Privacy Policy
Data protection
Merz attaches great importance to the protection of personal data. In the following data protection information, we inform you about who is responsible for the processing of your data (see section A). Further information is provided depending on the particular capacity in which you contact us, for example whether you are a visitor to our website or a customer of our products (see section B). In addition, you will receive general information on the processing of your data by Merz, in particular regarding sharing of your data, the data retention period and your rights in relation to the processing of your data (see sections C. to G.).
Merz processes your data in accordance with the Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”).
A. CONTROLLER FOR THE PROCESSING OF YOUR PERSONAL DATA
Controller for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR is Merz Therapeutics GmbH (“Merz”, “we”, “us”, “our”), a member of the Merz group of companies, given as contact address in the imprint or through direct communication with you.
B. DATA PROCESSING IN DIFFERENT PROCESSING CONSTELLATIONS
I. Visitors to our websites
1. What data is collected and processed when you visit the Merz websites?
When the Merz websites are accessed, the Merz servers automatically store various data about the system accessing the site. This includes the type of browser used, the browser version, the operating system used, the website from which the Merz website is accessed, the subpages of the Merz website accessed, the date and time of access, the Internet protocol address (IP address), the Internet service provider and data that is comparable with this data. Merz uses this data to enable access to the website and to identify and correct any technical problems that may occur. The legal basis for the processing of personal usage data for this purpose is Art. 6 para. 1 sentence 1 lit. (b) GDPR. Merz further uses this data to prevent and, if necessary, tackle misuse of Merz products and services. The legal basis for this processing of personal usage data is Art. 6 para. 1 sentence 1 lit. (f) GDPR. Our legitimate interest is the protection of our websites and systems. In addition, Merz uses this data in anonymized form, i.e. without the capability of identifying the user, for statistical purposes and to improve the websites.
2. What data is processed in areas with restricted access?
Certain areas of the Merz websites are accessible to medical professionals only and require prior registration. As part of the registration process, the user must provide certain information, such as name, postal address (for identification as a healthcare professional), and e-mail address. After a selected Merz employee checked whether you qualify as a medical professional during the initial registration process, your user data will be sent to you. Merz uses this information solely for the purpose of setting up and managing the user account, identifying authorized users and in order to be able to make the desired function available to the user. The legal basis for the processing of the data described above is Art. 6 para. 1 sentence 1 lit. (b) GDPR. As far as the identification as a healthcare professional is concerned, the legal basis for the processing is our legitimate interest in verifying that only authorized persons access our restricted websites (Art. 6 para. 1 sentence 1 lit. (f) GDPR).
3. How are cookies used?
The Merz websites use cookies. Cookies are small text files that are stored on the user’s data carrier and exchange certain settings and data with the Merz system via the browser. A cookie usually contains the name of the domain from which the cookie data was sent, information about the age of the cookie, and an alphanumeric identifier. As far as the cookies are technically necessary to operate our websites and to enable users to use its functions, the legal basis for using such cookies is Art.6 para. 1 sentence 1 lit. (b) GDPR.
In addition, with your consent cookies are used to collect information about how users use Merz websites, how they navigate through the website, and which areas of the website and which products they are interested in (see section b) below). In this way, Merz can improve the websites as well as the users' online experience. The information stored in the cookies is not used to identify the user and is not merged with other personal data stored about the user. The legal basis for the use of such cookies is your consent (Art. 6 para. 1 sentence 1 lit. (a) GDPR).
By changing the settings of the Internet browser, users can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This function can also be automated. If cookies for the Merz websites are deactivated, it may no longer be possible to fully use all functions of the websites.
a) Cookies in password-protected areas of the website
Within the password-protected area of the Merz websites, so-called session cookies are used for the duration of the visit. For reasons of user-friendliness, these enable Merz to use a so-called single sign-on concept for authentication and for controlling access to the various password-protected areas of Merz websites. Users can then move around the entire password-protected area of the website without having to log in again for each area. The legal basis for the processing of the data described above is Art. 6 para. 1 sentence 1 lit. (b) GDPR.
b) etracker
Merz also uses the services of etracker GmbH (“etracker”) from Germany to analyse usage data on its websites. We do not use cookies for web analysis by default. If we use analysis and optimisation cookies, we will obtain your explicit consent separately in advance. If this is the case and you agree, cookies are used to enable a statistical range analysis of this website, a measurement of the success of our online marketing measures and test procedures, e.g. to test and optimise different versions of our online offer or its components. The data that may possibly allow a reference to an individual person, such as the IP address, registration or device IDs, will be anonymised or pseudonymised as soon as possible. The data generated by etracker on behalf of the provider of this website is processed and stored by etracker solely in Germany.
The data processing is based on your consent (Art. 6 para. 1 sentence 1 lit. (a) GDPR). You can withdraw your consent at any time.
