Privacy policy

Below you will find information on the handling of personal data at Komtur Pharmaceuticals. Personal data is any data with which you can be personally identified. Personal data is collected and processed for various purposes. We explain here what we do this for in detail, on what legal basis this is done and what rights you have as a person affected by our processing.

Please do not hesitate to contact us if you have any questions regarding data protection.

Content

1. Responsible body and general information
2. Privacy information for website visitors
3. Privacy information for business partners
4. Privacy information for applicants
5. Privacy information for the use of our KOMfinder
6. Changes to this privacy information

1. Responsible body and general information

Responsible entity

Komtur Pharmaceuticals Headquarters
Am Flughafen 6
79108 Freiburg im Breisgau, Germany

Phone: +49 (0)761 504 23 0
E-mail: info[@]komtur[.]com

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, e-mail addresses, etc.).

Data Protection Officer

We have appointed a data protection officer for our company. You can reach him via the above address (Attn. Data Protection Officer) or directly by e-mail to datenschutz[@]komtur[.]com.

General information on the legal basis for data processing

If you have consented to data processing, we process your personal data on the basis of Art. 6 (1) lit. a GDPR or Art. 9 (2) lit. a GDPR, if special categories of data according to Art. 9 (1) GDPR (e.g. health data) are processed. In the case of explicit consent to the transfer of personal data to third countries, the data processing is also based on Art. 49 (1) lit. a GDPR. If you have consented to the storage of cookies or to the access to information in your terminal device (e.g. via device fingerprinting), the data processing is additionally carried out on the basis of Section 25 (1) TTDSG. The consent can be revoked at any time.

If your data is required for the performance of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6 (1) lit. b GDPR or Art. 6 (1) lit. f GDPR (this is the usual case if you are in contact with us as the contact person of a legal entity that is our contractual partner). Our legitimate interest lies in processing contracts and pre-contractual measures with our business partners in a targeted and transparent manner, for which the processing of contact data of contact persons is usually necessary and appropriate.

Furthermore, we process your data if this is necessary for the fulfillment of a legal obligation on the basis of Art. 6 (1) lit. c GDPR.

Furthermore, data processing may be based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Information about the relevant legal basis in each individual case is provided in the following paragraphs of this privacy policy.

Your rights as a person affected by the processing of your data

Revocation of your consent to data processing

Many data processing operations are only possible with your express consent. You can revoke consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

Right to object to data collection in special cases and to direct marketing (Art. 21 GDPR)

If the data processing is based on Art. 6 (1) lit. e or lit. f GDPR, you have the right to object to the processing of your personal data at any time on grounds relating to your particular situation. If you object, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims (objection under Art. 21 (1) GDPR).

Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.

Information, deletion and correction

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of data processing and, if necessary, a right to correction or deletion of this data. For this purpose, as well as for further questions on the subject of personal data, you can contact us at any time.

Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. For this purpose, you can contact us at any time. The right to restriction of processing exists in the following cases:

If you dispute the accuracy of your personal data stored by us, we usually need time to verify this. For the duration of the review, you have the right to request the restriction of the processing of your personal data.

If the processing of your personal data happened/is happening unlawfully, you may request the restriction of data processing instead of erasure.

If we no longer need your personal data, but you need it to exercise, defend or enforce legal claims, you have the right to request restriction of the processing of your personal data instead of deletion.

If you have lodged an objection pursuant to Art. 21 (1) GDPR, a balancing of your and our interests must be carried out. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, this data may - apart from being stored - only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the European Union or a Member State.

Right of appeal to the competent supervisory authority

In the event of breaches of the GDPR, data subjects shall have a right of appeal to a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the alleged breach. The right of appeal is without prejudice to other administrative or judicial remedies.

2. Information for the visit and use of our website

SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or requests that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Cookies

Our Internet pages use so-called "cookies". Cookies are information and do not cause any damage to your end device. They are stored either temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your end device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or until they are automatically deleted by your web browser.

In some cases, cookies from third-party companies may also be stored on your terminal device when you enter our site (third-party cookies). These enable us or you to use certain services of the third-party company (e.g. cookies to manage your cookie settings - see below).

