Data protection
I. At a glance
We, Kyberg Vital GmbH, attach great importance to the protection and security of personal data. In doing so, we comply with the relevant provisions of data protection laws, in particular the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
We would like to explain to you in detail below how we use your data when you visit our website and inform you about your options and your rights under data protection laws.
II. General notes and mandatory information
1) Responsible body
Responsible for the processing of your data is
Kyberg Vital GmbH
Keltenring 8
82041 Oberhaching
represented by the managing directors Stephan Lix and Thomas Lix
Phone: +49 89 613 809 3300
E-Mail: info@kyberg-vital.de
2) Data protection officer
You can contact the data protection officer of Kyberg Vital GmbH by e-mail at datenschutz@kyberg.de or by post:
msecure GmbH
For the attention of DSB Kyberg Vital
Bajuwarenring 21
82041 Oberhaching
3) Data processing to fulfill legal reporting obligations (pharmacovigilance)
Personal data of data subjects will generally be deleted by the controller as soon as the purpose of the processing no longer applies. However, it may be necessary to store personal data even after the original necessity has ceased to exist, e.g. due to legal obligations.
If we receive information or a report in connection with the use of our medicinal products, we are legally obliged to record these reports in a structured manner and forward them to the responsible drug regulatory organizations.
As part of the notification, personal data of the notifying person and the patients concerned are processed. The legal basis for this processing of personal data is the fulfillment of legal obligations regarding the monitoring of the safety of medicinal products in accordance with Article 6 para. 1 subpara. 1 lit. c and Article 9 para. 2 lit. i GDPR in conjunction with EU Regulation 520/2012.
The data will be transmitted to appropriately authorized organizations exclusively for the purpose of clarifying the facts and fulfilling the reporting obligations. Personal data is stored for the duration of the marketing authorization of the medicinal product and for a further 10 years thereafter.
III. Description and scope of data processing
1) Provision of the website and log files
Each time you visit our website, our system, i.e. the web server, automatically collects information from the system of your accessing computer or end device.
The following data is collected by us:
- Information about the browser type and version used
- the operating system of the end device
- the Internet service provider
- the IP address
- Date and time of access
- the previous website from which the user reached our website (referrer URL)
a) Purpose of data processing
The temporary storage of your IP address by our system is necessary to enable delivery of the website to your device. For this purpose, the IP address of the end device must necessarily remain stored for the duration of the session. The above-mentioned data is stored in log files to ensure the functionality of our website. We also use this data to optimize the website and to ensure the security of our information technology systems (e.g. to detect attacks).
b) Legal basis
The legal basis for the temporary storage of this data and the log files is Art. 6 para. 1 subpara. 1 lit. f GDPR (legitimate interests of us as the website operator in the secure, trouble-free and legally compliant provision of the website).
c) Duration of storage
The above-mentioned data is deleted as soon as it is no longer required for the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.
In the case of the storage of data in log files, this is the case after 7 days at the latest. Storage beyond this period is possible. In this case, the user’s IP address is deleted or anonymized by us so that it is no longer possible to identify the accessing client and the data contained can no longer be linked to a specific person.
2) Session cookies
To make it easier for you to use our website, we use so-called “session cookies”. These are small text files that are only stored on your hard disk for the duration of your visit to our website and are deleted again when you close your browser, depending on the settings of your browser program. These cookies do not retrieve any information stored on your hard disk about you and do not affect your files.
Most browsers are set to accept cookies automatically. However, you can deactivate the storage of cookies or set your browser to notify you when cookies are sent. Please note that individual functions of our website may be impaired if you have deactivated the use of cookies.
3) E-mail and contact form
We can be contacted via our contact form and the e-mail address provided. In this case, the sender’s personal data transmitted with the request (in any case the name and e-mail address) will be stored together with the content of the message.
a) Purpose of the processing
The processing of this personal data serves us to process the content of the contact.
b) Legal basis
The legal basis for the processing of this data, which is transmitted in the course of sending a request, is Art. 6 para. 1 subpara. 1 lit. f GDPR (legitimate, concurrent interest of us as the responsible body in communicating with the person transmitting the message).
If the request is aimed at the conclusion or fulfillment of a contract, the legal basis is Art. 6 para. 1 subpara. 1 lit. b GDPR (fulfillment of a contract or pre-contractual measures for this).
c) Duration of storage
The above-mentioned data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent by email or via the contact form, this is the case when the respective conversation with the user has ended. As a rule, the conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified. In the case of the preparation or execution of contracts, longer retention periods may result from statutory (e.g. tax law) requirements.
d) Possibility of objection
As a user, you have the option to object to data processing at any time with effect for the future. In this case, all personal data stored in the course of making contact will be deleted immediately, provided that there are no statutory retention periods or other legal reasons to the contrary.
