PRIVACY NOTICE FOR BUSINESS CUSTOMERS
 

In this privacy notice, we wish to inform you about the nature, scope and purpose of the personal data we process.

The controller within the meaning of Art. 4(7) GDPR is Melisana AG, Grüngasse 19, 8004 Zurich (hereinafter: "we" or "us").

I. PURPOSES AND LEGAL BASES OF THE PROCESSING

1. Processing of your contact data

We process your contact data (e.g. last name, first name, academic title, specialisation/professional qualification, address, telephone numbers, email addresses, operating licences and GLN number (Refdata)). We collect some of this data ourselves from you or from sources in the public domain, and we receive some of it from our service providers.

We process the above data insofar as necessary to conclude and fulfil our contracts with you.

The legal basis for this is Art. 6(1)(1)(b) GDPR (if you are our contractual partner) or Art. 6(1)(1)(f) GDPR (if you are a contact person at the company that is our contractual partner). In the latter case, our legitimate interest is communication with you in connection with concluding and performing the contract.

We also process the above data to pursue the following legitimate interests: maintaining our business relationship with you, and for the purposes of scientific information, marketing and market research.

The legal basis for this is Art. 6(1)(1)(f) GDPR or Art. 6(1)(1)(a) GDPR (if you have given us your consent to the processing).

In addition, we process your contact data to comply with relevant legal obligations (see I.4. below).

 

2. Processing in the context of field sales visits, and surveys by service providers appointed by us

Following a visit by our sales force or one of our external service providers, we process the date and content (e.g. order, POS and location-related data) of the visits made, along with preferred visit times and medicinal product sample requests and dispensing.

We process the above data to pursue the following legitimate interests: maintaining our business relationship with you, managing our sales force, adapting our sales force visits to your needs, evaluating the quality of visits, improving the presentation and design of our products, and for information and marketing purposes.

The legal basis for this is Art. 6(1)(1)(f) GDPR.

If you have given us your consent to do so, we also process your personal data to contact you by email, fax, telephone or video call and to send you information, newsletters and offers from Melisana that are tailored to your specific interests.

The subject matter of the information and offers includes, in particular, information and news about the company, product information, reports on new study results, appointments/visit notifications by our sales force for online, telephone and in-person sales appointments, online forms for sample and material requests, information on media placements, training courses, invitations to and/or information on events, conferences, lectures, trade fair visits, online seminars and invitations to take part in short surveys/market research surveys.

Your data will be stored until you cancel your newsletter subscription. We will also analyse this data (e.g. by pixel tracking) in order to see, for example, which newsletter you open or which link you click on, and to link this to stored data and information, e.g. about your interests and preferences.

Users who do not want their data to be processed in this way should unsubscribe from the newsletter. You will find an unsubscribe link in every newsletter email. You can also contact us at the address given below.

The legal basis for this is Art. 6(1)(1)(a) GDPR.

 

3. Processing in the context of competitions

We process the personal data you provide in the context of competitions (e.g. name, address, answers to competition questions) exclusively for the purpose of running the competition and distributing the prizes.

The legal basis for this is Art. 6(1)(1)(b) GDPR.

You are not obliged to provide us with your personal data as part of a competition. However, without these details, you may not be able to enter the competition, or we may not be able to send you the prize.

 

4. Processing for compliance with a legal obligation

Where required, we process your personal data to comply with our legal obligations.

In particular, we process the date, number and type of medicinal product samples we provide you with, along with the date and content of important information we send to you about the safety of medicinal products. In addition, we process your name and contact details if you notify us of possible adverse reactions or quality defects concerning our products.

We process the above data to comply with our legal obligations under the relevant statutory provisions.

The legal basis for this in each case is the Data Protection Ordinance Art. 98, Swiss Therapeutic Products Act (TPA) Art. 62 (data confidentiality); Swiss Medicinal Products Licensing Ordinance (MPLO) Art. 66 (processing of personal data); sample dispensing: Swiss Ordinance on Advertising of Medicinal Products (OMPA) Art. 10; ADR and incident reporting: TPA Art. 59 and OMPA Art. 63.

The legal basis in each case is the Data Protection Ordinance Art. 98 and the applicable legal standards.

 

5. Processing for credit checks and data transmission to credit agencies

In individual cases, we also process the data you provide (name, address, date of birth and, if applicable, gender) about the application, implementation and termination of our business relationship with you for the purpose of handling queries and carrying out credit checks based on mathematical/statistical procedures at credit agencies in order to check your creditworthiness before concluding a contractual relationship, and, if necessary, transmit data about breaches of contract or fraudulent behaviour during the contractual relationship to a credit agency. Data exchange with a credit agency is also used to verify identity. We can use the match rates returned by the credit agency to establish whether a person is stored in their database as being at the address provided by the customer.

The legal basis for this is Art. 6(1)(1)(f) GDPR, where necessary for the protection of our legitimate interests or those of third parties and as long as this does not override the protection of your interests or fundamental rights and freedoms as a data subject. The legitimate interest here is to protect us from payment defaults and to enable the credit agency to inform third parties about negative payment experiences, which protects us from losses.
 

II. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF YOUR DATA

At our company, only those employees who need your personal data to fulfil our contractual and legal obligations will have access to it. Your data will only be passed on to external parties if this is permitted or required by law or if you have given your consent.

