Our handling of your data and your rights according to the EU General Data Protection Regulation (GDPR)
We process your personal data exclusively in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Data Protection Act. In the following, we provide information about us and the nature, scope and purpose of the collection and use of data:
For a simpler overview, we have divided our Privacy Statement into the following areas:
A: General information
Contains all the information that we are obliged to provide you with, such as our contact details, the contact details of our Data Protection Officer and your rights as data subjects.
B: Data processing not related to website use
Contains all the information about data processing if you are in a business relationship with us, if you visit us on site or if you contact us via other means.
C: Data processing when visiting our website
Contains all the information related to visiting or actively using our website, for example in the context of using our online application portal.
Chapter A – General Information
Who we are
Herba Chemosan Apotheker-AG, Haidestraße 4, 1110 Vienna, is responsible for the data processing. You can reach us by phone at +43 1 801 04 – 0.
Data Protection Officer
The Data Protection Officer for our company is Mr. Sebastian Niederauer M.A., phone number +43 1 40104 1524, e-mail address Datenschutz@herba-chemosan.at.
Information, rectification, erasure, withdrawal
Each data subject has the right of access to information under Art. 15 of the GDPR, the right to rectification under Art. 16 of the GDPR, the right to erasure under Art. 17 of the GDPR, the right to restriction of processing under Art. 18 of the GDPR and the right to data portability under Art. 20 of the GDPR. The restrictions according to the GDPR apply.
On written request, we will gladly inform you at any time about any personal data stored about you.
Please direct your inquiry to Mr. Sebastian Niederauer M.A., +43 1 40104 1524, e-mail address Datenschutz@herba-chemosan.at. Every request for information must be accompanied by a proof of identity (e.g. an official photo ID).
If the data about you processed by us is not correct, please inform us accordingly. We will correct it immediately and inform you.
In the event that you no longer wish us to process your data, please advise us using any format at +43 1 40104 1524, e-mail address Datenschutz@herba-chemosan.at. Of course we will delete your data immediately and inform you. If mandatory legal reasons preclude a deletion, you will be notified immediately.
Opportunity to file a complaint
Finally, please be informed that you have the opportunity to file a complaint with the Data Protection Authority.
Chapter B - Data processing not related to website use
Collection and processing of data
We process the personal data that you provide us as a customer, supplier and/or party interested (e.g. doctors) in our services (in particular Logistics 360 °, Health Care, Medical Systems, marketing, competitions, loyalty cards), for example as part of a request or to conclude a contract. On the other hand, we process personal data that we have legitimately obtained from publicly available sources (e.g. pharmacy directory, EUDRA GMP, land register, commercial register, trade register, press, media, websites) or that have been transmitted to us by one of our service providers.
Relevant personal data are personal details (first name and surname, address and other contact information, date of birth, nationality, health-related data, insurance number including date of birth, diagnosis and, if applicable, the insured person's data) and identification information (such as identity card information). In addition, this may also include order data, data from the fulfilment of our contractual obligations (sales data in payment transactions, quantities, sales, prices, delivery dates, payment and reminder data as well as delivery times, credit limits, product information, information about your financial situation (e.g. credit rating), advertising and sales information, data about your use of our offered telecommunications media (e.g. time that our web pages or newsletter were retrieved) as well as any other data similar to the categories mentioned.
As a commission agent in the scope of our business area Logistics 360 °, we are entitled and obligated as contracting party of the respective pharmaceutical enterprise, to transmit the customer data processed by us for business fulfillment, in particular name, address, order, delivery and billing address, order date, ordered or delivered products or services, quantities, sales, prices, delivery dates, payment and reminder data and delivery deadlines for the purpose of fulfilling our contractual and statutory information obligations to the respective contracting party. The respective contracting party uses the above-mentioned data in the area of controlling and for measures in market development, such as, in particular, the control of its sales force and the delivery of product information and offers.
If you as a patient order directly from us in the logistics services Logistics 360 ° or we receive the order from your local health insurance, we process your data (especially first and last name, address, social security number including date of birth, diagnosis and possibly the data of the insured person) for the purpose of fulfilling the purchase contract. These data are only forwarded to other contracting parties (such as your local health insurance fund) and contracted service providers for the purpose of billing within the framework of the fulfillment of the contract.
