Data Protection Notice for Customers, Partners, Visitors, and other Data Subjects

1.    Personal data we might process

The following data categories might be collected and processed:

a.    Identification data, e.g. name, gender, date and place of birth (visitors), national identification number (truck drivers), images (badges), CCTV (visiting monitored areas), User ID (use of business applications), passport data  
b.    Addresses and contact details, e.g. postal addresses, e-mail addresses, phone numbers, organizational data such as company/organization, department, function
c.    Authorizations and their use e.g. IP-addresses or user-accounts for Wi-Fi (guest-net), online services or used business applications
d.    Time and attendance, e.g. being on the company premises or for providing services
e.    Activities, tasks and operations, e.g. for projects, professional and scientific qualifications and expertise, courses, webinars, events
f.    Financial data for payment transactions, bank details, UID number/VAT number

2.    Purpose

Personal Data might be processed for the following purposes:

•    Communication, for clarifying questions, exchanging information or making appointments, information related to promotion via e-mail or post (Legal Basis: Art 6 (1) b) GDPR)
•    Documenting activities, meetings, events and agreements, certificate of attendance (Legal Basis: Art 6 (1) f) GDPR; Legitimate Interest: administration and documentation or assignment of education credits)
•    Complaint management and solving of disputes, exercise or defend legal claims (Legal Basis: Art 6 (1) GDPR; Legitimate interest: solving of disputes, exercise or defend legal claims) 
•    Fulfilling notification obligations for reporting adverse events connected to the use of our products or related to tax laws §109a EStG (Legal Basis: Art 6 (1) c) GDPR)
•    Conducting internal and external audits and external inspections by licensing and monitoring authorities

Related to business partners, e.g. suppliers, customers, contractors, service providers or other partners, it may be used in addition for:

•    Settlement of transactions, e.g. payment, invoicing and contract management (Legal Basis: Art 6 (1) b GDPR)
•    Check against sanction lists (Legal Basis: Art 6 (1) c) GDPR)
•    Logistics, documentation of transportation, archiving of shipping documents (Legal Basis: Art 6 (1) b GDPR)
•    Authorization and identity management for electronic services, including technical support and troubleshooting (Legal Basis: Art 6 (1) f GDPR; Legitimate Interest: safeguarding system security and emergency response)
•    Administrative communication, sales promotion or product development (Legal Basis: Art 6 (1) f GDPR; Legitimate Interest: assurance of efficient communication; product optimization, sales promotion)
•    Monitoring, for complying with our legal obligations such as Business Partner compliance screening obligations (Legal Basis: Art 6 (1) f GDPR; Legitimate Interest: protection against from financial or material damage)
•    Checks and surveys (Legal Basis: Art 6 (1) f GDPR; Legitimate Interest: product optimization and sales promotion)
•    Award of education credits: Data concerning participation in an event, e.g. duration of the participation (Legal Basis: Art 6 (1) f GDPR; Legitimate Interest: Administration of education programs)

Related to media representatives, interested persons and visitors it may be used for:

•    Identification and authorization (Legal Basis: Art 6 (1) f GDPR; Legitimate Interest: Participation in education programs, legal protection against financial or material damage or image loss)
•    Providing information and requested services, newsletter (Legal Basis: Art 6 (1) a), b) and f) GDPR; Legitimate Interest: business presentation and public relations) 
•    Monitoring, safety checks (Legal Basis: Art 6 (1) c), f) GDPR; Legitimate Interest: legal protection of financial or material damage)

The processing of your personal data is necessary for the purposes listed above. Insofar as we are not required to process your data due to a legal obligation (Art. 6 (1) c) GDPR), the provision of your data for the aforementioned purposes is generally voluntary. 

However, if you do not wish to provide us with your data for this purpose, we will not be able to enter into a business relationship with you (Art 6 (1) b) and f) GDPR) and will not be able to keep you optimally informed about news (Art 6 (1) a) GDPR).

3.    Reporting obligations to regulatory authorities and enforcement of rights

As a pharmaceutical company, we are subject to specific regulations, such as pharmacovigilance (§§ 75 i) et seq Austrian Medical Products Act). Some of these laws require us to send your reports to regulators or other authorities worldwide (including countries that may have a different level of data protection than the EU). We only provide the authorities with personal data if we are legally obliged to do so. The data processing is based on a legal obligation according to Article 6 (1) c) GDPR. 

Further details on data processing in connection with pharmacovigilance for human pharmaceuticals can be found in our data privacy notice on pharmacovigilance. 

Information on data processing related to pharmacovigilance for animal health products are available in our data privacy notice on pharmacovigilance for AH products. 

To protect our rights or the rights of third parties, we may also disclose data to rights holders, consultants and authorities in accordance with legal provisions.

4.    Monitoring and investigation

Different methods are used for protecting data privacy and our IT security against different threats (malicious software, hacker attacks, spam, espionage and theft of intellectual property), e.g. exchanged data are examined for viruses and connection data are analyzed for abnormalities. For suspicious cases relevant documents and connection data can be analyzed.

To comply with existing export- and payment restrictions - e.g. companies and persons are listed on different government lists – business partner data may be checked against these lists.

In addition, in the case of suspicions, which have been reported via the compliance hotline, in the case of official investigations and defense against claims, an investigation and, where appropriate, provisioning of data and documents relating to the respective case and the persons concerned may be necessary.

