Data security

We take the protection and security of our employee, business partner, and customer data seriously. 
The respect of privacy is thus a serious concern to which we pay special attention when processing and using personal data. Insofar as personal data is collected (e.g. your name, address, or other contact details), it is processed and used exclusively in accordance with applicable data protection regulations.
In the following we would like to inform you about the collection of personal data when using this website. Personal data is any data that refers to you personally – e.g. name, address, e-mail address, user behaviour.
 
1. Controller & data protection officer
The controller responsible for the collection, processing, and use of your personal data in the context of the General Data Protection Regulation (GDPR) is:

PHOENIX Pharmahandel GmbH & Co KG
Pfingstweidstraße 10–12
68199 Mannheim, Germany

Headquarters: Mannheim
Register Court: Local Court Mannheim HRA 3551
You can contact our data protection officer at Datenschutz(at)phoenixgroup.eu or via our postal address, marked for the attention of “the data protection officer”.

2. Collection of personal data when visiting our website
(1) When you use the website for information purposes only – i.e. if you do not register or otherwise provide us with information – we collect only the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security:
–    IP address
–    Date and time of the request
–    Time zone difference from Greenwich Mean Time (GMT)
–    Content of the request (specific page)
–    Access status/HTTP status code
–    Amount of transferred data
–    Referrer URL
–    Browser
–    Operating system and its interface
–    Language and version of the browser software

The lawful basis for processing this data is Art. 6(1)(f) GDPR. Our interests in the data processing are, in particular, to enable the use of the website by guaranteeing the stable operation and security of the website. Where not specifically indicated, we store personal data only for as long as it is necessary to fulfil the purposes for which it was collected.

(2) In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive by the browser and through which certain information flows. Cookies cannot execute programs or transmit viruses to your computer. Their purpose is to make websites more user-friendly and effective.

So that we can determine whether you have consented to the processing of data in connection with cookies/plug-ins (if necessary), we set a cookie, on the basis of our legitimate interest (Art. 6(1)(f) GDPR), that informs us to which type of data processing you have given your consent or if you have not consented.

Of course, you can also view our website without cookies. Internet browsers are generally set to accept cookies. You can disable the use of cookies at any time via your browser settings. Please use the help functions of your Internet browser to find out how to change these settings. Please note that some features of our website may not work if you have disabled the use of cookies.

(3) If you have given us your consent, we will use Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics allows us to compile statistics about the use of our website and its sources. The cookies are stored for two years. We use Google Analytics exclusively for statistical purposes – e.g. to track how many users have clicked on a specific element or piece of information.
The lawful basis for the processing is your consent (Art. 6(1)(a) GDPR), which you can provide in the cookie banner. If you have not given us your consent, your use of our website will not be recorded by Google Analytics.
Google Analytics is based on cookies and records information about your use of our website, including your IP address. To prevent website visitors being identified via their IP addresses, we use a specific code to ensure that your IP address is only transmitted in a truncated and therefore anonymous form. It is no longer possible to identify individual users with this shortened IP address. 

You can find more information about data protection with Google Analytics here.
You may revoke your consent with effect for the future by downloading and installing the plug-in available from the following link: tools.google.com/dlpage/gaoptout .
In addition, you can change the settings here or via the opt-out page of the Network Advertising Initiative (NAI).
Alternatively, you can also disable Google cookies via the Digital Advertising Alliance website using the following link: http://optout.aboutads.info/?c=2#!/
Finally, you can prevent cookies from being stored via your browser’s general settings.
General note about Google: 
The information recorded by Google Analytics is sent to Google, which is based in the USA. Google is self-certified under the Privacy Shield to ensure adequate protection of your personal data in accordance with EU law.

Further information about data protection at Google can be found at https://policies.google.com/privacy?hl=en.

3. E-mail contact
If you contact us (e.g. via the contact form or e-mail), we store your details in order to process your query and for any follow-up questions. We delete this data when it no longer needs to be stored or restrict its processing if there are legal obligations to keep the data. We store and use other personal data only if you consent to this or this is legally permissible without specific consent.

4. Google Maps
The website incorporates Google Maps via an API in order to display geographical information visually. Our legitimate interests are derived from this purpose. The IP address needs to be processed by Google in order to display the map. When you visit the website, Google is notified that you have accessed the relevant subpage of our website. The data is processed on the lawful basis of Art. 6(1) sentence 1(f) GDPR. Our cooperation with Google LLC in data protection aspects is based on an agreement regarding shared responsibility in accordance with Art. 26 GDPR, which can be viewed here.
By using Google Maps, the user enters directly into a user relationship with Google. 

General note about Google: 
The information recorded by Google Maps is sent to Google, which is based in the USA. Google is self-certified under the Privacy Shield to ensure adequate protection of your personal data in accordance with EU law. Further information about data protection at Google can be found at https://policies.google.com/privacy?hl=en.

