Kirsch BioPharm

Privacy policy

We are strongly committed to protecting your privacy when you use our website. Therefore, we inform you below about the collection of anonymous and personal data.

1. Provider / Controller in the sense of Data Protection

This website is a service offered by the company

Kirsch BioPharm GmbH
Langer Acker 36
30900 Wedemark
Germany

Phone: +49 5130 58 537-0
Email: biopharm@kirschpharma.de

represented by the managing director Heinz-Jürgen Kirsch, registered with the commercial register of the Local Court of Hanover under HRB 213195. VAT ID no.: DE 304 273 893.

2. Data Protection Officer

Jens-Olaf Knapp
Kirsch Pharma GmbH
Erzwäsche 2
38229 Salzgitter
Germany

Phone: +49 5341 8797 1
Email: privacy@kirschpharma.de

3. Competent supervisory authority

Landesbeauftragte für den Datenschutz Niedersachsen
[State Commissioner for Data Protection of Lower Saxony]
Prinzenstr. 5
30159 Hanover
Germany

Phone: +49 511 120 450 0
Fax: +49 511 120 459 9
Email: poststelle@lfd.niedersachsen.de

4. General information

We store and process your personal data (e.g. title, name, address, email address, phone number, bank details) by observing the applicable statutory data protection provisions, especially the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and on repealing Directive 95/46/EC (General Data Protection Regulation – GDPR), the German Federal Data Protection Act (BDSG), and other data-related legislation [e.g. the German Telemedia Act (TMG)].
The GDPR and other regulations prescribe that the processing and use of data is only permissible if it is explicitly permitted by the GDPR or another regulation or if the data subject has given their consent (ban with permit reservation). According to these legal bases, the processing and use of data is, in particular, only permissible if

a) the data subject has given their consent to the processing of personal data relating to them for one or several specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

In accordance with the above, we only use and process your personal data to the extent permitted for the performance of a contract or if you have given your informed consent.

As a principle, we do not disclose your personal data, including your address and email address, to any third parties. An exception to this are our service partners to whom we need to transfer data to enable them to perform the contract relationship or if we have explicitly stated that we do so. In these cases, however, the scope of the data transferred will always be restricted to the required minimum.

5. Anonymous data collection

As a general rule, you can visit our website without providing us with information about your identity. We will only be informed about the name of your internet service provider, the website from which you visit our website and the pages of our website that you visit. Such information is evaluated for statistical purposes only. As an individual user, you will always remain anonymous in this process; such data will under no circumstances be associated with your personal data, unless you have given your explicit consent or one of the following cases applies.

6. Collection of personal data when you visit our website and use our services in general

As a rule, we will only collect personal data if you provide these voluntarily and on your own initiative. This might be the case, for example, if you place a purchase order, for the performance of a contract, when you take part in a survey or when you register for services that require a registration using personal data (for example for purchase orders, special promotions, sending of newsletters or similar). In such cases, we will, as a matter of principle, only collect the data we are authorised to collect by law and which are absolutely required for providing the service requested by you (e.g. in case of placing orders, this would usually include your name, your address, your phone number, and your email address; in case of subscribing to the newsletter only your email address). Whenever we collect personal data from you (e.g. via a contact or order form), you will only be required to enter the necessary data. The relevant mandatory data fields will be identified with an “asterisk”. Any additional data you provide are voluntary and you are under no obligation to provide this information. If you still choose to enter this information, this entry will be deemed as your consent that we may also store and process these data about your person for the respective purpose; in some instances, we will also request your explicit consent for data protection-related purposes that require explicit consent. You may naturally give this consent voluntarily; it will not be connected to any other conditions, and you may withdraw it at any time with effect for the future.

In order to afford your data the highest security possible, these will be transferred using SSL / TLS encryption. This is to prevent any misuse of the data by third parties. We will only store and process your data on servers located within the European Union. Data will, as a matter of principle, not be transferred to non-EU countries, unless we are authorised and/or obliged to do so based on a legal provision or if you have given your explicit consent prior to such transfer. These cases will, however, be clearly identified.

