Privacy Policy

Our handling of your data and your rights according to the EU General Data Protection Regulation (GDPR)

We process your personal data exclusively in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Data Protection Act. In the following, we provide information about us and the nature, scope and purpose of the collection and use of data:

For a simpler overview, we have divided our Privacy Statement into the following areas:

A: General information
Contains all the information that we are obliged to provide you with, such as our contact details, the contact details of our Data Protection Officer and your rights as data subjects.

B: Data processing not related to website use
Contains all the information about data processing if you are in a business relationship with us, if you visit us on site or if you contact us via other means.

C: Data processing when visiting our website
Contains all the information related to visiting or actively using our website, for example in the context of using our online application portal.

1        Chapter A – General Information

1.1       Who we are

Sanova Pharma GesmbH, Haidestraße 4, 1110 Vienna, is responsible for the data processing. You can reach us by phone at +43 1 401 04 – 0.

1.2       Data Protection Officer

The Data Protection Officer for our company is Mr. Sebastian Niederauer M.A., phone number +43 1 40104 1524, e-mail address Datenschutz@sanova.at.

1.3       Information, rectification, erasure, withdrawal

Each data subject has the right of access to information under Art. 15 of the GDPR, the right to rectification under Art. 16 of the GDPR, the right to erasure under Art. 17 of the GDPR, the right to restriction of processing under Art. 18 of the GDPR and the right to data portability from Art. 20 of the GDPR. The restrictions according to the GDPR apply.

On written request, we will gladly inform you at any time about any personal data stored about you.

Please direct your inquiry to Mr. Sebastian Niederauer M.A., +43 1 40104 1524, e-mail address Datenschutz@sanova.at. Every request for information must be accompanied by a proof of identity (e.g. an official photo ID).

If the data about you processed by us is not correct, please inform us accordingly. We will correct it immediately and inform you.

In the event that you no longer wish us to process your data, please advise us using any format at +43 1 40104 1524, e-mail address Datenschutz@sanova.at. Of course we will delete your data immediately and inform you. If mandatory legal reasons preclude a deletion, you will be notified immediately.

1.4       Opportunity to file a complaint

Finally, please be informed that you have the opportunity to file a complaint with the Data Protection Authority.

 

2        Chapter B – Data processing not related to website use

2.1       Collection and processing of data

We process the personal data that you provide us as a customer, supplier and/or party interested (e.g. doctors) in our services (in particular Logistics 360°, Health Care, Medical Systems, marketing, competitions, loyalty cards), for example as part of a request or to conclude a contract. On the other hand, we process personal data that we have legitimately obtained from publicly available sources (e.g. pharmacy directory, EUDRA GMP, land register, commercial register, trade register, press, media, websites) or that have been transmitted to us by one of our service providers.

Relevant personal data are personal details (first name and surname, address and other contact information, date of birth, nationality, health-related data, insurance number including date of birth, diagnosis and, if applicable, the insured person’s data) and identification information (such as identity card information). In addition, this may also include order data, data from the fulfilment of our contractual obligations (sales data in payment transactions, quantities, sales, prices, delivery dates, payment and reminder data as well as delivery times, credit limits, product information, information about your financial situation (e.g. credit rating), advertising and sales information, data about your use of our offered telecommunications media (e.g. time that our web pages or newsletter were retrieved) as well as any other data similar to the categories mentioned.

As a commission agent in the scope of our business area Logistics 360°, we are entitled and obligated as contracting party of the respective pharmaceutical enterprise, to transmit the customer data processed by us for business fulfillment, in particular name, address, order, delivery and billing address, order date, ordered or delivered products or services, quantities, sales, prices, delivery dates, payment and reminder data and delivery deadlines for the purpose of fulfilling our contractual and statutory information obligations to the respective contracting party. The respective contracting party uses the above-mentioned data in the area of controlling and for measures in market development, such as, in particular, the control of its sales force and the delivery of product information and offers.

If you as a patient order directly from us in the logistics services Logistics 360° or we receive the order from your local health insurance, we process your data (especially first and last name, address, social security number including date of birth, diagnosis and possibly the data of the insured person) for the purpose of fulfilling the purchase contract. These data are only forwarded to other contracting parties (such as your local health insurance fund) and contracted service providers for the purpose of billing within the framework of the fulfillment of the contract.

2.2       Purpose of the data collection

The data is processed for the following purposes:

  • Contract fulfilment and pre-contractual correspondence
  • Corporate controlling
  • Information about changes to the general terms and conditions or privacy policy
  • Sending marketing information or invitations to events
  • Notification in the context of a competition
  • Processing of services
  • Ensuring IT security and IT operations
  • Video surveillance (used to collect evidence in the event of a criminal offence)
  • Measures for building and plant safety (e.g. access control)
  • Measures for business management and further development of services and products
  • Visits by our sales and pharmaceutical representatives for advice on our products and services

 

The legal bases for the data processing are:

  • Consent pursuant to Art. 6 (1) (a) of the GDPR
  • Contract initiation and fulfilment. In order to process your orders to the fullest satisfaction, we need your data.
  • Marketing and advertising according to Art. 6 (1) (f) of the GDPR. As customers and parties interested in our diverse range of services, we would like to keep you up-to-date and well informed of the latest developments and offers concerning our products and distribution partners.
  • Processing is necessary for health or social care or treatment or for the management of health and social systems and services on the basis of statutory provisions or under contract with a health professional (e.g. Pharmacovigilance).
  • Due to legal obligations pursuant to Art. 6 para. 1 lit. c GDPR

2.3       Consent (Article 6 (1) (a) of the GDPR)

If you have given us consent to process your personal data for specific purposes (e.g. approval as part of the customer loyalty card or online on our website), the lawfulness of such processing is based on your consent.

2.4       Withdrawal of consent

We process your personal data in order to operate direct advertising. You have the right to object to the processing of your personal data for the purpose of such advertising at any time; this also applies to profiling if it is associated with such direct advertising.

Every request for information must be accompanied by a proof of identity (e.g. an official photo ID).

Consent that has been granted may be withdrawn at any time in the future. This also applies to the withdrawal of consent granted to us before May 25, 2018. Please notify us of your withdrawal of consent by phone +43 1 40104 1524 or by e-mail to Datenschutz@Sanova.at.

2.5       Use and disclosure of personal data

If you have provided us with personal data, we will use it only for the purpose of processing contracts, invitations to various events, answering your inquiries and for technical administration. As part of our business relationship, you only need to provide the information necessary to establish, conduct, and terminate the relationship, or that we are required to collect by law. Without this data, we would normally have to refuse to execute the contract or fulfil the order, or would be unable to perform an existing contract and would have to terminate it if necessary.

Personal data will only be disclosed or transmitted by us to third parties (in particular health insurance companies, order- and transport service providers) if this is necessary to execute the contract or for billing purposes, or if you have given your prior consent.

Your personal data that has been stored will be deleted if you withdraw your consent to the storage, if your data is no longer necessary for the fulfilment of the purpose pursued with the storage, or if its storage is or becomes prohibited for other legal reasons. Data for billing and accounting purposes will not be deleted on request within the statutory retention obligation.

2.6       Data access

Within the company and within the parent company Herba Chemosan Apotheker-AG, access to your data is given to those entities that require it to fulfil our contractual and legal obligations, to maintain and uphold operations, and for advertising and marketing purposes (e.g. accounting, logistics and marketing). Here, the principle of least privilege is used. Order processors employed by us (Art. 28 of the GDPR) may also receive data for these purposes. These are companies in the categories of accounting / tax consultants, IT services, logistics, telecommunications, data security service providers, advice and consulting, as well as sales and marketing.

With regard to the disclosure of your data to recipients outside the company, it should be noted that we only disclose your data if legal provisions permit this, you have given your consent and/or if the order service provider has committed itself to us by contract to maintain secrecy and implement data protection measures.

2.7       Data retention and data security

The data will be processed in personal form for as long as reasonable for the purposes of its processing, in particular for the duration of our business relationship.

