Data privacy

1. Privacy policy
1.1. Many thanks for your interest in our company. The management of ACS PharmaProtect GmbH attaches great importance to data protection. It is possible to use the ACS PharmaProtect GmbH website without providing any personal data. However, if a data subject wishes to make use of special services offered by our company via our website, it may be necessary to process personal data. If it is necessary to process personal data and there is no legal basis for such processing, we generally obtain the consent of the person concerned.

1.2. The processing of personal data, such as the name, address, e-mail address or telephone number of a data subject, is always carried out in accordance with the basic data protection regulation and in compliance with the country-specific data protection regulations applicable to ACS PharmaProtect GmbH. By means of this data protection declaration our company wishes to inform the public about the type, scope and purpose of the personal data collected, used and processed by us. Furthermore, this data protection declaration informs affected persons about the rights to which they are entitled.

1.3. ACS PharmaProtect GmbH, as the person responsible for processing, has implemented numerous technical and organisational measures to ensure that the personal data processed via this website is protected as completely as possible. Nevertheless, Internet-based data transmissions can generally have security gaps, so that absolute protection cannot be guaranteed. For this reason, every person concerned is free to transmit personal data to us by alternative means, for example by telephone.

2. Name and address of the data controller
The person responsible within the meaning of the basic data protection regulation, other data protection laws applicable in the member states of the European Union and other regulations of a data protection nature is the:

ACS PharmaProtect GmbH
Taubenstr. 20
10117 Berlin
Phone: +49 (0) 30 4000 484 00

3. Name and address of the data protection officer
The Data Protection Officer of the controller is:

peritux compliance GmbH
Data protection officer
Oststraße 11 – 13
50996 Köln
Phone: +49 (0) 221 29236305

Every person concerned can contact our data protection officer directly at any time with all questions and suggestions regarding data protection.

4. Data security on our website
For the security of our website we use a currently valid SSL certificate according to the state of the art. A website encrypted with SSL transmits personal data encrypted to the server so that it is impossible for third parties to intercept or read them. Our identity is verified by a certificate. Depending on your browser, you can see from the green address bar and/or the lock that a secure connection exists. By clicking on the lock or the green address bar you can read our online proof of identity. By encrypting the transmission, you can assume that the data you enter can only be read by us. You can see from the address bar that you are connected to our server and that it is not the site of a third-party provider.

5. Protection of minors
Our offer is basically directed at adults. Persons under 16 years of age may not transmit personal data to us without the consent of their parents or legal guardians.

6. Hosting
6.1. The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services as well as technical maintenance services which we use for the purpose of operating this online offer.

6.2. For this purpose, we, or our hosting service provider on our behalf, process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors of this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer in accordance with Art. 6 para. 1 lit. f GDPR. The data processing of our hosting service provider is carried out within the framework of a contract processing agreement in accordance with Art. 28 GDPR.

7. Cookies
The ACS PharmaProtect GmbH website uses technically required cookies. Cookies are text files which are stored on a computer system via an Internet browser.

7.1. Session cookies with ID (PHPSESSID) are used on our website, which are technically necessary for the stability and security of the website. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by which websites and servers can be assigned to the specific Internet browser in which the cookie was stored. This enables the websites and servers visited to distinguish the individual browser of the person concerned from other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified by means of the unique cookie ID.

7.2. By using cookies, ACS PharmaProtect GmbH can provide users of this website with more user-friendly services that would not be possible without the setting of cookies.

7.3. By means of a cookie the information and offers on our website can be optimised in the interest of the user. As already mentioned, cookies enable us to recognise the users of our website. The purpose of this recognition is to make it easier for users to use our website. For example, the user of a website that uses cookies does not have to enter his or her access data each time he or she visits the website, as this is done by the website and the cookie stored on the user's computer system. The legal basis for the use of cookies is our legitimate interest in accordance with Art. 6, paragraph 1, letter f. GDPR to make our website user-friendly and to ensure the stability and security of the website.

7.4. The person concerned can prevent the setting of cookies by our website at any time by means of an appropriate setting in the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common Internet browsers. If the person concerned deactivates the setting of cookies in the Internet browser used, it is possible that not all functions of our website can be fully used.

8. Collection of general data and information
8.1. The website of ACS PharmaProtect GmbH collects a range of general data and information each time the website is called up by a data subject or automated system. This general data and information is stored in the server log files.

8.2. ACS PharmaProtect GmbH will not draw any conclusions about the person concerned when using this general data and information. This information is required to (1) deliver the contents of our website correctly, (2) to ensure the contents of our website, (3) to guarantee the permanent functionality of our information technology systems and the technology of our website and (4) to provide law enforcement agencies with the information necessary for prosecution in the event of a cyber attack. These anonymously collected data and information are therefore statistically evaluated by ACS PharmaProtect GmbH on the one hand and also with the aim of increasing data protection and data security in our company, in order to ultimately ensure an optimum level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a person concerned. The legal basis for the temporary storage of this data in so-called log files are our legitimate interests as the responsible website operator in accordance with Art. 6 para. 1 lit. f. GDPR, to guarantee the technical presentation as well as stability and security of the website.

