Data Privacy Statement

This website, www.grunenthal.com, (hereinafter “website”) is provided by Grünenthal GmbH (hereinafter “we”, “our” or “us”). We respect your privacy and are committed to protecting your information. The privacy policy below discloses our practices regarding information collection and usage solely for the website located at www.grunenthal.com. If you are looking for further information on the provider of this website, please refer to our imprint.

Handling of personal data

At Grünenthal, we believe transparency is the foundation of trustful collaboration. Below we will provide you with information on how we handle your personal data when you use our website. We handle your personal data because this is necessary to make certain functionalities of our website available and give you the best possible experience. Unless otherwise indicated, the legal basis for the handling of your personal data results from our legitimate interest to make available the functionalities of the website requested by you and to promote our business interests, according to (Art. 6(1)(f) General Data Protection Regulation).

Using our Website

1.1.1 Accessing our Website

When you call up our website, your browser will transfer certain data to our web server. This is done for technical reasons so that we can make the information you request available. In particular, the following data are collected, briefly stored and used:

• IP address
• Date and time of access
• Time zone difference to Greenwich Mean Time (GMT)
• Content of request (specific site)
• Status of access/HTTP status code
• Transferred volume of data
• Website requesting access
• Browser, language settings, version of browser software operating system and surface

We will also store such data for a limited period of time so that we are able to initiate a tracking of personal data in the event of actual or attempted unauthorised access to our servers (Art. 6(1)(f) General Data Protection Regulation).

1.1.2 Use of cookies

What are cookies?
Our website uses so-called “cookies”. Cookies are small text files stored in your terminal's memory via your browser. They store certain information (for example your preferred language or site settings). Your browser may retransmit these to us when you revisit our website, depending on the lifespan of the cookie.

What cookies do we use?
We differentiate between two categories of cookies: (1) functional cookies which are necessary for the functionality of our website and (2) optional cookies. These are used for website analysis and marketing purposes. You can find a detailed list of the cookies that we use in the cookie banner that pops up when you access our website or by clicking on the “privacy settings” symbol.

Subject to your consent
We only use optional cookies if we have obtained your prior consent (Art. 6(1) a) GDPR). When you visit our website for the first time, a banner will appear asking you to give us your consent to the setting of optional cookies. If you consent, we will place a cookie on your computer and the banner will not appear again as long as the cookie is active. After expiration of the cookie’s lifespan, or if you actively delete the cookie, the banner will reappear the next time you visit our website and will again ask you for your consent.

How to prevent the placing of cookies
Of course you may use our website without any cookies being set. In your browser, you can configure or completely deactivate the use of cookies at any time. Check out the Help menu of your browser to get assistance:

Internet Explorer™:
http://windows.microsoft.com/de-DE/windows-vista/Block-or-allow-cookies

Safari™:
https://support.apple.com/en-gb/guide/safari/sfri11471

Chrome™:
http://support.google.com/chrome/bin/answer.py?hl=de&;hlrm=en&answer=95647

Firefox™:
https://support.mozilla.org/en-US/products/firefox/protect-your-privacy/cookies

This may, however, lead to a restriction of the functions or have adverse effects on our website's user-friendliness. You may object to the setting of optional cookies at any time by using the respective objection option as indicated above.

1.1.3 Website Analysis

Sitecore

This Website uses the web analytics service “Sitecore Experience Analytics” in order to help us continually improve the customer friendliness of our Website. Sitecore uses "cookies" that are stored on your computer and allow your use of the Website to be analyzed. The information generated by the cookie on your use of this Website is transmitted to and stored by state of the art secured EU based cloud servers (Azure Cloud, Dublin). You can use a corresponding setting in your browser software to prevent cookies from being saved; we would, however, like to draw your attention to the fact that, if you do so, you may not be able to use all of the functions offered by the website in full.

Matomo

We use the open source software tool Matomo (formerly PIWIK) from InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand on our website to analyze the surfing behavior of our users. Matomo is an open source tool for web analysis.

Matomo Tag Manager is a tag management system for managing JavaScript and HTML tags used to implement tracking, analytics and marketing tools.

Matomo uses cookies. These text files are stored on your computer and make it possible for us to analyze the use of the website. For this purpose, the usage information obtained by the cookie is transmitted to us and stored so that the usage behavior can be evaluated. Your IP address is immediately anonymized; thus you remain anonymous as a user. The information generated by the cookie about your use of this website will not be disclosed to third parties.

