Privacy Notice for Websites and Marketing activities

Hormosan Pharma GmbH (hereinafter "Hormosan") is pleased that you are visiting our website. Data protection and data security are very important to us. Therefore, we would like to inform you about the personal data we collect during your visit to our website and about the intended purposes.

As changes to the law or changes to our corporate processes may require an adaptation of this privacy statement, we ask you to read this privacy notice regularly. The privacy notice can be accessed any time under “Privacy Notice”, saved and printed out.

§ 1 Data Controller and Scope

Under the EU General Data Protection Regulation (hereinafter: GDPR) and under the UK General Data Protection Legislation (UK-GDPR), the body that determines how and why your personal data is processed is defined as the “controller”. The controller of your personal data is:

Hormosan Pharma GmbH
Hanauer Landstrasse 139 - 143
60314 Frankfurt am Main
Germany
Tel.: +49 (0) 69 - 478730
E-Mail: info@hormosan.de
Website: www.hormosan.de

This privacy notice applies to the online presence of Hormosan, which is available at www.hormosan.com and the various subdomains (hereinafter referred to as "our website").

§ 2 Data Protection Officer

The (external) Data Protection Officer of Hormosan can be contacted at:

Bird & Bird DPO Services SRL
Avenue Louise 235 b 1
1050 Brussels, Belgium
Email: dpo@lupin.com

§ 3 Principles of Processing Personal Data

Personal data are all information relating to an identified or identifiable natural person. This includes information such as your name, age, address, telephone number, date of birth, e-mail address, IP address or user behavior. Information that cannot be linked to you (or only with disproportionate effort), e.g. because it has been anonymized, is not personal data. The processing of personal data (e.g. the collection, retrieval, use, storage or transmission) requires a legal basis: either your consent, a legitimate interest, or the necessity to perform a legal obligation.

Processed personal data will be deleted as soon as the purpose of the processing has been fulfilled and no legally prescribed retention obligations are to be observed.

Hormosan will comply with data protection law. This means that the personal information we hold about you must be:
a) Used lawfully, fairly and in a transparent way;
b) Collected only for valid purposes that we have explained to you clearly and not used in any way that is incompatible with these purposes;
c) Relevant to the purposes we have told you about and limited to those purposes only;
d) Accurate and kept up to date;
e) Kept only for such time as is necessary for the purposes we have told you about; and
f) Kept securely.

In case we process your personal data for the provision of certain offers, please find below information about the specific processes, the scope and purpose of data processing, the legal basis for processing and the respective storage period.

§ 4 Data Processing

1. Website
a) Scope and Purpose of the Processing

When you access and use our website, we only collect the personal data that your browser automatically transmits to our server. This information is temporarily stored in a so-called log file.

The following personal data is recorded to the extent necessary for the provision of a functional website and our contents and services:

  • IP address of the requesting computer
  • Date and time of access
  • Name and URL of the retrieved file
  • The website from which access is made (referrer URL)
  • The used browser and, if applicable, the operating system of your computer as well as the name of your access provider

b) Legal Basis
Art. 6 para. 1 lit. f GDPR serves as the legal basis for the data processing. The processing of the mentioned data is necessary for the provision of our services and thus serves the protection of a legitimate interest of our company.

c) Data Deletion and Storage Time
The data subject’s personal data are deleted or blocked as soon as the purpose of the storage is fulfilled. The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection for the user. Further storage may take place in individual cases if this is required by law.

2. Registration / Customer Account
a) Scope and Purpose of the Processing
You have the possibility to register on our website for ordering service materials by entering your personal data. Access takes place via a DocCheck password (see below for further details). Your registration is required to complete your order for the following reasons:


We process the following personal data for the registration/customer account setup:

  • Name
  • E-mail address
  • Address
  • IP Address

b) Legal Basis
Your personal data is processed in accordance with Art. 6 (1) lit. b GDPR for the fulfilment of your order for specialist information between you and Hormosan.

c) Storage Time
As soon as the processed data are no longer necessary for the execution of the order, they will be deleted. It may be necessary to store your personal data in order to comply with contractual or legal obligations even after the contract has been fulfilled. Further storage may be necessary in individual cases if this is required by law.

d) Cancellation
You have the possibility to cancel the registration and to change your personal data any time.

However, if the processed data are necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, premature deletion of the data is only possible insofar as this does not conflict with contractual or statutory obligations.


3. Contact form / Medical Hotline / Customer Service

a) Scope and Purpose of Processing

You have the opportunity to contact our medical hotline (service@hormosan.de) or our customer service (customerservice@hormosan.de) using a form provided on our website. In the course of sending your inquiry via the contact form, reference is made to this data protection declaration in order to obtain your consent. If you use the contact form, the following personal data will be processed:

  • E-mail address
  • Information about your (medical) inquiry and, if applicable, your health data

The purpose of entering your e-mail address is to assign your request and to be able to reply to you. When using the contact form, your personal data will not be forwarded to third parties.

b) Legal Basis
The data processing described above for the purpose of establishing contact is carried out voluntarily in accordance with Art. 6 para. 1 lit. a GDPR on the declaration of consent submitted by you as below:

Declaration of consent
By entering my data and clicking the "send" button I declare my consent to the use of my e-mail address for answering my contact request.
I can withdraw my consent to the processing of personal data collected during the registration process at any time.

c) Storage Time
As soon as the request you have made has been dealt with and the relevant facts have been finally clarified, your personal data processed by the contact form will be deleted. Further storage may take place in individual cases if this is required by law.