In all cases internal regulations, legal requirements and the personal rights of the data subjects are respected. In all cases internal regulations, legal requirements and the personal rights of the data subjects are respected. The data processing is based in the before mentioned case on our legal obligations and the legitimate interest (Legal Basis: Art 6 (1) c) and f) GDPR; Legitimate Interest: Adhering to internal compliance regulations; ensuring system security and danger prevention; legal protection of financial or material damage).

If we are not obliged to process your personal data based on legal requirements (Art 6 (1) c) GDPR), the provision of your data for the before mentioned purposes is voluntary. Non-provision of your data would mean that we cannot enter a contractual relationship with you.

5.    Processing principles

Reasonable technical and organizational measures for data security are implemented through internal regulations and - if the data is processed by an external service provider - by means of appropriate contractual agreements, for example using the EU standard contract clauses for data processing outside the European Union.

6.    Data transfer / Disclosure

In compliance with legal requirements and existing internal regulations, the data required for the respective purpose can be passed to other internal and external bodies in the following cases:

a.    Service Providers

We engage service providers to process your personal data for the purposes described in this data protection notice. These service providers process the data only on our behalf, in accordance with our instructions and under our control. We ensure by means of a separate contract that our service providers comply with data protection obligations (e.g. with our data processors by concluding corresponding data processing agreements).

The following types of service providers may be commissioned to process personal data on behalf of Boehringer Ingelheim:

•    address database operators
•    advertising agencies
•    communication agencies
•    consultants
•    event agencies
•    financial auditors
•    IT service providers
•    logistics companies
•    market research agencies
•    printing companies
•    publishers
•    streaming service providers
•    training agencies
•    translators
•    travel agencies

b.    Boehringer Ingelheim-Companies

As part of a global group of companies, we involve other Boehringer companies that support us in data processing. Please find here an overview of the major Boehringer Ingelheim companies. These group companies process the data solely for the purposes stated in this data protection policy. This data processing is based on our legitimate interest in accordance with Art. 6 (1) f) GDPR, namely the efficient organization of our corporate administration and business communication.

c.    Data transfer to recipients outside the EU
Some of these service providers and Boehringer companies process personal data outside the EU. In such cases, Boehringer Ingelheim ensures an adequate level of data protection to comply with European law (usually through EU standard contractual clauses published by the European Commission). For further information on the legal basis for the data transfer to or by service provider to third countries please contact us via the address mentioned under 9. 

Recipients outside the EU process your data for the purpose of organizing events (if you attend an event in a country outside the EU) or awarding further education points.

7.    How long do we store personal data?

Personal data will only be kept for as long as necessary to meet the respective purpose and to fulfill regulatory requirements, as a rule for the duration of the respective contractual relationship, including a possible statutory retention period.

For business partners, the deletion usually takes place 10 years after the last contact, for other persons, e.g. visitors or subscribers of information/newsletters 5 years after the last contact or on request.

Inquiries that you send us via E-Mail, via Websites or by any other means will be deleted after 3 years. 

For tax law reasons, we store business-related documents and accounting documents as well as the associated records from our contractual relationship for a period of seven years in accordance with § 132 of the Austrian Federal Fiscal Code (BAO).

Requests related to medicinal products for human use must be retained for 30 years due to legal reasons.

8.    What are your rights?

a.    Withdrawal of consents: You can withdraw your consents any time with future effect. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.  
b.    Right to information: You can request access to your personal data at any time. If you have provided personal data based on a contract or consent, you have the right to receive this data in a common and machine-readable format. You can revoke your consent at any time with future effect.
c.    Right to deletion, correction, restriction, data portability: Under certain conditions, you may also request the deletion, correction or restriction of the processing of your data. If your personal data is transferred to a country outside the EU that does not provide adequate protection, you may request a copy of the contract that ensures adequate protection of personal data. 
d.    Right to objection: If we use your personal data based on legitimate interest, you can object to the processing of your data. In this case, we will no longer process your data unless our interests prevail. You can object to the use of your data for direct marketing purposes, e.g. to receive mailing campaigns, at any time without further consideration.
e.    Right to complaint: If, despite our obligation to process your data lawfully, contrary to expectations, a violation of your right to lawful processing of your data occurs, you have the right to file a complaint to the Austrian data protection authority or another data protection supervisory authority in the EU, at your place of residence or work.

9.    Contact details

If you have any further questions about our use of personal data, this data protection information or would like to exercise your rights, you can contact us at any time or you can contact our data protection officer directly:

Boehringer Ingelheim RCV GmbH & Co KG
– Data Protection Officer –
Dr.-Boehringer-Gasse 5-11
1120 Vienna, Austria
E-Mail: datenschutzbeauftragter.AT@boehringer-ingelheim.com

If you have any questions or concerns about the processing of your personal data, you can also contact a supervisory authority. Responsible for Boehringer Ingelheim is:
Österreichische Datenschutzbehörde
 Barichgasse 40-42
 1030 Vienna
Telephone: +43 1 52 152-0
E-Mail: dsb@dsb.gv.at
Website: www.dsb.gv.at

10.    What happens if we change this privacy policy?

We will update this privacy policy from time to time. We will inform you about any changes to our Privacy Policy by publishing the new Privacy Policy here. If there are significant changes, we will publish an eye-catching notice on our website or send you an e-mail. If necessary, we also ask for your prior consent. You should review this Privacy Policy regularly for changes.

11.    Further data protection notices

Please note that in certain situations, additional data protection notices apply (for example, contracts for clinical trials).