Schwabe Group is a global pharmaceutical and nutritional supplement company committed to the highest standards of integrity and legal compliance in all our business relationships. This due diligence assessment is an essential component of our compliance program and serves to evaluate potential business partners.
With the following information, we would like to give you an overview of the personal data processed by us in the business partner screening and inform you about your rights under data protection laws.
1. Controller for data processing and contact details of the data protection officer
Dr. Schwabe Holding SE & Co. KG
Willmar-Schwabe-Straße 4, 76227 Karlsruhe, Germany
Phone: +49 (0) 721 - 4005-0; Fax: +49 (0) 721 - 4005-500
E-Mail: info(at)schwabe-group.com
Data protection officer: e-mail to [email protected] or at our postal address with the addition "the data protection officer".
2. From which source does the personal data originate?
As part of the business partner screening, you are obliged to provide us with information, which may also include personal data. We thus receive this data directly from you or the data subject.
Depending on the compliance check carried out, it is possible that we also obtain and process personal data from publicly available sources, provided that the processing of this data is permitted.
3. For what purposes and on what legal basis is the personal data processed?
We process personal data in compliance with data protection laws, in particular the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
Data fields marked with an asterisk* in the questionnaires are mandatory.
a.) Registration for the Third Party Portal
To participate in our business partner screening, access to our third-party portal with your access account is required.
As a rule, we create certain basic data about your company in advance and then ask you by e-mail to complete your information and fill out the questionnaires provided.
To register your access account, you will need to provide your name, company and email address. You must choose a sufficiently complex password. We process this data exclusively to ensure your access to our third-party portal and to exclude unauthorized access to it (Art. 6 (1) lit. f GDPR). Your chosen password also remains unknown to us.
You can change your password at any time. If you suspect that third parties may have gained knowledge of your access account data, you are obliged to inform us immediately.
b.) Business Partner Screenings
In order to qualify as a business partner, it is necessary to check certain framework conditions.
We use this third-party portal to carry out the necessary compliance checks as part of the “Know Your Counterparty” (KYC) process, which includes compliance checks in the areas of anti-corruption, integrity, money laundering prevention, etc. In addition, checks may also be carried out against public sanctions lists and regulations on terrorist financing.
In this context, we process your personal data to meet our legal requirements (Art. 6 (1) lit. c GDPR).
4. Recipients of personal data
Your information will be treated as strictly confidential and will be used solely for the listed purposes.
For the implementation of the business partner screening and the provision of the Third Party Portal, we use the services of Proxora GmbH, Nockherstr. 4, 81541 Munich, which processes personal data on our behalf.
Only in the case of a legal obligation do we provide information to certain public bodies on request. These are mainly tax authorities, law enforcement authorities and authorities that prosecute administrative offences that are subject to fines.
5. Will data be transferred to a third country or to an international organization?
No. Only where there is a statutory obligation pursuant to No. 4 to provide information to a public body based in a third country may data be transferred in exceptional cases.
6. Data retention period
We process and store your personal data for as long as it is necessary for the fulfilment of our contractual and legal obligations.
- Personal data processed for registration for the Third Party Portal will be deleted when your account is removed. This is done if a business relationship is not established.
- We delete personal data that is processed for the purpose of business partner screening after the respective compliance check has been carried out and any existing statutory retention periods have expired.
7. Rights of data subjects
You have the following rights with regard to your personal data:
- Right of access
- Right to rectification or erasure
- Right to restriction of processing
- Right to object to processing
- Right to data portability.
You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us.
If you have given us consent (Art. 6 (1) lit. a GDPR), you can revoke it at any time with effect for the future.
Insofar as we base the processing of your personal data on the balancing of interests (Art. 6 (1) lit. f GDPR), you may object to the processing. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either stop or adapt the data processing or point out to you our compelling legitimate reasons for continuing the processing.
You can object to the processing of your personal data for advertising purposes at any time.
8. Obligation to provide data
In the context of the execution or initiation of a contract, you must provide the personal data that is necessary for the performance of the contract or the implementation of pre-contractual measures and the associated obligations. You must also provide the personal data that we are legally obliged to collect, in particular to meet our compliance obligations. Without providing this data, we will not be able to conclude or perform a contract with you.
In cases of data collection based on consent, the provision of data by you is voluntary and not mandatory. However, if you do not give your consent, we will not be able to provide the services based on data processing by means of consent. You can also revoke your consent at any time with effect for the future, even after it has been given.
9. Is there automated individual decision-making or profiling?
No.