4. Ordering service materials for patients

a) Scope and Purpose of the Processing
We offer patients the opportunity to order Information Brochures/Service Articles by entering their personal data. The following data are collected as part of the ordering process:

  • Name
  • Address
  • E-mail Address
  • IP Address

Furthermore, you can provide us with further data on a voluntary basis. However, this is marked accordingly.

b) Legal Basis
Art. 6 para. 1 lit. b GDPR serves as the legal basis, as the processing of your personal data is required in order to fulfil your order of Information Brochures/Service Articles.

c) Storage Time
As soon as the processed data are no longer necessary for the execution of the order, they will be deleted. It may be necessary to store your personal data in order to comply with contractual or legal obligations even after the contract has been fulfilled. Further storage may be necessary in individual cases if this is required by law.

5. Healthcare Professional (“HCP”) Data Base
a) Scope and Purpose of the Processing
We collect and process publicly available information in connection with your professional activities in order to contact you personally, for example through visits or by mail, and to inform you about our products.
For this purpose, the following categories of personal data are processed by us:

  • Name,
  • Specialty,
  • Institution,
  • Address,
  • Phone,
  • Fax,
  • Website address,
  • Email address,
  • Interests if made available

How do we collect your personal data?

We obtain this data from third parties who compile the data for the purpose of providing a database of healthcare professionals or collect the data ourselves from the following publicly available sources: government and public records, institutional websites (hospitals, universities, medical facilities), medical databases and registries, and other online professional profiles and web sources related to your professional activity.

b) Legal Basis
The legal basis for processing this personal data is our legitimate interest in offering our goods or services to healthcare professionals, healthcare providers or other experts who directly or indirectly offer services related to our products and to provide information about our products and services, and as required by law (Art. 6 para. 1 lit. f GDPR).

c) How long do we keep your personal data?
The data subject's personal data are deleted or blocked as soon as the purpose of the storage is fulfilled. We will review the data regularly at least on an annual basis and delete or anonymize the data after this period, unless there is a conflicting interest on our part (such as your request to stop contacting us).

§ 5 Recipient of personal data and Third Party Transfers

We only share your personal information with third parties if:

  • you have given your express consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR,
  • it is legally permissible and necessary for the fulfilment of a contractual relationship with you pursuant to Art. 6 (1) sentence 1 lit. b GDPR,
  • there is a legal obligation to pass on the data in accordance with Art. 6 (1) sentence 1 lit. c GDPR,
  • the disclosure pursuant to Art. 6 (1) sentence 1 lit. f GDPR is necessary to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data.

With whom do we share your personal data?

  • We may share your personal data with our contracted service providers who provide services such as IT, system administration and hosting. For the HCP Data Base, we store your personal data within the CRM tool provided by Veeva Systems Inc., 4280 Hacienda Drive Pleasanton, CA 94588 United States, which involves the storage, processing and transfer of your personal data within and outside the European Economic Area (EEA).
  • In cases where we transfer your personal data outside the EEA, we will ensure that an adequate level of data protection is provided in accordance with this Privacy Notice and applicable data protection laws. This includes transfers of your personal data to countries whose level of data protection has been determined to be adequate by the European Commission. (For more information, please visit https://ec.europa.eu/info/law/law-topic/data-protection_de).
  • If we transfer your data to service providers in the US or other countries where the level of data protection has not been deemed adequate by the European Commission or where there are no agreements in place to ensure an adequate level of data protection, we will include appropriate safeguards (e.g. standard contractual clauses approved by the European Union https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en) in our agreements with them and/or verify that they have appropriate controls in place to ensure an adequate level of data protection for Europe.

§ 6 Cookies

a) Scope and Purpose of Processing
We use cookies on our website. Cookies are small files which are sent by us to the browser of your terminal device and stored there as part of your visit to our internet pages. Some functions of our website cannot be offered without the use of technically necessary cookies. Other cookies allow us to perform various analyses. Cookies are, for example, able to recognize the browser you are using when you visit our website again and to transmit various information to us. We can use cookies to make our internet offer more user-friendly and effective, for example, by tracking your use of our website and by determining your preferred settings (e.g. country and language settings). In case third parties use cookies to process information, they will collect the information directly from your browser. Cookies do not cause any damage to your device. They cannot run programs or contain viruses.
Our website uses transient cookies, which are automatically deleted when you close your browser. This type of cookie allows us to record your session ID, which allows us to assign different browser requests to a common session and enables us to recognize your end device during visits to websites in one session.

b) Legal Basis
Due to the described purposes of use the legal basis for the processing of personal data using cookies lies in Art. 6 para. 1 lit. f GDPR.

c) Storage Time
As soon as the data transmitted by the cookies is no longer necessary for the purposes described above, this information will be deleted. Further storage may take place in individual cases if this is required by law.

d) Browser Settings
Most browsers are already set to accept cookies by default. However, you can change your browser settings so that it only accepts certain cookies or no cookies at all. However, we would like to point out that you may no longer be able to use all the functions of our website if cookies are disabled by your browser settings on our website.

