It is very important to us that the protection of your privacy is strictly observed when processing personal data.
In the following we would like to inform you about the handling of your personal data when you use our website www.phoenixgroup.eu (hereinafter: "website") and in the context of existing business relationships or when you visit us on site.
For a simpler overview, we have divided our Privacy Notice into the following areas:
A: General information
Contains the information to be provided for fair and transparent processing, such as our contact details, the contact details of our Data Protection Officer and your rights as data subjects.
B: Data processing when visiting our website
Contains all the information related to visiting or actively using our website, for example in the context of using our online application portal.
C: Data processing not related to website use
Contains all the information about data processing, if you are in a business relationship with us, if you visit us on site or if you contact us via other means.
A. General information
1. Controller
Controller in terms of data protection law is:
PHOENIX Pharma SE
Pfingstweidstraße 10-12
68199 Mannheim, Germany
2. Data Protection Officer
For all concerns regarding data protection, our Data Protection Officer is at your disposal:
Data Protection Officer
PHOENIX Pharma SE
Pfingstweidstraße 10-12
68199 Mannheim, Germany
E-mail: dataprotection(at)phoenixgroup.eu
3. Personal Data
Personal data refers to all information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is a data subject who can be identified, directly or indirectly, in particular by association with an identifier. An identifier may be, for example, a name, an identification number, location data, an online identifier, the IP address or other specific features that are the expression of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (hereinafter collectively referred to as "data").
4. Data processing by us
We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and other applicable data protection regulations. Processing only takes place to the extent necessary and that is permitted according to data protection law, for example for the fulfilment of contractual purposes, for the protection of a legitimate interests, for the fulfilment of legal requirements or insofar as you consent to the data processing. The specific nature and extent of the data processing and the corresponding legal bases can be found in the sections "B: Data processing when visiting our website" and "C: Data processing not related to website use".
5. Data recipients
Only those internal departments or organisational units as well as other companies affiliated with us shall receive your data, insofar as this is necessary for the fulfilment of our contractual and legal obligations or if said data is required in the course of processing and implementing a legitimate interests.
Your data may be transferred to external recipients in connection with contract processing, provided that we are obliged to fulfil legal requirements for information, notification or disclosure of data, you have granted us your consent for the transfer to third parties or to external service providers that render services on behalf of us as data processors or assume functions for us on behalf of us (for example IT service provider, the service provider we use when using our online application portal, data centres, data shredders or courier services). For the sections "B: Data processing when visiting our website" and "C: Data processing not related to website use" you can find case-specific examples of data recipients.
Upon request, we will gladly provide you with appropriate detailed information.
6. Third country transfer
In certain cases we are transferring data to third parties (e.g. service providers) that are based in third countries, meaning in countries outside the European Economic Area. These data transfers are covered by an adequacy decision of the European Commission (Article 45 GDPR). Where this is not the case, the data transfers are especially based on standard data protection clauses/standard contractual clauses in line with the templates adopted by the European Commission (Article 46 Para. 2 lit. c, Para. 5 S. 2 GDPR) or by an exemption according to Article 49 GDPR.
Otherwise, we do not transfer your personal data to countries outside the EU or the EEA or to international organisations.
7. Data deletion and storage duration
For the purely informational use of our website, we store your data in accordance with the regulations in Section B.1.1.
If you actively use our website or in the event of data processing not related to website use, we will store your data for as long as is required, for example, for the provision of the respective service, for example the implementation of the application process. If you have given your consent to the processing of your data, we will store your data in accordance with the information provided in the consent document or until the consent is withdrawn. For details, please refer to the regulations in Section B.1.2 or Section C.
In addition, we will always store your personal data until the expiration of the limitation period of any legal claims arising from the relationship with you, if necessary, in order to use it as means of evidence. The maximum limitation period is 36 months. Once the limitation period has expired, we will delete your personal data, unless there is a statutory storage obligation, for example, deriving from the German Commercial Code (Sections 238, 257 Para. 4 HGB) or from the Tax Code (Section 147 Para. 3, 4 AO). These storage requirements regularly to a maximum of ten years, but may extend beyond this if and for as long as the documents are relevant for tax purposes (Section 147 Para. 3, sentence 4 in conjunction with Section 169 Para. 2, sentence 2 AO).
