Privacy statement (customers)
Dear customers,
With this privacy statement, we would like to let you know
- which personal data we collect, store, process, block and erase (this shall be collectively referred to as ‘processing’),
- the purposes we use them for,
- how you can object to their use or withdraw your consent, as well as
- what other rights you have as a data subject and how you can exercise them.
1. Who is responsible for the data processing and who can I contact?
The data controller, as set out in the GDPR, is
Lomapharm GmbH
Langes Feld 5
31860 Emmerthal, Germany
Phone: +49 (0) 5155 2791-0
Fax: +49 (0) 5155 2791-219
Email: service@lomapharm.de
You can contact our company data protection officer by email at datenschutz@lomapharm.de or by post under the above address with the note ‘the data protection officer’.
2. Is there an obligation to make data available?
In the context of our business relationship, you only need to provide the personal data that are necessary for entering into and conducting a business relationship and the fulfilment of the contractual obligations related to it or that we are legally obliged to collect. Generally speaking, without these data, we would not be able to enter into the contract with you or perform it.
3. What sources and data does Lomapharm GmbH use?
We process personal data that we receive from our customers as part of our business relationship. In addition, we process personal data that we obtain permissibly from publicly accessible sources (e.g. the commercial register, the press and the internet), or that are permissibly transferred to us by other companies or other third parties (e.g. by credit agencies) to the extent that this is necessary for our cooperation.
The personal data we process particularly include:
- personal details (name, address and other company contact data)
- order data and data from performing the contract
- data from audits being performed (e.g. contact person data)
- as well as other data that are similar to data in the specified categories
4. Purposes of the processing and legal basis
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) based on the following legal bases:
4.1 To fulfil contractual obligations (Art. 6(1)(1b) GDPR)
The processing of data takes place for the purpose of fulfilling the contracts concluded with our customers, implementing pre-contractual measures taken at the request of our suppliers and service providers or carrying out all the tasks necessary in running and/or managing a pharmaceutical company.
4.2 As part of the balancing of interests (Art. 6(1)(1f) GDPR)
Where necessary, we process personal data in a way that goes beyond the fulfilment of the contract itself in order to protect our legitimate interests.
This particularly includes the following activities and processes:
- the establishment of legal claims and defence in legal disputes,
- safeguarding the IT security and IT operations of our company,
- checking against sanctions lists that go beyond what is prescribed by law but which are customary.
4.3 On the basis of your consent (Art. 6(1)(1a) GDPR)
To the extent that you have given consent to the processing of personal data for specific purposes, this processing of the data shall be lawful on the basis of your consent.
Consent that has been given can be withdrawn at any time. This also applies to the withdrawal of declarations of consent that were given before the GDPR came into effect. Please note that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
You can withdraw consent free of charge and informally via our contact data stated in point 1. If consent is withdrawn by phone, we ask that, if necessary, you provide additional proof of your identity using another means.
4.4 On the basis of legal requirements (Art. 6(1)(1c) GDPR) or in the public interest (Art. 6(1)(1e) GDPR)
Like every company, Lomapharm GmbH is also subject to many legal obligations that make it necessary to process personal data. Examples of these obligations include obligations in relation to identification in order to prevent money laundering, checking against sanctions lists that are prescribed by law and compliance with fiscal documentation obligations.
5. To what extent is there automated decision-making in individual cases?
We generally do not use any fully automated decision-making, as referred to in Article 22 GDPR, to establish or conduct the business relationship. If we implement this procedure in individual cases, you will be informed of this separately, insofar as this is legally required.
6. Who will receive my data?
Within Lomapharm GmbH, the bodies and departments that receive your data are those which require them to fulfil our contractual and legal obligations. The service providers, carefully selected and monitored by us, can also receive data for these purposes, but are, in this regard, bound by the requirements of data protection law that also apply to us, as part of ‘contracted processing’. Amongst others, they may include companies in the sectors of IT services, logistics, print services, telecommunications, consultancy or marketing agencies.
Disclosure to recipients outside Lomapharm GmbH shall only take place if there is a legal basis for this (e.g. a legal obligation or consent).
7. Are data transferred to companies in third countries or an international organisation?
Data are generally only transferred to bodies in countries outside the European Union (so-called third countries) if, in addition to the general conditions for transferring data, there is an adequacy decision (Art. 45 GDPR) or appropriate safeguards (Art. 46 GDPR) and, where necessary, there are additional measures or the requirements of Art. 49 have been fulfilled (e.g. if the corresponding consent has been given).
8. How long will my data be stored?
We process your personal data only as long as it is necessary to fulfil the purposes of the processing described above. If the data are no longer necessary for the fulfilment of the processing purposes described above, they will be erased, unless their processing (for a limited time) is necessary for the following purposes:
- Fulfilling retention obligations under commercial and tax law: These include the German Commercial Code (Handelsgesetzbuch – HGB) and the German Anti-Money Laundering Act (Geldwäschegesetz – GwG). The periods for retention and documentation stated there last up to 10 years.
- Preservation of evidence in the context of legal limitation periods. According to Section 195 et seq. of the German Civil Code (Bürgerliches Gesetzbuch – BGB), these limitation periods may last up to 30 years, whereas the standard limitation period lasts for three years.
9. What rights do I have as a data subject?
As the data subject, you have the right of access under Article 15 GDPR. If a query is not in writing, we ask that, if necessary, you provide additional proof of your identity using another means. Moreover, you have the right to rectification under Article 16 GDPR, the right to erasure under Article 17 GDPR, the right to restriction of processing under Article 18 GDPR, as well as the right to data portability under Article 20 GDPR. The right of access and the right to erasure are subject to the limits according to Sections 34 and 35 of the German Federal Data Protection Act. In addition, there exists a right to lodge a complaint with a competent data supervisory authority (Article 77 GDPR in conjunction with Section 19 of the German Federal Data Protection Act).
Furthermore, you have the right to object under Article 21 GDPR and you can object to processing of personal data on the basis of Article 6(1)(e) or (f) GDPR at any time without giving reasons.