Know what´s inside:

Privacy policy

The following data protection notices inform you how GBA Holding GmbH and its subsidiaries handle your data. We inform you about the collection, storage and use of personal data, the legal basis for processing and your rights with respect to us.

We have taken technical and organizational measures to ensure that data protection regulations are observed both by us and by our technical partners and service providers.

On our homepage, only the personal and business data necessary for our service offer are recorded. All other information is voluntary. Furthermore, we assure you that we will not pass on your data stored with us to third parties or use it for any other purpose, e.g. for advertising by third parties, without your consent.

The following statements apply to all anonymous and registered, logged in users who have read-only access. Only a few specific GBA Group employees have write access. Other internal rules apply to them.

We attach great importance to the sensitive handling of all data provided by you and assure you of comprehensive data protection.

With regard to the definition of terms such as "personal data" or "processing" we refer to Article 4 GDPR.

Data Protection Guidelines – Information for Customers of the GBA Group

Protecting your privacy is an important issue for all of the companies in the GBA Group.

Notice to Customers of GBA Pharma GmbH Concerning Data Protection Rights

Protecting your privacy is an important matter for all companies within GBA Pharma GmbH.

1. Name and contact details of the person responsible

Those responsible for the website in accordance with Article 4 paragraph 7 of the EU Data Protection Regulation (GDPR) are

GBA Holding GmbH
Goldtschmidtstraße 5
21073 Hamburg,

represented by the CEO Steffen Walter.

This data protection information also extends to our Group companies. Each Group company is a responsible party in the sense of data protection law.

The names and contact persons of the responsible data protection officers can be found on this page.

You can contact the data protection officer of GBA Holding GmbH at
datenschutz@gba-group.de.

2. Provision of the website and log files

Description and scope of the data processing

Whenever our website is called up, our system, i.e. the web server, automatically records information from the calling computer or end device of the user. If you only use our website for information purposes (i.e. no registration or other transmission of information), we only collect the personal data that your browser sends to our server. We collect the following data:

  • information about the browser type and version used
  • the operating system of the user's end device
  • the Internet service provider of the user
  • the IP address of the user
  • date and time of access
  • form data

This data will not be stored together with other personal data of yours. The data serves the purpose of user-friendly, functional and secure delivery of our website to you with functions and contents as well as their optimization and statistical evaluation.

Legal basis of the data processing

The legal basis for the temporary storage of this data and the log files is Article 6 paragraph 1 (f) GDPR (our legitimate interests as a responsible website operator).

Purpose of the data processing

The temporary storage of the user's IP address by our system is necessary to enable the website to be delivered to the user's computer. For this purpose, the user's IP address must necessarily remain stored for the duration of the session.

The storage of the above-mentioned data in the log files is done to ensure the functionality of our website. In addition, this data serves us to optimize the website and to ensure the security of our information technology systems (e.g. to detect attacks). An evaluation of the data for marketing purposes does not take place in this context.

Duration of storage

To ensure the error-free functionality of our website, we store this data in server log files for a period of 190 days for security reasons. After this period has elapsed, they are automatically deleted, unless we need to keep them for evidence in case of attacks on the server infrastructure or other legal violations.

Normally there is no access to these log files, but if errors occur, they are used to investigate the cause.

3. Cookies

Description and scope of the data processing

We use so-called cookies when you visit our website. Cookies are small text files that your internet browser places and stores on your computer. When you visit our website again, these cookies provide information to automatically recognize you.

Our website uses session cookies, persistent cookies and third- party cookies:

Session cookies: We use so-called cookies to recognize multiple use of an offer by the same user (e.g. if you have logged in to determine your login status). When you visit our site again, these cookies provide information to recognize you automatically. The information obtained in this way serves to optimize our offers and to make it easier for you to access our site. When you close the browser or log out, the session cookies are deleted.

Persistent cookies: These are automatically deleted after a predetermined period of time which may vary depending on the cookie. You can delete or block the cookies at any time in the security settings of your browser.

Third-party cookies: You can configure your browser settings according to your wishes and, for example, refuse to accept third- party cookies or all cookies. However, we would like to point out at this point that you may then not be able to use all functions of this website. Please read more about these cookies in the respective privacy statements of the third-party providers we use.

Legal basis of the data processing

The legal basis for the processing is our legitimate interest (Article 6 paragraph 1 (f) GDPR) for essential cookies or your - at any time revocable - consent pursuant to Article 6 paragraph 1 (a) GDPR.

Purpose of the data processing

The information obtained in this way serves the purpose of optimizing our web offers technically and economically and enabling you to access our website more easily and securely. When you visit our website, you have the option of actively agreeing to the use of cookies for statistical and marketing purposes. Technically necessary cookies ("essential cookies") are needed to provide the functionalities of our website.

Duration of storage

he cookies are stored for different lengths of time. For more information, see the privacy settings in the cookie configuration panel.

General information on cookies

You can generally prevent cookies from being stored on your hard disk by selecting "do not accept cookies" in your browser settings. However, this can result in a functional limitation of our offers. You can object to the use of third-party cookies for advertising purposes by opting out using this American website (https://optout.aboutads.info)
or this European website (http://www.youronlinechoices.com/de/praferenzmanagement/)

4. Contact by e-mail or contact form

Description and scope of the data processing

When you contact us by e-mail or via a contact form, the data you provide (your e-mail address, your name and telephone number if applicable) will be stored by us in order to answer your questions.

On our homepage you have the possibility to fill out our online application form and send it to us. We assure you that we will use the personal data you entrust us with when filling out the application form exclusively in connection with your application. Your data will not be passed on to third parties.

Data on applicants who apply to the GBA Group for an advertised position will be stored in our systems for six months after completion of the vacancy and then deleted. Data of candidates who submit unsolicited applications will be checked and deleted if no suitable vacancy exists. If there is a suitable position available, this data will be used within the application process, especially for making contact. No applicant data will be passed on to third parties or transferred to a third country. You will find further information on this in our data protection.

Legal basis of the data processing

The legal basis for the processing of these data, which are transmitted in the course of a request, is Article 6 paragraph 1 (f) GDPR (our legitimate interests as the responsible party). In this case, our legitimate interest is a commercial interest, such as answering your enquiry, acquiring customers or similar.

If necessary, Article 6 paragraph 1 (b) GDPR (fulfilment of contract) can be an additional legal basis for the processing, as we can only come back to you and your request if we know a way to contact you. We use these data exclusively to be able to get back to you regarding the communicated concern.

Purpose of the data processing

The processing of this personal data serves us solely to process the contact.

Duration of storage

The above-mentioned data will be deleted as soon as they are no longer necessary for the purpose of their collection. For personal data sent by e-mail or contact form, this is the case when the respective conversation with the user has ended. The conversation is terminated when it can be concluded from the circumstances that the matter in question has been finally clarified.

Right of objection

The user has the possibility at any time to object to data processing based on our legitimate interest. The objection is to be sent to the following e-mail address:

datenschutz@gba-group.de.

In this case, all personal data stored in the course of the contact will be deleted, unless this is contrary to statutory storage obligations. For further information, please refer to the section on the rights of data subjects and the note on the right of objection (point 9).

5.Search function on the website

Description and scope of data processing

We use the search function of the provider Algolia Inc. on our website to search for and index content. By using Algolia, your IP address and your search query are transmitted to Algolia's servers and stored there for 90 days for statistical purposes. Please note the terms of use of Algolia and the privacy policy of the provider.

Legal basis of the data processing

The legal basis for the processing of these data, which are transmitted in the course of a request, is Article 6 paragraph 1 (f) GDPR (our legitimate interests as the responsible party). In this case, our legitimate interest is a presentable and user-friendly usability of our website.

Purpose of the data processing

The use of Algolia is for the purpose of making the information contained on our website easier to find and thus ensuring user- friendliness.

Duration of storage

The data is stored on the server of Algolia for a period of 90 days.

Right of objection

The user has the possibility at any time to object to data processing based on our legitimate interest. The objection should be sent to the following e-mail address:

datenschutz@gba-group.de

In this case, all personal data stored in the course of the contact will be deleted, unless this is contrary to statutory storage obligations. For further information, please refer to the section on the rights of data subjects and the note on the right of objection (point 9).

6. Tracking using Google Analytics

Description and scope of the data processing

We use the tracking tool Google Analytics on our website. In Google Analytics, the interactions of the user of our website are primarily recorded and systematically evaluated by means of cookies. If individual pages of our website are called up, the following data are stored:

  • three bytes of the IP address of the user's calling system (anonymized IP address)
  • the website accessed
  • the website from which the user accessed the page of our website (referrer)
  • the subpages that are accessed from the visited page
  • the time spent on the website
  • the frequency of access to the website

The software is set up so that the IP addresses are not stored completely, but the last octet of the IP address is masked (e.g.: 192.168.79.***). In this way, it is no longer possible to assign the shortened IP address to the calling computer or end device of the user.