5. Google Fonts
To ensure the consistent display of fonts, our website uses the fonts service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). When you access a webpage, your browser loads the required web fonts into your browser’s cache in order to correctly display text and fonts. To do this, the browser you are using needs to communicate with Google’s servers. This involves transmitting personal data to the servers of Google LLC in the USA. Google will be informed, for example, that our website has been accessed via your IP address. Google Fonts is used to ensure that our online services are presented in a consistent and attractive way. Our legitimate interests within the meaning of Art. 6(1)(f) GDPR are derived from these purposes.
In the event that personal data is transmitted to Google LLC, which is based in the USA, Google LLC has obtained certification under the EU–US data protection convention Privacy Shield, which guarantees compliance with the level of data protection applicable in the EU.
You can find more information on Google Fonts at developers.google.com/fonts/faq and in Google’s Privacy Policy: https://www.google.com/policies/privacy.

6. Vimeo
We use the provider Vimeo to embed and display videos; our legitimate interests are directly derived from these purposes. Vimeo is operated by Vimeo, LLC, with its headquarters at 555 West 18th Street, New York, NY 10011, USA. If you access webpages forming part of our Internet presence that contain embedded videos – e.g. if you play a video – a connection is established with the Vimeo servers and the video is shown. Information about which of our webpages you have visited and your IP address are then transmitted to the Vimeo server. If you are logged in to Vimeo as a member, Vimeo will associate this information with your personal user account. If you use the plug-in – e.g. click the play button on a video – this information is also associated with your user account. The lawful basis is Art. 6(1) sentence 1(f) GDPR. You can prevent this information from being associated with your account by logging out of your Vimeo user account before using our website and deleting the relevant cookies from Vimeo.
For more information on data processing and advice on data protection by Vimeo, please visit vimeo.com/privacy.

7. Photos
We often take photos at events. The photos are used internally and externally (in print media, on websites, etc.). On arrival at the event, attendees are advised that photos may be taken and used. Every effort is made when taking and publishing photos to ensure that this does not violate the legitimate interests of the groups of persons pictured.
The lawful basis for processing this data is generally a legitimate interest within the meaning of Art. 6(1)(f) GDPR: Customer and/or employee events and presentation of the data controller’s marketing activities, as well as consent (Art. 6(1)(a) GDPR). You have the right to object to this processing: datenschutz-pph(at)phoenixgroup.eu
The photos will generally be deleted within 12 months of their creation, insofar as the purposes of taking the photo no longer apply.

8. Your rights
In the following we would like to inform you about your rights according to the GDPR:

Right of access
You have the right to request confirmation of whether data concerning you is being processed and, if this is the case, to request information regarding this data according to Art. 15 GDPR.

Right to rectification
In accordance with Art. 16 GDPR, you have the right to request the completion or correction of inaccurate data concerning you.

Right to erasure
With reference to Art. 17 GDPR, you have the right to demand that your personal data be deleted, provided that there are no legal obligations to keep the data. 

Right to restriction of processing
You may demand restriction of the processing in accordance with Art. 18 GDPR.

Right to data portability
You have the right to request a copy of the personal data we hold about you and, in addition, to request that it be transmitted to other data controllers.

Right to object
You may object to the processing of your personal data in accordance with Art. 21 GDPR at any time.

Right to withdraw consent
You have the right to withdraw consent at any time in accordance with Art. 7(3) GDPR with effect for the future.

Right to lodge a complaint with a supervisory authority
In accordance with Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.

9. Reporting system for data protection incidents
The PHOENIX group, i.e. PHOENIX Pharmahandel GmbH & Co KG as well as its affiliated companies within the meaning of sections 15ff of the German Stock Corporation Act (AktG), has established a web-based reporting system that provides our employees, business partners, customers, and third parties with a simple system for reporting data incidents or problems. These reports are taken seriously, reviewed and actioned regularly, and used to improve the protection of personal data. You can access this reporting system at any time via https://phoenixgroup-databreach.integrityplatform.org.
In order to explain the background to the reporting system in more detail, we have also answered a number of frequently asked questions below:

When should I report an incident? 
PHOENIX group has an obligation to notify the supervisory authority within 72 hours of becoming aware of an incident. This means that all incidents must be reported without undue delay via the online reporting tool.

Which data protection incidents need to be reported and how?
All personal data incidents are to be reported to the data protection officer via the online reporting tool. 

What is a data protection incident? 
A data protection incident is any event that has resulted, or could result, in the accidental or deliberate loss of personal data (electronic or paper) or destruction of data, or unauthorised access to data (e.g. loss or theft of laptops, smartphones, paper documents, prescriptions).

What happens after I submit a report? 
The data protection officers will review the incident report and contact you for further information or, where necessary, assist you with post-incident actions.

10. General
We reserve the right to modify our data protection declaration. This may be necessary as a result of technical developments, for example. We therefore ask you to consult the data protection declaration from time to time and to apply the current version.

If you have any further questions regarding the processing of your personal data, please contact the designated data protection officer.