Fair Information Notice
When you do business with Merz Pharmaceuticals GmbH (“Merz”) we know that you trust us to take care of your personal information. Trust is an important Merz value, and we aim to earn your trust not just by providing safe, effective pharmaceutical and medical devices, but also by responsibly managing your personal data. This Fair Information Notice (“FIN”) explains who is responsible for processing and caring for your personal data at Merz as well as details relating to when, where and how we use, protect, store, delete and sometimes transfer your personal data.
Merz is responsible for processing your personal data. Merz operates in Eckenheimer Landstrasse 100, D-60318 Frankfurt, simply click on the region and the scroll through the “all cities” bar.
Merz is a “controller” under the terms of the GDPR and EU Member state laws. “Controller” is the legal term for the company, in this case Merz, which, alone or jointly with others, determines the purposes and the methods by which your personal data are processed. Non-EU countries may not use the term “controller,” but nonetheless may place similar legal requirements on Merz to protect personal data we collect about you.
Like most companies, we process your personal data for several, legitimate reasons related to our business. In general, we process personal data for the following specific business reasons:
- To complete a sales transaction;
- To honor an agreement or contract;
- If, after we provide you with fair information, you give us express consent to do
- To comply with the law (e.g., national drug safety reporting);
- To protect your vital interest (e.g., your health);
- To protect the public interest (e.g., drug safety monitoring); and
- Because we have a legitimate interest in processing your personal (e.g., advertising, marketing materials, newsletters)
Merz manufactures and sells some of the best pharmaceutical products and medical devices in the world. We sometimes process personal data to make healthcare professionals, pharmacies, patients and consumers aware of our products with marketing and advertising materials. We do this only when we have a legitimate reason to do so that does not outweigh your privacy rights.
If Merz processes your personal data based on our “legitimate business interests” per Article 6(1), Sentence 1(f) of the GDPR, you can object to the processing by telling us how our processing violates your rights in your unique situation. If we use your personal data to build a profile of you and you object, we must provide you with evidence of our legitimate business need to do so and the measures we have taken to protect your fundamental rights and freedoms. You can contact us as specified in Section H of this FIN.
Merz complies with all European Union and Member state laws regarding data privacy and protection, including Regulation (EU) 2016/679 (General Data Protection Regulation–GDPR). Where applicable, Merz also complies with local and regional privacy laws in other countries where we do business.
The amount and type of personal data you share with Merz, or that Merz collects about you, depends on our relationship to you. Below are types of interactions with Merz where you may share personal data with us or where we may collect personal data about you. If you interact with us in more than one way, please review each section that pertains to your relationships with Merz.
If you do not find the information you are looking for in this FIN, or if you simply have questions or need more information, please contact the Merz Privacy Officer Germany via the email below for the area where you reside: firstname.lastname@example.org or email@example.com
How we Process and Protect Your Personal Data
In the sections below, we describe how we process and protect your personal data when you engage with Merz in specified ways.
1. I visit(ed) a Merz commercial website.
There are some general practices common to most Merz websites. When you visit a Merz website, our servers automatically store data sent by your computer’s software and internet browser, including the type and version of internet browser and operating system you use, the Merz website and sub-websites you access, the date and time of such access and your internet protocol address (“IP address”). Merz uses these data to provide you with access to the website in a readable form, to identify and fix any technical problems that may arise, and to prevent and, if necessary, take action against, any abuse of our services. We generally use an anonymized form of this data to analyze site statistics so that we can improve the look, user-friendliness and content of our websites. In some cases, we partner with third parties who may host or manage our websites. When these partners have access to your data, we contract with them to require that they only process your data according to our instructions and applicable law. The legal basis for this processing is Merz’s legitimate interest.
- How We Use Data Cookies
Merz websites used data cookies to simplify and improve your experience of our web pages. Cookies are small text files that are stored on your computer or server, that exchange settings-related information with Merz’s systems. A cookie normally contains the name of the domain from which the cookie data were sent, information about the cookie’s age, and an alphanumeric identifier.
If you visit a password-protected area of a Merz website, for example, the Merz job board website, session cookies are used for the duration of your visit. These enable Merz to make your experience simpler by using a single sign-on method as a means of authenticating you across the password-protected areas of websites. This method enables you to move around the website’s entire password-protected area without having to log in to each area separately.
- How We Use Google Analytics
Merz websites in the European Union, European Economic Area and Switzerland use Google Analytics with the added code “anonymize IP”. This means that user IP addresses collected by the Google Analytics cookie are truncated within Member States of the European Union and states party to the Agreement on the European Economic Area before they are transmitted to the U.S. This means that Google cannot use your IP address to identify your specific device or location. Only under exceptional circumstances is the full IP address transmitted to a Google server in the U.S. and then truncated there.
Merz’s legitimate interest in using the data collected by Google Analytics is to understand the effectiveness, reach and usability of its websites.
You can prevent Google from collecting and processing cookie-generated data relating to your use a website by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
You can also deactivate Google Analytics cookies by clicking https://developers.google.com/analytics/devguides/collection/analyticsjs/user-opt-out
You can also deactivate or restrict the transmission of cookies by changing your internet browser settings. You can delete cookies already stored at any time, either by manually deleting each cookie or setting your browser to do so automatically. If you want to accept cookies used by Merz, but not cookies used by Merz’s service providers and partners, you can select the “Block only third party cookies” setting in your browser.
- How We Use YouTube Videos
Some of our websites feature YouTube videos. YouTube is a service offered by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Merz uses YouTube’s advanced data protection settings to integrate videos. In this way, technical data pertaining to your accessing system, for example, information about what video you viewed, are only transmitted to Google if you click on the video. Merz’s legitimate interest in processing personal data via YouTube is so that we may provide relevant business videos to our users.
You can prevent the transmission of your data to Google by not clicking on the YouTube videos integrated into the Merz websites.
- How We Use Social Media Plug-Ins
Merz websites use plug-ins of social media platforms such as Facebook, Twitter, Google and Instagram so that you may share your experience with Merz on social media. We use this information to improve our business and to provide you with content more relevant to your life and interests as expressed online. Social media plug-ins are identifiable by the logo of the respective plug-in provider that they feature and, in the case of Facebook, also by the additional “Like” and “Share” buttons.
If you are signed into social medial when you click on a social media plug-in, your IP address and other activities may be stored by the social media providers. To prevent this, you should log off of your social media accounts before navigating to websites that use social media plug-ins. The plug-in providers explain the information obtained by plug-ins and how you can limit it on their websites, which you can access here:
You can limit or prevent transmitting your data to social media plug-in providers by using the tools and methods provided on the plug-in providers respective websites (links above).
2. I use a Merz product and I participate(d) in a Merz-sponsored contest or campaign.
From time to time, we hold competitions, lotteries and other such promotional events. Unless otherwise specified in data protection regulations pertaining to the respective competition or promotion, any personal information that you provide us as part of your participation in the competition or promotion will be used to administer the competition or promotion (e.g. determining the winner, notifying the winner, sending the prize). In some cases, with your consent, we will use personal information you provided as a part of your participation in the contest to contact you with other Merz contests or promotions and information about Merz products.
If you have consented to share information with Merz you may at any time revoke your consent with future effect; such revocation will not put you at any disadvantage whatsoever. To revoke consent, you may simply send a corresponding written notification to the body specified on the declaration of consent, or to firstname.lastname@example.org.
Once the competition or promotion is over, your data will be deleted, unless you have consented to allow Merz to process your data for promotional purposes beyond the time period of the contest. Where the prizes are objects, the data of any winners will be kept for as long as the respective statutory warranty claims apply so that we may arrange rectification or exchange should the prize be defective.
3. I report(ed) that a Merz product may have caused a side effect or injury.
If you or your patient experience any unwanted side effects when using our products, we encourage you to contact us immediately. Reporting such situations is very important from a public health perspective and is in the legitimate interest of both Merz and the public at large. If you believe that you may have experienced adverse effects while using our products, we ask you to report this to us at email@example.com.
If you contact us to report a potential side effect, we will collect and process various types of health-specific data relating to you. These data may include the treatment you received and side effects themselves as well as all relevant medical information about your age, gender, other medications you take and medical history. Such data are used for the exclusive purpose of investigating your report and understanding how our drug or device may have caused it. If you are a European Economic Area or Swiss resident your data will be forwarded to Merz Pharmaceuticals GmbH in Frankfurt am Main, Germany, which, within the Merz companies (outside the United States), is responsible for managing reports of side effects or injury. Merz Pharmaceuticals submits all reports of adverse reactions received from within Europe to the European Medicines Agency. Safety reports within the United States and Latin America are reported to Merz North America, Inc., and, if legally required, to the United States Food and Drug Administration and relevant Canadian, South American and Mexican authorities. The Merz Group provides regulatory authorities the minimum necessary personal data to comply with public safety and drug regulation laws.
For public health reasons, reports of adverse events are kept until the legally required retention period has expired and are then deleted.