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. language settings, consent management). Other cookies are used to evaluate user behavior or display advertising.

Cookies that are necessary to carry out the electronic communication process, to provide certain functions that you have requested (e.g. for the shopping cart function) or to optimize the website (e.g. cookies to measure the web audience) (necessary cookies) are stored on the basis of Art. 6 (1) lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies for the technically error-free and optimized provision of its services. If consent to the storage of cookies and comparable recognition technologies has been requested, the processing is based exclusively on this consent (Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG); the consent can be revoked at any time.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. When deactivating cookies, the functionality of this website may be limited.

If cookies are used by third-party companies or for analysis purposes, we will inform you about this separately within the framework of this data protection declaration and, if necessary, request your consent.

Consent with Usercentrics

This website uses the consent technology (so-called "cookie banner") of Usercentrics to obtain your consent to the storage of certain cookies on your terminal device or to the use of certain technologies and to document this in accordance with data protection law. The provider of this technology is Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, website: https://usercentrics.com/de/ (hereinafter "Usercentrics").

When you enter our website, the following personal data is transferred to Usercentrics:

• Your consent(s) or revocation of your consent(s)
• Your IP address
• Information about your browser
• Information about your terminal device
• Time of your visit to the website

Furthermore, Usercentrics stores a cookie in your browser in order to be able to assign the consent given to you or its revocation. The data collected in this way is stored until you request us to delete it, delete the Usercentrics cookie yourself or the purpose for storing the data no longer applies. Mandatory legal storage obligations remain unaffected.

Usercentrics is used to obtain the legally required consent for the use of certain technologies. The legal basis for this is Art. 6 (1) lit. c GDPR.

Data processing

We have concluded a data processing agreement (DPA) with the above-mentioned provider. This is a contract required by data protection law, which ensures that the provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

Hosting

We host our website with Mittwald. The provider is the Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp, Germany (hereinafter referred to as Mittwald).

For details, please view the data privacy policy of Mittwald: https://www.mittwald.de/datenschutz.

We use Mittwald on the basis of Art. 6 (1) lit. f GDPR. We have a legitimate interest in the most reliable depiction of our website possible. If appropriate consent has been obtained, the processing is carried out exclusively on the basis of Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG, insofar the consent includes the storage of cookies or the access to information in the user's end device (e.g., device fingerprinting) within the meaning of the TTDSG. This consent can be revoked at any time.

Data processing

We have concluded a data processing agreement (DPA) with the above-mentioned provider. This is a contract mandated by data privacy laws that guarantees that they process personal data of our website visitors only based on our instructions and in compliance with the GDPR.

Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

• Browser type and version
• Operating system used
• Referrer URL
• Host name of the accessing computer
• Time of the server request
• IP address

This data is not merged with other data sources.

The collection of this data is based on Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website - for this purpose, the server log files must be collected.

Web analysis with Matomo

This website uses the open source web analytics service Matomo. Matomo uses technologies that enable cross-page recognition of the user to analyze user behavior (e.g. cookies or device fingerprinting). The information collected by Matomo about the use of this website is stored on our server. The IP address is anonymized before storage.

With the help of Matomo, we are able to collect and analyze data about the use of our website by website visitors. This allows us to find out, among other things, when which page views were made and from which region they come. We also collect various log files (e.g. IP address, referrer, browsers and operating systems used) and can measure whether our website visitors perform certain actions (e.g. clicks, purchases, etc.).

The use of this analysis tool is based on Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its website and its advertising. Insofar as a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) as defined by the TTDSG. The consent can be revoked at any time.

IP anonymization

We use IP anonymization for the analysis with Matomo. In this case, your IP address is shortened before analysis so that it can no longer be clearly assigned to you.

Hosting

We use Matomo via the CDN (Content Delivery Network) of the manufacturer. We have concluded a data processing agreement (DPA) with the manufacturer InnoCraft Ltd, 7 Waterloo Quay, PO Box 625, 6140 Wellington, New Zealand*. Details on data protection at InnoCraft for the operation of the Matomo cloud can be found here: https://matomo.org/matomo-cloud-privacy-policy/.

