Privacy Statement for customers, suppliers and prospects

How we process personal data

We are committed to the protection of your personal data, “we” referring to the controller referred to in Section 1.

We would like to inform you how we handle your personal data which we process in connection with our business relationship (hereinafter “data”), “personal data” meaning information relating to an identified or identifiable person.

1. Controller

Controller of the processing operations:

Gebro Pharma GmbH, 6391 Fieberbrunn, Austria, registered under FN 377056w regional court of Innsbruck,
T: +43 (0)5354 53000
F: +43 (0)5354 5300-2710 or 82100
E: pharma@gebro.com

2. Categories of processed data:

We process different categories of data, depending on the kind of business relationship with you. We receive data either from you or from third parties (e.g. from your employer, from rating agencies) or from public registers (e.g. land register, companies register).

2.1 Prospects

If you are interested in our products we will process the following of your data:

  • Salutation, name
  • Academic title
  • Address
  • Phone or cell phone number
  • E-mail address or other mailing information from modern means of communication
  • Credit standing information
  • If the prospect is a legal entity according to GDPR, we will process the following data of the prospect’s point of contact:
    Salutation, name
    Additional information to address communications to the prospect, including e-mail address or other mailing information arising from modern means of communication.
    Position held with the prospect
    Scope of authorization
    Processed business cases
    Data exchange key (if appropriate)
    Image data from designated video surveillance operations

2.2 Customers

If you buy any of our products, we will process the following data:

  • Customer number
  • Salutation, name
  • Academic title
  • Address
  • Phone or cell phone number
  • E-mail address or other mailing information arising from modern means of communication
  • Bank details
  • Financing and payment terms
  • Credit standing information
  • Purchase price
  • Account / document data
  • Credit card information
  • Bank guarantees, bonds
  • Insurance and/or customs data
  • Tax liability and tax calculation data
  • Credit management data
  • Performance data
  • Various blocking data:
    Contact blocking
    Invoice blocking
    Supply blocking
    Posting blocks
    Payment blocking
  • Dunning and legal action information
  • If the customer is a legal entity according to GDPR, we will process the following data of the customer’s point of contact:
    Salutation, name
    Additional information to address communications to the customer, including e-mail address or other mailing information arising from modern means of communication.
    Position held with the customer
    Scope of authorization
    Processed business cases
    Data exchange key (if appropriate)
    Image data from your participation in events (e.g. training courses, seminars, company events).
    Image data from designated video surveillance operations

2.3 Suppliers / subcontractors

We process the following information of our suppliers and subcontractors:

  • Supplier number
  • Company name
  • Business address
  • Phone number
  • E-mail address or other mailing information from modern means of communication
  • Fax number
  • VAT number
  • Object of supply or service
  • Terms of supply and service, e.g. place of delivery, date of delivery
  • Commercial register information
  • Credit standing information
  • Bank details
  • Account / document data
  • Credit card information
  • Bonus, commission and similar information
  • Financing and payment terms, including down payments and value adjustments
  • Bank guarantees, bonds
  • Insurance and/or customs data
  • Tax liability and tax calculation data
  • Credit management data
  • Performance data
  • Various blocking data:
    Contact blocking
    Invoice blocking
    Supply blocking
    Posting blocks
    Payment blocking
  • Dunning and legal action information
  • If the supplier/subcontractor is a legal entity according to GDPR, we will process the following data of the supplier’s point of contact:
    Salutation, name
    Additional information to address communications to the supplier, including e-mail address or other mailing information arising from modern means of communication.
    Position held with the supplier
    Scope of authorization
    Processed business cases
    Data exchange key (if appropriate)
    Image data from your participation in events (e.g. training courses, seminars, company events).
    Image data from designated video surveillance operations

3. Purposes for which we process data and legal basis for processing operations

We process data for different purposes and in reliance on different legal bases, depending on the kind of business relationship with you.

3.1 Prospects

We process and transfer data to solicit business based on your interest in one of our products, including text documents (such as correspondence) created or archived in these cases with the aid of computer technology.

We lawfully process data based on the necessity to take steps at your request prior to entering into the contract or, in case of data of our contact point, based on our overriding legitimate interest in processing your requests and entering into a business relationship with you.

Before the conclusion of a contract and throughout an existing contract (if you are already a customer), we have a legitimate interest in examining your credit standing to ensure that you are able to fulfil your obligations vis-à-vis us. In the context of examining your credit standing, we will transfer the following information to a rating agency as processor in return for receiving information on your credit standing: name, address, date of birth. The rating agency carries out profiling operations. Should your credit rating be too low, we can refuse to conclude a contract with you or insist that you provide securities or make advance payments. Decisions whether your credit rating is too low or whether we refuse to conclude a contact and/or insist on the provision of securities and/or the making of advance payments will always be taken by a human being. You have the right to object to profiling or to comment on the result of profiling (and provide further information).

3.2 Customers

We process and transfer data in connection with the business relationship with you, including text doc-uments (such as correspondence) created or archived in these cases with the aid of computer technology.

Image data generated from your participation in events are processed to document the event on our website and in our publications (e.g. company newsletter) or to use such data for advertising (e.g. product folders).

We lawfully process data based on the necessity to perform the contract concluded with you or, in case of data of your contact point, based on our overriding legitimate interest in conducting our business relationship and processing your orders and contracts.

We process image data from your participation in events based on your consent, which you may revoke at any time, without prejudice to the lawfulness of processing operations conducted prior to the date of revocation.

We process image data generated from video surveillance operations at publicly accessible places that are subject to our domiciliary right or to monitor our facilities in order to control these or to identify failures. We lawfully process such image data based on our overriding legitimate interest, which consists in the achievement of these purposes.

If you fail to fulfil your obligations arising under the contract, we have a legitimate interest in processing your data to enforce our claims.

3.3 Subcontractors / suppliers

We process and transfer data in connection with the business relationship with you, including text documents (such as correspondence) created or archived in these cases with the aid of computer technology.

Image data generated from your participation in events are processed to document the event on our website and in our publications (e.g. company newsletter) or to use such data for advertising (e.g. product folders).

We lawfully process data based on the necessity to perform the contract concluded with you or, in case of data of our contact point, based on our overriding legitimate interest in conducting our business relationship and processing your orders and contracts.

We process image data from your participation in events based on your consent, which you may revoke at any time, without prejudice to the lawfulness of processing operations conducted prior to the date of revocation.

We process image data generated from video surveillance operations publicly accessible places that are subject to our domiciliary right or to monitor our facilities in order to control these or to identify failures. We lawfully process such image data based on our overriding legitimate interest, which consists in the achievement of these purposes.

If you fail to fulfil your obligations arising under the contract, we have a legitimate interest in processing your data to enforce our claims.

4. Data recipients

Data are accessible by in-house staff who need such data for the performance of the contract or for compliance with reporting, recording and informational duties, and for the exercise of our legitimate interests (if we invoke such interests). We will transfer data relevant in a particular case to different external recipients, depending on the kind of business relationship with you:

4.1 Prospects

We transfer your name, date of birth, and your address to a rating agency, if we examine your credit rating. We do not transfer any other data.

4.2 Customers

We will transfer data to the following recipients if you buy one of our products:

  • to banks for the processing of payment transactions
  • to our tax advisor, and our public accountant, where necessary for them to fulfil their tasks
  • to our subcontractors / suppliers involved in the provision of our services, to the extent necessary for them to fulfil their respective tasks
  • to administrative and fiscal authorities
  • to our lawyer in connection with dunning letters and collection proceedings, where necessary for them to fulfil their tasks
  • to courts
  • to our IT service providers
  • to the rating agency commissioned to examine your credit rating

4.3 Subcontractors / suppliers

We will transfer processed data of our suppliers and subcontractors to the following recipients:

  • to banks for the processing of payment transactions
  • to our accountant, our tax advisor, and our public accountant, where necessary for them to fulfil their tasks
  • to our customers, as recipients of your services
  • to administrative and fiscal authorities
  • to our lawyer in connection with dunning letters and collection proceedings, where necessary for them to fulfil their tasks
  • to courts
  • to our IT service providers
  • to the rating agency commissioned to examine your credit rating

5. Data subject rights

Subject to data protection laws, you have the right to information on your personal data, to rectification and erasure, the right to restrict processing, the right to object, and the right to data portability. You can exercise these rights by sending a letter, fax or e-mail to the controller’s contact details given in Section 1.

If you have any questions in connection with this data privacy policy, please contact us at the contact details provided in Section 1.

You have the right to file a complaint with a supervisory authority in the EU or with the Austrian Data Protection Authority in Vienna, if you feel that an infringement of data protection law has occurred.

If the prospect/customer/supplier is a legal entity according to GDPR, these rights may be exercised by our point of contact there.

6. Retention periods

There are different retention periods of data, depending on the kind of business relationship with you.

6.1 Prospects

We will store such data one year after you are no longer interested in any of our products/services; data will then be erased.

6.2 Customers

We will keep such data until the business relationship has ended and deadlines for the enforcement of guarantee claims, compensation for damage, limitation periods and legal retention periods have expired and also until the termination of disputes, if any, in which such data are necessary evidence.

6.3 Subcontractors / suppliers

We will keep such data until the business relationship has ended or deadlines for the enforcement of guarantee claims, compensation for damage, limitation periods and legal retention periods have expired and also until the termination of disputes, if any, in which such data are necessary evidence.

6.4 Data processed based on your consent and image data from designated video surveillance operations

We keep data processed based on your consent until we receive your notice by which you withdraw your consent, and as long as we are legally obliged to keep such data.

You may revoke your consents at any time, independently of one another, without prejudice to the lawfulness of processing operations conducted prior to the date of revocation.

We will keep your image data from video surveillance operations for 72 hours, unless this deadline ends on a Sunday, on a public holiday, on Good Friday or on 24 December. In this case, we will keep your image data until the next day, which is not any of the above days. In an event covered by the purpose of our surveillance operations, we will keep image data generated from video surveillance operations as long as such data are necessary for evidence purposes.