Data Protection Policy

Adjust your cookie preferences

To Indivumed, the protection of your privacy and your personal data is highly important. We observe all relevant statutory regulations when processing your personal data. We also pay close attention to the data protection aspects of our Internet activities.

To make you feel comfortable during the performance of any services or when visiting our website, we hereby inform you about our collection and use of data below.

By using our information and services, you consent that Indivumed GmbH, Falkenried 88, Bldg. D, 20251 Hamburg, Germany (hereinafter “Indivumed” or “we”/“us”) may collect, process, and use your personal data in accordance with the respective legal regulations and the terms and conditions set forth hereinafter.

Insofar as in the following reference is made to the EU-GDPR, this refers to The Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

1. General remarks

Our data protection practice conforms with the applicable data protection regulation and other relevant legal requirements.

For the best protection of your data against manipulation, loss, deletion, or unauthorized access by others, we employ technical and organizational security measures which are continuously updated to conform to respective technical and legal requirements.

Personal data

Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This Data Protection Policy applies to the processing of the data belonging to the visitors of this website, as well as Indivumed’s business partners such as customers, service providers, or other collaboration partners (hereinafter “third parties”), for the purpose of performing our services and other related legitimate purposes.

Indivumed may perform its services within the framework of group contracts or through various corporate units and therefore acts within the Indivumed group towards the third parties in legal transactions, for the purpose of performance of the contract, to which you are a party, and other related legitimate purposes.

Special notice regarding Indivumed Services GmbH

This notice applies to any third parties who engaged with Indivumed GmbH prior to 20.03.2023.

As you are aware, on 20.03.2023, former Indivumed GmbH business unit “IndivuServ” demerged from Indivumed GmbH to the newly formed Indivumed Services GmbH. All contracts in place between you and Indivumed GmbH on 20.03.2023 which are attributable to said business unit will continue in full force and effect and with all contractually agreed rights and obligations thereunder between you and Indivumed Services GmbH. Along with these rights and obligations, your personal data processed in connection with the contracts have devolved to Indivumed Services GmbH and will be further processed by Indivumed Services GmbH as a controller.

Indivumed Services GmbH effectively continues the business of the former “IndivuServ” business unit and processes personal data for the same purposes for which the personal data were collected by Indivumed GmbH, relying on the existing lawful basis, as described below (Art. 6 Sec. 1 lit. b), c), f) EU-GDPR). Therefore, the purpose of personal data processing by Indivumed Services GmbH, as well as your related rights, remain unchanged.

Nevertheless, Indivumed GmbH continues to process certain personal data, in the aspects such as legal and financial matters, technical support etc., based on a Transfer Service Agreement set in place between Indivumed GmbH and Indivumed Services GmbH and, if applicable, other appropriate data protection agreements between Indivumed Services GmbH and Indivumed GmbH.

For further information about Indivumed Services GmbH, please visit the website of Indivumed Service GmbH.

2. Collection, processing, and transfer of third parties’ personal data

Purpose, legal basis, and duration of processing

The purpose of our company is to perform our own and to support third-party research and development activities in the field of biomedicine and any services related thereto. All collection, processing, and use of data pertains to the implementation of this purpose.

We generally collect your personal data to provide the offers and services requested by you. This also applies when you contact us, e.g. via contact form, e-mail, telephone, or via social media.

If your personal data is collected and processed in connection with our services, including a request for a quotation or the performance of any contract (e.g. purchase or work order), we use your data (such as your company e-mail address, the company you work for, position, the salutation chosen by you, your name, your telephone number, your fax number, your address, your payment data, and your purchase history) within the scope of the contractual purpose to provide the respective products and/or services, and any additional services that may be necessary for such performance.

In such a case, we process your personal data for the performance of your contract(s) with Indivumed, or in order to take steps at your request prior to entering into a contract (Art. 6 Sec. 1 lit. b EU-GDPR), and as far as necessary for compliance with legal obligations to which Indivumed is subject (in accordance with Art. 6 Sec. 1 lit. c EU-GDPR).

Provision of these data is a necessary requirement for entering into a contract, which otherwise cannot be entered into.

In addition, your e-mail address, obtained from you in course of performance of services, might be used for the purposes of improving customer support, optimizing our offers, and providing you with information about our services by e-mail, based on the legitimate interest in maintaining our business relationship (Art. 6 Sec. 1 lit. f EU-GDPR), as far as you have not objected to the processing of your data for such purpose and in accordance with the applicable law. You may always object to such use of your data by following the link provided in each such e-mail or by sending an informal e-mail to the sender e-mail address. If you participate in one of our customer surveys, this is done on a purely voluntary basis.

Your personal data will be stored in accordance with the applicable law, as far as necessary in relation to the purposes for which they were collected or otherwise processed, such as the performance of your contract with Indivumed, legitimated interest in maintaining our business relationship, and as far as necessary for compliance with legal obligations to which Indivumed is subject, based on Art. 6 Sec. 1 lit. c EU-GDPR (e.g. accounting or taxation purposes).

When you subscribe to a newsletter, we collect and process your data for gathering and providing the respective content, based on your consent.

As far as permissible under the applicable law, we may also use your personal data, solely for the purpose of asking your consent (Art. 6 Sec. 1 lit. a EU-GDPR), to send you information about our services by e-mail and process your personal data for such purpose.

Your consent in such case is optional and you may decline it without any possible consequences. You may also withdraw your consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

You may always object to such use of your data by following the link provided in each such e-mail or by sending an informal e-mail to the sender email address.

In the event you do not provide your consent or object to the processing of your data, you will no longer receive such information and your data will no longer be processed for this purpose.

Upon your consent your data will be stored in accordance with the applicable law and processed exclusively for the purposes for which they were collected, as long as you do not withdraw your consent.

If you withdraw your consent or object to the data processing, your data will no longer be processed for the respective purposes and will be erased in accordance with our internal policies. Should it not be possible to erase your data entirely, (e.g. due to compliance reasons), processing of your personal data will be restricted to necessary purposes, such as maintaining the so-called Blacklist in order to comply with your request not to receive information about our services or for compliance with the mandatory retention period.

Transfer and recipients of personal data

We only transfer personal data as far as permissible and necessary for the performance of the contract to which you are a party, and other legitimate reasons. Personal data will only be collected and transferred to governmental institutions and authorities based on mandatory legal requirements. We particularly do not sell personal data, such as addresses, to third parties.

For purpose of performance of our services, we may transfer your personal data to our service providers, such as third-party suppliers entrusted with procurement, logistics, technical, or any other support in services performance, insurers or banks entrusted with the execution of payment, as well as for internal administrative purposes to our subsidiaries, affiliates, spin-off companies, and other entities collaborating with Indivumed, including Indivumed Services GmbH, (e.g., for procurement and logistics services), in each case as necessary and in accordance with applicable law.

Regarding the use of online services, personal data may be transferred to our online system service providers, namely operators of hosting services, Internet booking engines, web analysis services, global distribution services, and marketing services. These system service providers help us to continuously improve our offers and services addressed to you. Any use of your personal data by third parties based on your consent will strictly be performed as commissioned data processing in keeping with all applicable laws.

As far as we transfer data to our service providers and/or affiliated entities as described above, they are contractually bound to data protection agreements in addition to mandatory laws.

Your personal data may be transferred to our service providers outside of European Union/European Economic Area to the countries for which the European Commission has not determined an adequate level of data protection. Any such transfer occurs solely based on Standard Contractual Clauses, the copy of which may be obtained from the Controller or the Data Protection Officer.

3. Information for website visitors on cookies used by Indivumed and third parties

General remarks

Cookies are small files that are saved to your computer’s “hard drive” by your web browser. They can be deleted by you at any time or not be accepted by your browser if the respective options have been checked. Most browsers accept cookies automatically. There are two types of cookies: 1. session cookies are used by us to facilitate navigation through our website. Session ID cookies expire when you close your browser; 2. permanent cookies stay on your hard drive for a longer period, depending on the duration or “lifetime” of the specific cookie, as well as in your browser settings.

Most Internet browsers are initially set up to automatically accept cookies.

If you do not want our websites to store cookies on your device, you can change your browser settings on each device, by following the instructions provided in your browser’s “help” files. You can adjust your settings so that you receive a warning before certain cookies are stored, so that your browser refuses most of our cookies or only certain cookies from third parties. You can also withdraw your consent to cookies by deleting the cookies that have already been stored by clicking on the Cookie Consent button in the footer of this website or the “Adjust cookie preferences” button at the beginning of this web page.

However, this might disable or impair the use of our website. You may still use our website without accepting any or all cookies; however, functionality and/or comfort may be impaired, e.g., the loading time may be slowed, logins may not be kept, and so-called “pop-unders” may be displayed twice.

Different service providers may themselves place cookies on your hardware via our Internet services (third-party cookies). You can manage these third-party cookies by following the instructions provided in your browser’s “help” files, as further described below.

