This information notice aims to provide you with an overview of how we process your personal data, as well as your rights surrounding this. The particular data that is processed in detail and the way in which it is used depends largely on the services requested or agreed in each case. For this reason, not all sections of the information notice will be relevant to you.
 

1. Who is responsible for data processing?

Within the scope of the GDPR, the responsible party is:

Medios AG
Represented by member of the executive board Christoph Prußeit
Heidestraße 9 | 10557 Berlin, Germany | Phone: +49 30 232 566 800 | info@medios.group

Medios Pharma GmbH vertreten durch die Geschäftsführung Thorsten Kujath
Cranach Pharma GmbH vertreten durch die Geschäftsführung Maik Wolf
hvd medical GmbH vertreten durch die Geschäftsführung Vasileios Schoinas
Blisterzentrum Baden-Württemberg GmbH vertreten durch die Geschäftsführung Viola Hilbert
Medios Manufaktur GmbH vertreten durch die Geschäftsführung Eike Lehmann-Müntner
Medios Individual GmbH vertreten durch die Geschäftsführung Susanne Wasserbäch
Rhein Main Compounding GmbH vertreten durch die Geschäftsführung Dirk Aßmus
Rheinische Compounding GmbH vertreten durch die Geschäftsführung Peter Heimann
cas central compounding baden-württemberg GmbH vertreten durch die Geschäftsführung Axel Dembour
Fortuna Herstellung GmbH vertreten durch die Geschäftsführung Marlies Janßen
Onko Service GmbH & Co. KG vertreten durch die Geschäftsführung Heike Terfehr
Medios Digital GmbH vertreten durch die Geschäftsführung Christoph Prußeit

Joint responsibility is governed by an agreement between the companies. The companies use the same database solution as part of their operations and have access to a common set of data where necessary. Each company is independently responsible for the lawful processing of personal data and for granting the rights of data subjects, including the provision of mandatory information. Where necessary, the companies will support each other in this respect.

You can contact our external data protection officer at:

Data Protection Officer, Medios AG
c/o activeMind AG
Management and Technology Consulting
Kurfürstendamm 56 | 10707 Berlin, Germany | Phone: +49 30  770 191 070 | datenschutz@medios.group

2. Type of personal data collected

We process the following personal data that we receive from you as part of our business relationship:

• Company name with legal form and address
• Titles and names
• Telephone numbers
• Fax numbers
• Email addresses
• Area of activity or position
• Health data

3. We process your data for the following purposes and on the following legal basis

We process personal data in accordance with the provisions set out in the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz—BDSG):

a) To fulfil contractual obligations (Art. 6(1)(b) GDPR)

Data is processed in order to take steps prior to entering a contract (e.g. creation of offers), as part of our contract and as part of supplementary contractual services (e.g. warranty notifications or manufacturer returns)

b) Due to legal requirements (Art. 6(1)(c) GDPR)

We are subject to various legal obligations which encompass data processing. These include, for example:

• Fiscal control, reporting obligations and retention obligations
• Obligations under the German Commercial Code (Handelsgesetzbuch—HGB) and the German Fiscal Code (Abgabenordnung—AO)
• Obligations under the German Money Laundering Act (Geldwäschegesetz)
• Fulfilment of requests and requirements from regulatory, law or court authorities

c) In the context of balancing interests (Art. 6(1)(f) GDPR)

If necessary, we process your data beyond the strict fulfillment of the contract to safeguard the legitimate interests of ourselves or of third parties. Examples of such cases include:

• Measures to ensure building and plant safety (e.g. operation of surveillance cameras, access controls, locking systems)
• The assertion of legal claims and defense in legal disputes
• The processing of your data in our resource planning system

4. Who receives your data

 a) Within our company

Our employees, insofar as this is necessary to contact you and for the fulfillment of our contractual and legal obligations (including the fulfillment of pre-contractual measures).

b) In the context of order processing

Your data may be passed onto service providers that represent us as contract processors. These may be other companies within the Group and/or external service providers from the following areas:

• Support or maintenance of computing or IT applications
• Accounting
• Data destruction

All service providers are contractually bound and in particular are obligated to treat your data confidentially.

c) Other recipients (third parties)

Data will only be passed onto recipients outside of our company where this is compliant with the applicable data protection regulations. Recipients of personal data can be, for example:

• Public authorities and institutions (e.g. financial and law enforcement agencies) if there is a legal or regulatory obligation to do so
• Credit and financial service providers (settlement of payment transactions)
• Tax advisors, accountants, auditors or tax auditors (statutory audit mandate)
• Lawyers
• External data protection officers

5. Is data transferred to a third country or to an international organization?

Data will only be transferred to parties in countries outside of the European Economic Area (EEA) (referred to as third countries) when:

• This is required by law (e.g. tax reporting obligations)
• You have given us your consent
• We have concluded an order processing contract with our service provider. In this case, your data will only be transmitted if either
  • The European Commission has decided that there is an adequate level of protection in the third country (Art. 45 GDPR) or
  • Appropriate guarantees are in place (standard safeguard clauses adopted by the EU Commission)
• It is necessary for the fulfillment of the contract

Currently, your data is processed by service providers based outside the European Union and in countries outside the European Economic Area (EEA) on the basis that:

We have contractually agreed with our service providers that guarantees for data protection must always be put in place with their contractual partners, in compliance with the European standard for data protection. On request, we will provide you with a copy of these guarantees.

6. How long will your data be stored?

We process and store your personal data for as long as this is necessary to fulfill our contractual and legal obligations. If data is no longer required for the fulfillment of contractual or legal obligations, it will be deleted on a regular basis.

The following exceptions apply:

• Where legal retention obligations must fulfilled, e.g. German Commercial Code (HGB) and German Fiscal Code (AO). The retention or documentation periods specified in this case are typically six to ten years.
• For the preservation of evidence within the scope of statutory limitation periods. According to Section 195 et seq. of the German Civil Code (Bürgerlichen Gesetzbuch—BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years.

If the data processing takes place on the basis of the legitimate interest of ourselves or a third party, the personal data will be deleted as soon as this interest is no longer applicable. The above exceptions also apply here.

7. What data protection rights do you have?

You have the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR.

Restrictions may apply for the right of access and the right to erasure in accordance with sections 34 and 35 of the German Federal Data Protection Act.

In addition, there is a right to lodge a complaint with a supervisory authority (Article 77 GDPR in conjunction with Section 19 of the German Federal Data Protection Act. A list of supervisory authorities (for the non-public sector) with addresses can be found at: https://www.bfdi.bund.de/DE/Service/Anschriften/anschriften_table.html

8. Is there an obligation for you to provide data?

Within the scope of the contractual relationship, you must provide personal data that is necessary for the commencement, performance and termination of the contractual relationship and for the fulfillment of the associated contractual obligations, as well as any data that we are legally obligated to collect. Without this information, it will generally be impossible for us to enter into or carry out a contract with you.