Privacy Policy

Our handling of your data and your rights according to the EU General Data Protection Regulation (GDPR)

We process your personal data exclusively in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Data Protection Act. In the following, we provide information about us and the nature, scope and purpose of the collection and use of data:

Who we are
Herba Chemosan Apotheker-AG, Haidestraße 4, 1110 Vienna is responsible for the data processing. You can reach us by phone at +43 1401 04-0.

The Data Protection Officer for our company is Mr Sebastian Niederauer M.A., phone number +43 1 40104 1524, e-mail address

Collection and processing of data
We process the personal data that you provide us as a customer, supplier and/or party interested in our services (marketing, competitions, loyalty cards), for example as part of a request or to conclude a contract. We also process personal data that we have legitimately obtained from publicly available sources (e.g. pharmacy directory, EUDRA GMP, land register, commercial register, trade register, press, media, websites).

Relevant personal data are personal details (first name and surname, address and other contact information, date of birth, nationality, health-related data) and identification information (such as identity card information). In addition, this may also include order data, data from the fulfilment of our contractual obligations (financial data in payment transactions, credit limits, product information), information about your financial situation (e.g. credit rating), advertising and sales information, data about your use of our offered telecommunications media (e.g. time that our web pages or newsletter were retrieved) as well as any other data similar to the categories mentioned.

Purpose of the data collection
The data is processed for the following purposes:

• Contract fulfilment and pre-contractual correspondence

• Corporate controlling

• Information about changes to the general terms and conditions or privacy policy

• Sending marketing information (e.g. Chefinfo) or invitations to events

• Notification in the context of a competition

• Processing of services (e.g. Sanodat, Marketing Department)

• Ensuring IT security and IT operations

• Video surveillance (used to collect evidence in the event of a criminal offence)

• Measures for building and plant safety (e.g. access control)

• Measures for business management and further development of services and products

• Visits by our sales representatives for advice on our products and services

The legal bases for the data processing are:

• Consent pursuant to Art. 6 (1) (a) of the GDPR

• Legal obligations pursuant to Art. 6 (1) (c) of the GDPR

• Contract initiation and fulfilment. In order to process your orders to the fullest satisfaction, we need your data.

• Marketing and advertising according to Art. 6 (1) (f) of the GDPR. As customers and parties interested in our diverse range of services, we would like to keep you up-to-date and well informed of the latest developments and offers concerning our products and distribution partners.

• Processing is necessary for health or social care or treatment or for the management of health and social systems and services on the basis of statutory provisions or under contract with a health professional.

Consent (Article 6 (1) (a) of the GDPR)
If you have given us consent to process your personal data for specific purposes (for example, disclosure of data to manufacturers under the promotional discounts), the lawfulness of such processing is based on your consent.

Withdrawal of consent
We process your personal data in order to operate direct advertising. You have the right to object to the processing of your personal data for the purpose of such advertising at any time; this also applies to profiling if it is associated with such direct advertising. Every withdrawal of consent for information must be accompanied by a proof of identity (e.g. an official photo ID).

Consent that has been granted may be withdrawn at any time in the future. This also applies to the withdrawal of consent granted to us before May 25, 2018. Please notify us of your withdrawal of consent by phone at +43 1 40104 1524 or by e-mail to

Use and disclosure of personal data
If you have provided us with personal data, we will use it only for the purpose of processing contracts, invitations to various events, answering your inquiries and for technical administration. As part of our business relationship, you only need to provide the information necessary to establish, conduct, and terminate the relationship, or that we are required to collect by law. Without this data, we would normally have to refuse to execute the contract or fulfil the order, or would be unable to perform an existing contract and would have to terminate it if necessary.

Personal data will only be disclosed or transmitted by us to third parties if this is necessary to execute the contract or for billing purposes, or if you have given your prior consent.

Your personal data that has been stored will be deleted if you withdraw your consent to the storage, if your data is no longer necessary for the fulfilment of the purpose pursued with the storage, or if its storage is or becomes prohibited for other legal reasons. Data for billing and accounting purposes etc. will not be deleted on request within the statutory retention obligation.

Data access
Within the company, access to your data is given to those entities that require it to fulfil our contractual and legal obligations, to maintain and uphold operations, and for advertising and marketing purposes (e.g. accounting, sales, purchasing, logistics, Sanodat and marketing). The principle of least privilege applies here. Order processors employed by us (Art. 28 of the GDPR) may also receive data for these purposes. These are companies in the categories of accounting / tax consultants, IT services, logistics, telecommunications, data security service providers, advice and consulting, as well as sales and marketing.