Purpose, legal basis of processing

Some cookies are essential for proper running and maintaining our website (“Technically necessary” cookies) and used for the purposes of safeguarding system stability and basic website functions, based on Art. 25 Abs. 2 Nr. 2 German TTDSG. These cookies are not subject to your prior consent.

We also use these cookies for managing your consent (User-Hash) for purpose of compliance with legal obligations and accountability (Art. 6 Para. 1 S. 1 lit. c) EU-GDPR).

In addition, Indivumed also uses Statistics Cookies, which are technically not necessary, but allow us to improve our content for you by saving and analyzing user data, based exclusively on your consent (Art. 6 Sec. 1 lit. a) EU-GDPR). By consenting to Statistics Cookies, you agree that we may process your data for the specified purposes and pass it on to the certain data recipients such as Google Analytics and LinkedIn (for further information please see below).

If you consent to these cookies, they will help us analyze your use of our Website. The information collected in connection with your use of our Website (please see under Web Analytics Services) will be evaluated for statistical purposes with the aim of optimizing our website and our services, improving your activities and experience on our website and not used to draw any conclusions about your personal identity. Your usage data will not be connected to your full IP address during this process.

You can withdraw your consent by clicking on the Cookie Consent button in the footer of this website or the “Adjust cookie preferences” button at the beginning of this web page at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

Transfer and recipients of personal data

These data may be transferred to our service providers, such as providers of technical services or marketing agencies, for the purpose of operating, securing, and optimizing our websites and its functionalities. Our service providers are contractually bound to data protection agreements in addition to being subject to mandatory laws.

Your personal data may be transferred to our service providers outside of the European Union/European Economic Area, to the countries for which the European Commission has not determined an adequate level of data protection. Any such transfer occurs solely based on Standard Contractual Clauses, in the currently applicable version issued by the European Commission, according to Art. 46 Sec. 2 lit. c EU-GDPR.

Google, LinkedIn and possibly their affiliated companies or subcontractors may be based outside the EU/EEA in third countries (such as the USA) which do not offer an adequate level of data protection as within EU/EEA. If the data is transferred to the USA, there is a risk that your data may be processed by US authorities for control and monitoring purposes without you possibly being entitled to any legal remedies. However, please note, that for this website, we have supplemented Google Analytics by the code “gat._anonymizelp()” to ensure an anonymized collection of IP addresses (so-called “IP masking”, see below).

Web Analytics Services

This website uses Google Analytics, a web analysis service by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses cookies.

By accepting “Statistics” cookies, certain information about your visit to this website is collected, such as your activity, pages you have visited, newsletter registrations, downloads, user behavior (e.g. clicks, length of stay), unique identifier, your location information with varying degrees of accuracy , your IP address (in abbreviated form), technical information about your browser and the end device, Internet provider, operating system, mobile network information, the referrer URL (via which website you came to this website).For more information please see Google Privacy Policy.

Therefore, we entered into a Data Processing Agreement with Google. The information on your use of this website generated by this cookie will be processed by Google and generally transferred to, and stored on, a Google server in the U.S. and hence might be accessible to U.S. public authorities.

Please note that for this website, we have supplemented Google Analytics by the code “gat._anonymizelp()” to ensure an anonymized collection of IP addresses (so-called “IP masking”). Therefore, your IP address will be truncated by Google prior to the transfer if your computer is located in the European Union or a member state of the European Economic Area. Only in exceptional cases will the IP address be transferred to a Google server in the U.S. and truncated there. As commissioned by the operator of this website, Google will use this information to analyze your use of this website, to aggregate reports on website activities, and to render the website operator for additional services related to website and Internet operations. Through the Data Processing Agreement, it was ensured that Google receives this data as a processor and is therefore not allowed to use this data for its own purpose. The IP address collected by Google Analytics through your browser will not be combined with other data stored by Google.

The storage of such data is set to 14 months, and they are automatically deleted once a month after expiration of the retention period.

Nevertheless, you can control the information collected by Google (for more information see https://policies.google.com/technologies/partner-sites). You can prevent the storage of data through cookies by choosing the respective settings for your browser. You may also prevent the collection of data related to use of the website (including to your IP address) and its transfer to Google by downloading and installing the browser plugin software accessible under the hyperlink https://tools.google.com/dlpage/gaoptout?hl=en.

For further information on Google’s privacy policy, please see https://policies.google.com/privacy?hl=en-DE&fg=1.

LinkedIn and LinkedIn Ads

On our website we are using the conversion tracking technology and the retargeting feature of LinkedIn Corporation, 605 W Maude Ave, Sunnyvale, CA 94085, USA. This technology allows for personalized ads on LinkedIn to be linked to our website.

