N1 Data Protection - pharmedix – the experts for your health.

Introduction

The following data protection declaration is intended to clarify which types of personal data (hereinafter also referred to as ‘data’) we process, for what purposes and to what extent. The data protection declaration applies to all processing of personal data carried out by us, both in the framework of the provision of our services and in particular on our websites, in mobile applications and within external online features, such as our social media profiles (collectively referred to as the "online presence").
The terms used are not gender specific.
Version: 23/02/2021

Data controller

pharmedix GmbH
Hans-Henny-Jahnn-Weg 53
D-22085 Hamburg

Authorised representatives: Christian Strauch, Sven Zehender
Email address: info@pharmedix.de
Telephone: +49 40 / 33 46 594-0
Legal notice: https://www.n1.de/en/site-notice

Overview of processes

The table below summarises the types of data processed and the purposes for which they are processed and refers to the data subjects.

Types of data processed

· inventory data (e.g. names, addresses).
· content data (e.g. text entries, photographs, videos).
· contact details (e.g. e-mail, telephone numbers).
· meta/communication data (e.g. device information, IP addresses).
· usage data (e.g. websites visited, interest in content, access times).

Categories of data subjects

· prospective customers.
· communication partners.
· users (e.g. website visitors, users of online services).

Purposes of processing

· Provision of our online presence and user-friendliness.
· visit operation evaluation.
· Interest-based and behavioural marketing.
· Contact enquiries and communication.
· Conversion measurement (measurement of the effectiveness of marketing measures).
· Profiling (creation of user profiles).
· remarketing.
· Measurement of reach (e.g. access statistics, recognition of returning visitors).
· Tracking (e.g. interest- / behavior-related profiling, use of cookies).
· Contractual performance and services.

Applicable legal bases

Below we provide the legal bases of the General Data Protection Regulation (GDPR) on which we process personal data. Please note that, in addition to the rules of the GDPR, the national data protection rules may apply in your or our country of residence. Furthermore, if more specific legal bases are relevant in individual cases, we shall inform you of these in the privacy policy.

· Consent (Art. 6(1) (1) (a) GDPR) - The person concerned has given their consent to the processing of their personal data for a specific purpose or for several specific purposes.
· Fulfilment of the contract and pre-contractual enquiries (Art. 6(1) (1) (b.) GDPR) - The processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures that are carried out at the request of the data subject.
· Legitimate interests (Art. 6(1) (1) (f) GDPR) - The processing is necessary to safeguard the legitimate interests of the data controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, outweigh this.
National data protection regulations in Germany : In addition to the data protection regulations of the General Data Protection Regulation, national data protection regulations apply in Germany. This includes, in particular, the Law on the Protection against the Abuse of Personal Data in the Processing of Data (Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG)). In particular, the BDSG contains special rules on the right of access, the right of erasure, the right of appeal, the processing of specific categories of personal data, processing of data for other purposes and transmission and automated decision-making in individual cases, including profiling. It also regulates the processing of data for the purposes of the employment relationship (Paragraph 26 of the BDSG), in particular with regards to the creation, performance or termination of an employment relationship and the consent of employees. In addition, national laws on data protection may be applicable in the individual federal states.

Security measures

We shall take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the cost of implementation and the nature, extent, circumstances and purposes of the processing, the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, to ensure a level of protection commensurate with the risk.

Measures shall include, in particular, ensuring the confidentiality, integrity and availability of data through the monitoring of physical and electronic access to the data, as well as access to the data relating to them, input, transfer, securing availability and separation. We have also put in place procedures to ensure the exercising of rights of data subjects, the erasure of data and the response to data threats. In addition, we already take the protection of personal data into account in accordance with the principle of data protection in the development or selection of hardware, software and procedures, through technology design and data protection-friendly defaults.