8. Your rights as a data subject
You may exercise your rights listed hereafter at any time, towards the body that is designated under Section A.1.
8.1 Right to information
Within the framework of Article 15 GDPR, you are entitled to request information free of charge and at any time regarding the data that is processed by us, the processing purposes, the categories of recipients, the planned storage period or, in the case of third-country transfers, the appropriate guarantees.
8.2 Right to rectification, deletion, restriction of processing
If your data processed by us is incorrect, incomplete or their processing is inadmissible, you may ask us to correct your data, to supplement it, restrict processing or to delete the data to the extent permitted by law, according to Article 16, 17 and 18 GDPR.
The right to deletion does not exist, among other reasons, if the processing of personal data is required for (i) the exercise of the right to freedom of expression and information, (ii) the fulfilment of a legal obligation to which we are subject (for example statutory storage obligations) or (iii) enforcement, exercise or defense of legal claims.
8.3 Right to data portability
If you provide us with your data based on your consent or contractual relationship with us, upon request we will provide you with that data in a structured, current and machine-readable format or, if technically possible, submit the data to a third party that you have appointed.
8.4 Right of objection
If we process your data on the basis of a legitimate interest, you can object to this processing for reasons that arise from your particular situation, according to Article 21 GDPR. The right of objection only exists within the limits provided for in Article 21 GDPR. In addition, our interests may preclude termination of processing, so we may, despite your opposition, still be entitled to process your personal data.
8.5 Right of appeal
If you have any questions, suggestions or criticism, please feel free to contact our Data Protection Officer (see Section A.2).
You are also entitled, under the provisions of Article 77 GDPR, to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged breach, if you believe that the processing of data concerning you violates the GDPR. The right of appeal is without prejudice to any other administrative or judicial remedy.
The competent supervisory authority for us is:
The State Commissioner for Data Protection and Freedom of Information
PO box 10 29 32, 70025 Stuttgart, Germany
Tel.: +49 (0) 711/615541-0
Fax: +49 (0) 711/615541-15
E-mail: poststelle(at)lfdi.bwl.de
However, we recommend that you always lodge a complaint with our Data Protection Officer first.
9. Obligation to provide data
In principle, you are not obliged to provide us with your data. However, if you do not do so, we will not be able to provide you with our website or all of its functions, we cannot guarantee the active use of the website and we cannot process requests outside the website. Personal data that we do not necessarily need for the aforementioned processing purposes, are identified as voluntary information by "optional" or some other indication. In principle, you are not obliged to provide us with your data.
10. Automated decision making/profiling
We do not use an automated decision making process. We may partially process your information with the goal of evaluating certain personal aspects. In particular, we may use evaluation tools to provide you with targeted information and advice on products. These enable needs-based communication and advertising.
11. Consent/withdrawal rights
In the event that you give or have granted us consent for the collection, processing or use of your data, you may withdraw this consent at any time, with future effect, by notifying the body appointed in Section A.1.
You also have the right, for reasons arising from your particular situation, to object at any time to the processing of data concerning you by us, pursuant to Article 6 Para. 1 lit. e GDPR (exercise of a task in the public interest) or Article 6 Para. 1 lit. f GDPR (legitimate interest of the person in charge); this also applies to profiling based on these provisions. In this case, we no longer process data about you, unless we can demonstrate compelling legitimate grounds for processing the data that outweigh your interests, rights and freedoms, or the processing is intended to assert, exercise or defend legal claims.
If the data about you is processed for direct marketing purposes, you have the right to object at any time to the processing of this data for the purpose of such advertising. If you object to processing for direct marketing purposes, that data will no longer be processed for these purposes.
Any withdrawal should be directed to the address indicated in Section A.1.
12. Amendments
We reserve the right to change this Privacy Notice at any time. Any amendments will be announced by means of publication of the amended Privacy Notice on our website. Unless otherwise specified, such amendments will take effect immediately. Therefore, please check this Privacy Notice regularly to view the latest version.
B. Data processing when visiting our website
1. Nature and scope of data processing
1.1 Informative use of the website
You can visit our website without the need to provide any personal information. If you use our website only for informational purposes, we will not collect any data from you. This excludes the data that your browser transmits to enable you to visit the website, as well as information provided by cookies.
