As a rule, we only process personal data when you use our websites if this is necessary for the provision of our websites and the functions offered as well as for the optimisation of our content. Please see the following explanations for details of the processing procedures.
1. Webpage views logging
By accessing our websites, the following information is automatically sent from your browser to our web server for the purpose of delivering the requested content and is logged by us in a log file for a period of seven days in the interest of detecting, limiting and eliminating attacks on our websites.
• IP address
• Date and time of access
• Request (method, requested file, protocol version)
• Name of page viewed
• Status code with which the web server has answered (e.g., successful)
• Transferred data volume
• Browser type and version
• Operating system
• Device used
• Referrer URL (the previously visited page)
We reserve the right to store the log file for a longer period if there are facts that suggest unauthorised access.
The legal basis is Article 6 Paragraph 1 Letter f of the GDPR. The overriding legitimate interest lies in ensuring the trouble-free functionality of our websites.
2. Storage of information or access to stored information by means of cookies
We use cookies on our websites to enable user guidance and the implementation of certain functionalities. Here, small text files containing a characteristic string and allowing a unique identification of the browser when the websites are accessed again are stored on your terminal device for the duration of the session or beyond, depending on the purpose. Some elements of our websites require that the calling browser can also be identified even after a page change so that storage is absolutely necessary. You can view the details of the necessary and optional cookies used by us in our consent banner which can be accessed under "Change Cookie Settings".
The legal basis for the storage of information or access to such information by means of cookies is Article 6 Paragraph 1 Letter f of the GDPR, insofar as its use is necessary for the provision of certain functions. The legitimate interest necessary for this is the aforementioned purpose of being able to offer certain technical attributes on our websites. In addition, the basis for the processing is your consent pursuant to Section 25 Paragraph 1 of the Telecommunications Telemedia Data Protection Act (TTDSG)
in conjunction with Article 7 of the GDPR, which you can revoke at any time with future effect by changing your choice under “Change Cookie Settings”.
We would also like to point out that you can generally set your browser in such a way that you are informed about the placement of cookies. This makes the use of cookies transparent for you. You can also delete cookies at any time via the corresponding browser setting and prevent the setting of new cookies. Please note that our websites may then not be optimally displayed and that some functions may no longer be technically available.
3. Data processing through integration of external content
3.1 Authentication service (DocCheck)
Certain areas of our websites are reserved for healthcare professionals only. Prior login is required to access these access-restricted pages. For this purpose, the authentication service of DocCheck Medical Services GmbH ("DocCheck"), Vogelsanger Straße 66, 50823 Cologne is embedded in some of our subpages so that when you access these websites, regardless of your registration, a connection is established with the provider's server and the information described in Clause 1 is transferred. Data processing to this extent is carried out based on Article 6 Paragraph 1 Letter f of the GDPR in the interest of offering a suitable registration procedure within our websites.
If you log in using the integrated log-in form, we will not receive any personal information from you as this verification process will be performed on the provider’s servers. DocCheck is responsible for this data processing. You can find more information about this at the following link http://info.doccheck.com/de/privacy/
3.2 Embedded videos
YouTube videos from the provider Google Ireland Limited - Gordon House, Barrow Street, Dublin 4, Ireland are available on some subpages of our website. If you actively access the embedded videos, the contents are automatically reloaded, and the information described in more detail in Clause 1 for the provision of the service is transferred to the provider. To protect your privacy, all videos are embedded in the “expanded data protection mode” so that no cookies are stored for advertising purposes. We have no influence on the further processing by Google Ireland Limited.
In this context, your information may also be transmitted by the provider to the servers of Google LLC in the USA. As personal data in this target country do not enjoy adequate protection comparable to European data protection law, an appropriate level of data protection cannot be assumed at present. There is a risk that authorities may access the data for security and monitoring purposes without you being informed or being able to defend yourself. Please take this into consideration if you decide to give your consent.
The legal basis for data processing is Article 6 Paragraph 1 Letter a of the GDPR in conjunction with Article 7 of the GDPR.
