Privacy Policy for Business Partners and Consumers

Swiss Pharma Ltd is a member of the Swiss Galenica Group. The “Galenica Group” refers to Galenica Ltd. and its member companies. An overview can be found here: Organisation of the Galenica Group.

Swiss Pharma Ltd is a pharmaceutical company that distributes products of the brands Otalgan (OTC drugs and medical devices) and Perskindol (medical devices and cosmetic products) in Europe. The company is a German subsidiary of the Swiss Galenica Group.

The companies of the Galenica Group use data concerning you or other persons (so-called “third parties”). In the following, we use the term “data” synonymously with “personal data”. Personal data means any information relating to an identified or identifiable person.

In this Privacy Policy, we describe how we process personal data from suppliers, service providers, clients and other business partners or their employees and other auxiliaries as well as consumers of the pharmaceuticals, medical devices and cosmetic products sold by Swiss Pharma in the course of our business, whenever such processing is not obvious and the applicable data protection law requires information. If you are connected to us as an employee or other auxiliary person of one or more business partners, you will find information about our data processing in this Privacy Policy. If, for example, you send us a general or medical enquiry, notify us of a suspected adverse drug effect (e.g. side effect), safety-relevant information about our products, or a quality defect of a product, you will find specific information about our data processing in this regard in sections 3.5, 4.2, and 7.2 of this Privacy Policy. If you use our online services (e.g. websites), you will find information about our data processing in this regard in section 6. In addition, we may inform you separately about the processing of your data, e.g. in declarations of consent, additional privacy policies, forms and notices.

If you provide us with data about other persons, for example, if you provide us with information about them on behalf of another person, please ensure that these persons are aware of this Privacy Policy. In addition, only share their data with us if you are permitted to do so and if the data is accurate.

Swiss Pharma Ltd, Rheinzaberner Str. 8, 76761 Rülzheim (“we” or “us”) is responsible for the data processing described here.

If you have any questions, please contact nfswssphrm.

Depending on the occasion and purpose, we process different categories of personal data. The most important categories are listed below, but this list may not be exhaustive.

We process data of the persons with whom we are in contact, such as name, contact details, job details and communication details, as well as details of executives, etc., as part of the general information regarding companies we work with.

We generally obtain your personal data from you but may also obtain it from other persons who work for your company. In addition, we may obtain personal data from third parties, such as entities you work for, or from our contractual partners, associations and publicly available sources, such as public registers or the internet (websites, social media, etc.).

Master data refers to the basic data that we need for the purpose of processing our business relationships, as well as for marketing and advertising purposes, and that relates directly to you and your characteristics. For example, we process the following master data:

• title, name, sex and date of birth;
• address, contact details such as e-mail address and telephone and mobile number;
• relationships with the company you work for;
• signatory powers, proxies and declarations of consent.

Contract data is information that arises regarding the conclusion or performance of the contract, e.g. information about contracts and the services to be provided or rendered, as well as data from prior to the conclusion of a contract, information about the conclusion of the contract itself (e.g. the date of conclusion and the subject matter of the contract), as well as the information required or used for its execution. For example, we process the following contract data:

• date, application process, information on the type and duration of and terms of the contract in question, details regarding the termination of the contract;
• contact details and delivery addresses;
• information on the use and offers of services;
• information on the goods purchased;
• details of payments and payment terms, invoices, reciprocal claims, contacts with customer service, objections, defects, returns, details regarding customer satisfaction, complaints, feedback, etc.

We receive this data from you, as well as from partners we work with. Again, this data may relate to your company, in which case it does not constitute “personal data”, but it may also relate to you if you work for a company or if you yourself purchase services from us.

Communication data is data related to our communication with you or with third parties about you, e.g. when you contact us via the contact form or other means of communication. Examples of communication data are:

• name and contact details, e.g. postal address, e-mail address and telephone number;
• content of correspondence (e.g. e-mails, written correspondence, telephone conversations, chat messages, etc.);
• information concerning the type, time and, where applicable, the location of the communication and other metadata relating to it.

If we record telephone conversations, we will notify you at the beginning of each call. If you do not agree to the recording and storage of the conversation, you also have the option of terminating the conversation or contacting us via other communication channels.

Technical data is collected in connection with the use of our website. These include, e.g., the following data:

• IP address of the end device and device ID;
• information about your device, its operating system or language settings;
• information about your internet provider;
• content or logs accessed in which the use of our systems is recorded;
• the date and time of your access to the website and your approximate location;

We may also assign you or your end device an individual code (e.g. by means of a cookie). This code is stored for a certain period of time, often only for the duration of your visit. As a rule, we cannot infer who you are from technical data.

Health data is information about your state of health (e.g. about your diagnoses, examination results, personal or family history, diseases, risk factors, forms of therapy or vaccinations) and your treating doctors. It also includes information about individuals who report adverse events (e.g. side effects) to us about themselves (or others) or report a special case scenario (e.g. exposure during pregnancy, lactation, overdose, lack of efficacy, etc.) or make medical enquiries or complaints about product quality, including health care professionals and carers. This enables us to respond to enquiries and to obtain additional information if necessary.

We may also collect information from you in other situations. Data (such as files, evidence, etc.) that may relate to you is collected in connection with official or court proceedings.

We primarily use your data in relation to your purchase of goods or services or in connection with our relationships with our business partners. In such cases, we process your data in order to prepare for the conclusion of the contract and to implement the corresponding contract. In addition, we may process your data for the purposes specified in detail below and for other purposes that we inform you of separately or are obvious:

• to provide, improve and further develop our offerings and services. For this purpose, we may process data including but not limited to master data and contract data;
• to process contracts, including shipping and payment processing, to manage receivables and to process returns, complaints and warranty claims. For this purpose, we may process data including but not limited to master, contract and communication data. Further information can be found in our GTC ;
• for communicating with you and with third parties, e.g. when processing your enquiries via customer service, we may process data including but not limited to master, contract and communication data;
• to verify and comply with legal obligations. For this purpose, we may collect and process data including but not limited to master data;
• to detect, investigate and prevent misuse, criminal offences and other misconduct (e.g. conducting internal investigations and performing data analyses to combat fraud). For this purpose, we may, in particular, process master, contract and communication data as well as your other data;
• to assert and defend against legal claims in connection with legal disputes and official proceedings. For this purpose, we may, in particular, process master, contract and communication data, as well as your other data;
• to manage, guarantee and improve our operations, particularly our IT, websites, as well as for accounting, archiving, training and other administrative purposes. For this purpose, we may process master, contract data, as well as other data;
• for other purposes, e.g. in the context of corporate transactions and related investigations and transfers of personal data and to safeguard other legitimate interests. All the aforementioned categories of personal data may be relevant for this purpose;
• no automated decision-making will be made based on your data.

If, for example, you send us a general or medical enquiry, report a suspected adverse drug reaction (e.g. side effect), safety-related information about our products, or a quality defect in a product, we may process data including but not limited to master, communication, health and other data. In this regard, we may process your data for the purposes specified in detail below and for other purposes that we inform you of separately or that are obvious:

• monitoring the safety of medicinal products, including the detection, evaluation, follow-up and prevention of adverse events and the reporting of adverse events to health authorities;
• responding to medical enquiries, e.g. regarding the dosage and composition of our products, interactions with other medicines and foods and use in comorbidities;
• responding and, if applicable, making necessary inquiries as to quality complaints regarding our products, such as quality defects;
• answering other questions or requests and improving our products;
• adhering to our guidelines and legal, regulatory and compliance requirements, conducting audits and asserting, establishing, exercising and defending against legal claims.

The use of your data, depending on the purpose, is based on the following legal justifications:

• needed in order to conclude or perform a contract or to take steps prior to entering into a contract, to comply with legal obligations, to protect vital interests, to ensure high standards of quality and safety in healthcare and regarding pharmaceuticals and medical devices, for scientific research or statistical purposes;
• the assertion or exercise of or defence against legal claims;
• based on your consent;
• or based on a legitimate interest.

In particular, we have a legitimate interest in the use of the respective data types for the referenced purposes. This includes providing third-party services to you and developing and improving our products.

The comments in this section 6 relate mainly to our websites.

Every time our websites are used, technical data is generated for technical reasons and is temporarily stored in log files (as log data) (see section 3.4 above). We use this data to enable our websites to be utilised to ensure system security and stability and to optimise our websites, as well as for statistical purposes.

Our websites also use cookies, i.e. files that your browser automatically stores on your device. This enables us to distinguish individual visitors from others, but usually without identifying them. Cookies may also contain information about pages visited and the duration of the visit. Certain cookies (“session cookies”) are deleted when the browser is closed. Others (“permanent cookies”) remain stored for a certain period of time (usually a few days to two years) so that we can recognise visitors when they visit us later and store, for instance, your user preferences, such as the language you choose and your login details. We may also use other technologies to recognise website visitors. For example, data such as the characteristics of the device you are using or the identification number of your mobile device are stored.

We may use visible and invisible image elements in our websites.

Using cookies and other technologies helps us to understand how you use our websites. This enables us to improve our online services and also to display offers tailored to you.

You can set your browser to reject cookies, store them only for one session, or delete them prematurely, or you can uninstall the relevant app if these adjustments cannot be made through its settings. Most browsers are preset to accept cookies. You can find more information on this in your browser's help pages (usually under the heading “Privacy”). If you block cookies, certain features (such as language selection, shopping cart, ordering processes) may no longer work.

Cookies and other technologies may also originate from third-party companies that provide us with certain features. These third-party companies may be located outside Switzerland and the EEA. Cookies and similar technologies from third-party providers may enable them to approach you with personalised advertising on our websites or on other websites and in social networks that also collaborate with these third parties and to measure how effective advertisements are (e.g. whether you arrive at our websites via an advertisement and what actions you then take on our websites). The relevant third-party providers may record website usage for this purpose and combine their records with further information from other websites. In this way, they can record user behaviour across several websites and end devices in order to provide us with statistical evaluations on this basis. The providers may also use this information for their own purposes, e.g. for personalised advertising on their own website or other websites. If a user is registered with the provider, the provider can assign the usage data to the relevant person. Such processing of your personal data is carried out on the provider's own responsibility in accordance with its own privacy policy.

We comply with the principle of proportionality when disclosing data. Our employees process your data as part of their work activities.

We may disclose your data to other companies outside the Galenica Group insofar as we use services from these companies. These include, for example, external service providers (e.g. IT service providers, freight forwarders for the shipment of goods, printing companies for the printing of postal items, consultants and service providers in other areas). In certain cases, data may also be disclosed to third parties to process it on their own responsibility or on joint responsibility, e.g. to

• Swiss and foreign authorities, public offices or courts in the event of proceedings or a surrender request;
• acquirers or interested parties in acquiring business units;
• other parties in potential or pending legal proceedings.

Contracts are concluded with recipients of your data in accordance with the requirements of data protection law.

We may disclose your information to the pharmaceutical manufacturer and health authorities, the competent regulatory and control authorities, national and/or international regulatory, enforcement authorities, public bodies or a court if we are required to do so by applicable laws or regulations or at their request.

In certain cases, data may also be disclosed to third parties to process it on their own responsibility or on joint responsibility, e.g. to

• other pharmaceutical and medical device companies, if the adverse event, request for information or complaint relates to one of their products;
• service providers acting on our behalf, such as data hosting providers and service providers for the processing of adverse events (including call centre providers). These third parties are contractually obligated to protect the confidentiality and security of personal data in accordance with applicable law;
• other third parties (e.g. insurance companies), insofar as necessary in connection with the assertion, establishment, exercise of and defence against legal claims;
• other parties in potential or pending legal proceedings.

The recipients of your data process it in Germany and Switzerland. Data processing may also take place in the wider European Economic Area, in the USA and potentially worldwide. This applies particularly to countries in which service providers are located (such as Microsoft). If we transfer data to a country that lacks adequate statutory data protection, we ensure an adequate level of protection by means of appropriate contracts (namely based on the Standard Contractual Clauses of the European Commission, which are available for download here ) unless a statutory exception applies (e.g. for consent, for the performance of contracts, for the establishment, exercise or enforcement of legal claims, for the protection of overriding public interests, for published data or for the protection of the vital interests of the data subjects). You may obtain a copy of the above-mentioned contractual guarantees at any time from the points of contact named in section 2.

We process and store your personal data as long as required for the performance of our contractual obligations and compliance with legal obligations or for the other purposes pursued with the processing, i.e. for the duration of the entire business relationship (from the initiation, during the performance of the contract until it is terminated) as well as beyond this duration in accordance with legal retention and documentation obligations. Data may be retained for the period in which claims may be asserted against us and to the extent that we are legally obligated to retain it or legitimate business interests require it to be retained (e.g. for evidentiary and documentation purposes). Information on suspected cases of adverse drug effects or a quality defect of a product, including the personal data contained therein, are retained for at least 10 years after the expiry of the marketing authorisation of a product. Information on product complaints, including the personal data contained therein, are retained for at least 15 years. As soon as your data is no longer required for the aforementioned purposes, it will be deleted or anonymised.

We take appropriate technical (e.g. encryption, pseudonymisation, logging, access restriction, data backup, etc.) and organisational (e.g. instructions to our employees, confidentiality agreements, audits, etc.) security measures to maintain the security of your data, to protect it against unauthorised or unlawful processing and to prevent the risk of loss, accidental alteration, unwanted disclosure or unauthorised access. This includes, for example, issuing instructions, training, IT and network security solutions, access controls and restrictions, encryption of data carriers and transmissions, pseudonymisation and controls.

You have the right of access to, rectification and deletion of your data, provided that there are no overriding interests on our part or to legal or regulatory obligations to the contrary. You can object to data processing, revoke consent, have the right to restriction of processing, and to data portability.

In general, exercising your rights requires that you clearly prove your identity (e.g., by a copy of identification documents when your identity is not evident otherwise or cannot be verified in another way). In order to assert your rights, you may contact us at the points of contact specified in section 2.

In addition, every data subject has the right to enforce his/her rights in court or to lodge a complaint with the competent data protection authority (e.g. the Bavarian Data Protection Authority [Das Bayerische Landesamt für Datenschutzaufsicht]).

This Privacy Policy is not part of a contract. We may amend this Privacy Policy at any time. The version published on our website is the current version.