1.1.1 Technical provision of the website
1.1.1.1 Scope of processing, purpose and storage duration
For the technical provision of the website, it is necessary that we process certain automatically transmitted information from you, so that your browser can display our website and you can use the website. This information is automatically collected each time you visit our website and stored in our server log files. This information relates to the computer system of the visiting computer. In the process, the following information is collected:
In addition to ensuring a smooth connection establishment and convenient use of our website, the collected data is also used to ensure the system security of the website.
For a purely informative use of the website, we store your personal data on our servers for a period of 14 days.
The storage period for cookies may differ from the aforementioned information and is explained in more detail in Section "B.1.1.2 Cookies and similar technologies".
1.1.1.2 Legal basis
We process your data for the technical provision of our website on the basis of the following legal bases:
1.1.2 Cookies and similar technologies
1.1.2.1 Scope of processing, purpose and storage duration
When using our website, cookies, pixels and similar technologies (hereinafter referred to as "cookies") may be used. Cookies are text files that are stored in the internet browser or by the internet browser when you visit a website on your computer system. A cookie contains a characteristic string that allows the browser to be uniquely identified when the website is visited again.
When using cookies, we primarily distinguish between four categories:
To manage your cookie preferences, we use the cookie consent tool Cookiebot from the company Usercentrics. With this solution you can always inform us about your cookie preferences.
In addition, almost all browsers allow you to completely block cookies, remove existing cookies, or alert you to cookies, to prevent them from being placed on your device. You can find more information in the documentation or in the help file of your browser or at www.aboutcookies.org.
Please note that blocking cookies can significantly affect the use of the website. Some of our website functions cannot be offered without the use of cookies.
When storing cookies, a distinction is made between so-called session cookies and persistent cookies. Session cookies are deleted after leaving our website. Persistent cookies have different lifespans, which you can find in the cookie overview within the Cookiebot cookie banner. You can always delete cookies set in your browser via your browser settings.
1.1.2.2 Legal basis
Unless otherwise described in the following paragraphs, we process your data within the context of the use of cookies on the basis of the following legal bases:
1.1.3 Google Analytics
1.1.3.1 Scope of processing, purpose and storage duration
We use Google Analytics of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), (Google) to measure the effectiveness and improvement of our website.
We use Google Analytics with the extension "_anonymizeIp ()". As a result, IP addresses are processed further in shortened form, any direct links to individual persons can therefore be excluded.
Google uses the data collected on our website also for their own purposes – e.g. to improve its offer. You can find more information on this at http://www.google.com/analytics/terms/de.html or at https://policies.google.com/privacy.
Google sets cookies on the website for this purpose. You can prevent the collection of data generated by the cookie and related to your use of the website and the processing of this data by
However, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.
The storage period of the data collected with the help of cookies is up to 24 months.
1.1.3.2 Legal basis
We process your personal data for statistical analysis of the use of our website on the basis of the following legal bases:
1.1.4 Google Maps
1.1.4.1 Scope of processing, purpose and storage duration
We are using Google Maps (API), a service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Mother company: Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google) on our website. Google Maps is a web service for displaying interactive (land) maps in order to visualize geographical information. By using this service, you can see the location of our company sites and make it easier for you to find us. Data is processed in order to show you the map and thus the marked location.
The cooperation with Google in terms of data protection law is based on a signed contract on joint responsibility in accordance with Art. 26 GDPR, available at https://privacy.google.com/intl/de/businesses/mapscontrollerterms/. Furthermore, by using Google Maps, you as a user enter into a direct user relationship with Google.
Information about your use of our website (such as your IP address) is transmitted to Google servers in the USA and stored there as soon as you access the subpages in which the Google Maps map is integrated. This occurs regardless of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be assigned directly to your account. If you do not wish your data to be associated with your Google profile, you must log out before using the service. Google stores your data (even for users who are not logged in) as usage profiles and analyses them.
In addition, Google uses the data for its own purposes (display of personalized advertising, market research and/or needs-based design of the website) which cannot be influenced by us.
