Privacy Notice for Partners

This privacy notice explains how Boehringer Ingelheim acting as a data controller (hereafter "Boehringer Ingelheim", "we", "us"; processes which personal data of you for which purposes. In any event, collection and processing of personal data will only take place in accordance with the General Data Protection Regulation, "GDPR" and the Data Protection Act 2018 in relation to communicating, providing information and services and for the purposes connected with the relationship personal data is needed, e.g. name, contact data and function of the data subject.

1. Personal Data we might process

The following data categories may be collected and processed:
a. Identification data, e.g. name, gender, images (badges), CCTV (visiting monitored areas), User ID (using Business applications)
b. Addresses and contact data, e.g. postal addresses, e-mail addresses, phone numbers, organisational data such as company/organisation, department, function
c. Authorisations and their use e.g. IP-addresses or User-Accounts for Wi-Fi (Guest-Net), online services or used business applications
d. Time and attendance, e.g. being on the company premises or for providing services
e. Activities, tasks and operations, e.g. for projects

2. Purpose

Personal Information of individuals may be used in general for:

  • Communication, e.g. for clarifying questions, exchanging information or appointments
  • Documenting activities, e.g. meetings, events and agreements
  • Complaint management and solving of disputes, exercise or defend legal claims

Related to business partners, e.g. suppliers, customers, contractors, service providers or chempark partners, it may be used in addition for:

  • Settlement of transactions, e.g. payment, invoicing and contract management
  • Logistics, e.g. transportation
  • Authorisation and identity management for electronic services, including technical support and troubleshooting
  • Administrative communication, e.g. sales promotion or product development
  • Monitoring, e.g. for complying with our legal obligations such as Business Partner compliance screening obligations
  • checks and surveys

Related to media representatives, interested persons and visitors it may be used for:

  • Identification and Authorisation
  • Providing information and requested services, e.g. newsletter
  • Monitoring, safety checks

The processing of your personal data is necessary for the purposes listed above. The legal basis for the processing, unless stated otherwise, is Article 6 (1) b) GDPR (performance of contracts), Article 6 (1) f) GDPR (legitimate interests) or Article 6 a) GDPR where you have given your consent.

3. Monitoring and investigation

Different methods are used for protecting data privacy and our IT security against different threats (malicious software, hacker attacks, spam, espionage and theft of intellectual property), e.g. exchanged data are examined for viruses and connection data are analysed for abnormalities. For suspicious cases relevant documents and connection data can be analysed. In order to comply with existing export- and payment restrictions - e.g. companies and persons are listed in different government lists – business partner data may be checked against these lists.

In addition, in the case of suspicions, which have been reported via the compliance hotline, in the case of official investigations and defense against claims, an investigation and, where appropriate, provisioning of data and documents relating to the respective case and the persons concerned may be necessary.

In all cases internal regulations, legal requirements and the personal rights of the data subjects are respected.

4. Processing Principle

Reasonable technical and organisational measures for data security are implemented through internal regulations and - if the data is processed by an external service provider - by means of appropriate contractual agreements, for example through the use of the EU standard contract clauses for data processing outside the European Union.

5. Data Transfer / Disclosure

In compliance with legal requirements and existing internal regulations, the data required for the respective purpose can be passed to other internal and external bodies in the following cases:

1. Reporting obligations to regulatory authorities and enforcement of rights

As a pharmaceutical company, we are subject to specific regulations, such as pharmacovigilance. Some of these laws require us to send your reports to regulators or other authorities worldwide (including countries that may have a different level of data protection than the EU). We only provide authorities with personal data if we are legally obliged to do so.

In order to protect our rights or the rights of third parties, we may also disclose data to rights holders, consultants and authorities in accordance with legal provisions.

2. Service providers

We engage service providers to process your personal data for the purposes described in this data protection information. These service providers process the data only on our behalf, in accordance with our instructions and under our control in accordance with this data privacy declaration.

3. Boehringer Ingelheim companies

As part of a global group of companies, we involve other Boehringer Ingelheim companies that support us in data processing. These group companies process the data exclusively for the purposes stated in this data protection declaration.

4. Data transfer to recipients outside the EU

Some of these service providers and Boehringer Ingelheim companies process personal data outside the EU. In these cases, we ensure an adequate level of data protection to comply with European law (usually through EU standard contractual clauses published by the European Commission).

6. Data Storage

Personal data will only be kept for as long as necessary to meet the respective purpose and to fulfil regulatory requirements, as a rule for the duration of the respective contractual relationship, including a possible statutory retention period.
For business partners, the deletion usually takes place 10 years after the last contact, for other persons, e.g. visitors or subscribers of information/newsletters 5 years after the last contact or on request.

Data erasure is carried out within the framework of the deletion routines implemented by the process managers.

7. Your Rights

You can request information which personal data we store. If you have provided personal data based on a contract or consent, you have the right to receive this data in a common and machine-readable format.

In justified cases, you may also request the deletion, correction or limitation of the processing of your data. If your personal data is transferred to a country outside the EU that does not provide adequate protection, you may request a copy of the contract that provides adequate protection of personal data.

Where you provided consent for the use of your personal data, you can withdraw your consent at any time with future effect.

If we use your personal data on the basis of a balance of interests, you can object to the use of your data. In this case, we will no longer use your data unless our interests prevail. You can object to the use of your data for direct marketing purposes, e.g. the receipt of mailings, at any time without further consideration.

8. Contact

If you have any questions about our use of personal data, this data protection declaration or would like to exercise your rights, you can contact us at any time or you can contact our data protection officer directly:

Boehringer Ingelheim Limited
– Data Protection Officer –
Ellesfield Avenue
Bracknell
Berkshire
RG12 8YS

In case of questions or concerns you can also contact the lead data protection authority supervising us:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz Hintere Bleiche 34, 55116 Mainz
https://www.datenschutz.rlp.de/de/startseite/

This privacy notice may be updated from time to time as appropriate.