You can also use your browser settings to delete cookies already stored in your browser. Furthermore, it is possible to set your browser so that it informs you before cookies are stored. Since the different browsers may differ in their respective functions, we ask you to use the respective help menu of your browser for the setting options.

If you would like a comprehensive overview of all third-party access to your Internet browser, we recommend that you install specially developed plug-ins.

e) Login for closed user groups (DocCheck®)
This website uses the login service of DocCheck Medical Services GmbH ("DocCheck"). DocCheck uses so-called "cookies" - text files that are stored in the user's browser - to facilitate the use of the services. The information generated by these cookies is only transmitted to DocCheck servers and is not shared with the website operator or any other third party. There is no data transfer to countries outside the EU.

Cookie 1
Doccheck_user_id
Allows a single sign-on for all DocCheck logins.
Lifetime = 1 session

Cookie 2
Doccheck_scu_data
Serves to provide suitable content on the basis of pseudonymised identification data (e.g. occupation, country, language).
Lifetime = 1 year

The techniques used and their purpose including the underlying data processing processes can be found in the DocCheck® cookie notices.

Log data
As part of the use of DocCheck password protection, DocCheck collects the so-called log data (IP address, access date, access time, referrer URL, information on hardware and software used such as browser features, device information such as resolution) of the user, starting from the website of the information provider which integrates the login into the website via "embed" or iFrame.

These data are not used to draw conclusions about the person, but serve to ensure the correct display of the page or iFrame contents and/or the security of the DocCheck services.

When using DocCheck, the agreements between you and DocCheck apply, and with regard to data protection, the DocCheck Privacy Notice: www.doccheck.com/de/privacy/

§ 7 Tools for Tracking and Analysis

We use tracking and analysis tools to ensure continuous optimization and user-oriented design of our website. With the help of tracking measures it is also possible for us to statistically record the use of our website by visitors and to further develop our online offer for you with the help of the knowledge gained.

On the basis of these interests, the use of the tracking and analysis tools described below is justified in accordance with Art. 6 para. 1 s. 1 lit. f GDPR. The following description of the tracking and analysis tools also shows the respective processing purposes and the processed data.

1. IONOS Webanalytics
Our website uses IONOS Webanalytics, a web analysis service of 1&1 IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany ("Ionos"). Ionos uses server log data to help the website analyse how users use the site.

The information from the server logs, for example about the referrer (previously visited website), requested website or file, browser type and version, operating system used, type of device used, time of access and IP address in anonymised form (only used to determine the location of the access), is only processed by Ionos from servers within the EEA and not transferred to third parties unless this is required by law or if third parties process this data on behalf of Ionos. According to 1&1, the data collection is completely anonymised so that it cannot be traced back to individual persons. Cookies are not stored by 1&1 Web Analytics. Ionos will use the information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activities and to provide the website operator with further services associated with website and internet use.

For more information on data collection and processing by 1&1 Web Analytics, please see the following links:

https://hosting.1und1.de/hilfe/online-marketing/
https://hosting.1und1.de/hilfe/datenschutz/datenverarbeitung-von-webseitenbesuchern-ihres-company-name-produktes/webanalytics/
https://hosting.1und1.de/terms-gtc/terms-privacy/

2. Web Beacons
In connection with cookies, so-called "Internet tags" (also known as web beacons) can be used on our website or by third party advertising partners. Tags can help us measure visitor response and the effectiveness of advertising campaigns.

§ 8 Hyperlinks

Our website contains hyperlinks to websites of other providers. When you activate these hyperlinks, you will be directed directly to the other providers' website. You will recognize this when the URL is changed. Please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.

§ 9 Your Rights as a Data Subject

If your personal data are processed, you are a data subject within the meaning of the General Data Protection Regulation (GDPR) and the following rights apply to you:

  • Pursuant to Art. 15 GDPR you can request information about your personal data processed by us. In particular, you may obtain information about the purposes of processing, the categories of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to correction, deletion, restriction of processing or objection, the right to lodge a complaint with a supervisory authority, the origin of your data, if not collected by us, about transfer to third countries or international organizations, and the existence of automated decision-making, including profiling and, where applicable, meaningful information about the logic involved.
  • Pursuant to Art. 16 GDPR you can immediately demand the correction of incorrect data or the completion of your personal data stored with us.
  • Pursuant to Art. 17 GDPR, you may request the deletion of your personal data stored by us, provided that the processing is not necessary to exercise the right to freedom of expression and information, to fulfil a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims.
  • Pursuant to Art. 18 GDPR, you can request the restriction of the processing of your personal data if you contest the accuracy of the data, if the processing is unlawful, if we no longer need the data and if you refuse their deletion because you need to establish, exercise or defend legal claims. You are also entitled to the right under Art. 18 GDPR if you have objected to the processing in accordance with Art. 21 GDPR.
  • Pursuant to Art. 20 GDPR, you may request to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, or you may request that it be transmitted to another controller.
  • Pursuant to Art. 7 para. 3 GDPR you can withdraw your consent at any time. As a consequence, we are no longer allowed to continue the data processing based on this consent for the future.
  • Pursuant to Art. 77 GDPR, you have the right to complain to a supervisory authority. You can contact the supervisory authority of your habitual residence, place of work or our company headquarters.