We understand this analysis as part of our Internet services. We would like to use it to further improve the website and adapt it even more to the needs of the users.

These processing operations are only carried out if explicit consent is given in accordance with Art. 6 (1) a) GDPR.

If individual pages of our website are called up, the following data is stored:

1. Bytes of the IP address of the calling system of the user are anonymized.
2. The website from which the user accessed the called website (referrer).
3. The subpages accessed from the accessed website
4. The time spent on the website
5. The frequency of accessing the web page

In this regard, the software runs exclusively on the servers within our control and within the Matomo Cloud. We have concluded a data processing agreement with InnoCraft Ltd. about data processing on our behalf. Storage of the users' personal data only takes place there. The data is not passed on to third parties.

We store this data for a period of at least two years, unless you revoke your consent beforehand.

You can view the data protection provisions of Matomo at: https://matomo.org/privacy/

Matomo Tag Manager

On our website we use Matomo Tag Manager. Matomo Tag Manager is an extension of the open source Matomo web analytics solution. The Tag Manager is used to integrate tracking events (marketing cookies) and control the integration of third-party code. The legal basis for the data processing is Art. 6 (1) f) GDPR. The legitimate interest is the error-free functioning of the website. The deletion of the data takes place as soon as the purpose of the collection has been fulfilled.

LinkedIn

Our online presence uses the “LinkedIn Insight Tag”, an advertising cookie, provided by LinkedIn Corporation (1000 W Maude Ave, Sunnyvale, CA 94085, USA).

We use the LinkedIn Insight Tag to track conversions, retarget website visitors, and unlock additional insights about members interacting with our LinkedIn ads. The LinkedIn Insight Tag enables the collection of metadata such as IP address information, timestamp, and events such as page views. All data is encrypted. The LinkedIn browser cookie is stored in a visitor’s browser until they delete the cookie or the cookie expires. With the help of the LinkedIn Insight Tag we are able to analyse the success of our campaigns within the LinkedIn platform or determine target groups for them based on the interaction of the users with our website. If you are registered with LinkedIn, it is possible for LinkedIn to associate your interaction with our online services with your user account. You can permanently opt out on this link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

For more information on the LinkedIn Privacy Policy, go to: https://www.linkedin.com/legal/privacy-policy.

LinkedIn advertising cookie is used on the basis of your consent according to Art. 6 (1) (a) GDPR.

1.1.4 Use of contact forms

You can contact us directly by using the contact forms available on our website. In particular, you may provide us with the following information:

• Name, surname and title
• Address (street, postal code, city)
• Country
• Contact data (e.g. e-mail address, phone number)
• Message

We collect, process and use the information you provide via the contact forms exclusively for the processing of your specific request. We will store the information you provide to us in contact forms for as long as we are legally obliged to or we can claim a legitimate interest. The same applies to data you send to us when using one of the designated email addresses indicated on our website.

1.1.5 External services or content on our website

We include third-party services and/or content on our website. When you use such third-party services or when third-party content is displayed, communication data are exchanged between you and the respective provider for technical reasons. The respective provider of the services or content may also process your data for own additional purposes. To the best of our knowledge, we have configured the services and content of providers known to process data for own purposes in such a way that either any communication for other purposes than to present their services or content on our website is blocked, or communication only takes place once you have actively opted to use the respective service. However, since we have no control over data collected and processed by third parties, we are not in a position to provide binding information regarding the scope and purpose of such processing of your data.

For further information regarding the scope and purpose of such collection and processing of your data, please consult the privacy statements of the providers whose services and/or content we include and who are responsible for the protection of your data in this context:

For the purpose of an interactive design of our website third-party content from Youtube and Vimeo is integrated into this website. This serves to safeguard our predominant legitimate interests in a multimedia presentation of our services and our activities in accordance with Art. 6(1)(f) GDPR.

YouTube (videos)

This website uses plug-ins from the American company Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA ("Google") which Youtube is operated by.

As a consequence, log information may be transmitted from our website to Google. Google’s server in the United States thus automatically stores information (“log data”), such as the information that your browser sends to a website when you visit, or the information that your mobile app sends when you use it. This log data may contain your IP address, the address of the website you visited that uses Google features, the browser type and settings, the date and time of your request, information about your use of Google, and cookies.

