Last updated: June 2020
Protecting your personal data is of great importance for us (HERMES). We will always process your personal data such as your name, address, e-mail address or telephone number in accordance with the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).
1. Controller and Data Protection Officer
The “controller” for data protection purposes is:
HERMES Arzneimittel GmbH
Telephone: +49 / 089 7 91 02 – 0
Fax: +49 / 089 7 91 02 – 280
The contact details for the HERMES Arzneimittel GmbH Data Protection Officer are as follows:
Tim Faulhaber, Attorney-at-law, external Data Protection Officer
2. Collection of general data and information
This website collects a set of general data and information every time the website is accessed. This general data and information is stored in the server log files. The following may be captured: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website page from which an accessing system reaches our website (“referrers”), (4) the sub-websites activated on our website via an accessing system, (5) the date and time the website is accessed, (6) the Internet Protocol (IP) address, (7) the accessing system’s internet service provider and (8) other similar data and information for use to defend against attacks on our IT systems.
HERMES does not personally identify you when using this general data and information. We need this information to deliver the contents of our website correctly, to optimise the contents of our website and the advertising for it, to ensure that our IT systems and the technology running our website operate continuously and to provide law enforcement agencies with the information they require for a prosecution in the event of a cyber attack.
HERMES conducts statistical analyses of this anonymised data and information in order to increase data and data security levels in our company. We store the anonymous data in the server log files separately from all personal data provided by you. The legal basis for the temporary storage of the data and the log files is provided by point (f) of Art. 6 (1) GDPR.
3. Data processing when you contact us
You can contact us via the contact form provided on our website or using the e-mail address provided. If you get in contact with HERMES using one of these channels we will automatically store the personal data you send. This personal data sent to HERMES on a voluntary basis is stored for the purpose of dealing with your request and/or contacting you. The legal basis for data processing is as set out in point (b) of Art. 6(1) GDPR, where a contract is being prepared or implemented, and in all other cases point (f) of Art. 6(1) GDPR.
4. Google Analytics
This website uses analytical cookies provided by Google Analytics. This is a web analytical service from Google LLC (“Google”). Using the analytical cookies allows us to find out how the website is used so we can continuously optimise our offering. The cookie processes data relating to the data referred to in clause 2. The information that cookies generate about your use of this website is normally transferred to a Google server in the USA and stored there.
When IP anonymisation is activated on our website, your IP address will be shortened by Google before transmission if you are in a member state of the European Union or in another signatory state to the agreement covering the European Economic Area.
Google uses this information to analyse your use of the website, create reports on website activities and provide additional services to us in connection with use of the website and Internet usage.
The IP address that is transmitted by your browser as part of Google Analytics is not merged with other data held by Google. You can prevent these cookies from being stored by enabling the relevant setting in your browser software. Please note, however, that this may prevent you from using all the functions available on this website. In addition, you can prevent the information about your use of the website that is generated by the cookie (including your IP address) from being passed on to Google and from being processed by Google by downloading and installing the browser plug-in available at the following link (https://tools.google.com/dlpage/gaoptout?hl=de).
The legal basis for the processing of personal data using technically necessary cookies is provided by point (a) of Art. 6 (1) GDPR. Personal data is transmitted to the USA under the EU-US Privacy Shield in accordance with Art. 45 (1) GDPR, which Google has signed up to.
This website uses the Usercentrics consent management service. The recipient of your data as defined in point (e) of Art 13 (1) GDPR is Usercentrics GmbH. As processor, HERMES transmits personal data (consent data) for processing purposes to Usercentrics GmbH, Sendlingerstr. 7, 80331 Munich. “Consent data” is defined as follows: The date and time of access or consent/rejection, device information, anonymised IP address. The data processing is conducted for the purpose of complying with legal obligations (duty to demonstrate consent in accordance with Art. 7(1) GDPR) and to document consent, and thus on the basis of point (c) of Art. 6(1) GDPR. Local storage is used to store the data.
This list includes all (personal) data collected by or through the use of this service. The request URLs of the website and the page path of the website are data that are recorded via the tag logger. The tag logger is always active and keeps track of which technologies are active. Users can only access this data if the tag logger function has been activated for them. Data is also transmitted when the function is not activated.
- Device information
- Browser information
- Anonymised IP address
- Opt-in and opt-out data
- Date and time of visit
- Request URLs of the website
- Page path of the website
The legal basis for the processing of personal data required under Art. 6(1) GDPR [TN] is point (c) of Art. 6 (1) GDPR.
Place of processing and retention period
The consent data (consent granted and withdrawal of consent) is retained for three years. Data is exported after the contract has ended. The data is stored in the European Union and the consent database is located in Belgium.