§ 10 Right to Object

If the processing of your personal data is based on legitimate interest in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR insofar as there are reasons which arise from your particular situation or if the objection refers to direct marketing. In the case of direct marketing, you have a general right to object, which will be considered without mentioning any particular situation.

If you no longer wish us to use your personal data, you can of course revoke your consent at any time with effect for the future at the following address:

Hormosan Pharma GmbH
Hanauer Landstrasse 139 - 143
60314 Frankfurt am Main
Germany
Fax: 069/ 47 87 30
e-Mail: datenschutz@hormosan.de

Requests for the deletion of your personal data will be carried out in compliance with all applicable legal regulations.

§ 11 Data Security and Security Measures

We are committed to protecting your privacy and treating your personal information confidentially. In order to avoid any manipulation, loss or misuse of your data stored by us, we take extensive technical and organizational security measures that are regularly reviewed and adapted to technological progress. This includes, among other things, the use of recognized encryption methods (SSL or TLS).

However, we would like to point out that due to the structure of the internet, it is possible that the rules of data protection and the above-mentioned security measures may not be observed by other persons or institutions for which we are not responsible.

In particular, unencrypted data, e.g. data sent by e-mail, can be read by third parties. We have no technical influence on this. It is the responsibility of the user to protect the data provided by him against misuse by encryption or in any other way.

§ 12 Minors

This website, and the information provided on this website, are not designed or intended for use by children 18 years and younger. Lupin also does not knowingly collect, process or store any Personal Data from any users under the age of 18 without the verifiable consent of a parent or guardian prior to collecting, processing or storing information collected either directly or indirectly through the use of this website. Parents or guardians of minors may have the right to request to view or delete Personal Data provided by the child either directly or indirectly through the use of this website.

Privacy Notice for applicants

Data controller:
The following companies operating as part of Lupin Europe are deemed to be data controllers:

Hormosan Pharma GmbH, Hanauer Landstraße 139-143, 60314 Frankfurt am Main, Germany

Lupin Europe GmbH, Hanauer Landstraße 139-143, 60314 Frankfurt am Main, Germany

1. Introduction

The Company is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you.

During the recruitment process, the Company collects and processes personal data relating to job applicants.

The Company is committed to being clear and transparent about how it collects and uses that data and to meeting its data protection obligations.

2. Data Protection requirements

The Company will comply with data protection law. This means that the personal information we hold about you must be:

  1. Used lawfully, fairly and in a transparent way;
  2. Collected only for valid purposes that we have explained to you clearly and not used in any way that is incompatible with these purposes;
  3. Relevant to the purposes we have told you about and limited to those purposes only;
  4. Accurate and kept up to date;
  5. Kept only for such time as is necessary for the purposes we have told you about; and
  6. Kept securely.

3. What personal information does the Company collect and process?

The Company collects and processes a range of personal information (personal data) about you. Personal data means any information about an individual from which the person can be identified. This may include:

  1. Personal contact details, such as your name, title, address and contact details, including email address and telephone number;
  2. application documents such as CV, references, certificates;
  3. details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers;
  4. lawful selection testing data where requested, the results of which shall only be interpreted by those qualified to do so;
  5. information about your remuneration, including entitlement to benefits such as pensions;
  6. information about your nationality and entitlement to work in the country;
  7. Data that is collected when using our online application portal (date and time of access, browser type and version, operating system used, URL of the previously visited website, amount of data sent, IP address of access). This data is stored exclusively for technical reasons and is never assigned to a specific person.
  8. Finally, cookies are used in the context of the use of the online application portal. Cookies are small files that are sent by us to the browser of your terminal device and stored there during your visit to our Internet pages. Some functions of our website cannot be offered without the use of technically necessary cookies. Transient cookies are used on our website, which are automatically deleted when you close your browser. This type of cookie enables us to record your session ID. This enables us to assign various requests from your browser to a common session and enables us to recognize your terminal device during subsequent visits to the website.

We may also collect the following special categories of more sensitive personal information:

  1. information about medical or health conditions, including whether or not you have a disability for which the Company needs to make reasonable adjustments, in accordance with local labour law;
  2. information about your criminal record; and
  3. equal opportunities monitoring information, including information about your health and religion or belief.

The Company collects this information in a variety of ways during the application and recruitment process.

In some cases, the Company collects personal data about you from third parties in accordance with local labour law, with your consent or if the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party such as references supplied by former employers, information from employment background check providers and information from criminal records checks permitted by law.

Data is stored in a range of different places, including on your application record, in the Company's HR systems and in other IT systems (including the Company's email system).

4. Why does the Company process personal data and under what situations?

The Company needs to process data prior to entering into a contract with you. We also need to process data to enter into an employment contract with you and to meet our obligations under that employment contract.

In addition, the Company needs to process data to ensure that we are complying with our legal obligations. For example, we are required to check an employee's entitlement to work in the country. For certain positions, it is necessary to carry out criminal records checks to ensure that individuals are permitted to undertake a particular role. The Company processes health information if we need to make reasonable adjustments to the recruitment process for candidates with a disability.

The Company has a legitimate interest in processing personal data during the recruitment process and in keeping records of that process. Processing such data from job applicants enables the Company to manage the recruitment process, assess the suitability of candidates and make informed decisions as to whom we wish to recruit. The Company may also have to process data from job applicants in order to defend legal claims.

In cases where the processing of your personal data goes beyond the purpose of the recruitment process, it shall be legitimised by individual consent.

If you have granted us your consent for the processing of your personal data, this consent will provide the legal basis for the processing specified therein.

With regard to the use of cookies in the context of the online application portal, the legal basis for the processing of personal data lies in Art. 6 para. 1 lit. f GDPR. Further information on the use of cookies can be found here: https://go.softgarden.de/datenschutz_softgarden and here: https://www.hormosan.com/datenschutz.html#datenschutz

5. If you fail to provide personal information

You are under no obligation to provide the Company with personal data during the recruitment process. However, if you do not provide certain personal information when requested, the Company may not be able to process your application for employment properly or at all.

You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for you if this information is not provided.

6. Automated decision-making

Our employment decisions are not based on automated decision-making.

7. For how long do we keep personal data?

The Company will only hold your personal data for as long as is necessary to fulfil the purposes we collected it for, including any legal, accounting or reporting requirements. If your application for employment is unsuccessful, the company will destroy your data unless you specifically consent for your data to be kept for a longer specified period in order to be considered for any other suitable position within a twelve (12) month period.

If your application for employment is successful, personal data gathered during the new recruitment process will be transferred to your personnel file and we shall inform you through a new privacy notice which sets down the details of how we process your data in an employment relationship including the periods for which your data shall be held.

8. Who has access to personal data?

Your information will be shared internally for the purposes of the recruitment process, including with members of the HR team and interviewers.

The controller carries out the application process with the support of the data processor softgarden e-Recruiting GmbH, Tauentzienstr. 14, 10789 Berlin. Further information on data processing as well as on all measures taken for data security can be found here: https://go.softgarden.de/datenschutz_softgarden

Furthermore, the Company will not share your data with third parties unless you accept an offer of employment. In those circumstances, the Company shall share your data with third parties where required by law and where it is necessary in order to administer the employment relationship with you or where we have another legitimate interest in doing so.

Your data may be transferred to countries outside the European Economic Area (EEA) in order to administer employment benefits, effect compensation payments, and make recommendations on compensation and promotions.

Data is transferred outside the EEA on the basis of data processing agreements, EU standard contractual clauses and other safeguards.

9. How does the company protect data?

The Company takes the security of our data seriously. The Company has internal policies and controls in place to prevent your data being lost, accidentally destroyed, misused or disclosed, and to ensure that it is not accessed except by its employees in the performance of their duties. When the Company engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

10. Your rights

As a data subject, you have a number of rights. You can:

  1. access and obtain a copy of your data on request (known as a “data subject access request”);
  2. require the Company to change incorrect or incomplete data;
  3. request erasure of your personal information. This enables you to ask the Company to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
  4. object to the processing of your data where the Company is relying on its legitimate interests as the legal ground for processing;
  5. ask the Company to suspend the processing of your personal data for a period of time if data is inaccurate or there is a dispute about its accuracy or the reason for processing it; and
  6. lodge a complaint with a supervisory authority.

If you would like to exercise any of these rights, or you have any questions about the privacy notice, please contact your HR Manager or the relevant Data Protection Officer.

11. Complaints

If you believe that the Company has not complied with your data protection rights, you have the right to make a complaint to:

The Hessian Data Protection Office
https://datenschutz.hessen.de/
The Hessian Data Protection Officer
PO Box 3163
65021 Wiesbaden
Phone: +49 611 1408 - 144

12. How can you get in contact with the relevant Data Protection Officer?

For Hormosan Pharma GmbH and Lupin Europe GmbH:
Bird & Bird DPO Services SRL
Avenue Louise 235 b 1
1050 Brussels, Belgium
Email: dpo@lupin.com

13. Updating our privacy notice

Constant technological development makes it necessary to adapt our privacy notice from time to time. We reserve the right to change this privacy notice at any time with effect for the future. If we change our privacy notice, we will inform you of this by appropriate means.