The data is also processed and stored on the basis of various storage and documentation obligations required by the Corporate Code, the Tax Code and other legal obligations. For example, accounting data is stored for a period of eight years. In addition, data is stored until the termination of any litigation in which the data is required as evidence. Personal data that we process in connection with our marketing services will be deleted three years after the last contact with you.

The data is protected against unauthorised access with appropriate safeguards for each system architecture (privacy by design). The safeguards include, for example, encrypted transmission, encrypted storage, a role authorisation concept, a backup concept, and physical protection measures for the servers.

The security measures are continuously revised according to the technological development and are audited regularly.

2.8       Profiling (scoring)

We sometimes process your data automatically with the aim of evaluating certain personal aspects (profiling). For example, we use profiling to provide you with targeted information and advice on products. This allows for needs-based communication and advertising, including market and opinion research.

In any case, the decision-making process is not automated.

3        Chapter C – Data processing when visiting our website

For the technical provision of the website it is necessary that we process certain, automatically transmitted information from you so that your browser can display our website and you can use the website. This information is automatically collected each time you visit our website and stored in our server log files. This information relates to the computer system of the visiting computer. In the process, the following information is collected:

  • IP address
  • Date and time of access
  • Name and URL of the visited website
  • Website/application from which access was made (referrer URL)
  • Operating system and information about the internet browser used (for example, browser version, language settings, and installed add-ons)
  • Name of the access provider

In addition to ensuring a smooth connection establishment and convenient use of our website, the collected data is also used to ensure the system security of the website.

3.1       Cookies

Cookies are small text files that are sent when you visit a website and stored on the hard drive of the user of the website. If the corresponding server of our website is visited again by the user of the website, the browser of the user of the website sends the previously received cookie back to the server. The server can then evaluate the information obtained by this procedure in various ways. For example, cookies can be used to control advertisements or facilitate navigation on a website. If the user of the website wishes to prevent the use of cookies, he/she can do so by making his/her changes locally in the Internet browser used on his/her computer, i.e. the program for opening and displaying web pages (for example Internet Explorer, Mozilla Firefox, Opera or Safari).

When using cookies, we primarily distinguish between five categories:

  1. Strictly necessary cookies:
    These cookies are necessary for the basic functions of the website and cannot be switched off. Cookies in this category relate for example to functions such as setting your privacy preferences, logging in, filling in forms or selecting language preferences.
  2. Performance cookies:
    These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.
  3. Functional cookies:
    These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies, then some or all these services may not function properly.
  4. Marketing cookies:
    These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. If you do not allow these cookies, you will experience less targeted advertising.
  5. Social media cookies:
    These cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies, you may not be able to use or see these social media services.

To manage your cookie preferences, we use the Cookie Management solution from the company OneTrust. With this solution you can always inform us about your cookie preferences.

In addition, almost all browsers allow you to completely block cookies, remove existing cookies, or alert you to cookies, to prevent them from being placed on your device. You can find more information in the documentation or in the help file of your browser or at www.aboutcookies.org.

Please note that blocking cookies can significantly affect the use of the website. Some of our website functions cannot be offered without the use of cookies.

When storing cookies, a distinction is made between so-called session cookies and persistent cookies. Session cookies are deleted after leaving our website. Persistent cookies have different lifespans, which you can find in the cookie overview within the OneTrust cookie banner. You can always delete cookies set in your browser via your browser settings.

3.1.1 Google Tag Manager

Our website uses Google Tag Manager, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager enables us to centrally manage and deliver various tags and scripts. No personal data is collected or processed directly by Google Tag Manager. Tag Manager is only used to activate other tools and technologies (e.g. tracking and analysis tools) that can collect data.

If you object to the use of certain cookies or tracking tools, Google Tag Manager ensures that these tools remain deactivated.

Further information on Google Tag Manager can be found in Google’s privacy policy: https://policies.google.com/privacy?hl=de&gl=at

3.2. Analysis tools Matomo, Facebook, Google Ads

This website uses Matomo (formerly Piwik), a web analysis service provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand. Matomo uses ‘cookies’, which are text files placed on the consumer’s computer, to help the website analyse how users use the site. The information generated by the cookie about the consumer’s use of this website (including their IP address) is transmitted to a Matomo server in Germany and stored there. Matomo will use this information to evaluate the use of the website, to compile reports on website activity for website operators and to provide other services related to website activity and internet usage.
Matomo may also transfer this information to third parties if required by law or if third parties process this data on behalf of Matomo.

