Data protection
Merz attaches great importance to the protection of personal data. In the following data protection information, we inform you about who is responsible for the processing of your data (see section A). Further information is provided depending on the particular capacity in which you contact us, for example whether you are a visitor to our website or a customer of our products (see section B). In addition, you will receive general information on the processing of your data by Merz, in particular regarding sharing of your data, the data retention period and your rights in relation to the processing of your data (see sections C. to G.).
Merz processes your data in accordance with the Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”).
A. CONTROLLER FOR THE PROCESSING OF YOUR PERSONAL DATA
Controller for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR is Merz Therapeutics GmbH (“Merz”, “we”, “us”, “our”), a member of the Merz group of companies, given as contact address in the imprint or through direct communication with you.
B. DATA PROCESSING IN DIFFERENT PROCESSING CONSTELLATIONS
I. Visitors to our websites
1. What data is collected and processed when you visit the Merz websites?
When the Merz websites are accessed, the Merz servers automatically store various data about the system accessing the site. This includes the type of browser used, the browser version, the operating system used, the website from which the Merz website is accessed, the subpages of the Merz website accessed, the date and time of access, the Internet protocol address (IP address), the Internet service provider and data that is comparable with this data. Merz uses this data to enable access to the website and to identify and correct any technical problems that may occur. The legal basis for the processing of personal usage data for this purpose is Art. 6 para. 1 sentence 1 lit. (b) GDPR. Merz further uses this data to prevent and, if necessary, tackle misuse of Merz products and services. The legal basis for this processing of personal usage data is Art. 6 para. 1 sentence 1 lit. (f) GDPR. Our legitimate interest is the protection of our websites and systems. In addition, Merz uses this data in anonymized form, i.e. without the capability of identifying the user, for statistical purposes and to improve the websites.
2. What data is processed in areas with restricted access?
Certain areas of the Merz websites are accessible to medical professionals only and require prior registration. As part of the registration process, the user must provide certain information, such as name, postal address (for identification as a healthcare professional), and e-mail address. After a selected Merz employee has checked whether you qualify as a medical professional during the initial registration process, your user data will be sent to you. Merz uses this information solely for the purpose of setting up and managing the user account, identifying authorized users and in order to be able to make the desired function available to the user. The legal basis for the processing of the data described above is Art. 6 para. 1 sentence 1 lit. (b) GDPR. As far as the identification as a healthcare professional is concerned, the legal basis for the processing is our legitimate interest in verifying that only authorized persons access our restricted websites (Art. 6 para. 1 sentence 1 lit. (f) GDPR).
3. How are cookies used?
The Merz websites use cookies. Cookies are small text files that are stored on the user’s data carrier and exchange certain settings and data with the Merz system via the browser. A cookie usually contains the name of the domain from which the cookie data was sent, information about the age of the cookie, and an alphanumeric identifier. As far as the cookies are technically necessary to operate our websites and to enable users to use their functions, the legal basis for using such cookies is Art. 6 para. 1 sentence 1 lit. (b) GDPR.
In addition, with your consent cookies are used to collect information about how users use Merz websites, how they navigate through the website, and which areas of the website and which products they are interested in (see section b) below). In this way, Merz can improve the websites as well as the users’ online experience. The information stored in the cookies is not used to identify the user and is not merged with other personal data stored about the user. The legal basis for the use of such cookies is your consent (Art. 6 para. 1 sentence 1 lit. (a) GDPR).
By changing the settings of the Internet browser, users can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This function can also be automated. If cookies for the Merz websites are deactivated, it may no longer be possible to fully use all functions of the websites.
4. How is Google Analytics used?
With your consent, this website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Merz uses Google Analytics to understand how visitors use our site. Cookie data about your use of this website (including your IP address) will be transferred to and stored on a Google server in the USA. We use an anonymized Google Analytics application that truncates your IP address. In other words, Google shortens your IP address prior to transferring it to the USA. Google uses this information to evaluate your use of this website, compile reports on website activity and provide other services. Google may also transfer this information to third parties where required to do so by law, or where such third parties process this information on Google’s behalf. The IP address transmitted from your browser through Google Analytics will not be associated with other data held by Google.
You can prevent the storage of cookies by selecting the appropriate settings on your browser software. However, please note that if you do this you may not be able to make full use of all the functions of this website.
You may opt out of the collection and storage of data by Google at any time with future effect by downloading and installing a deactivation add-on for your browser. This will prevent Google Analytics from collecting and processing data about your website visits. For more information and instructions on download and installation, go to google.com/dlpage/gaoptout, where you can also download the deactivation add-on.
You can also prevent the collection of data by Google Analytics by clicking on the link below. An opt-out cookie will be set that prevents the future collection of your data when visiting this website:
5. How is Matomo used?
With your consent, we also use the web analytics service Matomo (formerly Piwik) from InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769 (“Matomo”) on our website. Matomo uses cookies for analysing the usage of the website. The information generated by the cookies about the use of this website is stored on servers of Matomo located in the European Union. The cookies collect the following information about the users: Usage data (e.g. websites visited, interests in content, times of access), location (country, region, city) and meta / communication data (e.g. information about the device and browser, IP address). The IP address of the user is anonymized before storage. The cookies used by Matomo expire after 13 months at the latest. You can find further information about the data processing performed by Matomo under https://matomo.org/privacy-policy/. The legal basis for the processing of personal data via the use of the web analytics service Matomo is the user’s consent, Art. 6 para. 1 sentence 1 lit. (a) GDPR. The user can withdraw his / her consent at any time. The cookies placed by Matomo can be deactivated or deleted if the user adapts the cookie settings of his / her browser or deactivates marketing cookies in the cookie settings on our website.
6. How is Google Ads used?
We use Google Ads to display advertisements across the internet. These ads may appear with Google search results, YouTube, or other websites in Google’s display network. The ads you see may be based on your previous interactions with our website or your online behavior, as tracked by Google. We and our third-party vendors, including Google, use cookies and device identifiers to recognize your device across different websites and platforms. These technologies help us serve more relevant ads and analyze the performance of our advertising campaigns. You can opt out of personalized advertising by visiting Google’s Ad Settings page (https://adssettings.google.com). You can adjust your browser settings to block or delete cookies. You can also adjust your cookie preferences on our website by clicking on the cookie icon in the bottom right.
7. How long will my personal data be stored?
Personal data of visitors to our website will be deleted when their data is no longer required for the purposes described above, unless longer storage is required by law. Usage data in the meaning described in Section B.I.1 above is regularly stored for a period of seven days. Cookies that are necessary for the operation of our website from a technical perspective are stored for a period of up to one year.
II. Adverse event reports from customers
We are grateful if you report to us any adverse reactions to our products. Such reports are of vital importance as regards public health. If you believe that you have experienced an adverse event while using one of our products, please let us know.
When you contact us in the European Economic Area, UK or Switzerland, we, Merz Therapeutics GmbH, may collect and process various (health) data relating to you. This includes, for example, information about the incident, age, gender, etc. The sole purpose of providing this data is to help us investigate the incident. Merz submits all adverse event reports from Europe to the European Medicines Agency. Where required by law, the data will also be shared with other competent authorities. The legal basis for the processing of the data is our compliance with a legal obligation to monitor risks in connection with our products (Art. 6 para. 1 sentence 1 lit. (c) GDPR) and, as far as health data is concerned, ensuring high standards of quality and safety of health care and of medicinal products or medical devices (Art. 9 para. 2 lit. (i) GDPR).
Within the Merz group, Merz Pharmaceuticals GmbH, Eckenheimer Landstrasse 100, 60318 Frankfurt am Main, Germany, dataprotection@merz.com, will have access to the adverse event reports as far as products are concerned for which Merz Pharmaceuticals GmbH is the market authorization holder. In this event, Merz Therapeutics GmbH and Merz Pharmaceuticals GmbH act as joint controllers when processing adverse event reports. The operational responsibility for the data processing in this context mainly lies with Merz Therapeutics GmbH. While you also have the right to exercise your data protection rights towards Merz Pharmaceuticals GmbH, we encourage you to turn to Merz Therapeutics GmbH since Merz Therapeutics GmbH has the internal responsibility to manage data subjects’ rights.
The adverse reaction reports shall be kept for at least 10 years for public health reasons after the product has ceased being marketed in any country.
Adverse reaction reports within the United States and Latin America are reported to Merz North America, Inc., and its affiliated companies, and, if legally required, to the United States Food and Drug Administration and relevant Canadian, South American, and Mexican authorities.