Privacy Notice for customers

§ 1 Data Controller

The following companies operating as part of Lupin Europe are deemed to be data controllers (hereinafter termed: the Company) according to the EU General Data Protection Regulation (hereinafter: GDPR) and other national data protection acts of the Member States, as well as other data protection regulations:

Hormosan Pharma GmbH
Hanauer Landstraße 139-141
60314 Frankfurt
Germany
+49 (0) 69 - 47 87 30
info@hormosan.de

Lupin Europe GmbH
Hanauer Landstraße 139-141
60314 Frankfurt
Germany
+49 (0) 69 - 47 87 30
info@hormosan.de

§ 2 Introduction

As you are a representative of one of our customers, we will process your personal data as described in this Privacy Notice. We respect you and are committed to honoring and protecting your privacy. This Privacy Notice describes our privacy practices regarding collection and use of your personal data when we process it in the context of providing services to our customer whom you represent and sets out your privacy rights in relation to it.

§ 3 Data Protection requirements

The Company will comply with data protection law. This means that the personal information we process about you must be:

  1. Used lawfully, fairly and in a transparent way;
  2. Collected only for valid purposes that we have explained to you clearly and not used in any way that is incompatible with these purposes;
  3. Relevant to the purposes we have told you about and limited to those purposes only;
  4. Accurate and kept up to date;
  5. Kept only for such time as is necessary for the purposes we have told you about; and
  6. Kept securely.

§ 4 What information does the Company collect?

The Company collects and processes a range of personal information (personal data) about you. Personal data means any information about an individual from which the person can be identified. The categories of personal data that could be processed are:

  1. personal identification and contact details
    e.g., first and last name, address, e-mail address, telephone number
  2. Information about your job and your qualifications
    e.g., name, title, company you represent, designation/job role, industry
  3. Information about your interests that you share with us
    e.g., using our Subscription Center or within the scope of discussions
  4. Activity data
    e.g., tracking data from e-mails (time of dispatch, read receipt, user behavior)
  5. Metadata
    e.g., user IP addresses, device/hardware information through your browser, URL data

§ 5 For which purposes we process your personal data and on what legal basis

We, at Lupin, use your personal data in order to establish a connection with our customer (whom you work for or represent), provide you and the customer whom you represent with a better customer experience and ensure that the marketing material we send to you reflects your personal preferences.

In the following, we will inform you about the legal basis and the purpose for which we process your data:

1. Based on your consent (Art. 6 sec. 1 lit. a GDPR)
If you have given us your consent to process your data, the respective consent shall be the legal basis for the mentioned processes. For example, we do this so that we can communicate with you for the following purposes:

  • To inform you of new products, services or promotions we may offer, including opportunities to inform you of our thought leadership and marketing materials and to better support your needs, in pursuit of our legitimate business interests and with your consent when necessary.
  • To invite you to Lupin hosted or sponsored events in your region that may be of interest to you based on your role within the company and/or industry in pursuit of our legitimate business interests.
  • To conduct market research and marketing campaigns.
  • To carry out selected analysis of email activity.
  • To contact you for client-related purposes, including regular communication about project status, notification of issues/concerns, sharing of project results and carrying out day-to-day project activities to meet our contractual obligations to the client you represent.
  • We may also use your personal data to communicate with you about our product and service offerings, for example, to notify you that our products/services have changed or to send you critical alerts and other communications about our products and/or services as part of our legitimate business interests.
  • We engage carefully selected third party vendors to conduct surveys to obtain feedback from you about the services currently provided by Lupin to the company you represent. This helps us to help the company you represent improve our overall service offering and business strategies in line with our legitimate business interests.
  • To develop new and improved products and services that help us better serve the company you represent and to improve our overall service offering in line with our legitimate business interests.

2. Legitimate interests (Art. 6 sec. 1 lit. f GDPR)
We may also use your data for the purposes of legitimate interests. For example, we do this so that we can communicate with you for the following purposes:

  • To inform you of new products, services or promotions we may offer, including opportunities to inform you of our thought leadership and marketing materials and to better support your needs, in pursuit of our legitimate business interests.
  • To invite you to Lupin hosted or sponsored events in your region that may be of interest to you based on your role within the company and/or industry in pursuit of our legitimate business interests.
  • To conduct market research and marketing campaigns.
  • To develop new and improved products and services that help us better serve the company you represent and to improve our overall service offering in line with our legitimate business interests.

§ 6 Change of purpose

The Company will only use your personal information for the purpose for which it was collected unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will advise you of this and explain the legal basis which allows us to do so.

You should be aware that we may process your personal information without your knowledge or consent where this is required or permitted by law.

§ 7 Automated decision-making

An automated decision-making process does not take place.

§ 8 For how long do we keep your personal data?

We will only keep your personal data for as long as is reasonably necessary taking into consideration our need to answer queries or resolve problems, any other purpose outlined above or to comply with legal requirements under applicable law(s). Your data will be completely deleted as soon as the processing purpose for its storage ceases to apply.

§ 9 Who has access to data?

Your data is only disclosed if disclosure is permitted by a legal basis and only with due regard for the duty of confidentiality.

