Data Protection Declaration (Information according to Art. 13 and 14 GDPR)
We, DSD Pharma GmbH (also referred to as “DSD Pharma”, “DSD”, or “we” in this data protection declaration), are committed to the principles of personal data protection and data minimisation. As a rule, the use of our website and our business activities involve the processing of personal data. To make this data processing comprehensible, we would like to inform you in our Data Protection Declaration about how we process personal data and what rights you have in this context. Should you have any further questions, please find our contact details below.
Name and Address of the Controller
Controller for the purposes of the General Data Protection Regulation (GDPR) is:
DSD Pharma GmbH
T +43 2231 64438 – 0
F +43 2231 64438 – 44
Our Data Processing – for what purpose and on what legal basis do we process personal data
We process personal data in compliance with the relevant data protection regulations, in particular the General Data Protection Regulation (GDPR, VO [EU] 2016/679) and the Austrian Data Protection Act (DSG). Therefore, processing by us only takes place based on a legal basis (in particular under Art 6 (1) lit a – f GDPR), which is specified below for the individual data processing operations.
All our employees entrusted with the processing are obliged to maintain the confidentiality of your data (data secrecy). DSD Pharma does not carry out any automated decision-making.
In principle, we collect personal data from the data subject. In individual cases, we collect and store personal data (in particular name, contact information) based on correspondence with our customers and business partners or from publicly accessible sources (e.g. telephone directory, websites, company register) based on Art 6 (1) f GDPR (and thus not directly from the data subject), if this is necessary for the provision of our services or for contacting and administration, which is also our legitimate interest.
For the use of the service portal via the internet portal www.dsd-pharma.com, the collection, storage and processing of personal data is necessary. This Data Protection Declaration describes how DSD Pharma collects and processes personal data. By continuing to use the service portal, the user agrees to the processing of their data under this declaration.
Operation of our Website
Each time you access our website (www.dsd-pharma.com), your computer (terminal device) or browser automatically transmits certain information to enable the visit or operation of the website:
- Name and URL of the retrieved file.
- Date and time of access.
- Amount of data transferred.
- Message about successful retrieval (HTTP response code).
- Browser type and browser version..
- Operating system
- Referrer URL (i.e., the previously visited page).
- Websites accessed by the user’s system via our website.
- Internet service provider of the user.
- IP address and the requesting provider.
We store this data in the log files of our system. We do not store this data together with other personal data of the user.
Legal Basis and Purpose of Data Processing
The legal basis for processing the data and their temporary storage in log files is Art 6 para 1 lit f GDPR. The system’s temporary storage of the data mentioned above is necessary to enable the delivery of the website to the user’s computer. The storage in log files takes place to ensure the website’s functionality. In addition, we use the data to optimise the website and ensure the security of our information technology systems, particularly to guarantee the integrity, confidentiality, and availability of the data processed via our website. These purposes also constitute our legitimate interest in the data processing under Art 6 (1) (f) GDPR. This data is not stored together with other personal data of the user.
Dauer der Speicherung
The data is deleted as soon as it is no longer required for achieving the purpose for which it was collected. When collecting data to provide the website, this is when the respective session has ended. When storing the data in log files, this will be after no more than seven days unless further processing is necessary to clarify a (suspected) attack.
We will only transmit personal data that is generated during the operation of the website to third parties (in particular experts and security authorities) in the event of a (suspected) data security incident or a criminal offence (e.g., an attack) for clarification, prosecution and the assertion of legal claims.
Third-party Websites: Our website partly contains hyperlinks to and from third-party websites. If you follow a hyperlink to one of these websites, please note that we cannot accept responsibility or guarantee for third-party content or data protection conditions.
Legal Basis and Purpose for Data Processing
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without cookies. For these, the browser must be recognised even after a page change.
This purpose is also our legitimate interest in processing personal data according to Art 6 (1) f GDPR.
Duration of Storage, Possibility of Objection and Removal
Cookies are stored on the user’s computer and transmitted to our site by the user. Therefore, you as a user also have complete control over cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. Deletion can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the website’s functions to their full extent.
Use of Matomo
This website uses Matomo — an open-source, self-hosted software — to collect anonymous usage data for this website.
The visitor behaviour data is collected to identify problems such as pages not being found, search engine problems or unpopular pages. Once the data (number of visitors who see error pages or only one page, etc.) is processed, Matomo generates reports for the website owners to react to (layout changes, new content, etc.).