You can find out more information about data collection, how you data is evaluated and processed by Youtube and your rights relating to this in Youtube’s / Google’s Privacy Policy: https://www.google.com/intl/en/policies/privacy/

Vimeo (videos)

This website uses plug-ins from the American company Vimeo, LLC, 555 West 18th Street, New York, New York 10011, USA.

As a consequence, log information may be transmitted from our website to Vimeo. Vimeo’s server in the United States thus automatically stores information (“log data”), such as the information that your browser sends to a website when you visit, or the information that your mobile app sends when you use it. This log data may contain your IP address, the address of the website you visited that uses Vimeo features, the browser type and settings, the date and time of your request, information about your use of Vimeo, and cookies.
You can find out more information about data collection, how you data is evaluated and processed by Vimeo, and your rights relating to this in Vimeo’s Privacy Policy: http://vimeo.com/privacy.

Google reCAPTCHA

For the purpose of protection against misuse of our web forms, as well as to protect against spam, we use the Google reCAPTCHA service as part of some forms on this website.

By checking a manual entry, this service prevents automated software (so-called bots) from performing abusive activity on the site. In accordance with Art. 6(1)(f) GDPR the preservation of our justified legitimate interests in the protection of our website against misuse as well as an interference-free representation of our online presence
Google reCAPTCHA is an offer from Google LLC (www.google.com).

Google reCAPTCHA uses a code embedded in the website, a so-called JavaScript, as part of the review methods that allow an analysis of your use of the website, such as cookies. The automatically collected information about your use of this website, including your IP address, is usually transmitted to a Google server in the USA and stored there. In addition, other cookies stored by Google services in your browser are evaluated by Google reCAPTCHA.

There is no readout or storage of personal data from the input fields of the respective form. For more information about Google's privacy policy, visit https://www.google.com/policies/privacy/.

1.1.6 “Zoom” Online Meetings

Grünenthal uses the tool "Zoom" to enable online meetings with our customers and business partners. "Zoom" is a service of Zoom Video Communications, Inc., 55 Almaden Blvd. Suite 600, San Jose, CA 95113, USA.

With regards to visiting "Zoom´s" internet presence, the provider of "Zoom" is responsible for any processing of personal data related thereto.

The scope of the data that we process when you participate in an online meeting with “Zoom” depends on the functionalities you will use and what kind of data you will provide to us in the meeting. Usually, the following categories of personal data will be processed by Grünenthal when using “Zoom”:

User details: first name, last name, telephone (optional), e-mail address, password (if "single sign-on" is not used), profile picture (optional), department, entity or occupation (optional)

Meeting data: Topic, description (optional), attendee IP addresses, device/hardware information.

In case of recordings (only optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of online meeting chat.

If you participate via telephone, the following data will be processed to make this possible: information about the incoming and outgoing call number, country name, start and end time.

Content data: If you make use of the chat or survey functions, the text entries you make are processed in order to display them and, if necessary, to log them. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device will be processed accordingly for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time via the "Zoom" applications.

If we want to record “Zoom” meetings, we will transparently inform you in advance and - if necessary - ask for your consent. The fact of the recording will also be displayed to you in the "Zoom" app.

If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will generally not be the case.

In the case of webinars, we may also process questions asked by webinar participants for purposes of recording and following up on webinars. If you are registered as a user with "Zoom", the reports of online meetings (meeting metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars) may be stored at "Zoom" for up to one month.

The legal basis for the processing of your personal data as outlined above is Art. 6 (1) lit. b) GDPR, insofar as the meetings are conducted in the context of contractual relationships, e.g if you are a Healthcare Professional in a contractual relationship with us.

Should no contractual relationship exist, the legal basis is Art. 6 (1) lit. f) GDPR. Here, too, our interest is in the effective implementation of "online meetings". In these cases, our interest is in the effective implementation of online meetings.

"Zoom" is a service hosted by an US-based provider. We have concluded an order processing agreement with the provider of "Zoom" that meets the requirements of Art. 28 (3) GDPR.

As we cannot exclude the possibility that parts of the data processed in “Zoom” meetings will be transferred to the US, an adequate level of data protection is guaranteed by the conclusion of the so-called EU standard contractual clauses. As an additional safeguard, we have also configured “Zoom” in a way that only data centers in the EU, the EEA or secure third countries are used to conduct online meetings.