In the event that IP anonymization is activated on this website, your IP address will be shortened by Google within member states of the European Union or in other states which are parties to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of

this website to evaluate your use of the website, to compile reports on the website activities and to provide further services to the website operator in connection with the use of the website and the internet. This website also uses Google Analytics for a cross-device analysis of visitor flows, which is carried out using a user ID. You can deactivate the cross-device analysis of your usage in your customer account under "My data", "personal data".

Legal basis of the data processing

The legal basis for the processing of users' personal data is Article 6 paragraph 1 (a) GDPR, the consent of the user. This consent can be revoked at any time. The data processing carried out up to the revocation remains unaffected by this. Google has submitted to the EU-US Privacy Shield which legally legitimizes the transfer of personal data to the USA: https://www.privacyshield.gov/EU-US-Framework.

Purpose of the data

The processing of the user's personal data using Google Analytics

processing

enables us to analyze the surfing behavior of our users. By evaluating the data obtained, we are able to compile information on the use of the individual components of our website. This helps us to constantly improve our own website and its user- friendliness.

Duration of storage

The data stored by tracking is deleted as soon as it is no longer needed for our recording purposes. This is the case with us after 26 months.

Right of objection

With the help of a browser add-on for deactivating Google Analytics JavaScript (ga.js, analytics.js, dc.js), the user can prevent Google Analytics from using their data on our website.

If the user wants to deactivate Google Analytics, they can download and install the add-on for the web browser they use. The add-on for deactivating Google Analytics is compatible with the current versions of Chrome, Internet Explorer, Safari, Firefox and Opera. For the add-on to work it must be loaded and run correctly in the browser. In Internet Explorer, third-party cookies must also be activated.

You can find more detailed information at https://tools.google.com/dlpage/gaoptout?hl=de

7. integration of Google Maps and Google Fonts

8. Newsletter (valid only for GBA Group Pharma, ABF, Pharmacelsus GmbH, LKF)

Description and scope of data processing

When you sign up for one of our newsletters, we require at least your email address, because otherwise we cannot send you the newsletter. You confirm your registration by means of a double opt-in; that means, after you register for the newsletter, you receive an email from us notifying you of this including a confirmation link. Only after you click on the confirmation link is your email address actually added to the newsletter mailing list. We utilize this process in order to ensure that you are actually the one who has entered your email address and that you actually want to receive the newsletter. Additionally, we as a company have the obligation to provide proof. In order to fulfill this obligation, we log your registration to the newsletter. For this purpose, we log the date and time of your registration and confirmation.

You have the possibility to cancel your registration at any time, even after registering for the newsletter. There is an opt-out link provided in each issue of the newsletter.

Legal basis of the data processing

We process your personal data that you provide in the context of registering for the newsletter based on Article 6, par. 1, let. b of the GDPR: for the purpose of fulfilling the contract and/or based on Article 6, par. 1, let. a of the GDPR: your consent, which can be revoked at any time.

We process the data concerning the opt-in process on the legal basis of Article 6, par. 1, let. f of the GDPR, since we have a legitimate interest in being able to provide proof of your registration for the newsletter in the potential event of a legal dispute. There is no obvious legitimate interest on your part for us not to process this data that might outweigh our legitimate interest. Moreover, the double opt-in process is also in your interest, because that is the only way to ensure that no unauthorized third party undertakes the registration process for you.

Purpose of the data processing

The purpose of processing the data is in order to be able to send company news and information.

Duration of storage

We save the data that you provide us with in the newsletter form until you revoke your consent and/or you cancel your subscription to our newsletter. Furthermore, the log data from the opt-in process is stored as long as legal claims could potentially be made against us, i.e. for a maximum of three years.

Further information

We use the US-American service provider Mailchimp for our newsletter. For the purpose of data protection, when data is processed in a non-EU state such as the USA, an appropriate level of data protection must be provided. In the case of Mailchimp, this is ensured using the “Privacy Shield” framework.

9. RDV log-in (valid only for customers of LKF)

Description and scope of the data processing

Customers of LKF receive log-in data with which they can gain access to a secured log-in area.

Legal basis for the data processing

The legal basis for temporarily saving this data is Article 6, par. 1, let. f of the GDPR (legitimate interest). The legitimate interest is to enable the access to results for the customers, monitors, and doctors sending information, in order to facilitate communication and provide an overview. If the contractual partner is a natural person, the legal basis is Article 6, par. 1, let. b of the GDPR.

Purpose of the data processing

The purpose of the data processing is the provision of laboratory values and study documentation.