8.3. The temporary storage of the user's IP address by our system is necessary to enable the website to be delivered to the user's computer. For this purpose, the user's IP address must necessarily remain stored for the duration of the session. The storage of the above-mentioned data in the log files is done to ensure the functionality of our website. In addition, this data serves us to optimise the website and to ensure the security of our information technology systems (e.g. attack detection). An evaluation of the data for marketing purposes does not take place in this context. The above-mentioned data is deleted as soon as it is no longer required for the purpose of its collection. In the case of the collection of data for the provision of the website, this is the case when the respective session is ended. In the case of storage of the data in log files, this is the case after 14 days at the latest. Storage beyond this period is possible if there are indications of an illegal attack on our systems.

9. Contact possibility via the website and by e-mail
9.1. Due to legal regulations, the website of ACS PharmaProtect GmbH contains information that enables rapid electronic contact with our company as well as direct communication with us, which also includes a general address for so-called electronic mail (e-mail address). If a data subject contacts the data controller by e-mail or via a contact form, the personal data transmitted by the data subject is automatically stored. Such personal data transmitted by a data subject to the controller on a voluntary basis are stored for the purposes of processing or for contacting the data subject.

9.2. The processing of such data transmitted in the course of sending a request is carried out on the legal basis of Article 6(1)(f). GDPR of our legitimate interests to answer your inquiry satisfactorily. If the enquiry aims at the fulfilment of an existing contract or the conclusion of a new contract, the additional legal basis for processing is Art. 6 para. 1 lit. b. GDPR for the initiation/fulfilment of a contract. The processing of this personal data serves us solely to process the contact. Your data will be deleted as soon as they are no longer required for the purpose of their collection. For personal data sent by e-mail, this is the case when the respective request has been answered and the conservation with the user has ended. The conversation is terminated when it can be concluded from the circumstances that the matter in question has been finally clarified and no contract has been concluded. Inquiries regarding the contractual relationship will be stored for the duration of the existing contractual relationship Membership.

9.3. All personal data stored in the course of the contact will be deleted in this case, unless there are no legal retention periods to the contrary.

10. Recipients of the data or categories of recipients
Within our company, those entities will have access to your data that need it to fulfill their contractual and legal obligations.

11. External service providers (contract processors)
11.1. Your data will be passed on to service partners, e.g. IT and software service providers for maintenance and support in order to help us provide our services.

11.2. A processing of your personal data by commissioned service providers is carried out within the scope of order processing according to Art. 28 GDPR.

12. Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this is done in the context of using the services of third parties or disclosure or transfer of data to third parties, this will only take place if it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we will only process or transfer data to a third country if the special requirements of Art. 44 ff. GDPR. In other words, processing is carried out, for example, on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to that of the EU (e.g. for the USA through the "Privacy Shield") or compliance with officially recognised special contractual obligations (so-called "standard contractual clauses").

13. Contractual services with business partners
13.1. We process the data of our contractual partners and interested parties as well as clients, suppliers, service providers and customers in accordance with Art. 6 para. 1 lit. b. GDPR in order to provide them with our contractual or pre-contractual services. The data processed in this context, the type, scope and purpose of such processing and the necessity of processing it, shall be determined by the underlying contractual relationship. The processed data includes the master data of our contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers) as well as contract data (e.g. services used, contract contents, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history). As a matter of principle, we do not process special categories of personal data, unless they are part of a commissioned or contractual processing. We process data which are necessary for the justification and fulfilment of the contractual services and point out the necessity of their disclosure, if this is not evident to the contractual partners. Disclosure to external persons or companies will only be made if it is necessary within the framework of a contract. When processing the data provided to us within the framework of an order, we act in accordance with the instructions of the client and the statutory requirements.

13.2. When using our online services, we may store the IP address and the time of the respective user action. The storage is based on our legitimate interests of the users in protection against misuse and other unauthorized use. As a matter of principle, this data is not passed on to third parties, unless it is necessary to pursue our claims in accordance with Art. 6 Para. 1 lit. f. GDPR or there is a legal obligation to do so in accordance with Art. 6 Paragraph 1 lit. c. GDPR.

13.3. The data will be deleted when the data is no longer required to fulfil contractual or legal obligations of care and handling of possible warranty and comparable obligations, whereby the necessity of keeping the data will be reviewed every three years. In all other respects, the statutory storage obligations shall apply.