Transmission and disclosure of personal data

In the course of our processing of personal data, the data may on occasion be transferred or disclosed to other entities, undertakings, legally independent organisational units or persons. Recipients of such data may include payment institutions in connection with payment transactions, service providers entrusted with IT tasks or service and content providers embedded in a website. In such a case, we observe the legal requirements and in particular conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

Data processing in third countries

If we process data either in a third country (i.e., a country outside the European Union (EU), the European Economic Area (EEA)) or in the context of using third-party services, or disclose or transmit data to other persons, offices or companies, this shall be carried out only in accordance with the legal requirements.
Subject to express consent or contractually or legally required transmission, we process or have the data processed only in third countries with a recognised level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Application of cookies

Cookies are text files that contain data from visited websites or domains and which are stored on the user's computer by a browser. A cookie is primarily used to store information about a user during or after their visit to an online presence. Such information may include language settings on a web page, login status, a basket of goods, or the location where a video was viewed. The term cookies also includes other technologies that perform the same functions as cookies (e.g. if user information is stored using pseudonymous online identifiers, also known as "user IDs").

A distinction is made between the following types of cookies and functions:
· Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed his browser.
· Permanent cookies: Permanent cookies are saved even after the browser has been closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. The interests of users used for reach measurement or for marketing purposes can also be stored in such a cookie.
· First-party cookies: First-party cookies are set by us.
· Third-Party cookies) : Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
· Necessary (also: essential) cookies: On the one hand, cookies may be absolutely necessary for the operation of a website (e.g. to save logins or other user input or for security reasons).
· Statistics, marketing and personalization cookies : Cookies are usually used when the interests of a user or his behaviour (e.g. viewing specific content, using functions, etc.) are stored on individual websites in a user profile. Such profiles are used to provide users with information, such as content that is appropriate to their potential interests. This is also referred to as "tracking", i.e. tracking of the potential interests of users. Insofar as we use cookies or "tracking" technologies, we shall inform you separately of these in our privacy policy or within the context of obtaining consent.

Notes on legal bases: The legal basis on which we process your personal data with the help of cookies depends on whether we ask you for your consent. If so, and you agree to use cookies, the legal basis for processing your data is the declared consent. Otherwise, the data processed using cookies will be processed on the basis of our legitimate interests (e.g. in a business operation of our online presence and its improvement) or if the use of cookies is necessary to fulfil our contractual obligations.
Storage period: If we do not provide you with any explicit information on the storage duration of permanent cookies (e.g. in the context of a so-called cookie opt-in), please assume that the storage duration may be up to two years.

General information on revocation and objection (opt-out): Depending on whether the processing is based on consent or legal permission, you have the option at any time to revoke your already given consent or to object to the processing of your data using cookie technologies (collectively referred to as “opt-out”). You may declare your objection by using your browser settings, such as disabling cookies (which may also limit the functionality of our online presence). An objection to the use of cookies for online marketing purposes can also be declared using a variety of services, especially in the case of tracking, via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can receive further tips on how to object within the context of the information on the service providers and cookies used.

Processing of cookie data based on consent : Before we process or have data processed in the context of the use of cookies, we ask the user for their consent, which can be revoked at any time. Before consent has been granted, cookies are used which are absolutely necessary for the operation of our online presence.
· Processed data types: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
· Data subjects: Users (e.g. website visitors, users of online services).
· Legal bases: Consent (Art. 6(1) (1) a GDPR), legitimate interests (Art. 6(1) (1) f. GDPR).

Provision of online presence and web hosting

In order to provide our website securely and efficiently, we use one or more web-hosting providers whose servers (or servers they manage) can access the online presence. For these purposes, we may use infrastructure and platform services, computing capacity, storage and database services, as well as security services and technical maintenance.
The data processed in the context of the provision of the hosting services may include any information relating to the users of our online presence arising from use and communications. This regularly includes the IP address, which is necessary in order to be able to deliver website content to browsers, and any entries made within the framework of our online presence or from websites.

Collection of access data and log files: We ourselves (or our web hosting provider) collect data every (server log files) time the server is accessed. The server log files may include the name and address of the accessed websites and files, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and usually IP addresses and the enquiring provider.

The server log files can be used, on the one hand, for security purposes, e.g. to avoid overloading the server, especially in the case of distributed denial of service attacks (DDoS attacks) and, on the other hand, to prevent the servers from becoming overloaded and destabilising.

