In the text that follows, we would like to give you an overview of the personal data we process and inform you about your rights under data protection laws.
1. Controller responsible for data processing
This information applies to all companies of the Schwabe Group. The company responsible for data processing in each case is the company in the corporate group which makes a reference to this data protection information (e.g. in the letter or email signature). The respective postal address can be found on the corresponding letterhead or email signature.
2. What sources do the personal data come from?
We process personal data which we have obtained from business relationships (such as with customers or suppliers) or inquiries to our company. As a rule, we receive these data directly from the contractual partner or person who sends an inquiry. However, personal data can also come from public sources (such as the commercial register), provided that the processing of this data is permissible. We may also have received data from other companies that have received the necessary authorization. Depending on the individual case, we also save our own information about these data (e.g. as part of an ongoing business relationship).
Depending on the individual case, this may involve master data (e.g. name, address), contact data (e.g. telephone number, email address), contract and billing data to fulfil our contractual obligations, or the data needed to process an inquiry, including information about creditworthiness, advertising and sales information and other data from comparable categories.
3. For what purposes and on what legal basis do we process personal data?
We process personal data in compliance with data protection laws, most notably the General Data Protection Regulation (GDPR).
a.) In the context of honouring a contract or implementing pre-contractual measures (Art. 6 Para. 1 S. 1 lit. b GDPR)
We process personal data primarily to fulfil contractual obligations and provide related services or within the context of pre-contractual measures (e.g. negotiations, preparing bids). The specific purposes depend on the respective service or product related to the business relationship or the pre-contractual measures.
b.) In the context of fulfilling a legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR)
In many situations, we are required by law to collect certain personal data from you and to disclose or make it available to certain entities - usually public ones.
For example, we provide the tax authorities with the personal data they need to calculate taxes in compliance with the relevant legal requirements. In order to guarantee pharmaceutical drug safety, we are also obliged to record any related reports, information or findings (e.g. on the potential side effects of a drug) and, if necessary, to make them available to the supervisory authorities in question.
c.) In the context of legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
We also collect and process personal data to safeguard legitimate interests in the following situations:
- Processing general inquiries about our products and services
- Reviewing creditworthiness via credit bureaus to assess default risk in business relationships
- Advertising or market research
- Video surveillance to ensure compliance with site regulations on our company premises or buildings
- Asserting legal claims and defence in legal disputes
- Ensuring IT operations and security
- Measures to ensure physical-plant and system security (e.g. access authorisations)
- Measures to improve our internal business processes and product optimization
d.) In the context of consent (Art. 6 para. 1 sentence 1 lit. a GDPR)
In some situations, processing your personal data is not absolutely necessary and is only permitted with your consent. In such cases, we will draw your attention to this fact, especially letting you know that your consent is voluntary and can be withdrawn at any time with effect for the future.
Examples of such situations include
- in some advertising-related situations (if required by law, consent may be necessary for advertising)
4. Recipient(s) of personal data
In general, the company only gives access to your data to the parties which need to work with them (the “need-to-know principle”), i.e. grants access so that a contractual or legal obligation can be fulfilled. This can also include service providers and third-party agents who act on behalf of the company and/or who are obliged to process the data confidentially.
In certain situations we may transfer your data to
- public authorities (e.g. tax authorities, supervisory authorities) where there is a legal obligation to do so
- other companies of the Schwabe Group (e.g. for internal administrative purposes or to fulfil orders where needed)
- other companies within the framework of fulfilling the contractual relationship, within the context of legitimate interests, or on the basis of your consent. In individual cases, depending on the business relationship or order, these parties may be companies, logistics partners, marketing service providers, credit agencies, banks, tax consultants or lawyers involved in providing our services.
5. Are data transferred to a third country or to an international organisation?
We transfer personal data to other locations in countries outside the European Union (third countries) to whatever extent it is necessary so we can fulfil the business relationship, it is required by law, or you have given us your consent to do so.
In certain situations, we use or reserve the right to use service providers who may either be located in a third country or who may themselves use service providers located in a third country.
According to Art. 45 GDPR, a transfer of data to a third country is permissible if the European Commission has decided that an adequate level of protection exists there. In the absence of such a decision, data may be transferred to a third country if the data controller has provided appropriate safeguards (e.g. standard data protection clauses issued by the European Commission) and enforceable rights and if effective remedies are available to the data subject (Art. 46 GDPR).
As a matter of principle, we only cooperate with third-country parties that fulfil the criteria listed.
6. Data storage period
We process and store your personal data for as long as is necessary to fulfil our contractual and legal obligations. If it is no longer necessary to save personal data to fulfil these obligations, they will be deleted unless there are legal obligations which mandate saving such data, such as relevant commercial and tax law requirements, pharmaceutical law and protecting evidence within the framework of the statute of limitations.
7. Your rights
You have the following rights vis-à-vis the Schwabe Group with regard to your personal data:
- The right to be informed (Art. 13, 14 GDPR)
- The right to correct or delete information (Art. 16, 17 GDPR)
- The right to restrict the processing (Art. 18 GDPR)
- Right to object to data processing (Art. 21 GDPR)
- Right to data portability (Art. 20 GDPR)
You also have the right to file a complaint to a data protection supervisory authority about us processing your personal data.
If you have given us your consent (Art. 6 Para. 1 S. 1 lit. a GDPR), you can withdraw it at any time with effect for the future.
Since we base the processing of your personal data on legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR), you may object to the data being processing. In the event of such an objection, we will ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will examine the situation and either discontinue or modify our data processing or point out our compelling legitimate grounds for processing data, in which case we will continue the processing.
You can object to your personal data being processed for advertising purposes at any time.
8. Obligation to provide data
Within the framework of honouring a contract or pre-contractual obligations, you must provide the personal data necessary for us to fulfil the contract or implement pre-contractual measures and the related obligations. Furthermore, you must provide the personal data that we are legally obliged to collect. We will not be able to complete or fulfil our contract with you unless these data are provided.
In cases when consent is needed for us to collect data, providing your data is voluntary and not mandatory. However, if you do not consent, we will not be able to provide the services based on consent-related data processing. You can withdraw your consent at any time with effect for the future, even after it has been granted.
9. Is there any automated decision-making or profiling?