Matomo processes the following data:
- Anonymised IP addresses by removing the last 2 bytes (i.e., 126.96.36.199 instead of 198.51.100.54).
- Pseudo-anonymised location (based on the anonymised IP address).
- Date and time.
- Title of the page accessed.
- URL of the page accessed.
- URL of the previous page (if allowed).
- Screen resolution.
- Local time.
- Files clicked and downloaded.
- External links.
- Duration of page load.
- Country, region, city (with low accuracy due to IP address).
- The primary language of the browser.
- User-agent of the browser.
- Interactions with forms (but not their content).
Provision of Services & Customer Support and Information in this Context
(distribution and offer of our services as well as administration of these services)
We process personal data to provide our services, customer support, and information, including internal documentation and administration. The legal basis for processing the data is the performance of the contract or the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR); the fulfilment of legal obligations (Art 6 para 1 lit c GDPR) as well as our legitimate interests (Art 6 para 1 lit f GDPR), in particular interests of asserting or defending our legal claims as well as internal administration within the company.
For the conclusion of a contract, the provision of certain personal data is required by law or contract, which the respective data subject is obliged to do; otherwise, no conclusion of a contract (and thus no provision of services) is possible.
When contacting us (e.g., by e-mail), we process the information provided by the enquirer to document, process, and answer the enquiry. The provision of further data is voluntary.
When contacting us by e-mail, we collect the following personal data: company name/hospital/office, department, name, title, address, telephone number, e-mail address, fax number, activity, description, and any other personal data provided voluntarily.
Rechtsgrundlage und Zweck für die Datenverarbeitung
The basis for this is our legitimate interest in the proper documentation, processing and response to the enquiry (Art 6 para 1 lit f GDPR); in the event of contact being made in an existing customer relationship or the initiation of a business relationship, we base this on the fulfilment of the contract or the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR).
Insofar as you contact us to fulfil your obligations under labour or civil law as an employee (service user) for your employer or another client, we also have a legitimate interest in the proper documentation, processing, and response to the enquiry (Art 6 (1) (f) GDPR), which also includes your data as an external contact person. In the event of contact being made in a genuine customer relationship or the initiation of a business relationship, we base this on the fulfilment of the contract or the implementation of pre-contractual measures (Art 6 (1) (b) GDPR).
Use of the Service Portal
For the use of the service portal via the internet portal www.dsd-pharma.com, the collection, storage and processing of personal data is necessary. By continuing to use the service portal, the user agrees to the processing of their data per this declaration.
- Suppliers and healthcare professionals may request access. Once access is granted, healthcare professionals can download certificates, which are either deleted after 30 days or not deleted.
- Suppliers can download the product list as a pdf.
- Suppliers can download the GDP certificate. In case of misuse, we will withdraw access without notification.
Users of the service portal provide DSD Pharma with personal data through a declaration of consent. This data includes:
- Individual user name
- Type of service portal access
- First name
- Last name
- Preferred correspondence language
We process data of applicants based on Art 6 para 1 lit b GDPR (pre-contractual measures) and Art 6 para 1 lit f GDPR to carry out the application procedure and contact the applicant.
If you apply for a vacancy and are not hired, we store the personal data for six months from the end of the application procedure (deadline for asserting claims according to §§ 15 para. 1 and 29 GlBG) based on Art 6 para. 1 lit f GDPR. If the applicant consents to this in the respective individual case, we keep the specific application documents on record for up to two years.
If it is a speculative application, we process the application documents for a maximum of two years based on Art 6 para 1 lit f DSGVO to be able to contact the applicant for suitable positions, whereby an informal objection to the processing can be raised at any time.
It is necessary to provide proof of qualification to conclude a contract in any case. In individual cases, depending on the requirements for filling a position, it may also be necessary to submit further data (e.g., criminal record extract). If the required data are not presented, such an application cannot be considered. In the event of contact by us with references provided by the applicant, data and information on a previous employment relationship may be collected by appropriate third parties. If an employment relationship is established, the application documents will be used for personnel administration.
Transmission of Personal Data
We transmit your personal data only to the extent necessary and only in the following cases:
- With your consent.
- For the processing of contractual relationships or the implementation of pre-contractual measures.
- As far as we are legally obliged to do so.
- To companies that support us in providing our services; these service providers act as order processors who may only process the data following our instructions (within the framework of an order processing contract).
- Insofar as this is necessary to protect our legitimate interests (e.g., to assert, exercise or defend legal claims) or those of a third party, and where there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data.