· Processed data types: Content data (e.g. text input, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
· Data subjects: Users (e.g. website visitors, users of online services).
· Legal bases: legitimate interests (Art. 6(1) (1) f. GDPR).

Making contact

When contacting us (e.g. via contact form, email, telephone or social media), the information provided by the requesting persons is processed, insofar as this is necessary to respond to the contact enquiries and any measures requested.
Responses to contact enquiries within the context of contractual or pre-contractual relations shall be given either in order to fulfil our contractual obligations or for the purpose of answering (pre)contractual enquiries and also on the basis of the legitimate interests in answering the enquiries.

· Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos).
· Data subjects: Communication partner.
· Processing purposes: Contact enquiries and communication.
· Legal bases: Contractual performance and pre-contractual requests (Art. 6(1) (1) (b) GDPR), legitimate interests (Art. 6(1) (1) (f) GDPR).

Online marketing

We process personal data for online marketing purposes, which can include, in particular, the marketing of advertising space or the presentation of advertising and other content (collectively referred to as "content") based on the potential interests of users and the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (a so-called "cookie") or similar procedures are used to save user information relevant to the presentation of the aforementioned content. This information can include, for example, content viewed, websites visited, online networks used, however also communication partners and technical information such as the browser used, the computer system used and information on usage times. Insofar as users have consented to the collection of their location data, these may also be processed.
The IP addresses of the users are also saved. However, to protect users we use available IP masking processes (i.e. pseudonymisation by truncating the IP address). In general, no identifiable user data (such as e-mail addresses or names) are stored in the context of the online marketing process. Instead, pseudonyms are used. This means that we and the providers of online marketing processes do not know the actual identity of the users, but only the information stored in their profiles.

The information in the profiles is usually stored in the cookies or by means of similar procedures. These cookies can also generally be subsequently read on other websites that use the same online marketing process, analysed to display content, as well as supplemented with additional data and stored on the online marketing process provider's server.

Exceptionally, plain data may be assigned to the profiles. Such is the case, for example,when users are members of a social network whose online marketing process we use and the network connects the users' profiles with the aforementioned information. We ask you to note that users can make additional agreements with the providers, e.g., by granting consent during registration.
In principle, we only have access to summarised information about the success of our advertisements. However, within the scope of conversion measurements we can check which of our online marketing processes have led to a conversion, i.e., for example, to the conclusion of a contract with us. Conversion measurement is used solely to analyse the success of our marketing measures.
Unless otherwise stated, we ask you to assume that the cookies used will be stored for a period of two years.

Notes on legal bases: Insofar as we ask the users for their consent to the use of third-party providers, the legal basis for data processing is such consent. For all else, user data will be processed on the basis of our legitimate interests (i.e., interest in efficient, economic and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this Data Privacy Declaration.

· Processed data types: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
· Data subjects: Users (e.g. website visitors, users of online services), interested parties.
· Processing purposes: Tracking (e.g. interest/behaviour-related profiling, use of cookies), remarketing, visitor action evaluation, interest-based and behaviour-related marketing, profiling (creation of user profiles), conversion measurement (measurement of the effectiveness of marketing measures), measurement of reach (e.g. access statistics, recognition of returning visitors).
· Security measures: IP masking (pseudonymisation of the IP address).
· Legal bases: Consent (Art. 6(1) (1) a GDPR), legitimate interests (Art. 6(1) (1) (f) GDPR).
· Objecting (opt-out option): We refer to the data protection notices of the respective providers and the possibilities of objection given to the providers (an “opt-out”). Unless an explicit opt-out option has been specified, you have the option of switching off cookies in your browser settings. However, this may restrict the features of our online presence. We therefore also recommend the following opt-out options, which are offered in summary for the respective areas: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-regional: https://optout.aboutads.info.

Services and service providers used:

· Google Analytics: Online marketing and web analysis; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy policy: https://policies.google.com/privacy; Objection option (opt-out): Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying advertisements: https://adssettings.google.com/authenticated.

Presence in social networks (social media)

We maintain an online presence within social networks and process user data in this context in order to communicate with the active users there or to offer information about us.
We would like to point out that this might lead to user data being processed outside the European Union, which can pose risks for users because this might hinder the enforcement of users' rights, for example.