4) Analysis of the website
4.1 Google Tag Manager – Management of tools
We use the Google Tag Manager.
The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, with whom we have concluded a corresponding data processing agreement.
a) Purpose of the processing
As a website operator, we have an interest in the fast and uncomplicated administration of the various tools on our website.
Google Tag Manager is an organizational tool that allows us to integrate and efficiently manage website tags centrally and via a user interface.
The Google Tag Manager collects data on the website and forwards it to the connected analysis tools. These tools (e.g. Google Analytics) then store and evaluate this data if they are activated.
The Google Tag Manager is a domain and does not store any data itself. It has no access to it. The Tag Manager only collects data on how individual tags are used. However, Google Tag Manager collects your IP address, which may also be transmitted to Google’s parent company in the United States.
b) Legal basis
The legal basis for processing is Art. 6 para. 1 subpara. 1 lit. a GDPR (your consent, which you have given us via our consent banner).
You can find Google’s privacy policy here: https://policies.google.com/privacy?hl=de
Google also processes your data in the USA, among other places. We have concluded an order processing agreement with Google that includes the so-called Standard Contractual Clauses (SCC) of the European Commission. Nevertheless, we would like to point out that, according to the current legal situation, there is no level of data protection in the USA comparable to the standards of the European Union.
c) Duration of the processing
Data is not stored by the Tag Manager itself. You can revoke your consent to the use of the tool at any time with effect for the future.
4.2 Google Analytics
If you have given your consent, Google Analytics, a web analysis service of Google LLC, is used on this website. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).
Google Analytics uses cookies to help the website analyze how users use the site. The information collected by the cookies about your use of this website is usually transferred to a Google server in the USA and stored there.
We use the ‘anonymizeIP’ function (so-called IP masking): Due to the activation of IP anonymization on this website, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
During your visit to the website, the following data is collected, among others:
- the pages you have accessed, your “click path”
- Achievement of “website goals” (conversions)
- Your user behavior (e.g. clicks, dwell time, bounce rates)
- Your approximate location (region)
- Your IP address (in abbreviated form)
- technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
- Your Internet provider
- the referrer URL (via which website/advertising medium you came to this website)
a) Purposes of the processing
On behalf of the operator of this website, Google will use this information to evaluate your pseudonymous use of the website and to compile reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website.
b) Recipients of the data
The recipient of the data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland as the processor. We have concluded a data processing agreement with Google for this purpose. A transfer of data to the USA cannot be ruled out. Google LLC, based in California, USA, and any US authorities may be able to access the data stored by Google.
We would like to point out that the USA does not offer a level of protection of your personal data comparable to that of the EU.
You can find more information on the terms of use of Google Analytics and on data protection at Google at https://marketingplatform.google.com/about/analytics/terms/de/ and at https://policies.google.com/?hl=de .
c) Legal basis
The legal basis for this data processing is your consent, Art. 6 para. 1 subpara. 1 lit. a GDPR. You can withdraw your consent at any time with effect for the future.
d) Storage period
The data sent by us and linked to cookies is automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.
You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by not giving your consent to the setting of the cookie or by preventing the storage of cookies by setting your browser software accordingly. However, if you configure your browser to reject all cookies, this may limit the functionality of this and other websites.
5) Google reCAPTCHA
Our offers use reCAPTCHA, a function provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. If you use this function, your IP address will be transmitted to Google servers. We use Google reCAPTCHA to prevent the misuse of our contact options through spam.
a) Purpose of the processing
The purpose of the processing is the technically secure provision of our services (Art. 32 GDPR), in particular protection against automated spam attacks.
b) Legal basis
The legal basis for processing is Art. 6 para. 1 subpara. 1 lit. f GDPR (our interest in the technically optimized and secure provision of web content).
You can find Google’s privacy policy here: https://policies.google.com/privacy?hl=de
6) YouTube videos
We use the YouTube.com platform to post our own videos and make them publicly accessible. YouTube is the offer of a third party not affiliated with us, namely Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Some of the pages on our website contain links to YouTube. In general, we are not responsible for the content of linked websites. However, in the event that you follow a link to YouTube, we would like to point out that YouTube stores the data of its users (e.g. personal information, IP address) in accordance with its own data usage guidelines and uses it for business purposes.
We also directly integrate videos stored on YouTube on some of our websites. With this integration, content from the YouTube website is displayed in parts of a browser window. However, the YouTube videos are only called up by clicking on them separately. This technique is also known as “framing”. When you call up a (sub)page of our website on which YouTube videos are integrated in this form, a connection to the YouTube servers is established and the content is displayed on the website by notifying your browser.
The integration of YouTube content only takes place in “extended data protection mode”. This is provided by YouTube itself and ensures that YouTube does not initially store any cookies on your device. However, when the relevant pages are accessed, the IP address and the aforementioned other data are transmitted and thus, in particular, which of our Internet pages you have visited. However, this information cannot be assigned to you unless you have logged in to YouTube or another Google service before accessing the page or are permanently logged in.