The technology also provides the ability to generate anonymous reports on ad performance and information on website interaction. For these purposes, the LinkedIn Insight-Tag is embedded in this website, which creates a connection to the LinkedIn server when you visit this website and at the same time are logged in to your LinkedIn account.

The LinkedIn Insight Tag enables the collection of data regarding members’ visits to our website, including the URL, referrer, IP address, device and browser characteristics (User Agent), and timestamp. For more information, please see here. The IP addresses are truncated or (when used for reaching members across devices) hashed, and members’ direct identifiers are removed within seven days in order to make the data pseudonymous. This remaining pseudonymized data is then deleted within 180 days.
LinkedIn does not share the personal data with the website owner, it only provides reports (which do not identify you) about the website audience and ad performance. LinkedIn also provides retargeting for website visitors (up to 90 days after the visit), enabling the website owner to show personalized ads off its website by using this data, but without identifying the member and uses data that does not identify you to improve ad relevance and reach members across devices.

Please see LinkedIn’s privacy policy at https://www.linkedin.com/legal/privacy-policy for more information on data collection and use and the choices and rights you have to protect your privacy. You can control the use of their personal data for advertising purposes at any time.

LinkedIn Members can adjust their settings here. Visitor controls can be found here.

4. Data Protection Statement for Microsoft Teams meetings participants

We hereby inform you about the processing of your personal data in our online meetings using the video conference solution Microsoft Teams.

Purpose and Scope of Processing

We use video conference solution Microsoft Teams to conduct online meetings (“Microsoft Teams meeting/s”).

The scope of the personal data processed depends on information provided by you in course of (before or during) your participation in Microsoft Teams meetings. Generally, following personal data are processed:

User information: e.g., display name, e-mail address, profile picture (optional), telephone number (encrypted in recordings)
Meeting metadata: e.g. date and time of participation, role of participants
Text, audio and video data: You have the option of using the chat function. In this respect, the text you enter will be processed in order to display it in the Microsoft Teams meeting (this is not displayed in recordings). In order to enable the display of video and the playback of audio, the data from the microphone of your end device and from any video camera on the end device will be processed accordingly for the duration of the Microsoft Teams meeting. You can switch off the camera and/or mute the microphone yourself at any time in the Microsoft Teams application.

In general, Microsoft Teams meetings with third parties are not recorded. Should Microsoft Teams meeting be recorded in exceptional cases, this will only take place after you (i.e., the participants) have been informed about it transparently in advance and asked for consent according to Art. 7 EU-GDPR (lawful basis). In addition, the participants will be provided with the following information:

Specific purpose (reason) and lawful basis of recording
The organizer and the recipients of the recording (who manages the recording and to whom the recording will be made available)
Location and duration of storage of the recording
Link to this Data Protection Policy

Lawful Basis

Insofar as Microsoft Teams meetings are held within the context of contractual relationships (with third parties), the legal basis for data processing is Art. 6 par.1 lit. b) EU-GDPR.

If otherwise Microsoft Teams meeting is necessary for the purposes of our legitimate interest in particular case (Art. 6 par. 1 lit. f) EU-GDPR), this will take place unless such interests are overridden by the interests or fundamental rights and freedoms of the data subjects (participants).

The exceptional recording of Microsoft Teams meetings may only take place based on previous and informed consent of the participants, under the above-mentioned conditions.

Storage duration

Any data processed in connection with the participation in Microsoft Teams meeting and its content, will generally be stored as long as there are necessary for the purpose of processing, such as for the fulfillment contractual services or to safeguard legitimate interest.

Your login data will be deleted after 30 days at the latest.

Recipients and transfer of personal data outside of European Union/European Economic Area

Personal data processed in connection with participation in Microsoft Teams meetings are generally not passed on to third parties unless to the extent necessary in accordance with the purpose and lawful basis of such processing, that is, unless this is intended in context of Microsoft Teams meeting or in connection to the content of the Microsoft Teams meetings.

Other than that, the provider of Microsoft Teams necessarily obtains knowledge of the above-mentioned personal data, in the context of data processing for purpose of Microsoft Teams meetings.

Microsoft Teams is part of the Cloud application Office 365 (Microsoft Office 365), a software of:

Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland

Microsoft Corporation
One Microsoft Way Redmond, Washington 98052, United States of America

hereinafter “Microsoft”

Microsoft is headquartered in the United States. Therefore, processing of your personal data also takes place in a third country, i.e., a country outside the European Union/European Economic Area.