User data are also generally processed for market research and advertising purposes. For example, user profiles can be created based on user behaviour and the user interests derived from these. The usage profiles can in turn be used, for example, to display advertisements which presumably correspond to the interests of the users both within and outside the platforms. For these purposes, cookies are usually stored on the user's computer, in which the user's usage behaviour and interests are stored. Furthermore, data can also be stored in user profiles separate from the devices used by the users (especially if the users are members of the respective platforms and are logged in).

For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer you to the privacy policies and information of the respective network operators.
We would like to point out that requests for information and the assertion of user rights are also most effectively directed to the providers. Only the providers have access to the user data and can take appropriate measures and provide information directly. Should you still require assistance, you can contact us.

· Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information , IP addresses).
· Data subjects: Users (e.g. website visitors, users of online services).
· Processing purposes: Contact requests and communication, tracking (e.g. interest/behaviour-related profiling, use of cookies), remarketing.
· Legal bases: legitimate interests (Art. 6(1) (1) (f) GDPR).

Services and service providers used:

· LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.linkedin.com; Data protection declaration: https://www.linkedin.com/legal/privacy-policy; Objection/opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
· Xing: Social network; Service provider: XING AG, Dammtorstrasse 29-32, 20354 Hamburg, Germany; Website: https://www.xing.de; Data protection declaration: https://privacy.xing.com/de/datenschutzerklaerung.

Plug-ins and embedded features and content

Our online presence includes functional and content elements that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may, for example, be graphics, videos or social media buttons as well as posts (hereinafter uniformly referred to as "Content").

The integration always presupposes that the third-party providers of such content process the IP address of the user since they could not send the content to their browser without the IP address. The IP address is therefore required to present such content or features. We strive to only use content whose respective provider uses the IP address solely to deliver content. Third parties may also use so-called pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain technical information about the browser and operating system, websites to be referred to, times the site is accessed and other information about the use of our online presence, and also may be linked to such information from other sources.

· Processed data types: Usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
· Data subjects: Users (e.g. website visitors, users of online services).
· Processing purposes: Provision of our online presence and user-friendliness, contractual performance and services.
· Legal bases: legitimate interests (Art. 6(1) (1) (f) GDPR).
Services and service providers used:
· Google Fonts: We integrate fonts (“Google Fonts”) from the provider Google, whereby user data is used solely for the purpose of displaying the fonts in the user’s browser. Integration takes place on the basis of our legitimate interests in technically safe, maintenance-free and efficient use of fonts and their uniform representation as well as consideration of possible licensing restrictions for their integration. Company: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://fonts.google.com/; Privac policy: https://policies.google.com/privacy.

Deletion of data

The data we process shall be deleted in accordance with the statutory provisions as soon as the consent granted for processing is revoked or other permissions lapse (e.g. if the purpose of processing this data has lapsed or it is not necessary for the purpose).

If the data are not deleted because they are required for other and legally permissible purposes, their processing is limited to such purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.

Further information on the deletion of personal data can also be found in the individual data protection notices of this data protection declaration.

Changes and updates to this data protection declaration

We ask you to inform yourself regularly about the contents of our data protection declaration. We will adapt our data protection declaration when changes in the data processing we carry out make this necessary. We will inform you when these changes require either your cooperation (for example, consent) or other separate notification.

If we provide addresses and contact information of companies and organisations in this Privacy Policy, please note that the addresses may change over time, so we ask you to check the information before contacting us.

