stored?
We process and store your personal data for as long as is necessary to fulfil our contractual and legal obligations and to pursue and defend legal claims.
If the data is no longer required for the fulfilment of contractual obligations, it is regularly deleted, unless its temporary further processing is necessary for the following purposes:
Compliance with commercial, tax and pharmaceutical law retention periods: 2–15 years
Preservation of evidence within the framework of the statute of limitations. According to Sections 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years.
7. What data protection rights do I have?
As a data subject, you have:
the right to information under Article 15 GDPR,
the right to rectification under Article 16 GDPR,
the right to erasure under Article 17 GDPR,
the right to restriction of processing under Article 18 GDPR,
the right to object under Article 21 GDPR, and
the right to data portability under Article 20 GDPR.
The restrictions set out in Sections 34 and 35 of the Federal Data Protection Act (BDSG) apply to the right to information and the right to erasure. In addition, you have the right to lodge a complaint with a data protection supervisory authority (Article 77 GDPR in conjunction with Section 19 BDSG).
You can revoke your consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent that were given to us before the EU General Data Protection Regulation came into force, i.e. before 25 May 2018. Please note that the revocation only applies to the future. Processing that took place before the revocation is not affected.
Please note the separate information on the right to object under Article 21 GDPR at:
Right to object and withdraw consent pursuant to Art. 21 and Art. 17 GDPR
8. Am I obliged to provide data?
Within the framework of a business relationship with Medigital, you must provide the personal data that is necessary for establishing and conducting a business relationship and fulfilling the associated contractual obligations, or that we are legally obliged to collect. Without this data, we will usually be unable to accept a business relationship or other order, or will be obliged to terminate it.
9. To what extent is automated decision-making (including profiling) used?
As a matter of principle, we do not use fully automated decision-making in accordance with Article 22 of the GDPR to establish and execute a business relationship. Should we use these procedures in individual cases, we will inform you separately if this is required by law.
10. Is profiling carried out?
We process your data partially automatically with the aim of evaluating certain aspects of your person (profiling). We use profiling in the following cases, for example:
We use evaluation tools to provide you with targeted information and advice on products. These enable needs-based communication and advertising, including market and opinion research.
We may use scoring to assess your creditworthiness. This takes into account experience from previous business relationships, publicly available data and information from credit agencies.
Medigital reserves the right to update this privacy policy from time to time and republish it on medice.de.
11. Security measures
In accordance with legal requirements and taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of threats to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, transfer, availability and separation relating to it. Furthermore, we have established procedures to ensure that data subjects' rights are exercised, data is deleted and responses are made to data breaches. We also take the protection of personal data into account when developing or selecting hardware, software and procedures in accordance with the principle of data protection, through technology design and data protection-friendly default settings.
SSL encryption (https): We use SSL encryption to protect your data transmitted via our online offering. You can recognise such encrypted connections by the prefix https:// in the address bar of your browser.