14. Other service providers, partners and third parties
14.1. We may cooperate with other partners if it is necessary to fulfil our service offers or if we are legally obliged to release data. These may be the following partners or third parties:

  • Credit institutions and payment service providers
  • Credit agencies
  • disclosure to public authorities or by court order
  • Advertising agencies
  • Document shredding company, logistics
  • Consulting and advisory services, certified public accountant
  • Insurance
  • Law firms and competent jurisdiction
  • Service company

14.2. It is important to us to process your data within the EU. However, it may happen that we use service providers who operate outside the EU. In these cases, we ensure that an adequate level of data protection is established before your personal data is transferred. This means that a level of data protection comparable to the standards within the EU is achieved through EU standard contracts or an EU adequacy finding, such as the EU Privacy Shield.

15. Origin of personal data
We process personal data that we receive in the course of our business relationship. In addition, to the extent necessary for the provision of our services and the fulfilment of contracts, we process personal data which we have permissibly received from other third parties (e.g. credit agencies) (e.g. for the execution of orders, for the fulfilment of contracts or on the basis of consents given by you). In addition, we process personal data that we have obtained and are permitted to process from publicly accessible sources (e.g. commercial and association registers, press, media).

16. Categories of personal data
We process the following categories of personal data about you:

  • Personnel master data (name, address and other contact data, date of birth)
  • if applicable order and contract data (e.g. delivery order)
  • payment data, data from the fulfilment of our contractual obligations
  • advertising and sales data
  • documentation data (data from consulting and service discussions) and comparable data.

17. Routine deletion and blocking of personal data
17.1. The controller shall process and store personal data relating to the data subject only for the period of time necessary to achieve the purpose of storage or where provided for by the European legislator or other legislator in laws or regulations to which the controller is subject.

17.2. If the purpose of storage ceases to apply or if a storage period prescribed by the European Directives and Regulations Giver or any other competent legislator expires, the personal data will be blocked or deleted as a matter of routine and in accordance with the statutory provisions.

18. Rights of the data subject
18.1. With regard to the personal data we have collected about you, you have the right to request information at any time as to whether and what data we have stored about you, what the purpose of this storage is, where this data comes from, and whether and to whom this data is forwarded. Furthermore, the right to data transferability exists.

18.2. We make every effort to ensure that the personal data stored by us is factually correct and, if necessary, up to date. If we have nevertheless stored incorrect data concerning your person, you can demand that we correct this data.

18.3. As an exception, your data may be blocked instead of corrected or deleted if neither the correctness nor the inaccuracy of the data can be determined, or if deletion is contrary to legal retention periods, for example.

18.4. Should the storage of your data be inadmissible or should your data no longer be required to fulfil a specific task, we will delete your data.

18.5. In individual cases, you can also object to the processing of your data if the processing is lawful. This is possible if, due to a special personal situation, you have an interest in the data not being processed and this interest is to be classified higher than our interest in the data processing.

18.6. If you have a corresponding request, please contact us using the contact details above. Many data processing operations are only possible with your express consent. You can revoke any consent already given at any time. For this purpose, an informal message by e-mail to us is sufficient. The legality of the data processing carried out up to the time of revocation remains unaffected by the revocation.

18.7. In the event of infringements of the GDPR, those concerned have a right of appeal to a supervisory authority, in particular in the Member State of their habitual residence, their place of work or the place of the suspected infringement. This right of appeal is without prejudice to other administrative or judicial remedies.

19. Duration for which personal data are stored
The criterion for the duration of storage of personal data is the respective legal retention period. After expiry of the period, the corresponding data is routinely deleted, provided that it is no longer required for the fulfilment or initiation of the contract.

20. Legal or contractual provisions on the provision of personal data; necessity for the conclusion of a contract; obligation of the data subject to provide the personal data; possible consequences of not providing the data
We would like to inform you that the provision of personal data is partly required by law (e.g. tax regulations) or can also result from contractual regulations (e.g. information on the contractual partner). Sometimes it may be necessary for a contract to be concluded that a data subject provides us with personal data, which must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if our company concludes a contract with him/her. Failure to provide the personal data would mean that the contract with the data subject could not be concluded. Before the person concerned makes personal data available, the person concerned can contact one of our employees. Our employee will inform the data subject on a case-by-case basis whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data and what the consequences would be if the personal data were not provided.

21. Automated decision making, profiling
As a matter of principle, we do not use exclusively automated decision-making within the meaning of Art. 22 GDPR to establish and conduct a business relationship.

22. Objection to advertising e-mails
The use of contact data published within the scope of the imprint obligation for the transmission of not expressly requested advertising and information material is hereby contradicted. The operators of the website expressly reserve the right to take legal action in the event of unsolicited sending of advertising information, such as spam e-mails.

23. Changes to the privacy policy
This data protection declaration is continuously updated in the course of the further development of the Internet or our offer. We will announce changes on this page in good time. In order to keep yourself informed about the current status of our data use regulations, this page should be called up regularly.

(Current status: March 2020)