We may use carefully selected third parties, also outside of the EU, to carry out certain activities to help us to run our business (such as cloud service providers, IT support vendors, information security support vendors, third party auditors, etc.), as well as actual or prospective purchasers. Any such third parties would be required to contractually agree to comply with applicable laws and regulations and treat your personal data in accordance with this Privacy Notice.

We have offices and operations in a number of international locations, and we share information between our group companies for marketing and administrative purposes. Your information may be shared with our internal staff for marketing and administrative purposes, located in India, as outlined above. Please visit https://www.lupin.com/contact-us/global-offices/ to see a list of the locations within our corporate group.

§ 10 Am I obliged to provide my personal data?

Within the scope of the mentioned processing activities, you are not obliged to provide your personal data.

If you do not provide the relevant information, we may not be able to answer your inquiries or provide product information.

§ 11 How does the Company protect personal data?

The Company takes the security of our data seriously. The Company has internal policies and controls in place to prevent your data being lost, accidentally destroyed, misused or disclosed, and to ensure that it is not accessed except by its employees in the performance of their duties. When the Company engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organizational measures to ensure the security of data.

§ 12 Your choices and rights

As a data subject, you have a number of rights. You can:

  1. access and obtain a copy of your data on request (known as a “data subject access request”);
  2. require the Company to change incorrect or incomplete data (known as “right of rectification”);
  3. request erasure of your personal information. This enables you to ask the Company to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing (known as “right of erasure”);
  4. object to the processing of your data where the Company is relying on its legitimate interests as the legal ground for processing (known as “right of objection”);
  5. ask the Company to suspend the processing of your personal data for a period of time if data is inaccurate or there is a dispute about its accuracy or the reason for processing it (known as “right to restriction of processing”);
  6. obtain your personal data in a structured, machine-readable format (known as “right to data portability”);
  7. restrict the processing of your personal data.

If you believe the processing of your personal data infringes data protection law, you have the right to lodge a complaint before a data protection supervisory authority.

If you would like to exercise any of these rights, or you have any questions about the privacy notice, please contact the relevant Data Protection Officer.

§ 13 Contact

If you believe that the Company has not complied with your data protection rights, you have the right to make a complaint to:

The external Data Protection Officer
Bird & Bird DPO Services SRL
Avenue Louise 235 b 1
1050 Brussels, Belgium
Email: dpo@lupin.com

Privacy Notice Pharmacovigilance

Last updated: February 2024

1. What does this notice cover?

This notice describes how the European affiliates of Lupin Limited/India which act as Marketing Authorization Holders and/or Distributors for medical products ("Lupin", "we", "us" or "our") use and disclose your personal data as Controller for activities that are related to pharmacovigilance.

It also describes your data protection rights, including a right to object to some of the processing which Lupin carries out. More information about your rights, and how to exercise them, is set out in the "Your choices and rights" section.

This notice applies to data received by Lupin employees and by contractors who provide services to Lupin on its behalf. The data processing described in this notice may be limited as required by applicable law.

We also may provide you with additional information when we collect personal data, where we feel it would be helpful to provide relevant and timely information.

Lupin Limited has designated Hormosan Pharma GmbH and Lupin Europe GmbH, Hanauer Landstraße 139-141, 60314 Frankfurt, Germany, as its representative for Pharmacovigilance in the European Union.

2. What personal data we collect from you

For the provision of the services and our pharmacovigilance obligations Lupin may process the following categories of data about you where permissible:

  • Contact information, such as your name, phone number, email address and home address
  • ID and other personal details, such as your date of birth, age, gender, weight, height, citizenship, nationality, marital status or relationship to a person and picture
  • Records of communications, where permissible
  • Other legal information, like job title, professional qualifications
  • Health information (physical or mental), such as medical history including medical diagnostic results and medication received, accident and injury reports, disability status or health risk factors
  • Racial or ethnic origin
  • Biometric and/or genetic information

We collect this information from you directly when you contact us via letter, fax, telephone, email and in person or from a third person in relation to your care.

For example, data is collected through forms that you expressly fill in; from correspondence with you; or through meetings, calls or other communications that may take place.

3. Why we collect, use and store this personal data

We collect, use and store your personal data for the reasons set out below:

Where necessary for Lupin's legitimate interests, as listed below, and where our interests are not overridden by your data protection rights:

  • Respond to enquiries for information, products or services
  • Reporting, assessing and processing of adverse events, product quality complaints and management of complaints
  • For the elaboration of studies, market research on our products and product developments, in which case the data will be duly aggregated to prevent your identification
  • Determination of suitability for certain products, services, or programs

Where we process personal data on this basis, then – as required by data protection law – we have carried out a balancing test to document our interests, to consider what the impact of the processing will be on individuals and to determine whether individuals’ interests outweigh our interests in the processing taking place. You can obtain more information about this balancing test by using the contact details at the end of the notice.