1.1.7 Webinars with GoToWebinar and similar solutions

Grünenthal uses the services of LogMeIn Ireland Unlimited Company, The Reflector 10 Hanover Quay, Dublin 2, D02R73, Ireland (“LogMeIn”) to facilitate webinar sessions via the tools “GoToWebinar” or “GoToMeeting” in which our customers and business partners can voluntarily participate.

With regards to visiting LogMeIn´s internet presence, the provider responsible for any processing of personal data related thereto, e.g. when you download the GoToWebinar app. Please refer to LogMeIn´s privacy statement which can be found under this link: LogMeIn International Privacy Policy.

The scope of the data that we process when you participate in a webinar session with us depends on the functionalities you will use and what kind of data you will provide to us in the webinar. Usually, the following categories of personal data will be processed by Grünenthal:

User details: first name, last name, telephone (optional), e-mail address, password (if "single sign-on" is not used), profile picture (optional), department, entity or occupation (optional).

Meeting data: Topic, description (optional), attendee IP addresses, device/hardware information.

If you participate via telephone, the following data will be processed to make this possible: information about the incoming and outgoing call number, country name, start and end time.

Content data: If you make use of the chat or survey functions, the text entries you make are processed in order to display them and, if necessary, to log them. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device will be processed accordingly for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time via the LogMeIn applications.

If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will generally not be the case.

We may also process questions asked by webinar participants for purposes of recording and following up on webinars. If you are registered as a user with LogMeIn, the reports of online meetings (meeting metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars) may be stored at LogMeIn for up to one month.

The legal basis for the processing of your personal data as outlined above is Art. 6 (1) lit. b) GDPR, insofar as the webinars are conducted in the context of contractual relationships, e.g. if you are an HCP in a contractual relationship with us or have registered for a conference to which the webinar is an integral part.

Should no contractual relationship exist, the legal basis is Art. 6 (1) lit. f) GDPR. In these cases our interest lies in the effective conduct of online sessions and conferences.

We have concluded an order processing agreement with LogMeIn that meets the requirements of Art. 28 (3) GDPR. Processing of your data will usually take place in the European Union but we cannot ensure that some data might be transferred to LogMeIn´s affiliated companies in the United States and the United Kingdom.

In order to guarantee an adequate level of data protection, we have concluded the so-called EU standard contractual clauses with LogMeIn. In addition, LogMeIn provides technical and organizational measures to protect your data when transferred to countries outside the EU. You can find a description of these measures on LogMeIn´s website under this link: https://logmeincdn.azureedge.net/legal/Schrems-II-FAQ.pdf.

1.1.8 Webinars with Meetyoo and similar solutions

Grünenthal uses the services of Meetyoo conferencing GmbH, Friedrichstraße 200, 10117 Berlin, Federal Republic of Germany (“Meetyoo”) to facilitate webinar sessions in which our customers and business partners can voluntarily participate.

With regards to visiting Meetyoo´s internet presence, the provider responsible for any processing of personal data related thereto, e.g. when you download the Meetyoo app. Please refer to Meetyoo´s privacy statement which can be found under this link: https://meetyoo.com/en/data-security/.

The scope of the data that we process when you participate in a webinar session with us depends on the functionalities you will use and what kind of data you will provide to us in the webinar. Usually, the following categories of personal data will be processed by Grünenthal:

• User details: first name, last name, e-mail address, password (if "single sign-on" is not used), speciality, country (only optional)
• Preferences: whether you want us to send educational and/or promotional content or reach out to you by digital means.
• Meeting data: Topic, description (optional), attendee IP addresses, device/hardware information.
• In case of recordings (only optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of online meeting chat.
• If you participate via telephone, the following data will be processed to make this possible: information about the incoming and outgoing call number, country name, start and end time.
• Content data: If you make use of the chat or survey functions, the text entries you make are processed in order to display them and, if necessary, to log them. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device will be processed accordingly for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time via the Meetyoo applications.

If we want to record webinars, we will transparently inform you in advance and - if necessary - ask for your consent. The fact of the recording will also be displayed to you in the app.

If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will generally not be the case.

We may also process questions asked by webinar participants for purposes of recording and following up on webinars. If you are registered as a user with Meetyoo, the reports of online meetings (meeting metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars) may be stored at Meetyoo for up to 12 months.

