Data protection policy
This data protection policy is aimed at all people who visit our website. Gender-neutral terms have been used in the explanations below to improve readability. All references to people refer to all genders. In addition to these and other matters, we take your rights to privacy, data protection and informational self-determination very seriously. We are happy to provide you with information below within the scope of the General Data Protection Regulation (EU Regulation 2016/679, “GDPR” for short).
1. Who are we?
The “controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. With regard to the processing of your data when using this website, we are the controller as defined by GDPR:
OrphaCare GmbH
represented by: Ralf Lenhard and Dr. Georg Fischer
OrphaCare GmbH
Leopold-Ungar-Platz 2/1/132
1190 Vienna, Austria
Tel.: +43 1 93 46 108
E-mail: office@orphacare.com
Insofar as “we” or “us” are mentioned, this refers to the controller shown here.
2. Overview of your rights as a visitor to our website
Visitors have numerous rights under the General Data Protection Regulation with regard to their processed personal data. In particular:
- The right of access to the saved personal data,
- The right to the rectification of incorrectly saved personal data,
- The right to the erasure of personal data for the further saving of which there is no legal basis,
- The right to the restriction of the processing of saved, personal data,
- The right to data portability,
- The right to lodge a complaint with the responsible supervisory authority for data protection.
If the legal prerequisites for the respective claims are fulfilled and we can identify you, we will fulfil your claims in a timely manner. Further details about your rights can be found in the explanations on the legal bases.
3. Information about the legal processing obligation
A legal obligation to process only exists insofar as we refer to Article 6(1)(1)(c) GDPR in the following data protection policy.
4. Data transfer to entities outside of the European Union, in particular in the USA
(1) It is possible that we will transfer personal data and/or have personal data transferred to entities based outside of the European Union or at least cannot rule this out (henceforth: third country entity). In these cases, we must guarantee according to Article 44 GDPR that the protection level of the General Data Protection Regulation is not undermined. As a precaution, we point out that the third party entity can be both a controller and a processor.
(2) If we refer to what is known as an adequacy decision in the following statement, this means that the third country entity is based in a country, region or specific sector that the Commission has decided offers an adequate level of protection. This guarantee then follows from Article 45 GDPR.
(3) If we refer to standard contractual clauses in the following statement, this means that the third country entity accepts the EU standard contractual clauses and is thus contractually committed to respecting the protection level of the General Data Protection Regulation. This guarantee then follows from Article 46(1) and (5) GDPR.
(4) If we refer to you having consented to the transfer to the third country entity in the following statement, this means that you have been informed about all existing risks of such transfers, for which there is no adequacy decision or other safeguards, and have nevertheless consented to the data transfer. This guarantee then follows from Article 49(1)(a) GDPR. For reasons of transparency, we indicate the corresponding risks separately.
(5) We only provide this notice as a precaution. It only applies when we make reference to it in the following statement. It is also possible that we will not make use of it.
EU standard contractual clauses and third country bodies based in the USA
(1) In addition to the information under “Data transfer to entities outside the European Union” – section 3, we draw your attention to a special constellation. For transfers to third country entities based in the USA, the possibility of referring to the EU standard contractual clauses is limited. If we therefore intend to refer to the EU standard contractual clauses in this connection (or have already done so), we indicate the following:
(2) We will only base the transfer of personal data to US third country entities on the EU standard contractual clauses if we have previously undertaken a thorough assessment of the associated circumstances. During this, we first determine a risk level (nature and, in particular, sensitivity of the affected data, scope of data processing, purpose of data processing, vulnerability to abuse). We then assess whether the contractual assurances of the US third country entity and the technical and organisational measures implemented there (e.g. processing of data exclusively in EU-based computer centres, encryption technology) sufficiently minimise the risks identified beforehand. Only if we reach the conclusion that the EU standard contractual clauses are also an adequate safeguard without exception, even for a US third country entity, will we refer to it.
(3) We only provide this notice as a precaution. It only applies when we make reference to it in the following statement. It is also possible that we will not make use of it.
Consent to the transfer to third country entities based in the USA, including risk information
(1) In addition to the information under “Data transfer to entities outside the European Union” – section 4, we draw your attention to a further special constellation. For transfers to third country entities based in the USA, the possibility of referring to the EU standard contractual clauses is limited. In some cases, the only possibility that remains is to ask you for your consent to this transfer. However, before you grant this consent, we ask that you become aware of the following risks and consider them when deciding whether to consent:
(2) We emphatically indicate that a data transfer to the USA without the protection of an adequacy decision may bring with it significant risks. Particular reference is made to the following risks:
1. In the USA, there is no standardised data protection law; particularly not one that would be comparable with the data protection law that applies in the EU. This means that both US companies and also state entities have more possibilities for processing your personal data, particularly for advertising purposes, profiling and conducting (criminal) investigations. Our possibilities of taking action against this are significantly limited.