With regard to the disclosure of your data to recipients outside the company, it should be noted that we only disclose your data if legal provisions permit this, you have given your consent and/or if the order service provider has committed itself to us by contract to maintain secrecy and implement data protection measures.

Your data will only be forwarded to a third country in the course of order processing in individual cases, in accordance with data protection regulations. For US-based order processors, the EU Commission has confirmed the adequacy of the level of protection (decision of 12.7.2016). There is no transmission to international organisations.

Data retention and data security
The data will be processed in personal form for as long as reasonable for the purposes of its processing, in particular for the duration of our business relationship.

The data is also processed and stored on the basis of various storage and documentation obligations required by the Corporate Code, the Tax Code and other legal obligations. For example, accounting data is stored for a period of eight years. In addition, data is stored until the termination of any litigation in which the data is required as evidence. Personal data that we process in connection with our marketing services will be deleted four years after the last contact with you.

The data is protected against unauthorised access with appropriate safeguards for each system architecture (privacy by design). The safeguards include, for example, encrypted transmission, encrypted storage, a role authorisation concept, a backup concept, and physical protection measures for the servers.

The security measures are continuously revised according to the technological development and are audited regularly.

Information, rectification, erasure, withdrawal
Each data subject has the right of access to information under Art. 15 of the GDPR, the right to rectification under Art. 16 of the GDPR, the right to erasure under Art. 17 of the GDPR, the right to restriction of processing under Art. 18 of the GDPR and the right to data portability from Art. 20 of the GDPR. The restrictions according to the GDPR apply.

On written request, we will gladly inform you at any time about any personal data stored about you.

Please direct your inquiry to Mr. Sebastian Niederauer M.A., +43 1 40104 1524, e-mail address

If the data about you processed by us is not correct, please inform us accordingly. We will correct it immediately and inform you.

In the event that you no longer wish us to process your data, please advise us using any format at +43 1 40104 1524, e-mail address Of course we will delete your data immediately and inform you. If mandatory legal reasons preclude a deletion, you will be notified immediately.

Profiling (scoring)
We sometimes process your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling to provide you with targeted information and advice on products. This allows for needs-based communication and advertising, including market and opinion research.

In any case, the decision-making process is not automated.

Cookies are small text files that are sent when you visit a website and stored on the hard drive of the user of the website. If the corresponding server of our website is visited again by the user of the website, the browser of the user of the website sends the previously received cookie back to the server. The server can then evaluate the information obtained by this procedure in various ways. For example, cookies can be used to control advertisements or facilitate navigation on a website. If the user of the website wishes to prevent the use of cookies, he/she can do so by changing the settings locally in the Internet browser used on his/her computer, i.e. the program for opening and displaying web pages (for example Internet Explorer, Mozilla Firefox, Opera or Safari).

Server log files
When you visit our website, we store certain connection information (such as IP address, date and duration of visit, pages visited on our website, data regarding your browser and operating system used, and the website from which you visit us) for system and data security purposes. By using this website, you consent to the use of the information collected about you in accordance with our privacy policy.

Google Analytics
This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about the use of the website by the consumer (including the IP address) is transmitted to and stored by Google on servers in the United States. Google will use this information to evaluate the use of the website, to create reports on website activity for website operators, and to provide additional services associated with the use of the website and of the Internet. Google may also transfer this information to third parties if required by law or if the third parties process this data on behalf of Google. Google will in no case associate the consumer's IP address with other Google data. The consumer can prevent the installation of the cookies by a corresponding setting in the Internet browser; in this case, not all the features of the pharmacy's website may be fully available. By using the website, the consumer agrees to the processing of the data collected about him/her by Google in the manner described above and for the aforementioned purpose.

You may refuse the use of the cookies by selecting the appropriate settings on your browser. However, please note that if you do this, you may not be able to use the full functionality of this website. Furthermore, you can prevent Google's collection and use of your data by downloading and installing the browser plug-in available under

You can also refuse the use of Google Analytics on this website by clicking on the following link. An opt-out cookie will be set on the computer, which prevents the future collection of your data when visiting this website:

Disable Google Analytics

Further information concerning Google's terms of use and privacy statement can be found at or at

Opportunity to file a complaint
Finally, please be informed that you have the opportunity to file a complaint with the Data Protection Authority.