The consumer can prevent the installation of cookies by selecting the appropriate settings in their internet browser; however, in this case, not all functions of this website may be fully usable. Furthermore, use can be made of a so-called opt-out cookie via the Cookie Consent Manager OneTrust.

By using the website, the consumer agrees to the processing of data collected about them by Matomo in the manner described above and for the purpose stated above.

We process your data in the context of the use of cookies on the basis of the following legal grounds:

  • to safeguard our legitimate interests in accordance with Art. 6 (1) lit. f GDPR. Our legitimate interest in this regard is to be able to provide you with an appealing, technically functional and user-friendly website for our company and to ensure the system security of the website. Our legitimate interest also includes the regular analysis of website visits in order to tailor the website offering to your needs;
  • to ensure the proper functioning of the website, in particular to implement appropriate technical and organisational measures and to fulfil a legal obligation to which we are subject, Art. 6(1)(c) GDPR; and
  • if you have given your consent to the processing of the data, in accordance with Art. 6(1)(a) GDPR. This applies in particular to marketing cookies and tracking methods from third-party providers.
  • To safeguard our legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interest is to take your cookie preferences into account when providing our website and thereby to ensure the protection of your privacy and your personal data in accordance with your wishes and
  • to ensure the proper functioning of the website, in particular to implement appropriate technical and organisational measures and to fulfil a legal obligation to which we are subject, Art. 6 (1) (c) GDPR.

3.2.1 Facebook Pixel

We use Facebook Pixel on our website, an analysis tool from Meta Platforms Ireland Limited, Merrion Road, Ballsbridge, Dublin D04 X2K5, Ireland. Facebook Pixel enables us to track the behaviour of users who have been redirected to our website via a Facebook advertisement. This data is used to measure and optimise the effectiveness of our advertising campaigns.

Facebook processes the data independently and may link it to your Facebook account. The data may be transferred to third countries, including the USA. For more information, please refer to Facebook’s data policy: https://www.facebook.com/privacy/policy/

You can object to the use of the Facebook Pixel at any time by adjusting your settings in the cookie banner.

3.2.2 Google Ads

We use Google Ads, a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, to show you relevant advertisements and measure the success of our advertising measures. In doing so, personal data such as your IP address or information about your usage behaviour may be collected and processed.

The data may be transferred to third countries, in particular the USA. You have the option to object to the processing of your data within the scope of Google Ads at any time by making the appropriate settings in our cookie banner or by using the Google advertising settings: https://adssettings.google.com/.

3.3 OneTrust

Scope of processing, purpose and storage period

For the purpose of managing your personal cookie preferences, we use the OneTrust Cookie Preference Manager from OneTrust LLC, 1200 Abernathy Rd NE Suite 300, Atlanta GA 30328, USA (OneTrust). This manages and stores your cookie preference settings according to your wishes. To do this, you will be asked about your cookie preferences when you first visit our website and can agree to or reject the use of cookies.

If you delete your internet browser history, all cookies (including opt-out cookies) will be deleted. In this case, you will be asked about your cookie preferences again when you visit our website again.

The Cookie Preference Manager used on the website only shows the status of the last settings you made in the Cookie Preference Manager. Other cookie settings you have made are not displayed (e.g. general blocking of all cookies via your internet browser settings).

Your IP address is used so that the Cookie Preference Manager can process your cookie preferences accordingly. When using mobile devices (e.g. smartphones), the advertising identifier stored there is used.

OneTrust stores your cookie preferences for a maximum of 12 months or until you delete your internet browser history.

OneTrust cookies are classified as strictly necessary cookies.

We process your data to implement the management of your cookie preferences on the basis of the following legal grounds:

  • To safeguard our legitimate interests in accordance with Art. 6 (1) (f) GDPR. Our legitimate interest is to take your cookie preferences into account when providing our website and thereby to ensure the protection of your privacy and your personal data in accordance with your wishes and
  • to ensure the proper functioning of the website, in particular to implement appropriate technical and organisational measures and to fulfil a legal obligation to which we are subject, Art. 6 (1) lit. c GDPR.