2. The US legislator has conceded numerous access rights to your personal data (cf. Section 705 of FISA or E.O. 12333 in conjunction with PPD-28), which are not compatible with our legal understanding. In particular, no proportionality assessment comparable to that in the European Union takes place before data is accessed.
3. Citizens of the European Union cannot expect any effective legal protection in the USA.
4. We will generally only ask for such consent if we have come to the conclusion that the US third country entity cannot successfully refer to EU standard contractual clauses.
(3) We only provide this statement as a precaution. It only applies when we make reference to it in the following statement. It is also possible that we will not make use of it.
5. Processing operations for which your consent is required (legal basis Article 6(1)(1)(a) GDPR)
General information about the purpose and legal basis for the processing operations.
(1) The purpose of the processing operations described below is described separately for each tool.
(2) The legal basis for the respective data processing is your consent according to Article 6(1)(1)(a) GDPR. According to this provision, the processing of your personal data is permitted if you have given consent to the processing of your personal data for one or more specific purposes.
(3) It is possible for you to grant your consent via a cookie banner or by ticking a checkbox.
(4) Profiling does not take place unless it is expressly stated below.
General information on storage duration
(1) We save the data until you withdraw your consent.
(2) Once you withdraw your consent, we save the information that you consented, when and how (status opt-in) until the expiry of any limitation periods under civil law with regard to any claims arising from GDPR, i.e. generally three years after the withdrawal of your consent. The legal basis for this is Article 6(1)(1)(c) GDPR in conjunction with Article 5(2) GDPR or also Article 6(1)(1)(f) GDPR in conjunction with Section 1489 ABGB.
(3) Only in the event that a contractual relationship is established between us following processing based on your consent may we additionally save some of your data until our statutory retention periods elapse. The legal basis is Article 6(1)(1)(c) GDPR, Section 131, 132 of the Austrian Federal Fiscal Code (BAO), Section 212 of the Austrian Commercial Code (UGB). We may therefore be obliged
1. To retain data relating to your person that results from books and records within the meaning of Sections 131, 132 of the Austrian Federal Fiscal Code for seven years, whereby the retention period generally begins with the end of the calendar year in which the relevant document was created (Article 6(1)(1)(c) GDPR in conjunction with Section 132 BAO),
2. To retain data relating to your person that results from books, inventories, opening balance sheets, annual financial statements including management reports, consolidated financial statements including group management reports, received business letters, copies of sent business letters and receipts for entries in the books to be kept by us pursuant to Section 190 UGB for seven years, whereby the retention period generally begins with the end of the calendar year in which the relevant document was created (Article 6(1)(1)(c) GDPR in conjunction with Section 212 UGB).
Possibilities of withdrawing consent
(1) If we obtain your consent to processing, you have the right at all times to withdraw this consent with effect for the future. This is usually possible in the form of an informal message to us (cf. above “controller”).
(2) Furthermore, we indicate that we process additional personal data from you as part of obtaining your consent. These are identifying features (such as your name, your e-mail address, your IP address) and also log data for consent (time of consent, status of consent, scope of consent). We base this data processing on Article 6(1)(1)(c) GDPR in conjunction with Article 7(1) GDPR. The purpose is the need to demonstrate that you have granted consent.
How do we use Matomo?
(1) We use the open-source web analytics platform Matomo (formerly Piwik) to analyse your usage behaviour on our website. We will be happy to briefly explain this processing operation: The tool saves a cookie on your computer, enabling your browser to be recognised. Cookies are text files that are saved on your computer and enable how you use the website to be analysed. Although we only save the data acquired from this on a dedicated server within the European Union and the provider thus does not receive any data from you, we would like to inform you as a precaution that you can find more information about data protection for this tool here: https://matomo.org/gdpr/. More details about the nature and manner of processing via this tool can be found here: https://matomo.org/feature-overview/.
(2) We usually process the following data from you here: The tool uses what are known as “cookies”. These are text files that are saved on your computer and enable how you use the website to be analysed. We usually acquire the following information from them: Your IP address (anonymised), the accessed subpage and the time of access, the page from which you reached our website (referrer), the information about which browser with which plugins, which operating system and which screen resolution is used, the time spent on our website and the pages that are navigated to from the accessed subpage. We have anonymised your data here.