Further information and opt-outs
6. Google Maps
We use Google Maps on this website. This allows us to show you interactive maps directly on the website so you can use the map function easily.
The legal basis for the processing of your personal data using Google Maps is provided by point (f) of Art. 6 (1) GDPR. Personal data is transmitted to the USA under the EU-US Privacy Shield in accordance with Art. 45 (1) GDPR, which Google has signed up to.
7. YouTube videos
The legal basis for processing your personal data involving YouTube videos is provided by point (f) of Art. 6 (1) GDPR. Personal data is transmitted to the USA under the EU-US Privacy Shield in accordance with Art. 45 (1) GDPR, which Google has signed up to.
8. Social plug-ins
We use social plug-ins from Facebook, Twitter and Google+ on our website. You can recognise the provider of each plug-in by its logo or initials. In particular, we use plug-ins so that you can share content from our website with other users of social networks or direct them to these content.
We use the “two-click” solution to do this. When you visit our site, we do not initially provide any personal information to the plug-in providers. We give you the option to click a button to communicate with the plug-in provider directly. The plug-in provider will only be informed that you have visited our website page if you click on the highlighted field to enable it. The data referred to in clause 2 of this policy is also transmitted. That means that enabling the plug-in will send personal data concerning you to the plug-in provider and it will be processed there (by US providers in the USA). Since the plug-in provider mainly collects data using cookies, we recommend that you delete all cookies using your browser’s security settings before clicking on the greyed out boxes.
The data is transmitted to the provider of the plug-in regardless of whether you have an account with the plug-in provider’s social network. If you are logged into the plug-in provider, the data we have collected about you is directly assigned to any account you have with the plug-in provider. If you press the enabled button and link the page, the plug-in provider will also store this information in your user account and share it publicly with your contacts. We recommend that you regularly log out after using a social network, particularly before enabling the button to avoid the plug-in provider linking to your profile.
We have no control over the type and scope of the data collected and processed when you use the plug-ins and do not know the full extent of the data collected, the purposes of the processing or the retention periods. Nor do we have any information on the erasure of data collected by the plug-in provider.
The plug-in provider stores your data as usage profiles and uses it for purposes of advertisement, market research, and/or for the demand-responsive design of its services. This analysis is performed (even where users are not logged in) particularly to show advertisements tailored to meet users’ needs and to inform other users of the social network of your activities on our website. You have the right to object to these user profiles being created, which you must exercise by contacting each plug-in provider.
We use the plug-ins to allow you to interact with the social networks and other users so we can improve our offering and design it to be more interesting for you, our user. The legal basis for processing your personal data using the social plugins is provided by point (f) of Art. 6 (1) GDPR. Personal data is transmitted to the USA under the EU-US Privacy Shield in accordance with Art. 45(1) GDPR which Google has joined.
9. Facebook Pixel, Facebook Custom Audiences and Facebook Conversion
Our website uses the “Facebook pixel” from the Facebook social network (International: Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA | EU: Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland).
The Facebook pixel is used to display interest-based ads to users of our website when they visit the Facebook social network. This pixel creates a link to the Facebook servers when you visit our website. This tells Facebook that you have visited our website. Facebook assigns this information to your Facebook account. The Facebook pixel allows us to measure, analyse and optimise the effectiveness of Facebook ads for statistical purposes and market research purposes. All reports we receive from Facebook are in anonymised form.
The legal basis for using the Facebook pixel is provided by points (a) and (f) of Art. 6 (1) GDPR. You can withdraw your consent to the use of the Facebook pixel at any time with future effect by following this link .
We also use the Facebook Custom Audiences communication tool as part of our use-based online advertising. We generate a checksum (hash value) from your usage data (e-mail addresses) and send it to Facebook for analysis and marketing purposes. Facebook compares the hash values on our customer list against the hash values of its own store of user data. This allows Facebook to identify which of our talents are also Facebook users. We find out whether there’s a match so we can target our ads.
The legal basis for the processing of personal data using technically necessary cookies is provided by point (a) and (f) of Art. 6 (1) GDPR. You can withdraw your consent to the use of Custom Audiences at any time. If you would like to object to their use you can do thishere.
Please refer to Facebook’s privacy notices for the purpose and scope of data collection and further processing and use of data by Facebook, as well as your associated rights and configuration options for protecting your privacy. Please refer to the Facebook Help for special information and details of Facebook pixel and how it works.
Personal data is transmitted to the USA under the EU-US Privacy Shield in accordance with Art. 45 (1) GDPR, which Facebook has signed up to.