Rights of data subjects

As a data subject, you have various rights under the GDPR, which result in particular from Art. 15 to 21 GDPR:
· The right to object: You have the right, for reasons arising from your specific situation, to object, at any time, to the processing of personal data concerning you which is carried out in accordance with Art. 6 (1) e) or f) of the GDPR, including profiling based on those provisions. If the personal data relating to you is processed for direct marketing purposes, you have the right to object at any time to such processing your personal data for such marketing purposes; this also applies to profiling insofar as it is associated with such direct marketing.
· Right of withdrawal of consent: You have the right to withdraw your consent at any time.
· Right to information: You have the right to request confirmation as to whether the data in question is being processed and to information concerning this data as well as to further information and copying of the data in accordance with legal requirements.
· The right to correction: You have the right, in accordance with the legal requirements, to demand the completion of the data concerning you or the correction of the incorrect data concerning you.
· Right to deletion and restriction of processing: In accordance with the statutory provisions, you have the right to demand that the relevant data be deleted immediately, or alternatively to demand a restriction of the processing of the data in accordance with the statutory provisions.
· Right to data portability: You have the right to receive data concerning you which you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements, or to demand that they be transferred to another data controller.
· Complaining to the supervisory authority: You also have the right, in accordance with the statutory provisions, to complain to a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place where the alleged infringement has been committed, if you are of the opinion that the processing of your personal data violates the provisions of the GDPR.

Definition of terms

This section gives you an overview of the terms used in this data privacy declaration. Many of the terms are taken from legislation and are primarily defined in Art. 4 of the GDPR. The legal definitions are binding. The following explanations, on the other hand, are intended primarily to aid comprehension. The terms are listed in alphabetical order.
· visit operation evaluation: Conversion Tracking is a procedure used to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on the users' devices within the websites on which the marketing measures are carried out and then retrieved again on the target website. For example, we can see whether the advertisements we have placed on other websites have been successful.
· IP masking: “IP masking” is a method in which the last octet, i.e. the last two digits of an IP address, is deleted so that the IP address can no longer be used to uniquely identify a person. Thus IP masking is a means of pseudonymising processing methods, especially in online marketing
· Interest-based and behavioural marketing: Interest-based and/or behaviour-based marketing is the type of marketing for which the potential interests of users in advertisements and other content are predetermined as precisely as possible. This is done on the basis of information about their previous behaviour (e.g. visiting certain websites and lingering on them, purchasing behaviour or interaction with other users), which are stored in a profile. Cookies are usually used for these purposes.
· Conversion measurement: : Conversion measurement is a procedure used to determine the effectiveness of marketing measures. For this purpose, a cookie is usually stored on the users' devices within the websites on which the marketing measures are carried out and then retrieved again on the target website. For example, we can see whether the advertisements we placed on other websites were successful.
· Personal data: “Personal Data” refers to any information relating to an identified or identifiable natural person (hereinafter “Data Subject”); a natural person is regarded as identifiable if he can be directly or indirectly identified, especially by means of association with an identifier such as a name, with an identification number, with location data, with an online identifier (e.g. cookies) or with one or several special features reflecting the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person.
· Profiling: "Profiling" refers to any type of automated processing of personal data that includes using these personal data to analyse, evaluate or predict certain personal aspects relating to a natural person. (Depending on the type of profiling, this includes information relating to age, gender, location data and movement data, interaction with websites and their content, shopping behaviour, social interactions with other people) (e.g. interests in certain content or products, clicking behaviour on a website or his/her whereabouts). Cookies and web beacons are often used for profiling purposes.
· Measurement of reach: Measurement of reach (also referred to as web analytics) is used to evaluate the flow of visitors to an online presence and can include the behaviour or interests of visitors in certain information, such as the content of websites. With the help of the web analytics, website owners can see, for example, what time visitors visit their website and what content they are interested in. This enables them, for example, to better adapt the content of the website to the needs of their visitors. For reach analysis, pseudonymous cookies and web beacons are often used to recognise returning users and thus to receive more precise analyses of the use of an online presence.
· Remarketing: “Remarketing”, also known as “retargeting”, is used when, for example, for advertising purposes not is taken of which products a user was interested in on a website in order to remind the user of these products on other websites, for example in advertisements.
· Tracking: "Tracking" refers to the behaviour of users that you can trace across several online presences. As a rule, information on behaviour and interest in terms of the use made of an online presence is stored in cookies or on servers of the providers of tracking technologies (profiling). This information can then be used, for example, to display advertisements to users that are likely to correspond to their interests.
· Data controller: "Data Controller" refers to the natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
· Processing: "Processing" means any operation carried out with or without the aid of automated procedures or any such series of operations in connection with personal data. The term is broad and covers virtually every aspect of dealing with data, be it collection, evaluation, storage, transmission or deletion.