How do we use LinkedIn?
(1) We use the aforementioned social medium. Its provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. We neither have an influence over the collected data and data processing operations nor are we aware of the full scope of data collection, the purposes of processing, the storage periods. We also have no information about the erasure of the collected data by these providers. If you call up our company pages, it is possible that the provider will save the data collected about you as a usage profile and use this for purposes of advertising, market research and/or the needs-appropriate designing of its website. You have a right to object to the formation of this user profile, whereby you need to contact the provider to exercise this right. You can find the provider’s data protection policy here: https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv.
(2) Insofar as we can influence data processing, its purpose lies in presenting our company, analysing your usage behaviour in relation to interaction with the company pages maintained there, and communicating with you via this social network (possibly advertising).
(3) The categories of personal data that we process about you depend on the specific use of this social medium, as described in Section 4.
(4) In addition to our general remarks on the legal basis, we also state here: If you maintain your own profile on this social medium, the legal basis is your consent within the meaning of Article 6(1)(1)(a) GDPR, which you have granted to the provider of the social network. In all other cases, the legal basis is Article 6(1)(1)(f) GDPR, according to which your data can be processed if it is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms, which require protection of personal data, in particular where the data subject is a child. We have an economic interest in linking our company pages, whereby you click on the links independently and voluntarily. The provider is otherwise responsible.
(5) If and to the extent to which we analyse user interactions with our company page, we are jointly responsible for data protection to this extent with this provider; this is in accordance with Article 26 GDPR. If and to the extent to which we commission this provider to process data for us in addition, we are the client within the meaning of Article 28 GDPR. The data processing operations are also not prevented by the fact that the data may be processed outside the European Union by the provider, possibly in cooperation with LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA. This is because the processing of your personal data via this tool only takes place if you consent to the associated data transfer to the USA (cf. Article 49(1)(a) GDPR). This consent is granted to us to the extent that we control the data processing. Please be sure to read the risk information beforehand (cf. general section/special constellation: Consent to the transfer to third country entities based in the USA, including the risk information). If the provider controls the processing (for instance, if you visit the social network independently of a campaign on our website), we do not conduct a transfer to the USA, meaning that we also do not have to provide any further safeguard within the meaning of Article 44ff. GDPR. If necessary, a relationship within the meaning of Article 26 GDPR exists between us and the provider of the social network.
(6) In addition, we inform about data processing in this context:
We maintain a company page on this social network and analyse, where applicable, whether and how you have visited our company there; whether and how you react to our posts on social networks; whether and how you communicate with us via the channels there. The consent that you have granted to the provider is also relevant.
In addition, we have added a link to our company page on this provider’s site on our website. If you click on this link, you will reach our profile. With regard to this processing, we refer to our previous information on visiting our company page with this provider.
We also use LinkedIn ads:
With the help of this tool’s advertising materials (called LinkedIn ads), we can draw attention to our attractive offers on this provider’s social network. In relation to the data for the advertising campaigns, we can determine how successful the individual advertising measures are. We thus pursue the interest of displaying advertising to you that is of interest to you, making our website more interesting for you and achieving a fair calculation of advertising costs.
This advertising is delivered by the provider. If you reach our website via an ad that this provider presents to you, a cookie is saved on your PC by the tool. These cookies should not be used to identify you personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wants to be addressed) are usually saved as analysis values for this cookie.
Due to the tool used, your browser automatically establishes a direct connection to this provider’s server. We have no influence on the scope and further use of the data collected through the use of this tool and therefore inform you according to our state of knowledge: By integrating this tool’s advertising material, the provider receives the information that you have called up the corresponding part of our website or clicked on an advertisement from us. If you are registered for a service by this provider, it can allocate the visit to your account. Even if you are not registered with this provider or are not logged in, it is possible for the provider to become aware of and save your IP address.
You can prevent participation in this tracking procedure in various ways:
- By applying a corresponding setting in your browser software; in particular, suppressing third-party cookies causes you to not receive ads from third-party providers;
- By deactivating cookies.
More information about functionality and associated data processing can be found here: https://business.linkedin.com/de-de/marketing-solutions/ads.
6. Processing operations that lie within our legitimate interest (legal basis Article 6(1)(1)(f) GDPR)
General information about the purpose and legal basis for the processing operations.