Further information on the data processing performed by etracker can be found here.
https://www.etracker.com/en/data-privacy-statement/
4. Watching Vimeo videos
Videos from Vimeo are embedded on our websites. The Vimeo service is operated by Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA (“Vimeo”). When the user visits one of our pages on which a video is embedded via Vimeo, and the user has given us prior consent to the use of marketing cookies, a connection is established to the Vimeo servers. At the same time, the IP address, technical information (e.g. browser type, operating system, information to the end user device and its settings) and other data required for the service, as well as the information that the user has visited a specific page of our website and how he / she has interacted on this site, are transmitted to Vimeo. If the user interacts with the video (e.g. if the user clicks on the play button), this data is also transmitted to Vimeo. If the user has an account with Vimeo and is logged in at the time of his / her visit to our website, Vimeo can match the user’s browsing activity to his / her user account with Vimeo. The cookies used by Vimeo are stored for no longer than two years. Further information on data processing by Vimeo can be found at https://vimeo.com/privacy. The legal basis for the processing of personal data when using videos embedded via Vimeo is the consent of the user, Art. 6 para 1 sentence 1 lit. (a) GDPR. The user can withdraw his / her consent at any time. The cookies set by Vimeo can be deactivated or deleted by the user changing the cookie settings of his / her browser or deactivating marketing cookies in the cookie settings on our website.
5. How long will my personal data be stored?
Personal data of visitors to our website will be deleted when their data is no longer required for the purposes described above, unless longer storage is required by law. Usage data in the meaning described in Section B.I.1 above is regularly stored for a period of seven days. Cookies that are necessary for the operation of our website from a technical perspective are stored for a period of up to one year.
II. Adverse event reports from customers
We are grateful if you report to us any adverse reactions to our products. Such reports are of vital importance as regards public health. If you believe that you have experienced an adverse event while using one of our products, please let us know.
When you contact us in the European Economic Area, UK or Switzerland, we, Merz Therapeutics GmbH, may collect and process various (health) data relating to you. This includes, for example, information about the incident, age, gender, etc. The sole purpose of providing this data is to help us investigate the incident. Merz submits all adverse event reports from Europe to the European Medicines Agency. Where required by law, the data will also be shared with other competent authorities. The legal basis for the processing of the data is our compliance with a legal obligation to monitor risks in connection with our products (Art. 6 para. 1 sentence 1 lit. (c) GDPR) and, as far as health data is concerned, ensuring high standards of quality and safety of health care and of medicinal products or medical devices (Art. 9 para. 2 lit. (i) GDPR).
Within the Merz group, Merz Pharmaceuticals GmbH, Eckenheimer Landstrasse 100, 60318 Frankfurt am Main, Germany, dataprotection@merz.com, will have access to the adverse event reports as far as products are concerned for which Merz Pharmaceuticals GmbH is the market authorization holder. In this event, Merz Therapeutics GmbH and Merz Pharmaceuticals GmbH act as joint controllers when processing adverse event reports. The operational responsibility for the data processing in this context mainly lies with Merz Therapeutics GmbH. While you also have the right to exercise your data protection rights towards Merz Pharmaceuticals GmbH, we encourage you to turn to Merz Therapeutics GmbH since Merz Therapeutics GmbH has the internal responsibility to manage data subjects’ rights.
The adverse reaction reports shall be kept for at least 10 years for public health reasons after the product has ceased being marketed in any country.
Adverse reaction reports within the United States and Latin America are reported to Merz North America, Inc., and its affiliated companies, and, if legally required, to the United States Food and Drug Administration and relevant Canadian, South American, and Mexican authorities.
III. Newsletter subscription
If you make use of the option to subscribe to a Merz newsletter, you must give your consent to the processing of personal data required for this purpose. To subscribe to the newsletter, you must provide your e-mail address. Additional information can be provided voluntarily. This data is used exclusively for sending the newsletter and for documenting and confirming your consent. The legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. (a) GDPR. You have the right to revoke your consent at any time, e.g. via the link provided in the newsletter, without affecting the lawfulness of the processing carried out on the basis of the consent until the revocation. In this case, you will no longer receive the newsletter.
If you register for the newsletter on the Merz websites, the IP address of the accessing system and the date and time of registration and e-mail verification are also collected during registration. This data is processed solely for the purpose of being able to track possible misuse of an e-mail address. The legal basis for the processing of the data described above is our legitimate interest in protecting our systems (Art. 6 para. 1 sentence 1 lit. (f) GDPR).
The newsletters contain so-called tracking pixels. A tracking pixel is a miniature graphic that is embedded in emails in HTML format. Merz can use the embedded tracking pixel to recognize whether and when the newsletter was opened by the recipient and which links contained in the newsletter were called up by the recipient. Data collected via tracking pixels contained in the newsletters are stored and processed anonymously for statistical purposes in order to optimize the newsletter dispatch and to better adapt the content of future newsletters to the interests of the recipients.
