Data Protection Policy

To Indivumed, the protection of your privacy and your personal data is highly important. We observe all relevant statutory regulations when processing your personal data. We also pay close attention to the data protection aspects of our Internet activities.

To make you feel comfortable during the performance of any services or when visiting our website, we hereby inform you about our collection and use of data below.

When you use our information and services, Indivumed GmbH, Falkenried 88, Bldg. D, 20251 Hamburg, Germany (hereinafter “Indivumed” or “we”/“us”) may collect, process, and use your personal data in accordance with the respective legal regulations and the terms and conditions set forth hereinafter.

Insofar as reference is made in the following to the EU GDPR, this refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

 

1. General remarks

Our data protection practice conforms with the applicable data protection regulations and other relevant legal requirements.

For the best protection of your data against manipulation, loss, deletion, or unauthorized access by others, we employ technical and organizational security measures which are continuously updated to conform to respective technical and legal requirements.

Personal data

Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Data Protection Policy applies to the processing of the data belonging to the visitors of this website, as well as Indivumed’s business partners such as customers, service providers, or other collaboration partners (hereinafter “third parties”), for the purpose of performing our services and other related legitimate purposes.

Indivumed may perform its services within the framework of group contracts or through various corporate units and therefore acts within the Indivumed group towards the third parties in legal transactions, for the purpose of performance of the contract, to which you are a party, and other related legitimate purposes.

 

2. Collection, processing, and transfer of third parties’ personal data

Purpose, legal basis, and duration of processing

The purpose of our company is to perform our own and to support third-party research and development activities in the field of biomedicine and any services related thereto. All collection, processing, and use of data pertains to the implementation of this purpose.

We generally collect your personal data to provide the offers and services requested by you. This also applies when you contact us, e.g. via the contact form, e-mail, telephone, or via social media.

If your personal data is collected and processed in connection with our services, including a request for a quotation or the performance of any contract (e.g. purchase or work order), we use your data (such as your company e-mail address, the company you work for, your position, the salutation chosen by you, your name, your telephone number, your fax number, your address, your payment data, and your purchase history) within the scope of the contractual purpose to provide the respective products and/or services, and any additional services that may be necessary for such performance.

In such a case, we process your personal data for the performance of your contract(s) with Indivumed, or in order to take steps at your request prior to entering into a contract (Art. 6 Sec. 1 lit. b) EU GDPR), and as far as necessary for compliance with legal obligations to which Indivumed is subject (in accordance with Art. 6 Sec. 1 lit. c) EU GDPR).

Provision of these data is a necessary requirement for entering into a contract, which otherwise cannot be entered into.

In addition, your e-mail address, obtained from you in the course of performance of services, might be used for the purposes of improving customer support, optimizing our offers, and providing you with information about our services by e-mail, based on the legitimate interest in maintaining our business relationship (Art. 6 Sec. 1 lit. f) EU GDPR), as far as you have not objected to the processing of your data for such purpose and in accordance with the applicable law. You may always object to such use of your data by following the link provided in each such e-mail or by sending an informal e-mail to the sender e-mail address. If you participate in one of our customer surveys, this is done on a purely voluntary basis.

Your personal data will be stored in accordance with the applicable law, as far as necessary in relation to the purposes for which they were collected or otherwise processed, such as the performance of your contract with Indivumed, legitimate interest in maintaining our business relationship, and as far as necessary for compliance with legal obligations to which Indivumed is subject, based on Art. 6 Sec. 1 lit. c) EU GDPR (e.g. accounting or taxation purposes).

When you subscribe to a newsletter, we collect and process your data for gathering and providing the respective content, based on your consent.

As far as permissible under the applicable law, we may also use your personal data, solely for the purpose of asking your consent (Art. 6 Sec. 1 lit. a) EU GDPR), to send you information about our services by e-mail and process your personal data for such purpose.

Your consent in such a case is optional and you may decline it without any possible consequences. You may also withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

You may always object to such use of your data by following the link provided in each such e-mail or by sending an informal e-mail to the sender e-mail address.

In the event you do not provide your consent or object to the processing of your data, you will no longer receive such information and your data will no longer be processed for this purpose.

Upon your consent your data will be stored in accordance with the applicable law and processed exclusively for the purposes for which they were collected, as long as you do not withdraw your consent.

If you withdraw your consent or object to the data processing, your data will no longer be processed for the respective purposes and will be erased in accordance with our internal policies. Should it not be possible to erase your data entirely, for example, due to compliance reasons, processing of your personal data will be restricted to necessary purposes, such as maintaining the so-called Blacklist in order to comply with your request not to receive information about our services or for compliance with the mandatory retention period.

Transfer and recipients of personal data

We only transfer personal data as far as permissible and necessary for the performance of the contract to which you are a party, and other legitimate reasons. Personal data will only be collected and transferred to governmental institutions and authorities based on mandatory legal requirements. We particularly do not sell personal data, such as addresses, to third parties.

For the purpose of the performance of our services, we may transfer your personal data to our service providers, such as third-party suppliers entrusted with technical support, insurers or banks entrusted with the execution of payment, as well as our subsidiaries, affiliates, spin-off companies, and other affiliated entities within the Indivumed group.

Regarding the use of online services, personal data may be transferred to our online system service providers, namely operators of hosting services, Internet booking engines, web analysis services, global distribution services, and marketing services. These system service providers help us to continuously improve our offers and services addressed to you. Any use of your personal data by third parties based on your consent will strictly be performed as commissioned data processing in keeping with all applicable laws.

As far as we transfer data to our service partners and/or affiliated entities in connection with services described here, they are contractually bound to data protection agreements in addition to mandatory laws.

Your personal data may be transferred to our service providers outside of the European Union/European Economic Area to the countries for which the European Commission has not determined an adequate level of data protection. Any such transfer occurs solely based on standard contractual clauses, in the currently applicable version issued by the European Commission, according to Art. 46 Sec. 2 lit. c) EU GDPR.

 

3. Information for website visitors on cookies used by Indivumed and third parties

General remarks

Cookies are small files that are saved to your computer’s “hard drive” by your web browser. They can be deleted by you at any time or not be accepted by your browser if the respective options have been checked. Most browsers accept cookies automatically. There are two types of cookies: session cookies and permanent cookies. Session cookies are used by us to facilitate navigation through our website and expire when you close your browser. Permanent cookies stay on your hard drive for a longer period, depending on the duration or “lifetime” of the specific cookie, as well as on your browser settings.

Most Internet browsers are initially set up to automatically accept cookies. 

If you do not want our websites to store cookies on your device, you can change your browser settings on each device by following the instructions provided in your browser’s “help” files. You can adjust your settings so that you receive a warning before certain cookies are stored, so that your browser refuses most of our cookies or only certain cookies from third parties. You can also withdraw your consent to cookies by deleting the cookies that have already been stored by clicking on the “Cookie Consent” button in the footer of this website or the “Adjust cookie preferences” button at the beginning of this web page.

However, this might disable or impair the use of our website. You may still use our website without accepting any or all cookies; however, functionality and/or comfort may be impaired, e.g. the loading time may be slowed, logins may not be kept, and so-called “pop-unders” may be displayed twice.

Different service providers may themselves place cookies on your hardware via our Internet services (third-party cookies). You can manage these third-party cookies by following the instructions provided in your browser’s “help” files, as further described below.

Purpose and legal basis of processing

Some cookies are essential for the proper running and maintenance of our website (technically necessary cookies) and are used for the purposes of safeguarding system stability and basic website functions, based on Art. 25 Sec. 2 No. 2 TTDSG. These cookies are not subject to your prior consent.

We also use these cookies for managing your consent (User-Hash) for the purpose of compliance with legal obligations and accountability (Art. 6 Para. 1 S. 1 lit. c) GDPR).

In addition, Indivumed also uses statistics cookies, which are technically not necessary, but allow us to improve our content for you by saving and analyzing user data, based exclusively on your consent (Art. 6 Sec. 1 lit. a) EU GDPR). By consenting to statistics cookies, you agree that we may process your data for the specified purposes and pass it on to certain data recipients such as Google Analytics and LinkedIn (for further information, please see below).

If you consent to these cookies, they will help us analyze your use of our website. The information collected in connection with your use of our website (please see under Web Analytics Services) will be evaluated for statistical purposes with the aim of optimizing our website and our services and improving your activities and experience on our website, and will not be used to draw any conclusions about your personal identity. Your usage data will not be connected to your full IP address by Indivumed during this process.

You can withdraw your consent by clicking on the “Cookie Consent” button in the footer of this website or the “Adjust cookie preferences” button at the beginning of this web page at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Transfer and recipients of personal data

These data may be transferred to our service providers, such as providers of technical services or marketing agencies, for the purpose of operating, securing, and optimizing our websites and its functionalities. Our service providers are contractually bound to data protection agreements in addition to being subject to mandatory laws.

Your personal data may be transferred to our service providers outside of the European Union/European Economic Area, to the countries for which the European Commission has not determined an adequate level of data protection. Any such transfer occurs solely based on standard contractual clauses, in the currently applicable version issued by the European Commission, according to Art. 46 Sec. 2 lit. c) EU GDPR.

Google, LinkedIn, and possibly their affiliated companies or subcontractors may be based outside the EU/EEA in third countries (such as the USA) which do not offer an adequate level of data protection comparable to that within the EU/EEA. So-called standard contractual clauses in accordance with Article 46 of the GDPR were concluded as suitable guarantees. However, if the data is transferred to such a third country, there is a risk that your data may be processed by its authorities for control and monitoring purposes, possibly without you being entitled to any legal remedies. Please note, however, that for this website, we have supplemented Google Analytics with the code “gat._anonymizeIp()” to ensure an anonymized collection of IP addresses (so-called “IP masking”, see below).

Web Analytics Services

This website uses Google Analytics, a web analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses cookies.

By accepting statistics cookies, certain information about your visit to this website is collected, such as your activity, pages you have visited, newsletter registrations, downloads, user behavior (e.g. clicks, length of stay), unique identifier, your location information with varying degrees of accuracy, your IP address (in abbreviated form), technical information about your browser and the end device, Internet provider, operating system, mobile network information, and the referrer URL (via which website you came to this website). For more information, please see Google Privacy Policy.

Therefore, we entered into a Data Processing Agreement with Google. The information on your use of this website generated by this cookie will be processed by Google and generally transferred to, and stored on, a Google server in the USA and hence might be accessible to public authorities in the USA.

Please note that for this website, we have supplemented Google Analytics with the code “gat._anonymizeIp()” to ensure an anonymized collection of IP addresses (so-called “IP masking”). Therefore, your IP address will be truncated by Google prior to the transfer if your computer is located in the European Union or a member state of the European Economic Area. Only in exceptional cases will the IP address be transferred to a Google server in the USA and truncated there. As commissioned by the operator of this website, Google will use this information to analyze your use of this website, to aggregate reports on website activities, and to render additional services related to website and Internet operations to the website operator. The Data Processing Agreement ensures that Google receives this data as a processor and is therefore not allowed to use this data for its own purposes. The IP address collected by Google Analytics through your browser will not be combined with other data stored by Google.

The storage of such data is set to 14 months and they are automatically deleted once a month after expiration of the retention period.

You can withdraw your consent by clicking on the “Cookie Consent” button in the footer of this website or the “Adjust cookie preferences” button at the beginning of this web page at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Nevertheless, you can control the information collected by Google (for more information, see here). You can prevent the storage of data through cookies by choosing the respective settings for your browser. You may also prevent the collection of data related to use of the website (including your IP address) and its transfer to Google by downloading and installing the browser plugin software accessible here.

Google Maps

This website uses the Google Maps service for the purpose of displaying maps and/or showing directions. When you use this service, personal data may be processed and cookies may be set. Information about your use of this website and your IP address will be transmitted to a Google server in the USA. This happens regardless of whether you have a Google account through which you are logged in or whether no user account exists. Google may also use other tools for marketing purposes. If you are logged in to a Google account, your information will be linked directly to your account. If you choose to use this service, you thereby agree that the data may also be transferred to third countries outside the European Economic Area without an adequate level of data protection (especially the USA). There is a possibility that authorities will have access to the data without there being any legal remedy. You can withdraw this consent at any time with future effect in the Cookie Consent Banner.

For further information on Google’s privacy policy, purpose and scope of data collection, and processing, please see here.

Social Media

We maintain social media on the platforms of LinkedIn and X (Twitter). Here you can find the Data Protection Policy for Social Media Platforms.

 

4. Data Protection Statement for Microsoft Teams meetings participants

We hereby inform you about the processing of your personal data in our online meetings using the video conference solution Microsoft Teams.

Purpose and Scope of Processing

We use the video conference solution Microsoft Teams to conduct online meetings (“Microsoft Teams meeting/s”).

The scope of the personal data processed depends on information provided by you in the course of (before or during) your participation in Microsoft Teams meetings. Generally, the following personal data are processed:

  • User information: E.g. display name, e-mail address, profile picture (optional), telephone number (encrypted in recordings)
  • Meeting metadata: E.g. date and time of participation, role of participants
  • Text, audio, and video data: You have the option of using the chat function. In this respect, the text you enter will be processed in order to display it in the Microsoft Teams meeting (this is not displayed in recordings). In order to enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera on the end device will be processed accordingly for the duration of the Microsoft Teams meeting. You can switch off the camera and/or mute the microphone yourself at any time in the Microsoft Teams application.

In general, Microsoft Teams meetings with third parties are not recorded. Should a Microsoft Teams meeting be recorded in exceptional cases, this will only take place after you (i.e. the participants) have been informed about it transparently in advance and asked for consent according to Art. 7 EU GDPR (lawful basis). In addition, the participants will be provided with the following information:

  • Specific purpose (reason) and lawful basis of recording
  • The organizer and the recipients of the recording (who manages the recording and to whom the recording will be made available)
  • Location and duration of storage of the recording
  • Link to this Data Protection Policy

Lawful Basis

Insofar as Microsoft Teams meetings are held within the context of contractual relationships (with third parties), the legal basis for data processing is Art. 6 par. 1 lit. b) EU GDPR.

In the event a Microsoft Teams meeting is necessary for the purposes of our legitimate interest in a particular case (Art. 6 par. 1 lit. f) EU GDPR), this will take place unless such interests are overridden by the interests or fundamental rights and freedoms of the data subjects (participants).

The exceptional recording of Microsoft Teams meetings may only take place based on previous and informed consent of the participants, under the above-mentioned conditions.

Storage duration

Any data processed in connection with the participation in a Microsoft Teams meeting and its content will generally be stored for as long as they are necessary for the purpose of processing, such as for the fulfillment of contractual services or to safeguard legitimate interest.

Your login data will be deleted after 30 days at the latest.

Recipients and transfer of personal data outside of the European Union/European Economic Area

Personal data processed in connection with participation in Microsoft Teams meetings are generally not passed on to third parties unless to the extent necessary in accordance with the purpose and lawful basis of such processing, that is, unless this is intended in the context of a Microsoft Teams meeting or in connection with the content of the Microsoft Teams meetings.

Other than that, the provider of Microsoft Teams necessarily obtains knowledge of the above-mentioned personal data, in the context of data processing for the purpose of Microsoft Teams meetings.

Microsoft Teams is part of the Cloud application Office 365 (Microsoft Office 365), a software of:

Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland
Microsoft Corporation
One Microsoft Way Redmond, Washington 98052, USA
hereinafter “Microsoft”.

Microsoft is headquartered in the United States. Therefore, processing of your personal data also takes place in a third country, i.e. a country outside the European Union/European Economic Area.

In order to guarantee an adequate level of data protection of processing of your personal data, including in the case of transfer of personal data outside of the European Union/European Economic Area to a third country such as the USA in this particular case, we have concluded a Data Processing Agreement with Microsoft that meets the requirements of Art. 28 GDPR.

In addition, Microsoft is demonstrably obliged to Indivumed to comply with a data protection level that essentially corresponds to the standards of the European Union due to standard contractual clauses in the currently applicable version issued by the European Commission, according to Art. 46 Sec. 2 lit. c) EU GDPR.

Please note, however, that the existence of an appropriate data protection standard for providers outside the European Union/European Economic Area cannot always be guaranteed, regardless of the conclusion of the EU Standard Contractual Clauses.

The information about processing of personal data by Microsoft Office 365 can be found in the Microsoft Privacy Statement and Privacy and Microsoft Teams.

Microsoft reserves the right to process customer data for its own legitimate business purposes. Please note that we have no influence on such data processing operations, in which case Microsoft is an independent controller and as such is responsible for compliance with all applicable data protection regulations. If you need information about Microsoft processing, please consult the Microsoft Privacy Statement.

Please note: If you visit the Microsoft Teams website, the provider of Microsoft Teams is responsible for data processing. However, visiting the website is only necessary to download the software required to use Microsoft Teams.

If you do not want to or cannot use the Microsoft Teams app, you can also use Microsoft Teams via your browser. The service is then also provided via the Microsoft Teams website.

Further information about your rights as well as respective contact information can be found below.

 

5. Data subjects’ rights

Insofar as we process your personal data based on your consent, you are entitled to withdraw your consent at any time, based on Art. 7 Sec. 3 EU GDPR. This will not affect the lawfulness of processing based on consent before its withdrawal.

Under the conditions of Art. 15–21 EU GDPR and as far as applicable in the individual case, you have the right to request access to your personal data, the right to rectify and erase your personal data, the right to object to processing and restrict processing of your personal data, and the right to data portability.

If your personal data are processed based on legitimate interest, you may object to such processing on grounds relating to your particular situation, in which case, your personal data will no longer be processed, unless Indivumed can demonstrate compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Should your personal data (e-mail address) be processed for direct marketing purposes, you have the right to object to such use of your data at any time without giving a reason, as described above.

If you withdraw your consent or object to data processing, your data will no longer be processed for the respective purposes and will be erased in accordance with our internal policies. Should it not be possible to erase your data entirely (e.g. due to compliance reasons), processing of your personal data will be restricted to the necessary purpose, such as maintaining the so-called Blacklist in order to comply with your request not to receive information about our services or for compliance with the mandatory retention period.

Deletion may be barred by statutory regulations, especially where required for settling, accounting, or taxation purposes in accordance with Art. 6 Sec. 1 lit. c) EU GDPR.

 

6. Data processing entity (“Controller”), Data Protection Officer, and supervisory authority

The company (Controller):
Indivumed GmbH
represented by its Managing Director (Geschäftsführer) Prof. Dr. Hartmut Juhl
Falkenried 88, Bldg. D
20251 Hamburg
Germany

Phone: +49 (40) 41 33 83 0
Fax: +49 (40) 41 33 83 14
E-mail: info@indivumed.com

Indivumed GmbH is the provider of all content on the website indivumed.com, and the Controller in the meaning of the EU GDPR of the collection, storage, and processing of all personal data collected through this website.

The Data Protection Officer of Indivumed GmbH is:

Visnja Jankovic
E-mail: dpo@indivumed.com
Phone: +49 (40) 41 33 83 0

For additional information on the company, please refer to our site notice on this website.

You have the right to lodge a complaint with the following supervisory authority:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str 22, 7. OG
20459 Hamburg

Phone: 040 / 428 54 – 4040
Fax: 040 / 428 54 – 4000
E-mail: mailbox@datenschutz-hamburg.de

 

7. Miscellaneous

Please note that this Data Protection Policy is subject to reviews and amendments made from time to time in order to conform to any extended services or changed legal requirements. Please visit this web page from time to time to familiarize yourself with any changes, especially before submitting personal data to us.

This Data Protection Policy applies primarily to the data processing of Indivumed’s website visitors and other third parties. Processing of the personal data for the purpose of research and development activities is subject to a special data protection concept, applicable policies, and related documentation.

If you have any requests, desires, or comments regarding data protection at Indivumed, please feel free to also contact the Data Protection Officer at Indivumed GmbH.

December 2023