4. I report(ed) a technical (non-injury) problem with a Merz product.
Your complaints help us improve the quality of our products. Accordingly, we process personal data you have made available to us (e.g. your personal data, contact details, and your correspondence with us) solely for the purpose of examining the quality issues you have reported and/or to clarify the details with you. Merz forwards only unidentified technical data included in your complaint to other Merz companies and contracting parties to improve any quality issues with our products. Your identified personal data is not transmitted, but rather remains solely at the Merz affiliate to which you made the report and will be erased after the legally required retention period elapses.
5. I visit a Merz social media platform including but not limited to Facebook, Instagram, Pinterest, Twitter, LinkedIn or Vimeo.
Only to the extent required by law, Merz processes your personal data as described in the following section in its capacity as controller within the meaning of the GDPR. However, in all other respects, the operator of the respective social media platform is deemed the controller under data protection law for all types of processing performed on the platform itself.
Data entered on our social media pages, for example comments, videos, images, likes, public messages, etc., are published by the operator of the respective social media network and we reserve the right to delete such content should this be necessary (e.g. due to inappropriateness or regulatory guidelines). We may also use the social media platform to communicate with you.
We also target advertising based on certain demographics, interests, behaviors and location. These data are provided to us by the operator of the respective social media platform, if required, in anonymous form. We can only influence statistics provided to us by the operator of the pertinent social media platform to a limited extent; we cannot deactivate such statistics.
To prevent the operators of social media platforms from collecting information from you and then using it to target you with behavior-related advertising, we recommend that you review the privacy settings of each social media channel and adjust the account settings accordingly. You can also deactivate or restrict the transmission of cookies by changing your internet browser settings accordingly.
6. I contacted Merz via e-mail or contact form on a website.
If you contact Merz directly, e.g. via a contact form on a website or via e-mail, then the personal data you transmit to Merz as a result, e.g. your e-mail address, your name, the content of your enquiry, etc., will be used to for processing the your respective inquiry. Your data may be passed on to other Merz companies if this is necessary to respond to your inquiry. An overview of the Merz companies is provided in paragraph A, above at the beginning of this Policy. In this case we are processing your data either to fulfill a contract or to respond to a business inquiry.
If your data is transferred outside the EU/EEA in order to process your request, then Merz will ensure the lawfulness of the transfer via the mechanisms described in Section F, below.
Merz relies on the support of specialized technical service providers for the technical processing of personal data. These service providers are carefully selected and are legally and contractually committed to ensuring a high level of data protection.
In individual cases, Merz works with companies and other entities that have special expertise in specific areas or subject knowledge (such as tax auditors, lawyers, and consulting firms, for example). These entities are either subject to a professional duty of confidentiality and/or have been obliged by Merz to maintain confidentiality.
Merz will only pass on personal data to third parties for purposes other than those specified in this FIN if there is a legal obligation to do so or if you have provided your express consent to such disclosure.
Unless otherwise stated in this FIN, we erase your personal data when it is no longer needed for the purposes for which it was processed and if the retention periods prescribed by law have expired. Contractually relevant data are usually erased ten years after the termination of the respective contract with Merz.
If data is transmitted to Merz companies in countries that are outside the European Union or European Economic Area and that, according to the European Commission, do not offer an “adequate level of data protection,” then Merz safeguards your data pursuant to the European Commission’s standard contractual clauses for these countries and has thus provided the requisite additional safeguards for the protection of personal data. These can be accessed here: https://eur-lex.europa.eu/eli/dec/2004/915/oj. An overview of all Merz companies is provided in paragraph A, above. Merz also complies with the cross border data transfer and export control laws of non-European countries within which it operates.
If you would like detailed information on your personal data stored by Merz, you can contact us using the email firstname.lastname@example.org or email@example.com or by contacting our global privacy office at firstname.lastname@example.org. You may also request to receive information about any data that you have provided to Merz in accordance with applicable law in a structured, commonly used, and machine-readable format, or you may also request that we submit such information to a third party. If you discover that personal information that has been stored about you is incorrect or incomplete, you may request that such data be immediately corrected or completed at any time. If the requirements stipulated in Art. 17 and 18 of the GDPR are met, you may also request the erasure of your personal data or that processing of it be restricted. You also have the right to lodge a complaint with the relevant supervisory authority for data protection issues in the area where you live.
If Merz processes your personal data based on our “legitimate business interests” per Article 6(1), Sentence 1(f) of the GDPR, you can object to the processing by telling us how our processing violates your rights in your unique situation. If we use your personal data to build a profile of you and you object, we must provide you with evidence of our legitimate business need to do so and the measures we have taken to protect your fundamental rights and freedoms. If you object, we will stop processing your personal data unless we can demonstrate a compelling legitimate ground for the processing, which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. If you are objecting to direct marketing by us, we will honor your request and cease such marketing.
You can contact us as specified in Section H, of this FIN.