C. PROCESSING WHEN DIRECT CONTACT IS MADE WITH MERZ (E.G. USING CONTACT FORM OR BY E-MAIL)
When you contact Merz, e.g. using a contact form on a website or by e-mail, the personal data you provide to Merz, e.g. e-mail address, name, content of the inquiry, etc., will be used exclusively for processing the particular inquiries. Your data may be passed on to other Merz companies if and to the extent necessary to respond to your inquiry. The legal basis for the processing of the data described above is, depending on the content of the respective contact, the fulfilment of your request (Art. 6 para. 1 sentence 1 lit. (b) GDPR) or our legitimate interest in further administering and evaluating your request (Art. 6 para 1 sentence 1 lit. (f) GDPR). The sharing of data with other Merz companies for internal administrative purposes is also based on our legitimate interest in internal administration (Art. 6 para. 1 sentence 1 lit. (f) GDPR). Insofar as data is to be transferred to Merz companies outside of the European Union or the European Economic Area in order to respond to the inquiry, and if the Merz company is located in a country for which the European Commission has not decided that this country ensures an adequate level of data protection, the necessary guarantees for the protection of personal data are contained in the standard contractual clauses adopted by the European Commission. These can be viewed here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en
D. DISCLOSURE OF PERSONAL DATA TO (OTHER) THIRD PARTIES
For the technical processing of personal data, Merz is supported by specialized technical service providers. These service providers are carefully selected and are legally and contractually obligated to ensure a high level of data protection. In particular, for technical processing and to provide a virtual IT solution, Merz uses the support of PlusServer GmbH, Hohenzollernring 72, 50672 Cologne, Germany. For more information on the processing of your data by PlusServer GmbH, please refer to the privacy policy of PlusServer GmbH at: https://www.plusserver.com/datenschutzerklaerung
The legal basis for the cooperation with these service providers is Art. 28 GDPR.
Merz will only pass on personal data to third parties for purposes other than those mentioned in this data protection notice if there is a legal obligation to do so (Art. 6 para 1 sentence 1 lit. (c) GDPR) or if you have given your express consent (Art. 6 para 1 sentence 1 lit. (a) GDPR).
If personal data is transferred by us to parties outside the European Union or the European Economic Area, these are either in a country for which the European Commission has decided that this country ensures an adequate level of data protection, or an adequate level of data protection is established by standard contractual clauses approved by the European Commission and concluded between us and the respective party. The standard contractual clauses can be viewed here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en
E. DURATION OF THE RETENTION OF YOUR DATA
Unless otherwise specified in this data protection notice, personal data will be deleted by Merz when it is no longer needed for the purposes for which it was processed and legal retention periods have expired. Contract-relevant data will be kept for up to ten years after termination of the respective contract with Merz.
F. RIGHTS IN RELATION TO PROCESSING
If you would like detailed information or a copy of the personal data Merz has stored about you, you can contact Merz. You may also receive the data that you have provided to Merz in a structured, commonly used and machine-readable format in accordance with legal requirements, or you may request that Merz transfers this data to a third party. Should you discover that the personal data stored about you is incorrect or incomplete, you may at any time request that this data be corrected or completed without delay. Under the conditions specified in Art. 17 and 18 GDPR, you may also demand the deletion or restriction of the processing of personal data. If you have declared your consent to the processing of your personal data, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until its withdrawal.
You also have the right to lodge a complaint with the competent data protection supervisory authority.
Insofar as the processing of your personal data is based on our legitimate interests within the meaning of Art. 6 para 1 sentence 1 lit. (f) GDPR, you have the right to object to the processing of personal data concerning you at any time for reasons related to your particular situation. Merz will then no longer processes the personal data, unless Merz can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims. In any event Merz will immediately stop processing your personal data for direct marketing purposes based on its legitimate interests.
G. CONTACT INFORMATION
If you have any questions regarding the processing of personal data by Merz or if you wish to exercise your rights with respect to such processing, you may contact Merz at any time. For this purpose, it is sufficient to send a notification to:
Merz Therapeutics GmbH
Data protection
Eckenheimer Landstrasse 100
60318 Frankfurt am Main
Germany
Merz’s data protection officer can be contacted at the address above or at dataprotection@merz.com.
If you want to contact Merz Pharmaceuticals GmbH or the data protection officer of Merz Pharmaceuticals GmbH, please see Section B.II above.
In addition, we refer to our Merz Data Protection Notice in which we provide general information about the processing of personal data in various constellations (for example, whether you contact us as a visitor to our website, as a study participant, as a customer of our products or as a healthcare professional) (www.merz.com/fin).