If you do not wish data processing by Google Ireland Limited, please refrain from using the videos.
3.3 Tag Manager
The “Google Tag Manager” service of the provider Google Ireland Limited -Gordon House, Barrow Street, Dublin 4, Ireland - is integrated into our websites as part of order processing for the purposes of managing and triggering tags. This creates a connection with the provider's servers by calling up our pages with the consequence that the information described in more detail in Clause 1 is transmitted.
The legal basis for the data processing that takes place through the integration of the service into our websites is Article 6 Paragraph 1 Letter f of the GDPR. Our legitimate interest lies in the optimum design and best possible presentation of our pages.
3.4 Web analysis
Subject to your consent, we use the web analysis system "Google Analytics" of the provider Google Ireland Limited - Gordon House, Barrow Street, Dublin 4, Ireland - in the operating mode "Universal Analytics" for the needs-based design of our websites. By this means, data, sessions and interactions are recorded by means of the storage of cookies in order to analyse the activities across websites.
When tracking with Google Analytics, several different domains are recorded by Chiesi GmbH. The data is additionally directed into a common Google Analytics Property (cross domain tracking). Based on cross-domain tracking, Google Analytics can, for example, assign a user who visits several of these domains to a session. The prerequisite for cross-domain tracking is that the user agrees to the corresponding statistics cookies on both domains.
The information generated by the cookies about the use of our websites is generally transmitted to a server in the USA by the provider who processes the data on our behalf based on an order processing contract and stored there. We use the function 'anonymizeIP' (IP masking), so that your IP address is usually shortened by the service within Member States of the European Union or in other contracting states of the Agreement on the European Economic Area.
As personal data in this target country do not enjoy adequate protection comparable to European data protection law, an appropriate level of data protection cannot be assumed at present. There is a risk that authorities may access the data for security and monitoring purposes without you being informed or being able to file legal remedies. Please note this if you decide to give your consent.
The legal basis for data processing is Section 25 Paragraph 1 of the TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz [Telecommunications and Telemedia Data Protection Act]) in conjunction with Article 7 of the GDPR.
You can revoke your consent at any time under “Change Cookie Settings” by adapting your selection.
The data sent by us and linked with cookies are automatically deleted after 14 months.
4. Data processing by user input
4.1 Enquiry via contact form
If you submit a request to us using the contact form integrated into our websites, we process the data provided by you via the mandatory fields of the mask - depending on the content of your request - either in accordance with Article 6 Paragraph 1 Letter f of the GDPR in the interests of being able to process and answer your request and, if the conditions pursuant to Article 6 Paragraph 1 Letter b of the GDPR are met.
If you also voluntarily provide us with further information, the legal basis for the processing of this data is your consent, which can be revoked at any time in accordance with Article 6 Paragraph 1 Letter a and Article 7 of the GDPR.
If the data processing is carried out based on Article 6 Paragraph 1 Letter f of the GDPR, you have the right to object to the processing at any time.
Your details will only be processed to answer your request. We will delete your data as soon as it is no longer required, and the deletion is not opposed by any statutory retention obligations.
Data recipients
Recipients of your data that we collect from you through your use of our online offering are only responsible internal bodies and persons as well as external service providers who support us within the framework of a processing contract based on instructions in the operation of our websites and the associated processes. These are the web host and the marketing agency commissioned by us in addition to the service providers listed in Clauses 3.3 and 3.4.
Your information will only be transmitted to third parties if this is permissible under data protection law and is expressly stated elsewhere in this data privacy notice, as in Clauses 3.1 and 3.2.
Data transfer to recipients in third countries
Insofar as a transmission is also made to recipients in third countries within the framework of individual data processing, we will ensure, insofar as there is no adequacy decision of the European Commission for this target country, by concluding the standard contract clauses or alternatively the implementation of other measures specified in Article 46 of the GDPR, that an appropriate level of data protection is achieved, or we obtain your consent for the data transmission.
Duration of storage
Your personal data will be deleted or anonymised as soon as it is no longer needed for achieving its purpose and deletion does not conflict with any statutory retention obligations or legitimate interests. When this is specifically the case can be found in the information in the respective processing.
Data security
In order to protect your data as comprehensively as possible against unwanted access, we take technical and organisational measures, such as by using a state-of-the-art encryption procedure. Your information will therefore be transferred from your computer to our server and vice versa via the Internet using TLS encryption.
You have the option of registering via various channels for the electronic receipt of personalised summaries of product characteristics.
In the case of online registration via our websites, we use the double opt-in procedure for the purposes of proper registration and verifiability. This means that you will receive an e-mail with a confirmation link after your registration, which you must first use to confirm your registration.
Within the scope of these services, we only process information from you that is required for the provision of the content by email or text message as well as related processes. The details of this can be found in the following explanations.
As part of your participation in our Online Events, product training and other meetings (hereinafter referred to as "Online Events"), we only process information from you that is required for the planning and implementation of Online Events. The details of this can be found in the following explanations.
Processed data categories and data types
In particular, the following data may be processed by us:
• Personal data (title, first and last name)
• Contact details (e-mail address)
• Profile data, if applicable
• Metadata (e.g., meeting ID, time and duration of communication, IP address)
• Device data (MAC address, device ID, device type, information on camera and microphone)
• Telecommunications data
• Content data (audio and image data as well as shared content, such as chat courses)
Purpose of processing and legal basis
The processing of the above information is done for the purpose of preparing and technically implementing Online Events as well as for the optimum provision of the contents and for the exchange during the conference.
The legal basis for this is, on the one hand, Article 6 Paragraph 1 Letter b of the GDPR and, on the other hand, Article 6 Paragraph 1 Letter f of the GDPR. The legitimate interest required in the latter case lies in the possibility of implementing events remotely using technical systems.
Insofar as processing takes place based on individual functionalities only through your active setting, as in the case of the transfer of image data, the legal basis is your consent that can be revoked at any time with effect for the future in accordance with Article 6 Paragraph 1 Letter a in conjunction with Article 7 of the GDPR.
Data recipients
Recipients of your data are internally only the authorities and persons responsible for the planning and implementation as well as externally the respective provider of the system used, who supports us pursuant to our instructions within the framework of order processing based on a contract in the provision of the technical infrastructure.
If necessary, your information may also be passed on to third parties in the scope of the disclosure of content to other participants in the Online Event.
Duration of storage
We would like to point out that the Online Events are not recorded in this context unless all participants agree to this after having been informed. In addition, data will be deleted as soon as the purpose for their provision ceases to apply, and no statutory retention obligations or legitimate interests oppose a deletion. A legitimate interest can, in individual cases, for example, represent the logging of the chat histories if this is necessary for the result of the event.
Finally, your data may also be retained if we have obtained your consent for this in individual cases.
As part of the notification of undesirable side effects regarding our medicinal products, in general terms, we only process data that is required to process the side effect reports received via various channels and that enable proper clarification. On the one hand, this may be data of the person affected by the side effect or, if the report is made by a third party (doctors or other members of the health professions, family members), may also include their data. The details of this can be found in the following explanations.
Processed data categories and data types
In particular, the following information may be processed by us:
• Name and contact details of the reporting person
• Affiliation of the reporting person to a health profession
• Relationship of the reporting person to the person affected by the side effect
• Information on the person affected by the side effect, such as initial date of birth, age group, height, weight and gender
• Information about the preparation that probably caused the reaction, for example, name, if applicable, batch, active substance, pharmaceutical form, application form, dosage, indication, start and duration of use
• Information on the outcome of the side effect
• Information on underlying and concomitant diseases of the person concerned
• Information on the adverse drug reaction, such as date of first occurrence, duration of the side effect, specific description and, if possible, a more precise diagnosis
• Other voluntary information
Purpose of processing and legal basis
We process your data exclusively for reasons of public interest in the area of health, in order to identify and evaluate risks and thus ensure a high standard of quality and safety for our medicinal products. The legal basis can be found in Article 9 Paragraph 2 Letter i of the GDPR in conjunction with Section 22 Paragraph 1 No. 1 Letter c of the BDSG (Bundesdatenschutzgesetzes [Federal Data Protection Act]) and in Article 28 Paragraph 1 and Paragraph 3 Letter e of the Implementing Regulation 520/2012 in conjunction with Chapter VI. B.2.b of the Good Vigilance Practice (GVP) Module VI and Section 63c of the AMG (Arzneimittelgesetz [Federal Medicinal Products Act]).
Data recipients
Recipients of your data are internally only bodies and persons responsible for the respective processing as well as external service providers who support us pursuant to our instructions within the framework of order processing based on a contract, for example within the framework of the provision of information technology systems, the management of side effect reports as well as the archiving and destruction of documents based on an order processing contract.
Your data will only be forwarded to third parties if this is necessary and permissible under data protection law or if we are required to do so based on legal requirements. Third parties in this context may be other pharmaceutical companies from our group of companies or the competent national or European authority for drug safety. Personal data will only be forwarded in pseudonymised form. This means that we do not transmit such data, such as name, address data and telephone number.
Duration of storage
We delete the data collected in this respect as soon as the purpose for the processing ceases to apply and there are no statutory retention obligations or legitimate interests that prevent the deletion. In accordance with the statutory regulations, the marketing authorisation holder must store documents relevant to drug safety for the period of marketing authorisation and for a further period of at least 10 years. This also applies to personal data.
As part of a quality-related complaint, we only process data from you that is necessary for the optimum processing of your complaint. The details of this can be found in the following explanations.
Processed data categories and data types
In particular, the following information may be processed by us:
• Personal data (title, first and last name)
• Contact details (telephone number, email address)
• Settlement and payment data (e.g., information on reimbursement, credit institution, IBAN)
• Product-related data
• Content data (content of the complaint)
Purpose of processing and legal basis
We process the aforementioned data exclusively for the review, processing and documentation of your complaint. The legal basis for this is Article 6 Paragraph 1 Letter f of the GDPR. Our legitimate interest in the processing of your aforementioned personal data lies in the simplified clarification of the matter. If your complaint involves a refund to you as the data subject, the legal basis for processing is Article 6 Paragraph 1 Letter b of the GDPR.
Data recipients
Recipients of your data are internally only bodies and persons responsible for the respective processing as well as external service providers who support us pursuant to our instructions within the framework of order processing based on a contract, for example within the framework of the provision of information technology systems based on an order processing contract.
Your data will only be forwarded to third parties to the extent that information is transmitted by you to our parent company Chiesi Farmaceutici S.p.A based on Article 6 Paragraph 1 Letter f of the GDPR for administrative purposes.
Duration of storage
We delete the data collected in this respect as soon as the purpose for the processing ceases to apply and there are no statutory retention obligations or legitimate interests that prevent the deletion. Since the storage period is determined by the necessity of storage, it can be of different durations depending on the complaint. For example, data that we receive in connection with a product complaint that results in a refund are subject to commercial and tax retention obligations and must therefore be retained for up to 10 years. In addition, data collected within the scope of quality-related complaints will be stored for at least one year after the expiry date of the product, but for at least five years.
As part of your support, we only process information from you that is necessary for the optimal provision of our services and the processes associated with them or, if necessary, for the collaboration with you. This may be data that we ourselves have collected from you or received from third parties. The details of this can be found in the following explanations.
Processed data categories and data types
In particular, the following details and information and categories of personal data are processed by us:
• Personal data (first and last name, title, gender)
• Activity-related data (e.g., position, field, specialisations, special focus)
• Organisational data (e.g., practice or clinic name, employment relationship, information on department, practice organisation and patient structure)
• Business contact details (address, email address, telephone and fax number)
• Qualification data (e.g., professional career, research focus, e.g., publications, awards, participation in clinical studies)
• Billing and payment data (e.g., fees, credit institution, IBAN)
• Visit dates (information on the time and duration of the visit by our employees as well as the content of the conversation)
• Drug-related data (information on the receipt of drug samples)
• Registration and participation data (information that we collect in connection with your registration for and your participation in events, congresses and training measures)
• Technical transaction and authorisation data (metadata, e.g., time and duration in the context of electronic communication, usage data as well as access data for access-restricted systems, if applicable)
• Content data (content of communication and, if applicable, image and audio data)
• Informed consent data (informed consent form, for example regarding the receipt of electronic advertising)
• Interest data (information about your preferences in relation to our information material)
Sources of data
In this context, the aforementioned information may also be provided in part by third parties, such as IQVIA Commercial GmbH & Co. OHG, from public sources or the institution where you are employed.
Processing purposes
In principle, we process this information only for the planning, management and processing of our services. In detail, we use your data in this process to
1. inform you about our products, services and events via various channels and to advise you about this,
2. manage and organise our business relationship or the support relationship,
3. plan, prepare and implement your participation in events and related processes or the implementation of further training measures,
4. examine your technical suitability regarding possible collaboration regarding research projects and speaker activities,
5. in the event of a cooperation with you to execute the contract,
6. organise and manage the execution of projects in which you are involved,
7. maintain industry-standard codes and standards,
8. comply with the legal requirements for documentation in the context of the dispensing of medicinal products and the publication of the results of clinical trials,
9. technically implement the use of communication systems and communicate with you via them,
10. be able to contact you electronically commercially,
11. comply with our accountability obligations under data privacy law,
12. analyse and manage our business processes through sales management and market research.
Legal basis for data processing
Article 6 Paragraph 1 Letter f of the GDPR serves as the legal basis for the data processing described above (regarding points 1, 2, 4, 6, 7, 9 and 12). Our legitimate interest in the processing of your personal data lies in this scope, on the one hand, in the direct marketing made possible as a result and, on the other hand, in the planning and management of our business processes. The data processing is also carried out on the basis of your consent pursuant to Article 6 Paragraph 1 Letter a of the GDPR (with reference to point 9), for the execution of a contract or a pre-contractual measure pursuant to Article 6 Paragraph 1 Letter b of the GDPR (with regard to points 3 and 5) and finally due to a legal obligation pursuant to Article 6 Paragraph 1 letter c of the GDPR in conjunction with Section 47 Paragraph 4 or Section 42b Paragraph 3 of the German Medicinal Products Act (in relation to point 8) and in conjunction with Article 12 Paragraph 3 and 5 Paragraph 2 of the GDPR (in relation to point 11).
Data recipients
Recipients of your data are internally only bodies and persons responsible for the respective processing as well as external service providers who support us pursuant to our instructions within the framework of order processing on the basis of a contract, for example within the framework of the provision of our information technology systems, the implementation of events and marketing services as well as the archiving and destruction of documents on the basis of an order processing contract.
Your data will only be forwarded to third parties if this is permitted by data privacy law or if we are required to do so based on legal requirements. In this context, recipients may be in particular the following entities:
• Competent authorities or the higher federal authority
• Affiliated companies
• Financial institutions
• Transport and logistics service providers
• Travel services company
Data processing outside the EU or the EEA does not generally take place. Insofar as it should become necessary within the framework of individual processing that your data are also transmitted to a third country, we ensure that an appropriate level of data protection is guaranteed by concluding the standard contractual clauses of the European Commission.
Duration of storage
We delete the data collected in this respect as soon as the purpose for the respective processing ceases to apply and no legal retention obligations or legitimate interests conflict with a deletion. The storage duration is therefore decisively measured by the necessity of storage and may vary depending on the purpose. For example, data that we collect in connection with the documentation of medicinal product sample distributions are regularly kept for 24 months. In addition, due to commercial and tax regulations, there may also be an obligation to store your data for up to 10 years if you participate in further training measures and events, for example, or cooperate with us on the basis of a contract. Otherwise, we process information concerning you to the extent necessary for the duration of our support.