Where necessary to comply with a legal obligation such as:

  • Monitor and guarantee product safety and quality, including response to product quality complaints raised by you regarding Lupin products
  • Administration and legal maintenance of product registries (where required under applicable laws)
  • Management of adverse events, including investigating the adverse event and contacting you for further information on the adverse event that you have suffered
  • Provision of reports to authorities with respect to the safety of a Lupin product, in accordance with the applicable laws
  • Responding to court orders, subpoenas or other legal processes with which Lupin is required to comply;
  • Complying with legal, regulatory and other requirements under EU or Member State laws.

With your consent:

  • Where you have provided us with your express consent to process your data for a particular purpose.

We may provide you with more specific notices for some of the processing described above and, if we require your consent, will ask for this at the time we collect your personal data.

In addition, where the abovementioned purposes imply Lupin processing your health data, and/or other special categories of personal data, Lupin hereby declares and guarantees that the processing purpose additionally relies on a valid condition for the processing of special categories of data.

Where we collect personal data to administer our contract with you or to comply with our legal obligations, this is mandatory and we will not be able to comply with our purposes without this information.

4. How we share your personal data

Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above and if required for the protection of our legitimate interests.

We have offices and operations in a number of international locations, and we share information between our group companies for business and administrative purposes. Your information may be shared with our internal staff for pharmacovigilance and administrative purposes, located in India, as outlined above. Please visit https://www.lupin.com/contact-us/global-offices/ to see a list of the locations within our corporate group. For this purpose, your personal data will be pseudonymized.

In addition, Lupin may also share your personal data with the following third-party recipients:

| Recipient | Purpose |
|---|---|
| National and/or international regulatory, enforcements, public body or courts where we are required to do so by applicable law or regulation or at their request. | To comply with the applicable laws or regulation and react at their request. |
| Co-marketing and distribution partners (Marketing Authorization Holder of the product or connected Marketing Authorization Holder) including third party auditors | To allow them to comply with the applicable laws or regulation and react at their request. |
| Competent health authorities | To comply with the applicable pharmacovigilance laws. |
| Third-party buyers or assignees | To facilitate the sale and assignment of Lupin, where applicable. |

Personal data may also be shared with third party service providers, who will process it on our behalf and in accordance with our instructions. These third parties may include medical service information providers and IT service providers, such as hosting and/or cloud providers. Third parties that process personal data on our behalf are deemed Data Processors under the applicable data protection regulations. Lupin is expressly obliged under the applicable data protection law to enter into a contract or Data Processing Agreement (“DPA”) with its Data Processors. This DPA ensures access by Data Processors to Lupin data remains compliant with the applicable law. Lupin therefore guarantees to enter into a DPA with any and all Data Processors that exist and that may exist in the future. Data Processors are further prohibited from using the personal data for any purpose other than to perform the services as instructed by Lupin.

5. Location of your personal data

Your personal data may be shared with recipients and Data Processors located in the following countries: EEA, UK, USA, India. In the event that your personal data is transferred outside of the UK or the EEA to a third party that is located in a country which is not subject to an adequacy decision by the EU Commission or considered adequate as determined by applicable data protection laws, we will take steps to ensure your personal information is adequately protected (e.g. by way of EU Commission approved Standard Contractual Clauses, or by relying on alternative data transfer mechanisms as available under applicable data protection laws). A copy of the relevant mechanism that is employed to guarantee the safety of your personal data can be obtained for your review on request by using the contact details below.

6. Your Choices and Rights

You have the right to:

  • Request a copy of your personal data (right of access);
  • Request correction of your personal data (right of rectification);
  • Request deletion of your personal data (right of erasure);
  • Request restriction of the processing of your personal data;
  • Obtain your personal data in a structured, machine-readable format (right to data portability); and
  • Under certain circumstances (e.g., where we don’t have to process the data to meet a contractual or other legal requirement), object to the processing of your personal data (right of objection).

In addition, where we have asked for your consent, you may withdraw consent at any time. If you ask to withdraw your consent to Lupin processing your data, this will not affect any processing which has already taken place at that time.

These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep.

We also inform you that you have the right to lodge a complaint against Lupin before a competent data protection authority.

7. How long we retain your personal data

Lupin will retain and process personal data relating to you in accordance with our customary pharmacovigilance retention periods.

Pharmacovigilance personal data will generally be kept for as long as is reasonably necessary taking into consideration our need to answer queries or resolve problems, any other purpose outlined above or to comply with legal requirements under applicable law(s), in particular by national legislation on medicinal products, e.g. Medical Products Act (AMG).

A copy of the relevant retention periods affecting your personal data can be obtained for your review on request by using the contact details below.

8. Updates to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

9. Contact us

The joint data controllers for your personal data will be: Hormosan Pharma GmbH / Lupin Europe GmbH

If you have questions about this privacy notice or wish to contact us for any reason in relation to our personal data processing, please contact us at:

Hormosan Pharma GmbH / Lupin Europe GmbH
Hanauer Landstraße 139-141
60314 Frankfurt, Germany
Phone: +49 (0) 69 47 87 30
Email: service@hormosan.de

In addition, you may also contact our relevant external Data Protection Officer at:

Bird & Bird DPO Services SRL
Avenue Louise 235 b 1
1050 Brussels, Belgium
Email: dpo@lupin.com