1.1.4.2 Legal basis
We process your personal data to display the map and the PHOENIX locations on the basis of the following legal bases:
1.1.5 Google Tag Manager
1.1.5.1 Scope of processing, purpose and storage duration
For the purpose of managing website tags on our website, we use the Google Tag Manager provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), (Google). This service allows website tags to be managed through a single interface. The Google Tag Manager only implements tags. This means: No cookies are used and no personal data is collected. Google Tag Manager activates other tags, which in turn may collect data. However, Google Tag Manager does not access this data. If deactivated at the domain or cookie level, it will remain in effect for all tracking tags as far as they are implemented with the Google Tag Manager.
Google Tag Manager does not use cookies.
1.1.5.2 Legal basis
We process your data to implement the management of your cookie preferences on the basis of the following legal bases:
1.1.6 Cookiebot
1.1.6.1 Scope of processing, purpose and storage duration
For the purpose of managing your personal cookie preferences, we use Cookiebot provided by Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany. Cookiebot manages and stores the cookie preference settings according to your wishes. When you visit our website for the first time, you will be asked for your cookie preferences and can agree to the use of cookies or reject them.
If you delete your Internet browser history, all cookies (including opt-out cookies) will be deleted. In this case, you will be asked again for your cookie preferences when you visit our website again.
Cookiebot only shows the status of the last settings you made in the cookie preference manager. Cookie settings made by you elsewhere are not displayed (e.g. general blocking of all cookies via your Internet browser settings).
Your IP address is used so that Cookiebot can process your cookie preferences accordingly. When using mobile devices (e.g. smartphones), the advertising identifier stored there is used.
Cookiebot stores your cookie preferences for a maximum of 12 months or until you delete your Internet browser history.
In general, you can also deactivate the use of cookies at any time via your browser settings. Please use the help functions of your internet browser to find out how to change these settings.
Please note that individual functions of our website may not work if you have deactivated the use of cookies.
1.1.6.2 Legal basis
We process your data to implement the management of your cookie preferences on the basis of the following legal bases:
1.1.7 Vimeo
1.1.7.1 Scope of processing, purpose and storage duration
We are using the provider Vimeo for the integration of videos and display of these. Vimeo is operated by Vimeo, LLC, headquartered at 555 West 18th Street, New York, New York 10011, USA. When you access the web pages of our website that are provided with embedded videos - for example, when you play a video - a connection is established to the Vimeo servers and the video is displayed. This transmits to the Vimeo server which of our Internet pages you have visited and what your IP address is. If you are logged in as a member of Vimeo, Vimeo assigns this information to your personal user account. When using the plugin, such as clicking on the start button of a video, this information is also assigned to your user account. You can prevent this assignment by logging out of your Vimeo user account before using our website. When using Vimeo videos, also cookies are set. You can prevent the collection of data generated by the cookies and related to your use of the website and the processing of this data by changing your cookie preferences on our website using the cookie consent tool or your browser software.
For more information on data processing and privacy notices by Vimeo, please see https://vimeo.com/privacy.
Vimeo stores data for up to 12 months.
1.1.7.2 Legal basis
We process your data to enable video functionality on our website using Vimeo on the basis of the following legal bases:
1.2 Active use of the website
Apart from using our website purely for information purposes, you may also actively use our website to contact us or to submit an application. In addition to the processing of your personal data as outlined above for purely informational use, we then collect and process further personal data.
1.2.1 Contact us via our website
Our website contains a contact form and you can contact us via the contact e-mail addresses provided on the website or by telephone. For more information on how we process your data when you contact us, please refer to the Section "C.1 - Processing your data in the context of business relationships (customers, suppliers and business partners) and general business communication".
1.2.2 Use of our eRecruiting option
If you use our eRecruiting option and apply to `PHOENIX, we ask you to note the data protection information for applicants.
1.2.3 Reporting system for data protection incidents
1.2.3.1 Scope of processing, purpose and storage duration
The PHOENIX group, i.e. PHOENIX Pharma SE as well as its affiliated companies within the meaning of sections 15ff of the German Stock Corporation Act (AktG), has established a web-based reporting system that provides our employees, business partners, customers, and third parties with a simple system for reporting data incidents or problems. These reports are taken seriously, reviewed and used to improve the protection of personal data. You can access this reporting system at any time via https://phoenixgroup.integrityplatform.org.
