Data protection

Merz attaches great importance to the protection of personal data. In the following Privacy Policy, we inform you about who is responsible for processing your data (see Section A). Any further information will be provided according to the specific capacity in which you contact us, that is to say, according to whether you contact us as a visitor to our website, a clinical trial participant, a customer of our products, a health care practitioner, a prospective customer, or a competition participant (see Section B). You will moreover be provided with general information on the processing of your data by Merz, in particular information on the transmission of your data, the duration for which your data are stored, and your rights in connection with the processing of your data (see sections C to G).

Merz processes your data in accordance with the data protection provisions set forth in the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), specifically in the version applicable as of 25 May 2018, and in Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR).

 

A. Responsibility for the processing of your personal data

The data controller that is responsible for the processing of your personal data within the meaning of Art. 4 (7) GDPR is Merz Pharmaceuticals GmbH, Eckenheimer Landstraße 100, 60318 Frankfurt am Main, Germany (hereinafter “Merz”).

 

B. Data that is processed

1. What types of data are processed when a person visits a Merz website?

When a person visits a Merz website, Merz’s servers automatically store various data conveyed via that person’s accessing system. These data include the type of browser, the browser version and the operating system used, the website from which the Merz website is accessed, the Merz website sub-pages that are accessed, the date and time of such access, the internet protocol address (IP address), the internet service provider and any data comparable with the aforementioned data. Merz uses these data to render its website accessible, to identify and remedy any technical problems that may arise, and to prevent and, if necessary, take action against any abuse of Merz’s services. Merz moreover uses this data in anonymised form – that is, without being able to infer the user’s identity from the data provided – for statistical purposes and for purposes of improving its websites. The legal basis for processing personal usage data is Art. 6 (1) Sentence 1 (f) GDPR.

 

2. Which data are processed when a person applies as a new Revive ambassador?

The application process requires users to provide certain information, such as their name, age, contact details, photo and a link to a social media profile reference. Merz uses this information exclusively for purposes of finding new Revive ambassadors, finding models for before/after visuals and conducting the application procedure. When a user is selected, an explicit contract is concluded with him/her, which also regulates the processing of personal data. The legal basis for processing the personal data described above is provided in Art. 6 (1) Sentence 1 (b) GDPR.

 

3. How are cookies used?

The Merz websites use cookies. Cookies are small text files that are stored on the user's data carrier and that, via the browser, exchange certain data as well as settings-related information with Merz’s system. A cookie normally contains the name of the domain from which the cookie data were sent, information about the cookie's age, and an alphanumeric identifier.

If a user visits the password-protected area of a Merz website, session cookies are used for the duration of that user’s visit. These enable Merz to avail of the user-friendly single sign-on method as a means of authenticating users and controlling access to the various password-protected areas of its websites. This method enables users to move around the website’s entire password-protected area without having to log in to each area separately. Cookies are also used to collect information on how users use and navigate Merz’s websites, and what specific areas and products they are interested in. This information in turn enables Merz to improve its websites and the online experiences of website users. The information stored in the cookies is neither used to identify the user nor is it combined with other stored personal data concerning the user. The legal basis for processing personal data in connection with the use of cookies is Art. 6 (1) Sentence 1 (f) GDPR.

Users can deactivate or restrict the transmission of cookies by changing the settings of their internet browsers accordingly. Any cookies already stored can be erased at any time. Such erasure can be automated. If a user deactivates cookies for the Merz websites, he/she may not be able to make full use of all the websites’ functions.

 

4. How is Google Analytics used?

The Merz websites also use functions provided by the web analysis service Google Analytics. The provider of this service is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google is certified under the EU-U.S. Privacy Shield framework. Google Analytics also uses cookies. The cookie-generated information about the use of this website is generally transmitted to a Google server in the US and stored there. The Merz websites use Google Analytics with the added code “anonymize IP”. This means that all user IP addresses collected by the Google Analytics cookie are truncated within Member States of the European Union and states party to the Agreement on the European Economic Area before they are transmitted to the US. Only under exceptional circumstances is the full IP address transmitted to a Google server in the US and then truncated there.

The information about the Merz websites that is generated by the Google Analytics cookie is then used by Google on behalf of Merz to evaluate the use of the website, to compile reports on website activity and to provide Merz with other services relating to website activity and internet usage. The IP address that, as a result of Google Analytics activity, is transmitted by the accessing system’s browser is not combined with other data held by Google. Further information on the conditions of use and data protection is available at http://www.google.com/analytics/terms/de.html or at http://www.google.com/intl/de/analytics/privacyoverview.html. The legal basis for processing personal data in connection with the use of cookies is Art. 6 (1) Sentence 1 (f) GDPR.