This data is evaluated exclusively for the purpose of analyzing performance and errors, in the context of customer service, as well as in order to reproduce actions that have been executed. The data is not analyzed in this context for the purpose of marketing.

Duration of storage

Using the RDV log-in involves the one-time placement of a cookie. IP addresses are not logged.

In the context of studies, only names and e-mail addresses are saved. Those who receive access are provided passwords by us.

10. Data subject's rights

You have the following rights in relation to the personal data concerning you:

  • right to information
  • right of rectification or deletion
  • right to restrict processing
  • right to object to processing,
  • right to data portability

You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us. The responsible supervisory authority for our company is the State Commissioner for Data Protection and Freedom of Information Hamburg.

Information on the revocation of a consent

A person affected has the right to revoke his data protection declaration of consent to us at any time. However, this does not affect the legality of the processing that has taken place on the basis of the consent until the revocation.

Notice of the right of objection

If a processing operation is carried out on the basis of our legitimate interests as controller (Article 6 paragraph 1 (f) GDPR), you have the right to object to this processing operation at any time. We no longer process the personal data unless we can demonstrate compelling legitimate reasons for processing that outweigh the interests, rights and freedoms of the data subject, or unless the processing serves to assert, exercise or defend legal claims.

Information on complaints to a supervisory authority

Without prejudice to any other administrative or judicial remedy, a data subject shall have the right to lodge a complaint with a supervisory authority - in particular in the member state of the user's place of residence, the user's place of work or the location of the alleged infringement - if the user believes that the processing of his or her personal data by us contravenes the GDPR.

11. Recipients/categories of recipients

Recipients of your data are regularly employees of our company who are entrusted with the processing of inquiries and contracts. In addition, we use contractually bound data processors and partners for various services who sometimes act as independent responsible persons.

Without your consent we do not pass on any data to third parties. Should this be the case, however, the transfer will take place on the basis of the aforementioned legal bases or due to a court order or due to a legal obligation to hand over the data for the purpose of criminal prosecution, danger prevention or to enforce intellectual property rights. The data will not be passed on for other non- commercial or commercial purposes

We use contract processors (external service providers e.g. for web hosting of our websites and databases) to process your data. If data is passed on to the processors within the framework of an agreement on order processing, this is always done in accordance with Article 28 GDPR. We select our processors carefully, check them regularly and have the right to give instructions regarding personal data. In addition, the processors must have taken suitable technical and organizational measures and comply with the data protection regulations in accordance with the Federal Data Protection Act and GDPR. Processors are not considered third parties as defined in Article 4 No. 10.

12. Transfer of data to third countries

Should the processing be carried out by services of third parties outside the European Union or the European Economic Area, they must comply with the specific conditions of Article 44 et seq. GDPR. This means that the processing is carried out on the basis of specific guarantees, such as the EU Commission's officially recognized determination of a level of data protection equivalent to that of the EU or the observance of officially recognized specific contractual obligations, the so-called "standard contractual clauses". For US companies, submission to the so-called "privacy shield", the data protection agreement between the EU and the USA, fulfils these requirements.

Without appropriate data protection guarantees, a transfer of your data to a third country is not permitted.

13. The need to provide personal data

The necessity to provide personal data results from the use of our website or our services and depends on the respective degree of use and the requested services.

If you have any questions, please send us an e-mail to datenschutz@gba-group.de.

14. Existence of automated decision-making

We do not use automated decision making or profiling.

15. Data security

In order to protect all personal data transmitted to us and to ensure that the data protection regulations are observed by us and our external service providers, we have taken appropriate technical and organizational security measures. For this reason, all data between your browser and our server is transmitted encrypted via a secure SSL connection.

16. Links to websites of other providers

Our internet offer may contain links to websites of other providers. We have no influence on whether these providers adhere to the data protection regulations.

Those responsible for data protection

GBA Holding GmbH

internal:
Mark Piekereit
Gesellschaft für Bioanalytik mbH
Goldtschmidtstraße 5
21073 Hamburg
Tel.: 040 797172-0

external:
Ulrike Glöde
DonLuigi IT-Service D. Ortmann
Helbingstraße 66
22047 Hamburg
Tel.: 040 59468180

GBA Gesellschaft für Bioanalytik mbH

internal:
Mark Piekereit
Gesellschaft für Bioanalytik mbH
Goldtschmidtstraße 5
21073 Hamburg
Tel.: 040 797172-0

external:
Ulrike Glöde
DonLuigi IT-Service D. Ortmann
Helbingstraße 66
22047 Hamburg
Tel.: 040 59468180

GBA Pharma GmbH

internal:
Thomas Ritzengruber-Marlovits
GBA Pharma GmbH
Fraunhoferstraße 11a
82152 Martinsried
Tel.: 089 899229-0

external:
Gerald Lill
Projekt 29 GmbH & Co. KG
Ostengasse 14
93047 Regensburg
Tel.: 0941 2986930

Pharmacelsus GmbH

internal:
Dr. Klaus Biemel
Pharmacelsus GmbH
Science Park 2
66123 Saarbrücken
Tel.: 0681 3946-7523

external:
Ralf Müller
Gesellschaft für moderne
Informationstechnologie mbH
Bruchbrunnenstraße 19
66123 Saarbrücken
Tel.: 0681 960214-20

INSTITUT PIELDNER GmbH

internal:
Horst U. Pieldner
INSTITUT PIELDNER GmbH
Julius-Hölder-Str. 20
70597 Stuttgart
Tel.: 0711 722094-0

external:
Ulrike Glöde
DonLuigi IT-Service D. Ortmann
Helbingstraße 66
22047 Hamburg
Tel.: 040 59468180

Data Privacy Notice for Applicants

We are glad that you are interested in our company and that you have applied or are applying for a position to work together with us. In the following, we would like to provide you with information about how your personal data is processed in the context of your application.

Who is responsible for data protection?

The responsible entity in terms of data protection law is: GBA Gesellschaft Goldtschmidtstraße 5 21073 Hamburg You can find further information about our company, authorized representatives, as well as other contacts on our website:

https://www.gba-group.de/en/disclosure/

Which of your data do we process and for what purposes?

We process the data that you sent us in the context of your application in order to check your suitability for the position (or, where applicable, for other open positions in our company) as well as to carry out the application process.

What is the legal basis for this?

The legal basis for the processing of personal data in the application process is primarily § 26 of the German Federal Data Protection Act in the version that is valid as of May 25th, 2018. According to this law, it is permitted to process data that is necessary in the context of making a decision concerning a position of employment. If, after the application process is completed, the data is required for a legal proceedings, then data processing may occur upon the legal basis of the conditions stated in Article 6 of the GDPR, in particular for the purposes of legitimate interests as per Article 6, paragraph 1, letter f of the GDPR. Our interests then consist of the assertion of or defense against legal claims.

How long is the data saved?

If an application is declined, the data from the applicant is deleted after 6 months. If you consent to having your personal data saved beyond this point, we will store your data in our pool of applicants. The data will then be erased after one year has passed. If, in the context of the application process, you receive a position at our company, the data will be transferred from our applicant data system to our employee database.

Who will receive the data that is transferred?

We use a specialized software provider for the application process. This company acts as a service provider for us, thus in the context of system maintenance, they could also gain knowledge of your personal data under certain circumstances.

This supplier has signed an order-processing contract with us, which ensures that the data processing occurs in a permissible way. Your applicant data will be viewed by the Human Resources department after your application is received. Suitable applications are then forwarded internally to the relevant department managers for the open position. The subsequent procedure will then be determined. Fundamentally, inside the company, only those who require your data in order to conduct the application process properly have access to it. If necessary, we forward your data to the following recipients:

  • Companies of the GBA Group as well as internal departments that are assigned with processing your application,
  • Tax agencies, auditors, and other agencies, if we are convinced in good faith that we are required by law or other provisions to forward this data,
  • External suppliers as well as providers of external IT services and storage providers, if there is a corresponding processing agreement on hand (or a similar form of protection).

Where is the data processed?

The data is processed exclusively in data centers in Germany.

Applying online using our application portal

When applying using our online application tool, you have the opportunity to import your data from professional networks. In order to do so, you must log in there with your individual account. Only then does the data transfer occur. For more information on this, please refer to the notices on our application portal.

Your rights as a “data subject”

You have the right to disclosure concerning the personal data that we process related to you. If the request for access is not provided in written form, we ask for your understanding that we may request proof of identification to ensure that you are the person that you are reporting to be. Furthermore, you have a right to have the data corrected or erased or to limit the processing thereof, insofar as this legally appertains to you. In addition, you have a right to object to the processing of your data even within the context of the legal regulations. The same is valid for the right of portability. You have the right to file a complaint with a monitoring agency for data privacy about the way your personal data is processed by us.

Our Data Protection Officer

For further information pertaining to the way the GBA Group handles personal data, the individuals responsible for data protection and the external data protection officer are available to assist you (https://www.gba-group.de/en/about-us/data-privacy// ).

© 2020 GBA Group
Data PrivacyLegal NoticeTerms& ConditionsDisclosure