In order to explain the background to the reporting system in more detail, we have also answered a number of frequently asked questions below:
When should I report an incident?
PHOENIX group has an obligation to notify the supervisory authority within 72 hours of becoming aware of an incident. This means that all incidents must be reported without undue delay via the online reporting tool.
Which data protection incidents need to be reported and how?
All personal data incidents are to be reported to the data protection officer via the online reporting tool.
What is a data protection incident?
A data protection incident is any event that has resulted, or could result, in the accidental or deliberate loss of personal data (electronic or paper) or destruction of data, or unauthorised access to data (e.g. loss or theft of laptops, smartphones, paper documents, prescriptions).
What happens after I submit a report?
The data protection officers will review the incident report and contact you for further information or, where necessary, assist you with post-incident actions.
1.2.3.2 Legal basis
We process your data when you use our reporting system for data protection incidents on the basis of the following legal bases:
2. Links and social networks
2.1 Links to third-party websites
Some sections of our website contain links to third-party websites. These websites are subject to their own data protection principles. We are not responsible for their operation, including data handling by third parties. If you send information to or by means of these third-party sites, you should review the privacy notices of those sites before providing any information that may be associated with you.
2.2 Social media sites/our activity in social media
In addition to this website, we also maintain presences on social media sites, which you can reach via direct links on our website. Social plugins are not used. Further details on data processing in the context of visiting and using our social media sites can be found in the Social Media Privacy Notice.
C. Data processing not related to website use
1. Processing of your data in the context of business relationships (customers, suppliers and business partners) and general business communication
1.1 Scope of processing, purpose and storage duration
If you contact us, for example in the context of a contract initiation or a contractual relationship with us, your personal data is processed by us. This also applies if you act as a contact person in a business relationship with us and are not a contracting party.
Depending on the processing operation, different data can be processed. For example, relevant personal data may be: contact data (e.g. name, address, telephone number, e-mail address), legitimation data (for example commercial register extracts and ID data), data in the context of our business relationship (for example position, job and department in the company, supervisor, order data, payment data, creditworthiness data), photos and video recordings (for example at events or visit of our headquarters), system data (for example user name and ID or user ID, log data), date of birth and other data comparable with these categories.
In principle, we collect personal data from you directly. However, in certain cases, it is also possible that data are collected via third parties. This may be, for example, data from other companies, authorities or other third parties (e.g. information agencies). This may include personal data that we process using our compliance management system (for example whistleblowing hotline, anti-terror screening, prevention of money laundering, e-mail spot checks to detect antitrust violations).
In order to protect your data from manipulation and unauthorised access, we have implemented current state-of-the-art technical and organisational measures in our processing procedures and IT systems.
The data will be stored until the processing of the request has been completed or within the framework of our contractual relationship with you until the end of the contractual relationship and then according to Section A.7, for example until expiry of the statutory limitation or archiving periods.
1.2 Legal basis
We process your data in the context of business relationships and general business communication on the basis of the following legal bases:
2. Law enforcement
2.1 Scope of processing, purpose and storage duration
In addition, we process your personal data to assert our rights and to be able to enforce our legal claims. We also process your personal data to be able to defend ourselves against legal claims. Finally, we process your personal data insofar as this is necessary to prevent or prosecute crimes.
The data will be stored until the completion of the enforcement and, if applicable, according to Section A.7, for example until the expiry of the statutory limitation or archiving periods.
2.2 Legal basis
We process your personal data for this purpose on the basis of the following legal basis:
3. Processing of your data when you visit us on site
3.1 Scope of processing, purpose and storage duration
If you visit us on site, you will be given a visitor badge containing your name and the name of your internal contact person. In addition, visitors are registered at our reception and recorded on a visitor list. The visitor badge and the recording of visitors' names on a visitor list serve the protection of our owner rights and the purpose to determine that only authorised individuals are present on our premises.
The data is stored for a period of 6 months.
3.2 Legal basis
We process your data when you visit us on the basis of the following legal bases:
4. Video surveillance at our headquarters
Our premises are safeguarded by video surveillance. You can find the privacy notice for video surveillance here.
Last updated December 2023