The legal basis for the processing of your personal data as outlined above is Art. 6 (1) lit. b) GDPR, insofar as the webinars are conducted in the context of contractual relationships, e.g. if you are an HCP in a contractual relationship with us or have registered for a conference to which the webinar is an integral part.

Should no contractual relationship exist, the legal basis is Art. 6 (1) lit. f) GDPR. In these cases our interest lies in the effective conduct of online sessions and conferences.

We have concluded an order processing agreement with Meetyoo that meets the requirements of Art. 28 (3) GDPR. Processing of your data will usually take place in the European Union but we cannot ensure that some data might be transferred to Meetyoo´s service providers in third countries outside the EU/EEA, such as the United States.

In order to guarantee an adequate level of data protection, we have ensured contractually that Meetyoo´s concludes the so-called EU standard contractual clauses with these service providers. In addition, Meetyoo provides technical and organizational measures to protect your data when transferred to countries outside the EU.

1.1.9 Pharmacovigilance (Drug Safety)

If you report any potential adverse events regarding our pharmaceutical products to us, we process your personal data and the personal data of the affected patients in order to investigate the event and to comply with local legislation.

The data we process about the reporter includes their name, profession and contact data, as well as the circumstances of the event itself. The reason that we process contact data is to be able to investigate events and follow-up with the reporters in order to gain additional information if needed. If you do not wish your contact data to be processed, please inform the Grünenthal employee handling your request.

Regarding patients experiencing adverse events, we collect their name or initials, age, gender, details of the Grünenthal products that were applied, as well as other information about the circumstances of the event.

We may be required to share these data with health authorities, licensing partners and other entities of the Grünenthal group. We will not share any personal data that is not necessary for investigating the event with any of these third parties. When possible, we will apply techniques, such as pseudonymization or encryption, to render the personal data unintelligible to any person who does not need to access, or is not authorised to access, the personal data for the purposes described above. We also share your personal data with third parties that help us handle and investigate each case (e. g. our own service providers). We use Grunenthal proprietary and standard industry solutions to process your data in a safe environment. We ensure that all our service providers process personal data securely, both contractually and factually. Some of the data recipients are located in countries outside the European Union, where there is a lower level of data protection. This is justified by Art. 49 (1) lit. d) GDPR. In such cases, Grünenthal will ensure that a sufficient level of protection is provided for your data, e.g. by concluding specific agreements with these contractual partners. Grünenthal will apply the EU-Standard-Contractual Clauses to such transfers wherever feasible.

Reports about adverse events are stored in our systems at least 10 years after the respective product has been withdrawn from the market.

2. Information regarding your rights

You have the following rights according to applicable data privacy laws:

• right of information about your personal data stored by us;
• right to request the correction, deletion (provided that we are not legally obliged to keep the data) or restricted processing of your personal data;
• right to object to a processing for reasons of our own legitimate interest, public interest or profiling, unless we are able to prove that compelling, warranted reasons overruling your interests, rights and freedom exist, or that such processing is done for purposes of the assertion, exercise or defense of legal claims;
• right to data portability;
• right to file a complaint with a data protection authority.
• right to revoke your consent to the collection, processing and use of your personal data at any time with future effect. For further information please refer to the chapters above describing the processing of data based on your consent.

3. Contact

Do you have any questions regarding our data privacy or do you wish to exercise your rights? Then please let us know! You can either use our contact form or get in touch with our company data protection team at the following address: dataprivacy.de@grunenthal.com

In addition, if you are a healthcare professional, you might want to check our privacy for healthcare professionals available in this link https://www.grunenthal.com/en/footer-links/privacy-statement-hcp

Requests and complaints

If, as the data subject, you have any questions regarding our data privacy or if you do not agree with the way in which Grünenthal or persons at Grünenthal process your data you can get in touch with Grünenthal’s Global Data Protection officer by using the following email address: datenschutz.grunenthal@two-towers.eu

Data Protection Supervisory Authority

You may address questions and complaints also to the Data Protection Supervisory Authority in charge:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf
Telefon: 0211/38424-0
Fax: 0211/38424-10
E-Mail: poststelle@ldi.nrw.de

4. Amendment of Privacy Statement

We may update our Data Privacy Statement from time to time and we will publish these updates on our website. They become effective upon publication. So we recommend you regularly visit the site to keep yourself informed on possible amendments.

This Data Privacy Statement was last updated on 1st August 2019.