The user can prevent Google from collecting and processing the cookie-generated data relating to his/her use of the website by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de. Another means of preventing Google Analytics from processing data is by clicking on the following link: Deactivate Google Analytics. Accessing this link sets an opt-out cookie, which then prevents Google Analytics from collecting the user’s data during any future visits to Merz websites. Users can deactivate or restrict the transmission of cookies by changing the internet browser settings accordingly. Any cookies already stored can be erased at any time. Such erasure can be automated. If a user is willing to accept cookies used by Merz, but not cookies used by Merz’s service providers and partners, then he/she can select the “Block only third party cookies” setting in his/her browser.

 

5. For how long will my personal data be stored?

The personal data concerning visitors to our website will be erased as soon as knowledge thereof is no longer required for the purposes described above, unless statutory provisions stipulate that the data be stored for a longer period. Usage data is generally stored for a period of 7 days. Application data is generally stored for one year after submission to be able to find before/after visuals for various projects and will be deleted automatically.

 

C. Processing where direct contact with Merz is made (e.g. via contact form or email)

If you contact Merz directly, e.g. via a contact form on a website or via email, then the personal data you transmit to Merz as a result, e.g. your email address, your name, the content of your enquiry, etc., will be used solely for processing the respective enquiry. Your data may be passed on to other Merz companies if this is necessary to respond to your inquiry. Only the data required for such response is passed on. An overview of the Merz companies is provided here: https://www.merz.com/about-merz/locations/. Depending on the manner in which contact was made, the legal basis for processing the aforementioned data is Art. 6 (1) Sentence 1 (b) or (f) GDPR. If data is transmitted to Merz companies outside the European Union or European Economic Area in order to respond to your inquiry, then Merz undertakes that it has adopted the European Commission's standard contractual clauses for these countries and has thus provided the requisite additional safeguards for the protection of personal data. These can be accessed and perused here: https://eur-lex.europa.eu/eli/dec/2004/915/oj.

 

D. Passing on personal data to (other) third parties

Merz relies on the support of specialized technical service providers for the technical processing of personal data. These service providers are carefully selected and are legally and contractually committed to ensuring a high level of data protection. The legal basis for our partnerships with these service providers is Art. 28 GDPR. In individual cases, Merz works with companies and other entities that have special expertise in specific areas or subject knowledge (such as tax auditors, lawyers, and consulting firms, for example). These entities are either subject to a professional duty of confidentiality or have been obliged by Merz to maintain confidentiality. If it is necessary to pass personal data on to these agencies, then the legal basis for this is Art. 6 (1) Sentence 1 (f) GDPR. Merz will only pass on personal data to third parties for purposes other than those specified in this Privacy Policy if there is a legal obligation to do so or if you have provided your express consent to such disclosure.

 

E. Duration of the retention of your data

Unless otherwise stated in this Privacy Policy, personal data will be erased by Merz if it is no longer needed for the purposes for which it was processed and if the retention periods prescribed by law have expired.

 

F. Rights in relation to data processing

If you would like detailed information on the personal data that has been stored by Merz about you, you can contact Merz. You may also request to receive information about any data that you have provided to Merz in accordance with applicable law in a structured, commonly used, and machine-readable format, or you may also request Merz to submit such information to a third party. If you discover that personal information that has been stored about you is incorrect or incomplete, you may request that such data be immediately corrected or completed at any time. If the requirements stipulated in Art. 17 and 18 GDPR are met, you may also request the erasure of your personal data or that processing of it be restricted. You also have the right to lodge a complaint with the relevant supervisory authority for data protection issues.

Insofar as the processing of your personal data is based on legitimate interests as per Art. 6 (1) Sentence 1 (f) GDPR, you are invariably entitled to object to such processing based on reasons arising from your particular situation. This entitlement also applies to any profiling that is conducted on the basis of the above provision. Merz will then no longer process the personal data unless Merz can prove compelling legitimate grounds for data processing that override your interests, rights and freedoms, or the data processing is for the purpose of establishing, exercising or defending legal claims. If personal data is processed for the purposes of direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising. This also applies to any profiling insofar as it is associated with such direct advertising.

 

G. Contact data

If you have any questions about how Merz processes personal data or about exercising your rights against data processing, you can contact Merz at any time. Please send all inquiries to: Merz Pharmaceuticals GmbH, Eckenheimer Landstrasse 100, 60318 Frankfurt am Main. The data protection officer at Merz can be contacted at: datenschutz@merz.de.