The following third parties come into question in the cases mentioned above:
- Contractual and business partners involved in the delivery or service (e.g., logistics companies).
- Banks (for processing payment transactions).
- Legal representatives.
- Chartered accountants/tax consultants.
- Administrative authorities.
- Self-governing bodies (social insurance institutions).
- Insurance companies.
In principle, DSD Pharma does not intend to transfer personal data to third countries or international organisations recipients. Such a transfer is possible if a data subject or a party involved in the specific case has its registered office in a third country (e.g., a customer with headquarters outside the EU). Suppose we transfer data to a country without adequate legal data protection. In that case, we ensure an adequate level of protection through the use of appropriate guarantees in the form of corresponding contracts (standard contractual clauses) or binding internal data protection regulations (Binding Corporate Rules) or rely on the exceptional circumstances otherwise provided for in the GDPR (consent, the performance of a contract, the establishment, exercise or enforcement of legal claims, overriding public interests, published personal data or because it is necessary to protect the integrity of the data subjects). Contact us at the contact details provided for a copy of the contractual guarantee mentioned.
We also point out that any data voluntarily published by users of our services themselves (e.g., online comments on the website) are public and potentially accessible worldwide.
The data of subscribers to the newsletter are not transmitted. The newsletter is sent in such a way that none of the recipients receives information about the others. The data application for the purposes of the newsletter (including the mail servers used for distribution) is hosted by a provider.
No advanced Internet services can be provided or visited on this website without personal registration and identity disclosure. Certain services may ask for name/username/possibly other personal information, and you are free to provide this information. It is pointed out that without this information, the respective service or delivery cannot be provided in the intended form and at the desired time, nor can any enquiries be processed.
Storage of Personal Data
Unless stated otherwise in the respective processing, we store personal data for as long as is necessary to ensure the fulfilment of the stated purposes or for as long as we are legally obliged to do so.
This means in the case of business letters, contracts, bookings etc., per § 212 para. 1 UGB and § 132 para. 1 BAO: until the end of the business relationship or until the expiry of the limitation and statutory retention periods applicable to us (in particular, at least seven years to prove compliance with retention obligations under the tax, duty and company law); in addition, until the end of any legal disputes in which the data is required as evidence. In the case of services where claims for damages or other titles are asserted, for the required period (between 3 and 30 years).
In the case of enquiries (contacting us): Personal data that you voluntarily disclose to us will be stored by us to provide the associated processing and evidence (for up to 3 years after completion or termination) unless a more extended storage period is also required to fulfil a legal obligation or for asserting or defending legal claims.
Service portal: Service portal: The account data is stored for access to the service portal without limitation. We will delete the account and the data stored with it upon request.
Rights of the Data Subject
Provided that the relevant legally prescribed requirements are met, you can assert the following data subject rights:
- Right to information: you can request confirmation as to whether personal data about you is being processed and request information about this data and the information according to Art 15 GDPR.
- Right to rectification if we process inaccurate or incomplete data about you (Art 16 GDPR).
- Right to erasure of personal data concerning you if the conditions of Art 17 GDPR are met.
- Right to restrict the processing of your data (Art 18 GDPR).
- Right to data portability of your data provided to us, if the processing is based on consent (Art 6(1)(a)) or on a contract (Art 6(1)(b)) to which you are a party and the processing is carried out with the help of automated procedures (Art 20 GDPR).
- In the case of processing based on legitimate interests (according to Article 6(1)(f) of the GDPR), you have the right to object to the processing of your personal data according to Article 21 of the GDPR, provided that there are grounds for doing so that arise from your particular situation. In the case of processing for direct marketing, this right exists without restrictions.
- You can revoke your given consent to personal data processing data at any time; please get in touch with us (see our contact details). The revocation of consent does not affect the lawfulness of the processing carried out based on the consent until the revocation.
- Right of complaint: You have the right to lodge a complaint with a supervisory authority responsible for you (in Austria: data protection authority, www.dsb.gv.at) if you believe that the processing of personal data concerning you violates the GDPR or your data subject rights have been violated. We request that you first contact us in cases where you were not completely satisfied with our work so that we have an opportunity to rectify any errors.
Changes to our Data Protection Declaration
Certain services may ask you for your name/username/other personal information, and you are free to provide this information. It is pointed out that without this information, the respective desired service or the corresponding delivery cannot be provided in the intended form and at the desired time, and any related enquiries cannot be processed.