10. Data processing by KUPONA GmbH (processing by KUPONA)
a) Data processing procedures
HERMES uses services provided by KUPONA GmbH to optimise advertising of our products. KUPONA collects activity data such as product, brand or category interests from users of our website as well as technical parameters in the form of browser information, screen resolution, city, state, country, IP address, referrer, mobile device, device classes, flash version to allow us to show ads that match your interests. KUPONA’s services and advertising options are important to us as they allow us to advertise and optimise our web offering. All of your data is held in pseudonymised form. KUPONA does not know the names, addresses or similar personal characteristics that would make users identifiable. It is not possible to personally identify you. The legal basis for processing by KUPONA is your consent in accordance with point (a) of Art. 6(1) GDPR.
KUPONA uses cookie IDs that are stored on your browser. Users tagged with these pseudonymised KUPONA cookie IDs will not see more or less advertising on the web but the ads shown will be tailored to their interests. KUPONA and KUPONA’s processors assign users an ID which can be used to store characteristics of their surfing behaviour on the service’s database or the cookie. The user-related characteristics will be stored for between 30 and 180 days depending on the processor, after which they will be deleted. The cookie may be updated every time you visit, in which case the retention period will be reset. Tagging with a cookie means you can be recognised on the web later but the user cannot be personally identified. KUPONA does not use any server-side technologies that create a profile outside the cookie. This also means that the information saved in the cookie is deleted when the cookie is deleted and the user cannot be linked to the user ID. This renders the database entry unusable, as no pseudonym can be matched to it. IP addresses are not stored, except by the contractor (Adition GmbH). Adition saves this information to carry out click fraud analyses.
KUPONA can also find out whether or not an order or purchase was made, without knowing the identity of the person carrying out the process. KUPONA can measure the effectiveness of ad campaigns by measuring purchases or accessing of sub-pages. KUPONA ensures that it only collects data points that are necessary to provide this service.
Data collected concerning you may be used by KUPONA to (a) use a cookie to recognise you when you return – both to our website and other websites, apps and web offerings – and (b) to display ads and contents in line with the products or categories you are interested in as recorded through your surfing behaviour. KUPONA will only use this data for campaigns advertising our web offering.
HERMES and KUPONA are jointly responsible for KUPONA’s data processing and have signed a joint liability agreement.
KUPONA’s contact details are as follows:
b) Data recipients and passing on data
KUPONA uses the data it collects itself to show advertising for HERMES. There is no physical or actual transmission of the data to marketing clients or agencies. KUPONA uses the services of contractors and partners, who act as processors acting in accordance with KUPONA’s instructions, or from whom KUPONA obtains data directly. See the following link for a list of those involved: www.kupona.de/datenschutz/Auftragsverarbeitung
Some of the companies involved in processing by KUPONA are based outside the EU. Where data is transmitted to these companies they are either registered under the EU US Privacy Shield treaty or have signed the EU’ s “standard contractual clauses” to legitimise the transfer to a third country. These may be inspected at KUPONA’s offices on request.
c) How to object against processing by KUPONA:
You can object to the collection and processing of data by KUPONA at any time by sending a message using the contact details referred to in clause 1. You can also use the link to the KUPONA website shown here to opt out of the service:www.kupona.de/datenschutz/widerspruch. If you exercise this option KUPONA will ensure that your data cannot be reused.
d) Rights of data subjects
You can contact either HERMES (for contact details see clause 1) or KUPONA to exercise your rights regarding processing by KUPONA as set out in clause 12.
11. Data processing by Criteo
12. Data transmission to third parties
External service providers
Access to personal data by service providers and contractual parties we use to operate our website is technically possible. These external providers are obligated to use your personal data solely to carry out the services requested by us or for other purposes in accordance with our instructions.
Passing on data to third parties
Apart from the data transmission to third parties referred to above, we do not transmit, sell or market your personal data to third parties such as other companies or organisations unless you have explicitly agreed to this or such transmission is required to fulfil our contractual obligations to you as the user of our website.
13. How long your data is stored
The statutory retention period determines how long your personal data is stored. When the period expires we routinely delete the data unless it is required to fulfil our contractual duties or to set up a contract.
If the purpose for storing the data no longer applies, or if a retention period stipulated under EU directives and regulations or other applicable legislation expires, the personal data is routinely blocked or deleted in accordance with statutory provisions.
14. Your rights
As “data subject” you have rights with respect to HERMES as set out in Articles 15-21 GDPR provided that the conditions it stipulates are met. These are the right of access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (ART. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR) and the right to object to processing (Art. 21 and 22 GDPR). Apart from that, you also have the right to lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR.