It is very important to us that the protection of your privacy is strictly observed when processing personal data.

In the following we would like to inform you about the handling of your personal data when you use our website www.phoenixpharma.bg (hereinafter: „website“) and in the context of existing business relationships or when you visit us on site.

For a simpler overview, we have divided our Privacy Notice into the following areas:

A: General information

Contains the information to be provided for fair and transparent processing, such as our contact details, the contact details of our Data Protection Officer and your rights as data subjects.

B: Data processing when visiting our website

Contains all the information related to visiting or actively using our website, for example in the context of using our online application portal.

C: Data processing not related to website use

Contains all the information about data processing, if you are in a business relationship with us, if you visit us on site or if you contact us via other means.

  1. General information
  2. Controller

Controller in terms of data protection law is:

PHOENIX Pharma EOOD

1700 Sofia, Bulgaria

199A Okolovrasten pat str.

UIC 203283623

  1. Data Protection Officer

For all concerns regarding data protection, our Data Protection Officer is at your disposal:

Data Protection Officer
E-mail: data.protection@phoenixpharma.bg.

  1. Personal Data

Personal data refers to all information relating to an identified or identifiable natural person („data subject„). An identifiable natural person is a data subject who can be identified, directly or indirectly, in particular by association with an identifier. An identifier may be, for example, a name, an identification number, location data, an online identifier, the IP address or other specific features that are the expression of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (hereinafter collectively referred to as „data„).

  1. Data processing by us

We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR), Bulgarian Data Protection Act and other applicable data protection regulations. Processing only takes place to the extent necessary and that is permitted according to data protection law, for example for the fulfilment of contractual purposes, for the protection of a legitimate interests, for the fulfilment of legal requirements or insofar as you consent to the data processing. The specific nature and extent of the data processing and the corresponding legal bases can be found in the sections „B: Data processing when visiting our website“ and „C: Data processing not related to website use“.

  1. Data recipients

Only those internal departments or organisational units as well as other companies affiliated with us shall receive your data, insofar as this is necessary for the fulfilment of our contractual and legal obligations or if said data is required in the course of processing and implementing a legitimate interests.

Your data may be transferred to external recipients in connection with contract processing, provided that we are obliged to fulfil legal requirements for information, notification or disclosure of data, you have granted us your consent for the transfer to third parties or to external service providers that render services on behalf of us as data processors or assume functions for us on behalf of us (for example IT service provider, the service provider we use when using our online application portal, data centres, data shredders or courier services). For the sections „B: Data processing when visiting our website“ and „C: Data processing not related to website use“ you can find case-specific examples of data recipients.

Upon request, we will gladly provide you with appropriate detailed information.

  1. Third country transfer

In certain cases we are transferring data to third parties (e.g. service providers) that are based in third countries, meaning in countries outside the European Economic Area. These data transfers are covered by an adequacy decision of the European Commission (Article 45 GDPR). Where this is not the case, the data transfers are especially based on standard data protection clauses/standard contractual clauses in line with the templates adopted by the European Commission (Article 46 Para. 2 lit. c, Para. 5 S. 2 GDPR) or by an exemption according to Article 49 GDPR.

Otherwise, we do not transfer your personal data to countries outside the EU or the EEA or to international organisations.

  1. Data deletion and storage duration

For the purely informational use of our website, we store your data in accordance with the regulations in Section B.1.1.

If you actively use our website or in the event of data processing not related to website use, we will store your data for as long as is required, for example, for the provision of the respective service.. If you have given your consent to the processing of your data, we will store your data in accordance with the information provided in the consent document or until the consent is withdrawn. For details, please refer to the regulations in Section B.1.2 or Section C.

In addition, we will always store your personal data until the expiration of the limitation period of any legal claims arising from the relationship with you, if necessary, in order to use it as means of evidence. The maximum limitation period is 36 months. Once the limitation period has expired, we will delete your personal data, unless there is a statutory storage obligation.

  1. Your rights as a data subject

You may exercise your rights listed hereafter at any time, towards the body that is designated under Section A.1.

8.1 Right to information

Within the framework of Article 15 GDPR, you are entitled to request information free of charge and at any time regarding the data that is processed by us, the processing purposes, the categories of recipients, the planned storage period or, in the case of third-country transfers, the appropriate guarantees.

8.2 Right to rectification, deletion, restriction of processing

If your data processed by us is incorrect, incomplete or their processing is inadmissible, you may ask us to correct your data, to supplement it, restrict processing or to delete the data to the extent permitted by law, according to Article 16, 17 and 18 GDPR.

The right to deletion does not exist, among other reasons, if the processing of personal data is required for (i) the exercise of the right to freedom of expression and information, (ii) the fulfilment of a legal obligation to which we are subject (for example statutory storage obligations) or (iii) enforcement, exercise or defense of legal claims.

8.3 Right to data portability

If you provide us with your data based on your consent or contractual relationship with us, upon request we will provide you with that data in a structured, current and machine-readable format or, if technically possible, submit the data to a third party that you have appointed.

8.4 Right of objection

If we process your data on the basis of a legitimate interest, you can object to this processing for reasons that arise from your particular situation, according to Article 21 GDPR. The right of objection only exists within the limits provided for in Article 21 GDPR. In addition, our interests may preclude termination of processing, so we may, despite your opposition, still be entitled to process your personal data.

8.5 ight of appeal

If you have any questions, suggestions or criticism, please feel free to contact our Data Protection Officer (see Section A.2).

You are also entitled, under the provisions of Article 77 GDPR, to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged breach, if you believe that the processing of data concerning you violates the GDPR. The right of appeal is without prejudice to any other administrative or judicial remedy.

The competent supervisory authority for us is:

Commission for the Protection of Personal Data

Sofia 1592,

Blvd. „Prof. Tsvetan Lazarov“ No. 2

Email: kzld@cpdp.bg

Website: www.cpdp.bg

However, we recommend that you always lodge a complaint with our Data Protection Officer first.

  1. Obligation to provide data

In principle, you are not obliged to provide us with your data. However, if you do not do so, we will not be able to provide you with our website or all of its functions, we cannot guarantee the active use of the website and we cannot process requests outside the website. Personal data that we do not necessarily need for the aforementioned processing purposes, are identified as voluntary information by „optional“ or some other indication. In principle, you are not obliged to provide us with your data.

  1. Automated decision making/profiling

We do not use an automated decision making process. We may partially process your information with the goal of evaluating certain personal aspects. In particular, we may use evaluation tools to provide you with targeted information and advice on products. These enable needs-based communication and advertising.

  1. Consent/withdrawal rights

In the event that you give or have granted us consent for the collection, processing or use of your data, you may withdraw this consent at any time, with future effect, by notifying the body appointed in Section A.1.

You also have the right, for reasons arising from your particular situation, to object at any time to the processing of data concerning you by us, pursuant to Article 6 Para. 1 lGDPR (exercise of a task in the public interest) or Article 6 Para. 1 lit. f GDPR (legitimate interest of the person in charge); this also applies to profiling based on these provisions. In this case, we no longer process data about you, unless we can demonstrate compelling legitimate grounds for processing the data that outweigh your interests, rights and freedoms, or the processing is intended to assert, exercise or defend legal claims.

If the data about you is processed for direct marketing purposes, you have the right to object at any time to the processing of this data for the purpose of such advertising. If you object to processing for direct marketing purposes, that data will no longer be processed for these purposes.

Any withdrawal should be directed to the address indicated in Section A.1.

  1. Amendments

We reserve the right to change this Privacy Notice at any time. Any amendments will be announced by means of publication of the amended Privacy Notice on our website. Unless otherwise specified, such amendments will take effect immediately. Therefore, please check this Privacy Notice regularly to view the latest version.

  1. Data processing when visiting our website
  2. Nature and scope of data processing

1.1 Informative use of the website

You can visit our website without the need to provide any personal information. If you use our website only for informational purposes, we will not collect any data from you. This excludes the data that your browser transmits to enable you to visit the website, as well as information provided by cookies.

1.1.1 Technical provision of the website

1.1.1.1 Scope of processing, purpose and storage duration

For the technical provision of the website, it is necessary that we process certain automatically transmitted information from you, so that your browser can display our website and you can use the website. This information is automatically collected each time you visit our website and stored in our server log files. This information relates to the computer system of the visiting computer. In the process, the following information is collected:

  • IP address;
  • Date and time of access
  • Name and URL of the visited website
  • Website/application from which access was made (referrer URL)
  • Operating system and information about the internet browser used (for example, browser version, language settings, and installed add-ons)
  • Name of the access provider

In addition to ensuring a smooth connection establishment and convenient use of our website, the collected data is also used to ensure the system security of the website.

For a purely informative use of the website, we store your personal data on our servers for a period of 14 days.

The storage period for cookies may differ from the aforementioned information and is explained in more detail in Section „B.1.1.2 Cookies and similar technologies“.

1.1.1.2 Legal basis

We process your data for the technical provision of our website on the basis of the following legal bases:

  • to fulfil a contract or to carry out pre-contractual measures in accordance with Article 6 Para. 1 lit. b GDPR, insofar as you visit our website, to inform yourself about our product range or our services;
  • to ensure the proper operation of the website, in particular for the implementation of appropriate technical and organisational measures and the fulfilment of a legal obligation to which we are subject, Article 6 Para. 1 lit. c GDPR and
  • to safeguard our legitimate interests in accordance with Article 6 Para. 1 lit. f GDPR. Our legitimate interest is to provide you with an attractive, technically functional, high-performance and user-friendly company website and to ensure the system security of the website.

1.1.2 Cookies and similar technologies

1.1.2.1 Scope of processing, purpose and storage duration

When using our website, cookies, pixels and similar technologies (hereinafter referred to as „cookies“) may be used. Cookies are text files that are stored in the internet browser or by the internet browser when you visit a website on your computer system. A cookie contains a characteristic string that allows the browser to be uniquely identified when the website is visited again.

When using cookies, we primarily distinguish between four categories:

  1. Strictly necessary cookies

Strictly necessary cookies help to make a website usable by enabling basic functions such as page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

  1. Preference cookies

Preference cookies allow a website to remember information that affects the way a website behaves or looks, such as your preferred language or the region you are in.

  1. Statistics cookies

Statistics cookies help website owners understand how visitors interact with websites by collecting and reporting information anonymously.

  1. Marketing cookies

Marketing cookies are used to follow visitors on websites. The intention is to show ads that are relevant and engaging to the individual user and therefore more valuable to publishers and third party advertisers.

To manage your cookie preferences, we use the cookie consent tool Cookiebot from the company Usercentrics. With this solution you can always inform us about your cookie preferences.

In addition, almost all browsers allow you to completely block cookies, remove existing cookies, or alert you to cookies, to prevent them from being placed on your device. You can find more information in the documentation or in the help file of your browser or at www.aboutcookies.org.

Please note that blocking cookies can significantly affect the use of the website. Some of our website functions cannot be offered without the use of cookies.

When storing cookies, a distinction is made between so-called session cookies and persistent cookies. Session cookies are deleted after leaving our website. Persistent cookies have different lifespans, which you can find in the cookie overview within the Cookiebot cookie banner. You can always delete cookies set in your browser via your browser settings.

1.1.2.2 Legal basis

Unless otherwise described in the following paragraphs, we process your data within the context of the use of cookies on the basis of the following legal bases:

  • to safeguard our legitimate interests in accordance with Article 6 Para. 1 lit. f GDPR. Our legitimate interest is to provide you with an attractive, technically functional, high-performance and user-friendly company website and to ensure the system security of the website. Our legitimate interest includes the regular analysis of website visits, in order to tailor the website to your needs;
  • to ensure the proper operation of the website, in particular for the implementation of appropriate technical and organisational measures nd the fulfilment of a legal obligation to which we are subject, Article 6 Para. 1 lit. c GDPR and
  • if you have granted your consent for data processing, in accordance with Article 6 Para. 1 lit. a GDPR. This applies in particular to marketing cookies and tracking methods from third parties. Additionally, for the storage of non-essential cookies on the end device, your consent pursuant to § 25 (1) sentence 1 TTDSG constitutes the legal basis.

1.1.3 Google Analytics

1.1.3.1 Scope of processing, purpose and storage duration

We use Google Analytics of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), (Google) to measure the effectiveness and improvement of our website.

We use Google Analytics with the extension „_anonymizeIp ()“. As a result, IP addresses are processed further in shortened form, any direct links to individual persons can therefore be excluded.

Google uses the data collected on our website also for their own purposes – e.g. to improve its offer. You can find more information on this at http://www.google.com/analytics/terms/de.html or at https://policies.google.com/privacy.

Google sets cookies on the website for this purpose. You can prevent the collection of data generated by the cookie and related to your use of the website and the processing of this data by

  • Changing your cookie preferences on our website using the cookie consent tool or your browser software;
  • downloading and installing the browser plugin available at the following link: http://tools.google.com /dlpage/gaoptout?hl=de or

However, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.

The storage period of the data collected with the help of cookies is up to 24 months.

1.1.3.2 Legal basis

We process your personal data for statistical analysis of the use of our website on the basis of the following legal bases:

  • your consent for the processing of data using cookies for analysis purposes, in accordance with Article 6 Para. 1 lit. a GDPR. Additionally, for the storage of non-essential cookies on the end device, your consent pursuant to § 25 (1) sentence 1 TTDSG constitutes the legal basis.
  1. Data processing not related to website use
  2. Processing of your data in the context of business relationships (customers, suppliers and business partners) and general business communication

1.1 Scope of processing, purpose and storage duration

If you contact us, for example in the context of a contract initiation or a contractual relationship with us, your personal data is processed by us. This also applies if you act as a contact person in a business relationship with us and are not a contracting party.

Depending on the processing operation, different data can be processed. For example, relevant personal data may be: contact data (e.g. name, address, telephone number, e-mail address), legitimation data (for example commercial register extracts and ID data), data in the context of our business relationship (for example position, job and department in the company, supervisor, order data, payment data, creditworthiness data), photos and video recordings (for example at events or visit of our headquarters), system data (for example user name and ID or user ID, log data), date of birth and other data comparable with these categories.

In principle, we collect personal data from you directly. However, in certain cases, it is also possible that data are collected via third parties. This may be, for example, data from other companies, authorities or other third parties (e.g. information agencies). This may include personal data that we process using our compliance management system (for example whistleblowing hotline, anti-terror screening, prevention of money laundering, e-mail spot checks to detect antitrust violations).

In order to protect your data from manipulation and unauthorised access, we have implemented current state-of-the-art technical and organisational measures in our processing procedures and IT systems.

The data will be stored until the processing of the request has been completed or within the framework of our contractual relationship with you until the end of the contractual relationship and then according to Section A.7, for example until expiry of the statutory limitation or archiving periods.

1.2 Legal basis

We process your data in the context of business relationships and general business communication on the basis of the following legal bases:

  • to fulfil a contract or to carry out pre-contractual measures in accordance with Article 6 Para. 1 lit. b GDPR;
  • to fulfil a legal obligation pursuant to Article 6 Para. 1 lit. c GDPR;
  • to safeguard our legitimate interests in accordance with Article 6 Para. 1 lit. f GDPR. Our legitimate interest is to select and manage suitable business partners and to guard against dangers and liability claims and avoid (legal) risks. It also includes the protection of our property (e.g. video surveillance) and the clarification of potential compliance breaches, as well as the prevention of crime and the regulation of damages resulting from the business relationship. Additionally, it includes requirements for system security and stability and our interest to document any (company) events for communication and marketing purposes; and
  • if you have granted your consent for data processing, in accordance with Article 6 Para. 1 lit. a GDPR.
  1. Law enforcement

2.1 Scope of processing, purpose and storage duration

In addition, we process your personal data to assert our rights and to be able to enforce our legal claims. We also process your personal data to be able to defend ourselves against legal claims. Finally, we process your personal data insofar as this is necessary to prevent or prosecute crimes.

The data will be stored until the completion of the enforcement and, if applicable, according to Section A.7, for example until the expiry of the statutory limitation or archiving periods.

2.2 Legal basis

We process your personal data for this purpose on the basis of the following legal basis:

  • to safeguard our legitimate interests in accordance with Article 6 Para. 1 lit. f GDPR, insofar as we assert legal claims or defend ourselves in legal disputes or to prevent or clarify criminal offences;
  • to fulfil a legal obligation to which we are subject, in accordance with Article 6 Para. 1 lit. c GDPR in conjunction with beside others commercial, trade or tax law, as far as we are obliged to record and store your data.
  1. Processing of your data when you visit us on site

3.1 Scope of processing, purpose and storage duration

If you visit us on site, you will be given a visitor badge containing your name and the name of your internal contact person. In addition, visitors are registered at our reception and recorded on a visitor list. The visitor badge and the recording of visitors’ names on a visitor list serve the protection of our owner rights and the purpose to determine that only authorised individuals are present on our premises.

The data is stored for a period of 6 months.

3.2 Legal basis

We process your data when you visit us on the basis of the following legal bases:

  • to fulfil a legal obligation pursuant to Article 6 Para. 1 lit. c GDPR; and
  • to safeguard our legitimate interests in accordance with Article 6 Para. 1 lit. f GDPR. Our legitimate interest consists in executing our owner rights and determine only authorised individuals are present on our premises.

1.1.6 Cookiebot

1.1.6.1 Scope of processing, purpose and storage duration

For the purpose of managing your personal cookie preferences, we use Cookiebot provided by Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany. Cookiebot manages and stores the cookie preference settings according to your wishes. When you visit our website for the first time, you will be asked for your cookie preferences and can agree to the use of cookies or reject them.

If you delete your Internet browser history, all cookies (including opt-out cookies) will be deleted. In this case, you will be asked again for your cookie preferences when you visit our website again.

Cookiebot only shows the status of the last settings you made in the cookie preference manager. Cookie settings made by you elsewhere are not displayed (e.g. general blocking of all cookies via your Internet browser settings).

Your IP address is used so that Cookiebot can process your cookie preferences accordingly. When using mobile devices (e.g. smartphones), the advertising identifier stored there is used.

Cookiebot stores your cookie preferences for a maximum of 12 months or until you delete your Internet browser history.

In general, you can also deactivate the use of cookies at any time via your browser settings. Please use the help functions of your internet browser to find out how to change these settings.

Please note that individual functions of our website may not work if you have deactivated the use of cookies.

1.1.6.2 Legal basis

We process your data to implement the management of your cookie preferences on the basis of the following legal bases:

  • to safeguard our legitimate interests in accordance with Article 6 Para. 1 lit. f GDPR. Our legitimate interest is to take your cookie preferences into account when making our website available, thereby ensuring the protection of your privacy and your personal data according to your wishes, and
  • to ensure the proper operation of the website, in particular to implement appropriate technical and organisational measures and to fulfill a legal obligation to which we are subject, Article 6 Para. 1 lit. c GDPR as well as §25 para. 2 no. 2 TTDSG.

1.2 Active use of the website

Apart from using our website purely for information purposes, you may also actively use our website to contact us or to submit an application. In addition to the processing of your personal data as outlined above for purely informational use, we then collect and process further personal data.

1.2.1 Contact us via our website

Our website contains a contact form and you can contact us via the contact e-mail addresses provided on the website or by telephone. For more information on how we process your data when you contact us, please refer to the Section „C.1 – Processing your data in the context of business relationships (customers, suppliers and business partners) and general business communication“.

1.2.3 Reporting system for data protection incidents

1.2.3.1 Scope of processing, purpose and storage duration

The PHOENIX group, i.e. PHOENIX Pharmahandel GmbH & Co KG as well as its affiliated companies within the meaning of sections 15ff of the German Stock Corporation Act (AktG), has established a web-based reporting system that provides our employees, business partners, customers, and third parties with a simple system for reporting data incidents or problems. These reports are taken seriously, reviewed and used to improve the protection of personal data. You can access this reporting system at any time via https://phoenixgroup.integrityplatform.org.

In order to explain the background to the reporting system in more detail, we have also answered a number of frequently asked questions below:

When should I report an incident?

PHOENIX group has an obligation to notify the supervisory authority within 72 hours of becoming aware of an incident. This means that all incidents must be reported without undue delay via the online reporting tool.

Which data protection incidents need to be reported and how?

All personal data incidents are to be reported to the data protection officer via the online reporting tool.

What is a data protection incident?

A data protection incident is any event that has resulted, or could result, in the accidental or deliberate loss of personal data (electronic or paper) or destruction of data, or unauthorised access to data (e.g. loss or theft of laptops, smartphones, paper documents, prescriptions).

What happens after I submit a report?

The data protection officers will review the incident report and contact you for further information or, where necessary, assist you with post-incident actions.

1.2.3.2 Legal basis

We process your data when you use our reporting system for data protection incidents on the basis of the following legal bases:

  • to fulfil a legal obligation pursuant to Article 6 Para. 1 lit. c GDPR; and
  • to safeguard our legitimate interests in accordance with Article 6 Para. 1 lit. f GDPR. Our legitimate interest consists in providing you an easy way to report data protection incidents.
  1. Links and social networks

2.1 Links to third-party websites

Some sections of our website contain links to third-party websites. These websites are subject to their own data protection principles. We are not responsible for their operation, including data handling by third parties. If you send information to or by means of these third-party sites, you should review the privacy notices of those sites before providing any information that may be associated with you.

2.2 Social media sites/our activity in social media

In addition to this website, we also maintain presences on social media sites, which you can reach via direct links on our website. Social plugins are not used. Further details on data processing in the context of visiting and using our social media sites can be found in the Social Media Privacy Notice.