The categories of external recipients of your data are listed below:

  • Affiliated companies within our group of companies, where they act as service providers for us and provide e.g. IT services so that we can provide our services, or if they require the data in order to fulfil our contractual and legal obligations, or based on our legitimate interests. These may be commercial, administrative or other internal business purposes, but only apply if they do not override your interests or fundamental rights and freedoms as a data subject.
  • Private entities outside the group of companies, such as, in particular:
    • Payment service providers and banks to collect outstanding payments from accounts or pay out refunds
    • Agencies (e.g. online and offline), printers and lettershops that help us implement promotional activities (e.g. competitions, promotions, sending invitations and letters, etc.).
    • IT service providers that store data and assist with systems administration and maintenance, plus file archiving and shredding companies.
    • Logistics service providers to deliver goods etc.
    • Credit agencies when retrieving a credit report
    • Debt collection agencies and legal advisors
    • Service providers that record adverse reaction reports
    • Licence partners
    • Market research companies
  • Public bodies and institutions, where we are legally required to do so. For example, our legal obligations include notifying the competent state authorities to which the Klosterfrau Group companies are accountable about any reported quality defects in our products (e.g. complaints and counterfeits). Under our legal reporting obligations to the relevant competent authorities, we report the data we collect about you in the context of non-interventional or observational studies (see I.4. above).

 

III. TRANSFER TO THIRD COUNTRIES

Data are only transferred to countries outside the EU or the European Economic Area (EEA) ("third countries") if this is necessary in order to manage our contractual relationships, or is permitted or required by law (e.g. reporting obligations under tax law), or if you have given us your consent, or as part of order processing. When we use service providers in third countries, they are required to comply with the level of data protection in Europe by agreeing to the EU Standard Contractual Clauses. Alternatively, we transfer the data based on an adequacy decision by the European Commission. Further information can be obtained from our data protection officer.

 

IV. HOW LONG WE STORE YOUR PERSONAL DATA

We only process your personal data for as long as necessary to fulfil the purposes listed in section I. We then delete it unless we are required to store it for a longer period.

For product safety reasons we are required to store data concerning safety-related events for up to ten years after the product marketing authorisation ends. This is for testing purposes due to legal requirements, depending on the status of the product as a medicinal product, medical device, cosmetic or foodstuff.

In addition, we are subject to various retention and documentation obligations, in particular under the Swiss Code of Obligations (Obligationenrecht, OR). The retention and documentation periods stipulated in the OR are up to ten years beyond the end of the business relationship or the pre-contractual legal relationship.

Furthermore, special statutory provisions may require a longer retention period, e.g. the preservation of evidence under statutory limitation periods.

 

V. NO AUTOMATED INDIVIDUAL DECISION-MAKING (INCLUDING PROFILING)

We do not use any procedures for purely automated decision-making in individual cases (including profiling) as provided for in Art. 22 GDPR. If we do use such a procedure in individual cases in the future, we will inform you of this separately.

 

VI. YOUR DATA PROTECTION RIGHTS

Under certain conditions, you can exercise your data protection rights with us:

  • Right of access
    You have the right to request confirmation from us at any time as to whether we are processing personal data concerning you. If this is the case, you have the right to access information about this personal data and certain other information (including processing purposes, categories of personal data, categories of recipients, planned storage period, your rights, the source of the data, the use of automated decision-making and, in the case of transfer to a third country, the appropriate guarantees).
  • Right to rectification
    You have the right to demand that we rectify the personal data stored about you if it is inaccurate or incorrect.
  • Right to erasure
    Under certain conditions, you have the right to demand that we erase personal data concerning you without undue delay. In certain cases, the right to erasure does not apply: for example, if the processing of personal data is necessary (i) to exercise the right of freedom of expression and information, (ii) to comply with a legal obligation to which we are subject (e.g. statutory retention obligations) or (iii) to establish, exercise or defend legal claims.
  • Right to restriction of processing
    You have the right to demand that we restrict the processing of your personal data.
  • Right to data portability
    Under certain conditions, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format.
  • Right of withdrawal
    You have the right to withdraw your consent to the processing of personal data at any time with effect for the future.

Information about your right to object under Art. 21 GDPR

1. You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data based on Art. 6(1)(1)(f) GDPR (data processing based on a balancing of interests). This also applies to profiling based on this provision within the meaning of Art. 4(4) GDPR.

If you object, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

2. We also process your personal data in individual cases for direct marketing purposes. If you do not wish to receive any marketing, you have the right to object to this at any time; this also applies to profiling, where it is related to such direct marketing. We will honour this objection for the future.

We will no longer process your data for direct marketing purposes if you object to processing for these purposes.

You can address enquiries regarding the exercise of your aforementioned data protection rights to us either using the contact details of the controller as provided above, or by email to info@melisana.ch, or by contacting our external data protection officer using the following contact details:

Mr Alexander Bugl, Bugl & Kollegen Gesellschaft für Datenschutz und Informationssicherheit mbH, Eifelstraße 55, 93057 Regensburg, Germany, Tel. +49 941-630 49 789, email: Datenschutz.buglundkollegen@klosterfrau.de.

You also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Last updated: September 2023