Purpose of the data collection
The data is processed for the following purposes:
- Contract fulfilment and pre-contractual correspondence
- Corporate controlling
- Sending marketing information or invitations to events
- Notification in the context of a competition
- Processing of services
- Ensuring IT security and IT operations
- Video surveillance (used to collect evidence in the event of a criminal offence)
- Measures for building and plant safety (e.g. access control)
- Measures for business management and further development of services and products
- Visits by our sales and pharmaceutical representatives to advise on our products and services
The legal bases for the data processing are:
- Consent pursuant to Art. 6 (1) (a) of the GDPR
- Contract initiation and fulfilment. In order to process your orders to the fullest satisfaction, we need your data.
- Marketing and advertising according to Art. 6 (1) (f) of the GDPR. As customers and parties interested in our diverse range of services, we would like to keep you up-to-date and well informed of the latest developments and offers concerning our products and distribution partners.
- Processing is necessary for health or social care or treatment or for the management of health and social systems and services on the basis of statutory provisions or under contract with a health professional (e.g. Pharmacovigilance).
- Due to legal obligations pursuant to Art. 6 para. 1 lit. c GDPR
Consent (Article 6 (1) (a) of the GDPR)
If you have given us consent to process your personal data for specific purposes (e.g. approval as part of the customer loyalty card or online on our website), the lawfulness of such processing is based on your consent.
Withdrawal of consent
We process your personal data in order to operate direct advertising. You have the right to object to the processing of your personal data for the purpose of such advertising at any time; this also applies to profiling if it is associated with such direct advertising.
Every request for information must be accompanied by a proof of identity (e.g. an official photo ID).
Consent that has been granted may be withdrawn at any time in the future. This also applies to the withdrawal of consent granted to us before May 25, 2018. Please notify us of your withdrawal of consent by phone +43 1 40104 1524 or by e-mail to Datenschutz@Herba-chemosan.at.
Use and disclosure of personal data
If you have provided us with personal data, we will use it only for the purpose of processing contracts, invitations to various events, answering your inquiries and for technical administration. As part of our business relationship, you only need to provide the information necessary to establish, conduct, and terminate the relationship, or that we are required to collect by law. Without this data, we would normally have to refuse to execute the contract or fulfil the order, or would be unable to perform an existing contract and would have to terminate it if necessary.
Personal data will only be disclosed or transmitted by us to third parties (in particular health insurance companies, order- and transport service providers) if this is necessary to execute the contract or for billing purposes, or if you have given your prior consent.
Your personal data that has been stored will be deleted if you withdraw your consent to the storage, if your data is no longer necessary for the fulfilment of the purpose pursued with the storage, or if its storage is or becomes prohibited for other legal reasons. Data for billing and accounting purposes will not be deleted on request within the statutory retention obligation.
Within the company and within the parent company Herba Chemosan Apotheker-AG, access to your data is given to those entities that require it to fulfil our contractual and legal obligations, to maintain and uphold operations, and for advertising and marketing purposes (e.g. accounting, logistics and marketing). Here, the principle of least privilege is applied. Order processors employed by us (Art. 28 of the GDPR) may also receive data for these purposes. These are companies in the categories of accounting / tax consultants, IT services, logistics, telecommunications, data security service providers, advice and consulting, as well as sales and marketing.
With regard to the disclosure of your data to recipients outside the company, it should be noted that we only disclose your data if legal provisions permit this, you have given your consent and/or if the order service provider has committed itself to us by contract to maintain secrecy and implement data protection measures.
Data retention and data security
The data will be processed in personal form for as long as reasonable for the purposes of its processing, in particular for the duration of our business relationship.
The data is also processed and stored on the basis of various storage and documentation obligations required by the Corporate Code, the Tax Code and other legal obligations. For example, accounting data is stored for a period of eight years. In addition, data is stored until the termination of any litigation in which the data is required as evidence. Personal data that we process in connection with our marketing services will be deleted three years after the last contact with you.
The data is protected against unauthorised access with appropriate safeguards for each system architecture (privacy by design). The safeguards include, for example, encrypted transmission, encrypted storage, a role authorisation concept, a backup concept, and physical protection measures for the servers.
The security measures are continuously revised according to the technological development and are audited regularly.
We sometimes process your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling to provide you with targeted information and advice on products. This allows for needs-based communication and advertising, including market and opinion research.
In any case, the decision-making process is not automated.