In order to guarantee an adequate level of data protection of processing of your personal data, including in case of transfer of personal data outside of European Union/ European Economic Area to a third country such as the USA in this particular case, we have concluded a Data Processing Agreement with Microsoft that meets the requirements of Art. 28 EU-GDPR.

In addition, Microsoft is demonstrably obliged to Indivumed to comply with a data protection level that essentially corresponds to the standards of European Union by Standard Contractual Clauses in the currently applicable version issued by the European Commission, according to Art. 46 Sec. 2 lit. c EU-GDPR,

Please note, however, that the existence of an appropriate data protection standard for providers outside the European Union/ European Economic Area cannot always be guaranteed, regardless of conclusion of EU Standard Contractual Clauses.

The information about processing of personal data by Microsoft Office 365 can be found under Microsoft Privacy Statement and Privacy and Microsoft Teems.

Microsoft reserves the right to process customer data for its own legitimate business purposes. Please note that we have no influence on such data processing operations, in which case Microsoft is an independent controller and as such is responsible for compliance with all applicable data protection regulations. If you need information about Microsoft processing, please consult the Microsoft Privacy Statement.

Note: If you call up the "Microsoft Teams" website, the provider of "Microsoft Teams" is responsible for data processing. However, calling up the website is only necessary to use "Microsoft Teams" in order to download the software for using "Microsoft Teams".

If you do not want to or cannot use the "Microsoft Teams" app, you can also use "Microsoft Teams" via your browser. The service is then also provided via the "Microsoft Teams" website.

Furter Information about your rights as well as respective contact information can be found below.

5. Data subjects’ rights

Insofar as we process your personal data based on your consent, you are entitled to withdraw your consent at any time, based on Art. 7 Sec. 3 EU-GDPR. This will not affect the lawfulness of processing based on consent before its withdrawal.

Under the conditions of Art. 15–21 EU-GDPR and as far as applicable in the individual case, you have the right to request access to your personal data, the right to rectify and erase your personal data, the right to object to processing and restrict processing of your personal data, and the right to data portability.

If your personal data are processed based on legitimate interest, you may object to such processing on grounds relating to your particular situation, in which case, your personal data will no longer be processed, unless Indivumed can demonstrate compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Should your personal data (e-mail address) be processed for direct marketing purposes, you have the right to object to such use of your data at any time without giving a reason, as described above.

If you withdraw your consent or object to data processing, your data will no longer be processed for the respective purposes and erased in accordance with our internal policies. Should it not be possible to erase your data entirely (e.g. due to compliance reasons) processing of your personal data will be restricted to the necessary purpose, such as maintaining the so-called Blacklist in order to comply with your request not to receive information about our services or for compliance with the mandatory retention period.

Deletion may be barred by statutory regulations, especially where required for settling, accounting, or taxation purposes in accordance with Art. 6 Sec. 1 lit. c EU-GDPR.

6. Data processing entity (“Controller”), Data Protection Officer, and supervisory authority

The company (Controller):
Indivumed GmbH
represented by its managing director (Geschäftsführer) Prof. Dr. Hartmut Juhl
Falkenried 88, Bldg. D
20251 Hamburg
Germany

Phone: +49 (40) 41 33 83 0
Fax: +49 (40) 41 33 83 14
E-mail: info@indivumed.com

is the provider of all content on the website indivumed.com, and the Controller in the meaning of the EU-GDPR of the collection, storage, and processing of all personal data collected through this website.

The Data Protection Officer of Indivumed GmbH:

Visnja Jankovic
dpo@Indivumed.com
Phone: +49 (40) 41 33 83 0

For additional information on the company, please refer to our site notice on this website.

You have the right to lodge a complaint with the following supervisory authority:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str 22, 7. OG
20459 Hamburg

Tel.: 040 / 428 54 – 4040
Fax: 040 / 428 54 – 4000
E-mail: mailbox@datenschutz-hamburg.de

7. Miscellaneous

Please note that this Data Protection Policy is subject to reviews and amendments made from time to time in order to conform to any extended services or changed legal requirements. Please visit this web page from time to time to familiarize yourself with any changes, especially before submitting personal data to us.

This Data Protection Policy applies primarily to the data processing of Indivumed’s website visitors and other third parties. Processing of the personal data for the purpose of research and development activities is subject to a special data protection concept, applicable policies, and related documentation.

If you have any requests, desires, or comments regarding data protection at Indivumed, please feel free to also contact the Data Protection Officer at Indivumed GmbH.

March 28, 2023