7. Data processing for the performance of a contract

(7.1) Purpose of processing
You will provide us with your personal data for example in the context of our order process. Any mandatory information that is identified by an “asterisk” in this context will be personal data that are required for concluding a contract with us. Naturally, you are not obliged to provide your personal data. However, we will not be able to provide the service you requested (e.g. performance of a contract), unless you disclose the required data (e.g. your address if you place a purchase order). For some payment options, we need the necessary payment information in order to transmit these to a payment service provider engaged by us. This means that any of your data that you enter during the ordering process will always be processed for the purpose of contract performance.

(7.2) Legal basis
Art. 6(1) point (b) of the GDPR is the legal basis for this form of processing.

(7.3) Categories of recipients
Payment service providers, shipping service providers, where applicable, goods management system, where applicable, suppliers (dropshipping).

(7.4) Storage period
We will store the data required for contract handling until expiry of the statutory warranty periods and, where applicable, contractual guarantee periods.
We will store data required pursuant to commercial and tax legislation for the periods stipulated by law, usually ten years (cf. section 257 of the German Commercial Code (HGB), section 147 of the German Revenue Code (AO)).
We erase any email addresses that are provided to us solely for the sending of newsletters immediately after you unsubscribe from the newsletter.

8. Consent under data protection law

When you send your inquiry by using our contact form, you give your consent that your personal data, namely

  • first name and name
  • email address
  • telephone number

will be collected by us, stored and processed on our systems for the following purposes:

  • answering your inquiry;
  • taking steps (prior) to entering into a contract, if appropriate.

The legal basis for this processing is Art. 6(1) point (a) of the GDPR; if steps are taken (prior) to entering a contract, the legal basis for the processing is Art. 6(1) point (b) of the GDPR. Your inquiries will be stored until they are no longer necessary for the purpose for which they were collected and will subsequently be erased, unless we are obliged to store them for longer periods pursuant to Art. 6(1), sentence 1, point (c) of the GDPR due to tax-related and commercial archiving and documentation obligations (under the German Commercial Code, German Criminal Code (StGB) or the Revenue Code) or you have given your consent to longer storage periods pursuant to Art. 6(1), sentence 1, point (a) of the GDPR.

9. Use of Cookies

Cookies are small text files that will be placed on your computer. Most of the cookies will be erased from your hard drive at the end of your browser session (so-called session cookies). Other cookies will remain on your computer and allow us to recognise your computer again upon your next visit (so-called permanent cookies). We do not use such cookies.

10. Withdrawal of your consent

If you have given us your consent under data protection laws to use your data for certain purposes and/or services, you can naturally withdraw it with effect for the future at any time. To do so, it suffices to send an informal notification to the following address:

Kirsch BioPharm GmbH
Langer Acker 36
30900 Wedemark
Germany

11. Your rights as data subject

As data subject, you are entitled to various rights concerning your personal data. We as data controller have taken appropriate measures to provide you with any information referred to in Articles 13 and 14 of the GDPR and any communication under Articles 15 to 22 and 34 of the GDPR relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language; in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by you, the information may be provided orally, provided that your identity as data subject is proven by other means.

You naturally always have the right, inter alia, to demand access to information, in writing or in electronic form, on your personal data stored by us and their origin, the recipient(s) to whom the data are disclosed, and the purpose of storage. Additionally, you have the right to demand inaccurate data to be rectified and, where statutory conditions are met, your data to be erased or blocked. To do so, it suffices to send us an informal notification to the following address:

Kirsch BioPharm GmbH
Langer Acker 36
30900 Wedemark
Germany

Phone: +49 5130 58 537-0
Email: biopharm@kirschpharma.de

In detail, you have the following rights:

(11.1) Right of confirmation and access
You can request a confirmation from us as to whether we process personal data concerning you.
If we do process data concerning you, you may demand access to information concerning the following:

a.) the purposes of the processing of such personal data;
b.) the categories of personal data concerned;
c.) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
d.) the envisaged period for which the personal data relating to you will be stored, or, if not possible, the criteria used to determine that period;
e.) the existence of the right to request rectification or erasure of personal data concerning your person, a right of restriction of processing by us or the right to object to such processing;
f.) the right to lodge a complaint with a supervisory authority;
g.) where the personal data are not collected from the data subject, any available information as to their source;
h.) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Furthermore, you have the right to obtain access to information as to whether the personal data concerning you is transferred to a non-EU country or to an international organisation. In this context, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 of the GDPR relating to the transfer.