C. PROCESSING WHEN DIRECT CONTACT IS MADE WITH MERZ (E.G. USING CONTACT FORM OR BY E-MAIL)
When you contact Merz, e.g. using a contact form on a website or by e-mail, the personal data you provide to Merz, e.g. e-mail address, name, content of the inquiry, etc., will be used exclusively for processing the particular inquiries. Your data may be passed on to other Merz companies if and to the extent necessary to respond to your inquiry. The legal basis for the processing of the data described above is, depending on the content of the respective contact, the fulfilment of your request (Art. 6 para. 1 sentence 1 lit. (b) GDPR) or our legitimate interest in further administering and evaluating your request (Art. 6 para. 1 sentence 1 lit. (f) GDPR). The sharing of data with other Merz companies for internal administrative purposes is also based on our legitimate interest in internal administration (Art. 6 para. 1 sentence 1 lit. (f) GDPR). Insofar as data is to be transferred to Merz companies outside of the European Union or the European Economic Area in order to respond to the inquiry, and if the Merz company is located in a country for which the European Commission has not decided that this country ensures an adequate level of data protection, the necessary guarantees for the protection of personal data are contained in the standard contractual clauses adopted by the European Commission. These can be viewed here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en
D. DISCLOSURE OF PERSONAL DATA TO (OTHER) THIRD PARTIES
For the technical processing of personal data, Merz is supported by specialized technical service providers. These service providers are carefully selected and are legally and contractually obligated to ensure a high level of data protection. The legal basis for the cooperation with these service providers is Art. 28 GDPR.
Merz will only pass on personal data to third parties for purposes other than those mentioned in this data protection notice if there is a legal obligation to do so (Art. 6 para. 1 sentence 1 lit. (c) GDPR) or if you have given your express consent (Art. 6 para. 1 sentence 1 lit. (a) GDPR).
If personal data is transferred by us to parties outside the European Union or the European Economic Area, these are either in a country for which the European Commission has decided that this country ensures an adequate level of data protection, or an adequate level of data protection is established by standard contractual clauses approved by the European Commission and concluded between us and the respective party. The standard contractual clauses can be viewed here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en
E. DURATION OF THE RETENTION OF YOUR DATA
Unless otherwise specified in this data protection notice, personal data will be deleted by Merz when it is no longer needed for the purposes for which it was processed and legal retention periods have expired. Contract-relevant data will be kept for up to ten years after termination of the respective contract with Merz.
F. RIGHTS IN RELATION TO PROCESSING
If you would like detailed information or a copy of the personal data Merz has stored about you, you can contact Merz. You may also receive the data that you have provided to Merz in a structured, commonly used and machine-readable format in accordance with legal requirements, or you may request that Merz transfers this data to a third party. Should you discover that the personal data stored about you is incorrect or incomplete, you may at any time request that this data be corrected or completed without delay. Under the conditions specified in Art. 17 and 18 GDPR, you may also demand the deletion or restriction of the processing of personal data. If you have declared your consent to the processing of your personal data, you have the right to withdraw your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until its withdrawal.
You also have the right to lodge a complaint with the competent data protection supervisory authority.
Insofar as the processing of your personal data is based on our legitimate interests within the meaning of Art. 6 para. 1 sentence 1 lit. (f) GDPR, you have the right to object to the processing of personal data concerning you at any time for reasons related to your particular situation. Merz will then no longer process the personal data, unless Merz can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims. In any event Merz will immediately stop processing your personal data for direct marketing purposes based on its legitimate interests.
G. CONTACT INFORMATION
If you have any questions regarding the processing of personal data by Merz or if you wish to exercise your rights with respect to such processing, you may contact Merz at any time. For this purpose, it is sufficient to send a notification to:
Merz Therapeutics GmbH
Data protection
Eckenheimer Landstrasse 100
60318 Frankfurt am Main
Germany
Merz’s data protection officer can be contacted at the address above or at dataprotection@merz.com.
If you want to contact Merz Pharmaceuticals GmbH or the data protection officer of Merz Pharmaceuticals GmbH, please see Section B.II above. In addition, we refer to our Merz Data Protection Notice in which we provide general information about the processing of personal data in various constellations (for example, whether you contact us as a visitor to our website, as a study participant, as a customer of our products or as a healthcare professional) https://merztherapeutics.com/fin