* For New Zealand, there is an adequacy decision of the EU Commission pursuant to Art. 46 (5) sentence 2 GDPR.

Contact form

If you send us inquiries via the contact form, your data from the inquiry form including the contact data you provided there will be stored by us for the purpose of processing the inquiry and in case of follow-up questions. We do not pass on this data without your consent.

The processing of this data is based on Art. 6 (1) lit. b GDPR, if your request is related to the performance of a contract with yourself or is necessary for the performance of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests addressed to us (Art. 6 (1) lit. f GDPR) or on your consent (Art. 6 (1) lit. a GDPR) if this has been requested; the consent can be revoked at any time.

The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory legal provisions - in particular retention periods - remain unaffected.

We use "Basin" as a technical service provider for our web form. We have concluded a data processing agreement (DPA) with the manufacturer Moonshot Ventures Inc, 30060 Harris Rd, Abbotsford BC V4X 1V6, Canada*. Details of Moonshot's privacy policy for operating our web form can be found here: https://usebasin.com/privacy.

* For Canada there is an adequacy decision of the EU Commission according to Art. 46 (5) sentence 2 GDPR.

Request by e-mail, phone or fax

If you contact us by e-mail, telephone or fax, your inquiry including all resulting personal data (name, inquiry) will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.

The processing of this data is based on Art. 6 (1) lit. b GDPR, if your request is related to the performance of a contract with yourself or is necessary for the implementation of pre-contractual measures with you. In all other cases, the processing is based on our legitimate interest in the effective processing of the requests addressed to us (Art. 6 (1) lit. f GDPR) or on your consent (Art. 6 (1) lit. a GDPR) if this has been requested; the consent can be revoked at any time.

The data you send to us via contact requests will remain with us until you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies (e.g. after your request has been processed). Mandatory legal provisions - in particular legal retention periods - remain unaffected.

3. Information for business partners

If you or the company you work for want to do business with Komtur Pharmaceuticals, we first need some basic information about the company and the respective contact persons.

Data processed and legal basis:

• Company
• Owner / Managing Director / Legal form
• Address of the company / pharmacy: street, zip code, city
• Business email address, phone and fax number
• Position in the company
• Payment method, including account data, if direct debit is desired
• VAT ID number
• Wholesale license for pharmaceuticals or pharmacist license
• Transaction data (contract data)

We process this data on the basis of Art. 6 (1) lit. b GDPR (contract performance, if you are directly the contractual partner of Komtur Pharmaceuticals) or Art. 6 (1) lit. f GDPR (legitimate interest, which is to process the orders and inquiries of the company for which you work in a targeted and efficient manner).

Furthermore Art. 6 (1) c GDPR in conjunction with. §4a (1) AM-HandelsV (suppliers) and §6 (1) AM-HandelsV (customers), as well as the EU-GDP guidelines chapter 5.2 (qualification of suppliers) and chapter 5.3 (qualification of customers).

Within the scope of the business relationship, further data is naturally processed that can usually be assigned to one or more identifiable person(s). This is usually communication data, order data, appointments and log data.

Disclosure of your data:

Your data will be forwarded within the Komtur Group to the departments that require it for the respective task processing (contract and data management, order processing, project management, logistics, accounting, quality assurance, procurement).

In order to be able to deliver your ordered products, it is necessary that we pass on address and contact data to shipping service providers, freight carriers and, if necessary, to customs authorities.

In addition, it may be necessary for contract performance purposes that we pass on your data to manufacturers or distributors. If your consent is required for this, we will obtain it separately in advance.

External contractors and service providers (order processors): To perform our tasks and fulfill our contracts, we sometimes use external contractors and service providers. These may include, for example, document shredders and IT service providers.

For the processing of payments and for the fulfillment of our tax obligations, your data required for this purpose will be passed on to the respective credit institutions, tax advisors and the tax office,

Data transfer to third countries:

Data is only transferred to third countries (countries outside the EU and the European Economic Area EEA) if this is necessary for the respective task fulfillment. This is done only in compliance with the data protection requirements prescribed for this purpose.