(11.2) Right to rectification
You have the right to obtain rectification and/or completion from us if the processed personal data relating to you are inaccurate or incomplete. Naturally, we are obliged to make such rectification immediately.

(11.3) Right to the restriction of processing
You have the right to obtain restriction of processing of the personal data concerning you where one of the following applies:

a.) you contest the accuracy of the personal data relating to you, for a period enabling us to verify the accuracy of the personal data;
b.) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
c.) we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims; or
d.) you have objected to processing pursuant to Article 21(1) of the GDPR, pending the verification whether our legitimate grounds override yours.

Where processing of the personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed by us or third parties authorised by us with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Where a restriction of processing has been obtained pursuant to the aforementioned conditions, we will inform you before the restriction of processing is lifted.

(11.4) Right to erasure
a.) Erasure obligation
You have the right to obtain from us the erasure of your personal data without undue delay and we shall have the obligation to erase such data without undue delay where one of the following grounds applies:

aa.) your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
bb.) you withdraw your consent on which processing is based acc. to point (a) of Article 6(1) or point (a) of Art. 9(2) of the GDPR, and where there is no other legal ground for the processing;
cc.) you object to processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR;
dd.) your personal data have been unlawfully processed;
ee.) your personal data have to be erased for compliance with a legal obligation in Union or Member state law to which we are subject;
ff.) your personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

b.) Information to third parties
If we have made your personal data public and are obliged pursuant to Article 17(1) of the GDPR to erase the personal data, we, taking account of available technology and the costs of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c.) Exemptions
The right to erasure does not apply to the extent that processing is necessary
aa.) for exercising the right of freedom of expression and information;
bb.) for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
cc.) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Art. 9(3) of the GDPR;
dd.) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89(1) of the GDPR in so far as the right referred to in paragraph (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
ee.) for the establishment, exercising or defence of legal claims.

(11.5) Right to be informed
If you have exercised the right to rectification, erasure or restriction of processing toward us, we are obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom your personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to request information on those recipients from us.

(11.6) Right to data portability
You have the right to receive the personal data concerning you that you have provided us in a structured, commonly used, and machine-readable format. Furthermore, you have the right to transmit those data to another controller without hindrance, provided that

a.) the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR; and
b.) the processing is carried out by automated means.

In exercising such right, you further have the right to have the personal data concerning you transmitted by us directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.
The right to data portability does not apply to any processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

(11.7) Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions.

We shall then no longer process your personal data, unless we are able to demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

If we process your personal data for direct marketing purposes, you have the right to object, at any time, to processing of your personal data for such marketing, which includes profiling to the extent that it is connected with such direct marketing.
Where you object to processing for direct marketing purposes, we will no longer process your personal data for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

(11.8) Right to withdraw consent under data protection laws
You have the right to withdraw your consent under data protection laws at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

(11.9) Automated individual decision-making including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

a.) is necessary for entering into, or performance of, a contract between you and us;
b.) is authorised by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
c.) is based on your explicit consent.

Nevertheless, such decisions shall not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless point (a) or (g) of Art. 9(2) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

As regards the cases set out in a.) and c.), we will take appropriate measures in order to safeguard the rights and freedoms as well as your legitimate interests.

(11.10) Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 of the GDPR.

12. Further information

If you have further questions or suggestions regarding “data protection” in our company or if you would like to request access to information concerning your data or their rectification or erasure, please send an email or letter to:

Kirsch BioPharm GmbH
Langer Acker 36
30900 Wedemark
Germany