3.4 Links to third-party websites

Some sections of our website contain links to third-party websites. These websites are subject to their own data protection principles. We are not responsible for their operation, including the handling of data by third-party providers. If you send information to or via such third-party websites, you should check the privacy policies of these websites before providing them with information that can be attributed to you personally.

3.5 Social media presences operated by us / Our presence on social media

In addition to this website, we also maintain presences on various social media platforms, which you can only access via direct links on our website. Social plugins are not used. When you visit one of our social media presences, personal data may be transmitted to the provider of that social network. It is possible that, in addition to storing the data you specifically enter on that social media platform, further information may also be processed by the social network provider. If you are logged in with your personal user account for the respective network while visiting such a website, this network can assign the visit to this account.

The data you enter on our social media sites and which is publicly accessible (e.g. comments, images, likes, messages to us, etc.) is used by us exclusively for interaction with you. Our legitimate interest is based on Art. 6 (1) lit. f GDPR and consists of offering you appropriate platforms on which we can display current information and you can contact us. Comments, images and likes entered by you on our social media sites are stored by the operator of the social media site for as long as our social media account exists or, alternatively, directly by the operator of the respective site for the duration specified by the operator. In addition, the operators of the social media sites may further process the information you have entered. We have no influence over this further processing. For information on the purpose and scope of data collection and the storage period by the operator of the social media presence, as well as your rights in this regard, please refer to the provisions of the respective controller at:

3.6 Server log files

When you visit our website, we store certain connection data (e.g. IP address, date and duration of visit, pages visited on our website, data regarding your browser and operating system, and the website from which you visited us) for the purpose of system and data security. By using this website, you consent to the use of the data collected about you in accordance with our privacy policy.

3.7 Duration of data storage

Your data will only be stored for as long as is necessary to fulfil the above-mentioned purposes. As soon as the respective purpose no longer applies or you revoke your consent to processing, your data will be deleted, unless statutory retention periods prevent this.

3.8 Your rights

You have the right to request information about the personal data we have stored at any time and to request its correction or deletion. You may also object to the further processing of your data for reasons arising from your particular situation.

3.9.1 Rights of data subjects

As a data subject, you have the following rights under the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG):

  • Right of access
  • Right to rectification
  • Right to erasure (‘right to be forgotten’)
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Right of access

You have the right to request confirmation as to whether personal data concerning you is being processed. If this is the case, you have the right to obtain access to this personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data that are being processed;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed;
  • the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data concerning you or restriction of processing;
  • the existence of the right to lodge a complaint with a supervisory authority;
  • any available information on the origin of the data if the personal data is not collected from the data subject;
  • the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Right to rectification

You have the right to request the immediate rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

Right to erasure (‘right to be forgotten’)

You have the right to request that personal data concerning you be erased without delay, and we are obliged to erase personal data without delay if one of the following reasons applies:

The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

You withdraw your consent on which the processing was based in accordance with Article 6(1)(a) or Article 9(2)(a) of the GDPR, and there is no other legal basis for the processing.

You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.

The personal data has been processed unlawfully.

The erasure of the personal data is necessary to comply with a legal obligation under Union or Member State law to which we are subject.

The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

Right to restriction of processing

You have the right to request the restriction of processing if one of the following conditions applies:

You contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data.

The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead.

We no longer need the personal data for the purposes of processing, but you need it to assert, exercise or defend legal claims.

You have objected to processing pursuant to Article 21(1) GDPR, as long as it is not yet clear whether the legitimate reasons of our company outweigh yours.

Right to data portability

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller without hindrance from us, provided that:

  • the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR, and
  • the processing is carried out by automated means.

Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

Changes to the data protection provisions

We reserve the right to change this privacy policy at any time in order to adapt it to changes in the legal situation or in the event of changes to the service and data processing. The current version is available on our website. In the event of significant changes affecting your rights or the processing of your personal data, we will inform you in good time by email or by a notice on our website.

 