We maintain publicly accessible company profiles on the following social networks and career portals in order to keep you up to date on our events and our services and to communicate with you if necessary.
"Facebook" and "Instagram" provider Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
• https://www.facebook.com/pg/NHCO.Nutrition.Germany/posts/
• https://www.instagram.com/chiesi_deutschland/?hl=de
• https://www.instagram.com/hamburg_atmet_auf/?hl=de
• https://www.instagram.com/nhco_nutrition_germany/?hl=de
"YouTube" - provider Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, Ireland
• https://www.youtube.com/channel/UCxpUIqUNBEl4aBTUuhj2MBw
"LinkedIn" - provider LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
• https://de.linkedin.com/company/chiesi-deutschland
"Xing" and "Kununu" - provider New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany
• https://www.xing.com/pages/chiesigmbh/about_us
• https://www.kununu.com/de/chiesi1
If you use our pages on the respective platforms, we will generally only process information from you that you actively transmit to us. However, we would like to point out that in addition to the data provided by the user input, information on user activities for the purposes of analysis and advertising based on different technologies can be collected by the providers in particular – without the possibility of our actual influence. Therefore, please also note the privacy policy within the websites visited.
The details on the type and scope of the data processing for which we are (co-)responsible can be found in the following statements.
1. Establishing contact
We process information that you provide to us voluntarily when you contact us via our profile pages.
Depending on the reason for your request, the legal basis is Article 6 Paragraph 1 Letter b of the GDPR or Article 6 Paragraph 1 Letter f of the GDPR. In the latter case, the legitimate interest in processing lies in responding to your request.
You have the right to object to the processing, insofar as this is based on Article 6 Paragraph 1 Letter f of the GDPR.
Recipients of your data are the provider who provides the technical infrastructure and, in the case of publicly accessible comments, all visitors to our site.
The data collected in this respect will be deleted as soon as the purpose for which it was processed no longer applies and the deletion does not conflict with any retention obligations.
2. Page statistics
When you visit our profile pages, the respective providers collect information about your usage behaviour. Based on this data, aggregate statistics (page insights) are created, which are provided to us in anonymised form by the platform operators. These site insights help us to gain insights into the nature and scope of the visitor activities on our sites in order to optimise them. We are partially responsible for the processing of these data together with the providers. An agreement governing the distribution of the fulfilment of existing data privacy obligations was concluded with Facebook Ireland Limited and LinkedIn Ireland Unlimited Company.
The legal basis for the use of these statistics without the possibility of identification is our legitimate interest pursuant to Article 6 Paragraph 1 Letter f of the GDPR to use these findings for the purpose of improving our site.
As a data subject, you may request information at any time about the personal data concerning you processed by us (Article 15 of the GDPR) and, in the event of incorrectness of the processed information, you may request rectification (Article 16 of the GDPR). If the conditions are met, you also have the right to erasure (Article 17 of the GDPR) and restriction of processing (Article 18 of the GDPR) as well as in accordance with Article 20 of the GDPR to data portability.
Insofar as your data is processed in accordance with Article 6 Paragraph 1 Letter f of the GDPR to safeguard our legitimate interests, you are entitled to object to the processing at any time for reasons arising from your special situation. We will then no longer process your personal data unless there are demonstrably compelling reasons for processing that are worthy of protection that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims. In the case of processing your personal data for the purposes of direct advertising, you may assert your right to object without giving reasons.
If the data processing takes place based on your consent, you are entitled to withdraw your consent with future effect at any time in accordance with Article 7 Paragraph 3 of the GDPR.
Right of appeal to a supervisory authority
In addition, you as the data subject have the right to complain to a supervisory authority if you believe that the processing of your data contravenes data protection regulations. The right of appeal can be asserted in particular with a supervisory authority in the Member State of your residence or the place of the suspected contravention.