Chapter C - Data processing when visiting our website
For the technical provision of the website it is necessary that we process certain, automatically transmitted information from you so that your browser can display our website and you can use the website. This information is automatically collected each time you visit our website and stored in our server log files. This information relates to the computer system of the visiting computer. In the process, the following information is collected:
- IP address
- Date and time of access
- Name and URL of the visited website
- Website/application from which access was made (referrer URL)
- Operating system and information about the internet browser used (for example, browser version, language settings, and installed add-ons)
- Name of the access provider
In addition to ensuring a smooth connection establishment and convenient use of our website, the collected data is also used to ensure the system security of the website.
When using cookies, we primarily distinguish between five categories:
- Strictly necessary cookies:
These cookies are necessary for the basic functions of the website and cannot be switched off. Cookies in this category relate for example to functions such as setting your privacy preferences, logging in, filling in forms or selecting language preferences.
- Performance cookies:
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.
- Functional cookies:
These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies, then some or all these services may not function properly.
- Marketing cookies:
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. If you do not allow these cookies, you will experience less targeted advertising.
- Social media cookies:
These cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies, you may not be able to use or see these social media services.
To manage your cookie preferences, we use the Cookie Management solution from the company OneTrust. With this solution you can always inform us about your cookie preferences.
In addition, almost all browsers allow you to completely block cookies, remove existing cookies, or alert you to cookies, to prevent them from being placed on your device. You can find more information in the documentation or in the help file of your browser or at www.aboutcookies.org.
When storing cookies, a distinction is made between so-called session cookies and persistent cookies. Session cookies are deleted after leaving our website. Persistent cookies have different lifespans, which you can find in the cookie overview within the OneTrust cookie banner. You can always delete cookies set in your browser via your browser settings.
Scope of processing, purpose and storage duration
If you delete your internet browsing history, all cookies (including opt-out cookies) will be deleted. In this case you will be asked again for your cookie preferences when you visit our website again.
The Cookie Preference Manager used on the website only shows the status of the last settings made by you in the Cookie Preference Manager. Any other cookie settings set by you will not be shown (for example, general blocking of all cookies via your internet browser settings).
Your IP address will be used so that the Cookie Preference Manager can process your cookie preferences accordingly. When using mobile devices (for example smartphone), the advertising identifier stored there is used.
OneTrust stores your cookie preferences for a maximum of 12 months or until you delete the internet browsing history.
OneTrust cookies are classified as strictly necessary cookies.
We process your data to implement the management of your cookie preferences on the basis of the following legal bases:
- to safeguard our legitimate interests in accordance with Article 6 Para. 1 lit. f GDPR. Our legitimate interest is to take your cookie preferences into account when making our website available, thereby ensuring the protection of your privacy and your personal data according to your wishes, and
- to ensure the proper operation of the website, in particular to implement appropriate technical and organisational measures and to fulfill a legal obligation to which we are subject, Article 6 Para. 1 lit. c GDPR.
Links to third-party websites
Some sections of our website contain links to third-party websites. These websites are subject to their own data protection principles. We are not responsible for their operation, including data handling by third parties. If you send information to or by means of these third-party sites, you should review the privacy statements of those sites before providing any information that may be associated with you.
Social media sites/our activity in social media
In addition to this website, we also maintain presences on various social media sites, which you can only reach via direct links on our website. Social plugins are not used. If you visit one of our presences on social media, personal data may be transferred to the provider of this social network. It is possible that, in addition to storing the data you have specifically entered in this social media site, the provider of the social network may also process further information. If you are logged in with your personal user account of the respective network while visiting such a website, this network can match the visit to this account.
The data that you have entered on our social media presences and that are publicly accessible (for example, comments, pictures, likes, messages to us, etc.) are used by us exclusively to interact with you. Our legitimate interest is based on Article 6 Para. 1 lit. f GDPR and is to provide you with appropriate platforms on which we can share current information with you and you can contact us. Comments, pictures and likes made by you on our social media presences are stored by the operator of the social media presence, as long as our social media presence account exists or alternatively directly by the operator of the respective site for the given duration. In addition, the operators of social media networks can process the information that you have entered. This further processing cannot be influenced by us. For information on the purpose and scope of the data collection as well as the storage duration by the operator of the social media network, as well as your rights in this regard, please refer to the regulations of the responsible party:
- Agreement on joint responsibility of the Facebook Fan Page: https://www.facebook.com/legal/terms/page_controller_addendum