(1) The purpose of the processing operations described below is described separately for each tool. It is the primary justification for our legitimate interest in processing.
(2) The legal basis for the respective data processing is Article 6(1)(1)(f) GDPR. According to this provision, the processing of your personal data is also permitted without your consent if it is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms, which require protection of personal data.
(3) Profiling does not take place unless it is expressly stated below.
General information on storage duration
(1) We save the data until this purpose no longer applies, which is always the case when you have submitted a justified objection (cf. “Information on the right to object”).
(2) If a contractual relationship is established between us following processing based on the legitimate interest, we will additionally save the data until our statutory retention periods elapse. The legal basis is Article 6(1)(1)(c) GDPR, Section 131, 132 of the Austrian Federal Fiscal Code (BAO), Section 212 of the Austrian Commercial Code (UGB). We may therefore be obliged
1. To retain data relating to your person that results from books and records within the meaning of Sections 131, 132 of the Austrian Federal Fiscal Code for seven years, whereby the retention period generally begins with the end of the calendar year in which the relevant document was created (Article 6(1)(1)(c) GDPR in conjunction with Section 132 BAO),
2. To retain data relating to your person that results from books, inventories, opening balance sheets, annual financial statements including management reports, consolidated financial statements including group management reports, received business letters, copies of sent business letters and receipts for entries in the books to be kept by us pursuant to Section 190 UGB for seven years, whereby the retention period generally begins with the end of the calendar year in which the relevant document was created (Article 6(1)(1)(c) GDPR in conjunction with Section 212 UGB).
Right to object
(1) Insofar as we base data processing in the following data protection statement on Article 6(1)(1)(f) GDPR, i.e. on a legitimate interest in processing, you always have the right to object to processing. This is usually possible in the form of an informal message to us (cf. above “controller”). If the objection is justified, we will stop the processing.
(2) If the legitimate interest is based on the interest in direct advertising or promotional targeting, your objection is always justified insofar as you are identified.
Data processing for use of the website for information purposes
(1) If you use our website purely for information purposes, i.e. if you do not register as a user or otherwise transmit information, we collect the following data from you: IP address, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request comes, browser, operating system and its interface, language and version of the browser software. We receive this data via cookies and directly from your browser.
(2) The purpose of this processing is the provision of our website and statistical evaluation.
Data processing when handling your data protection enquiries
(1) You have the right to assert data protection claims against us (cf. our information under “Rights of the visitors to the website”). If you do this, we will receive and process your enquiry and respond to you. In deviation from the aforementioned information on the storage period, we save the data until 31 December of the third calendar year following the year in which you submitted your enquiry. This follows from Article 6(1)(1)(f) GDPR in conjunction with the relevant civil law statutes of limitation.
(2) We usually process the following data from you here: Your contact details and all data required to process your enquiry.
How do we use Adobe Typekit?
We use external fonts on our website with the help of Adobe Typekit. This is a service by Typekit from Adobe Systems Inc, 345 Park Avenue San Jose, California 95110-2704, USA. General information on data processing by the service provider can be found in the data protection policies of Adobe at: https://www.adobe.com/uk/privacy/policy.html (Adobe). When accessing our website, your browser loads the necessary fonts directly from Adobe so that they can be displayed correctly on your device. By establishing a connection to Adobe, Adobe becomes aware that our website has been accessed via your IP address. The service provider states that they neither place nor use cookies on websites in order to offer their fonts. Detailed information on what information is collected, how this is used and whether and to whom the service provider passes on data when using Adobe Typekit can be found at: https://www.adobe.com/de/privacy/policies/adobe-fonts.html (Adobe Typekit). The use of this service is also not prevented by the fact that the provider is based outside the EU, as the provider has committed itself in accordance with the standard contractual clauses. The purpose of processing and thus the object of our legitimate interest is to enable the technically error-free and optimised provision of our services, in particular to ensure a uniform typeface on our website.
Transient cookies
(1) We use what are known as transient cookies on our website. These include, in particular, session cookies. These store what is known as a session ID, which enables various requests from the visitor’s browser to be assigned to the joint session. This allows the visitor’s computer to be recognised when the visitor returns to our website.
(2) The purpose from which our legitimate interest also arises can be described as follows: The cookies are used to display and use the website in a way that is appropriate for you.
(3) We usually process the following data from you here: Session cookies. These store what is known as a session ID, which enables various requests from your browser to be assigned to the joint session. This allows your computer to be recognised when you return to our website. The session cookies are deleted when you log out or close the browser.