Storage period:

Your data will be stored by us for the duration of our business relationship.

Financial accounting data is stored for at least 10 years in accordance with the requirements of the German Fiscal Code (AO). Section 147 (4) AO applies to the start of the period.

Your rights:

If you, as a data subject, leave the company with which Komtur Pharmaceuticals has a business relationship, you are welcome to inform us of this. We will then block your contact data for future use.

In addition, the rights mentioned under point 1 of this data protection information apply.

4. If you are applying for a job at Komtur Pharmaceuticals

We offer you the opportunity to apply to us (e.g. by e-mail, by post or via online application form). In the following, we inform you about the scope, purpose and use of your personal data collected as part of the application process. We assure you that the collection, processing and use of your data will be carried out in accordance with applicable data protection law and all other statutory provisions and that your data will be treated in strict confidence.

Scope and purpose of data collection

If you send us an application, we will process your associated personal data (e.g. contact and communication data, application documents, notes taken during interviews, etc.) insofar as this is necessary to decide on the establishment of an employment relationship. The legal basis for this is Article 6 (1) lit. b GDPR (general contract initiation) and - if you have given your consent - Article 6 (1) lit. a GDPR. The consent can be revoked at any time. Your personal data will only be passed on within our company to persons who are involved in processing your application.

If the application is successful, the data submitted by you will be stored in our data processing systems on the basis of Art. 6 (1) lit. b GDPR for the purpose of implementing the employment relationship.

Data retention period

If we are unable to make you a job offer, if you reject a job offer, or if you withdraw your application, we reserve the right to retain the data you have provided on the basis of our legitimate interests (Art. 6 (1) lit. f GDPR) for up to 6 months from the end of the application process (rejection or withdrawal of the application). Subsequently, the data will be deleted and the physical application documents destroyed. This storage serves in particular as evidence in the event of a legal dispute. If it is apparent that the data will be required after the 6-month period has expired (e.g. due to an impending or pending legal dispute), the data will not be deleted until the purpose for continued storage no longer applies.

A longer storage can also take place if you have given a corresponding consent (Art. 6 (1) lit. a GDPR) or if legal storage obligations oppose the deletion.

Inclusion in the applicant pool

If we do not make you a job offer, it may be possible to include you in our applicant pool. In the event of inclusion, all documents and details from the application will be transferred to the applicant pool in order to contact you in the event of suitable vacancies.

Inclusion in the applicant pool takes place exclusively on the basis of your express consent (Art. 6 (1) lit. a GDPR). The provision of consent is voluntary and is not related to the current application process. You can revoke your consent at any time. In this case, the data will be irrevocably deleted from the applicant pool, unless there are legal reasons for retention.

The data from the applicant pool will be irrevocably deleted no later than two years after consent has been given.

5. Use of our online portal KOMfinder

As a special service, we offer our customers a portal for checking the availability of medicines (https://komfinder.com/).

You must register on this website in order to use the site's functions. We use the data entered for this purpose (title, first name, last name, company-e-mail-address) only for the purpose of using the respective offer or service for which you have registered. The mandatory information requested during registration must be provided in full. Otherwise, we will reject the registration.

For important changes, for example in the scope of the offer or in the case of technically necessary changes, we use the e-mail address provided during registration to inform you in this way.

The processing of the data entered during registration is based on your consent (Art. 6 (1) lit. a GDPR). You can revoke your consent at any time. For this purpose, an informal communication by e-mail to us is sufficient. The legality of the data processing already carried out remains unaffected by the revocation.

The data collected during registration will be stored by us as long as you are registered on our website and will then be deleted. Legal retention periods remain unaffected.

Hosting

KOMfinder is hosted on a Komtur-owned server in a German data centre.

Server log files

This server automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:

• Browser type and version
• Operating system used
• Referrer URL
• Host name of the accessing computer
• Time of the server request
• IP address

This data is not merged with other data sources.

The collection of this data is based on Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website - for this purpose, the server log files must be collected.

6. Changes to this privacy information

We will revise this data protection notice in the event of changes to this website or other occasions that make this necessary. You will always find the current version on this website.

As of: 03.2023