As soon as you start playing an embedded video by clicking on it, YouTube only stores cookies on your device through the extended data protection mode, which do not contain any personally identifiable data, unless you are currently logged in to a Google service. These cookies can be prevented by making the appropriate browser settings and extensions.
The legal basis for the integration of the content is Art. 6 para. 1 subpara. 1 lit. f GDPR:
Our legitimate interest lies in the provision of content to inform you as a website visitor about products and services.
Address and link to the privacy policy of the third-party provider:
Google/YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
You can view Google’s privacy policy here: https://policies.google.com/privacy
7) Online store
You have the option of purchasing products directly from us via the online store on our website. For this purpose, we process the necessary data such as surname, first name, postal address, e-mail address, data on the selected payment method, content of the order, etc.
a) Purpose of the processing
The processing of your data serves to conclude the contract and process your order.
b) Recipients of the data
Kyberg Vital GmbH has transferred the payment processing to Kyberg Pharma Vertriebs-GmbH, Keltenring 8, 82041 Oberhaching (https://www.kyberg-pharma.de/index.php/impressum.html). Kyberg Pharma Vertriebs-GmbH processes the data transmitted by Kyberg Vital GmbH on the basis of an order processing contract (Art. 28 GDPR). You can view the privacy policy of Kyberg Pharma Vertriebs-GmbH here: https://www.kyberg-pharma.de/index.php/datenschutz.html. Kyberg Vital GmbH informs the data subject in the form for issuing the basic SEPA direct debit about their rights and about the fact that Kyberg Pharma Vertriebs-GmbH collects the receivables for Kyberg Vital GmbH as part of order processing. Kyberg Pharma Vertriebs-GmbH is authorized to process the data when the data subject authorizes the basic SEPA direct debit. Kyberg Pharma Vertriebs-GmbH will only pass on the data subject’s personal data to third parties if this is necessary for payment processing, e.g. when passing on customer data to financial service providers or, if applicable, a debt collection agency.
When paying via PayPal, credit card via PayPal, direct debit via PayPal or – if offered – “purchase on account” or “payment by installments” via PayPal, we pass on your payment data to PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”), as part of the payment processing. The transfer takes place in accordance with Art. 6 para. 1 subpara. 1 lit. b GDPR and only insofar as this is necessary for payment processing.
PayPal reserves the right to carry out a credit check for the payment methods credit card via PayPal, direct debit via PayPal or – if offered – “purchase on account” or “payment by installments” via PayPal. For this purpose, your payment data may be passed on to credit agencies in accordance with Art. 6 para. 1 subpara. 1 lit. f GDPR on the basis of PayPal’s legitimate interest in determining your solvency. PayPal uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the provision of the respective payment method. The credit report may contain probability values (so-called score values). If score values are included in the result of the credit report, they are based on a scientifically recognized mathematical-statistical procedure. The calculation of the score values includes, but is not limited to, address data. Further data protection information, including information on the credit agencies used, can be found in PayPal’s privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
c) Legal basis
The data is processed on the basis of Art. 6 para. 1 subpara. 1 lit. b GDPR.
d) Storage period
The data is only stored for as long as is necessary to fulfill the purpose or as required by law. In the context of the execution of sales contracts, the regular retention period is 10 years.
IV. Your rights
According to the General Data Protection Regulation (GDPR), you have the right to
- in accordance with Art. 15 GDPR, to request information about your personal data processed by us. This includes the processing purposes, the categories of personal data, the categories of recipients of the data, the planned storage period, the origin of your data, as well as the existence of automated decision-making including profiling;
- in accordance with Art. 16 GDPR, to request the correction of incorrect or incomplete personal data stored by us;
- in accordance with Art. 17 GDPR, to demand the erasure of your personal data stored by us, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
- in accordance with Art. 18 GDPR, to demand the restriction of the processing of your personal data if you contest the accuracy of the data, the processing is unlawful and you oppose the erasure of your data and in cases where we no longer need your data but you require it for the establishment, exercise or defense of legal claims. Processing will also be restricted if you have objected to processing but it has not yet been determined whether our legitimate interests outweigh yours;
- in accordance with Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller;
- in accordance with Art. 7 para. 3 GDPR, to withdraw consent given to us at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation;
- pursuant to Art. 21 GDPR, to object to the processing of your personal data. If the processing of your data is based on a legitimate interest of ours or a third party and your objection is based on your particular situation, we will comply with this, unless there are legitimate reasons for processing that outweigh your interests or we need your data to enforce legal claims;
- to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. If you believe that we have not sufficiently complied with your rights and our obligations under the General Data Protection Regulation, you have the right to lodge a complaint with a data protection authority. The authority responsible for us is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany.