1. GENERAL INFORMATION
1.1. Who are we?
Controller in the sense of the GDPR is AOP Orphan Pharmaceuticals GmbH, Leopold-Ungar-Platz 2, 1190 Vienna (Austria), Tel.: + 43 1 503 72 44 ("we", "us"). In addition, we have appointed a data protection officer according to Art 37 Para 4 GDPR: Christian Zange, firstname.lastname@example.org
2. PERSONAL DATA, PURPOSES AND LEGAL BASIS
When you contact us – e.g. by e-mail or telephone – we process the personal data provided: Typically, this is your name, contact details (e.g. telephone number and/or email address) and the content of the message. The processing is necessary in order to deal with your enquiry and to reply to you. It is therefore carried out within the framework of our (pre-) contractual obligations towards you pursuant to Art 6 Para 1 lit b GDPR.
If you send us material (e.g. scans of documents, invoices or images) when contacting us, we will also process any personal data contained therein. If these documents contain data of third parties, it is your responsibility to inform the data subject about the disclosure of the data and to ensure that the transmission is based on an appropriate legal basis.
The processing of this data is not legally required. However, we cannot properly process and respond to your enquiries without this information.
2.2. DocCheck Login
2.3. When you log in via DocCheck, your name, status, address and email address are processed. The processing is necessary in order to be able to provide certain content to the professional audience and is thus carried out to fulfill our legal obligations pursuant to Art 6 Para 1 lit c GDPR. However, the data is processed exclusively by DocCheck Community GmbH and not forwarded to us. We therefore have no access to this data.
3.2. On the one hand, we use the technical cookie "wires", which is mandatory for the operation of the website. The cookie does not process any personal data. It is stored only for the duration of the session and deleted after your visit. The cookie provides for a proper functioning of the website and is thus set on the basis of our legitimate interests pursuant to Art 6 Para 1 lit f GDPR.
3.3. We also use the following cookies from the provider Matomo for analysis purposes:
• _pk_id to create a unique visitor ID. This cookie is stored for 13 months;
• _pk_ref to store the attribution information used by the referrer for the visit. The cookie is stored for 30 minutes;
• _pk_ses for short-term storage of the visit data. This cookie is deleted after 6 months.
3.4. We activate all these cookies only after your voluntary consent via cookie banner when you click on the button "Accept all". If you do not wish to set analytical cookies, simply click on the "Accept and save selection" button. You can revoke your consent at any time without giving reasons. In addition, you have the option to delete cookies at any time via your browser settings.
4. DATA TRANSFER
If required in the course of our activities, we transfer your personal data to the following external recipients:
a) IT service provider, cloud services, data hosting and processing or similar services;
b) providers of software solutions and tools that support us in our activities.
These recipients are processors. When we engage them, we ensure that these service providers are carefully selected and regularly audited. The processing is carried out on the basis of data processing agreements exclusively on our behalf and on the basis of our documented instructions.
In addition, we transmit your personal data - insofar as necessary - to the following recipients, who act as independent data controllers:
a) third parties who assist us in fulfilling our contractual obligations towards data subjects (e.g. payment service providers and banks for payment processing, postal and parcel service providers for shipping, etc);
b) external third parties who advise and support us to the extent necessary on the basis of our legitimate interests (e.g. legal representatives and insurance companies, auditors and consultants, etc);
c) courts, authorities and other public bodies to the extent required by law or on a case-by-case basis (e.g. tax authority, data protection authority, civil courts, etc).
4.3. Recipients outside of the European Union
In the course of providing our services, your personal data may be transferred to recipients who are either located or process data outside the European Union. This is only done on the basis of your consent or our legitimate interests, if it is necessary for the fulfilment of our (pre-)contractual obligations or on the basis of a legal requirement.
If there is no adequacy decision pursuant to Art 45 GDPR for the respective third country, we implement suitable guarantees in order to maintain the level of data protection according to Art 44 GDPR. This usually involves the conclusion of standard contractual clauses pursuant to Art 46 Para 2 lit c GDPR or the existence of binding corporate rules pursuant to Art 47 GDPR. If necessary due to legal conditions in the respective country (e.g. USA due to access rights by authorities), we also implement supplementary measures in order to take the special data protection situation into account. Upon your request, we will gladly provide you with a copy of the respective appropriate guarantees with a specific data recipient.
If no such appropriate guarantees are available for the data transfer, we can base the processing on your express consent in individual cases pursuant to Art 49 GDPR. In this case, we will inform you separately.
5. DATA RETENTION
We process your data only as long as it is necessary for the fulfilment of the respective purpose. We retain data in connection with your enquiries for a period of six months in order to be able to respond to any follow-up questions.
We may further process this data if there are indications that the data is required for the assertion or defense of our claims in a particular case. The retention of data in this regard is subject to statutory warranty periods or periods of limitation. This retention beyond the original purpose is carried out on the basis of our legitimate interests in accordance with Art 6 Para 1 lit f and, if applicable, Art 9 Para 2 lit GDPR.
6. DATA SAFETY
We implement appropriate technical and organizational measures to protect your data from unlawful loss, alteration, access by third parties and other processing. In addition, our employees are contractually obliged to maintain data secrecy in accordance with § 6 DSG.
7. DATA SUBJECT RIGHTS
As a data subject, you have the right to information about the personal data processed about you. Furthermore, you have the right to rectification, erasure and restriction of processing or to data portability. You also have the right to object to the processing of your personal data if this results from your particular situation or if your personal data is processed for direct marketing purposes.
If the processing is based on your voluntary consent, you can withdraw this consent at any time, free of charge and without giving reasons, with effect for the future, e.g. by sending an email to email@example.com.
Furthermore, you have the right to complain to the competent supervisory authority. In Austria, it is the Austrian Data Protection Authority, accessible at dsb.gv.at.
However, before you contact the authority, if you want to exercise your data protection rights or have any other questions about data protection, please contact us directly using the contact details listed in Section 1. We will be happy to provide you with advice and answers at any time.