Data Privacy Statement

(dated 31 January 2023)

THIS DATA PRIVACY STATEMENT comprises information on how 3B Pharmaceuticals GmbH, a german limited liability company with its registered seat at MagnusstraSSe 11, 12489 Berlin, Germany (“3B Pharmaceuticals” or “WE”), AS a data controller with respect to the online offerings on the 3B Pharmaceuticals website and social media profiles (hereinafter TOGETHER the “Services”), processes personal data of the natural persons that, in their discretion, have decided to visit and use the services (“you”).

there may be other situations in which we process your personal data, e.g. if you are a customer of 3B Pharmaceuticals, or if you are working for any of our customers, partners, or suppliers, or if you apply for a job at 3B Pharmaceuticals. please use the contact information provided herein if you seek information on any processing operation(s) concerning your personal data that are not comprised by this data privacy statement.

1. General Statement

(1) Personal Data. This Data Privacy Statement explains how we collect, process, and delete your personal data as a controller under applicable data protection laws, in particular the EU General Data Protection Regulation (“GDPR”). “Personal data”, according to Art. 4 No. 1 of the GDPR, means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(2) Your Options. This Data Privacy Statement also describes the options available to you regarding our use of your personal data and the steps you can take to access your personal data and ask us to correct or delete it.

(3) Principles for the Processing. Personal data is solely collected, processed, and deleted in accordance with applicable law, and subject to the following principles for the processing of personal data: Personal data are:

  • processed lawfully, fairly and in a transparent manner in relation to you;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

(4) Change in Processing Purposes. In the event that we intend to process personal data for purposes other than those set forth in this Data Privacy Statement, we will notify you of such changes and inform you of the purposes for which your personal data will be used and who, if any, the recipients are.

(5) Data of Minors. Subject to local laws, we do not knowingly collect data from minors, and our Services are not targeted at minors.

2. Processing Activities

(1) Contacting Us. We offer you the opportunity to contact us by e-mail or via specific contact forms. In this case, the information you provide will be stored for the purpose of processing your inquiry. The legal basis for processing your personal data is your consent given at the time of submission of your inquiry (Art. 6 para. 1 lit. a of the GDPR) or, in the case of (pre-)contractual inquiries, Art. 6 para. 1 lit. b of the GDPR. The personal data we collect and process upon submission of your inquiry will be deleted after completion of the request and, if applicable, after expiry of statutory retention periods (i.e., for example, if you send us a pre-contractual message via e-mail and we then establish a contractual relationship, or if your message relates to existing contractual relationships).

(2) Logfiles. Each time that you access our website, it collects a series of general information. This general information is stored in the logfiles of our webserver. Logfiles contain information as follows:

  • shortened IP-address
  • browser type/ browser version
  • your operating system
  • referrer URL (or the website visited previously)
  • date and time of the server request
  • amount of transmitted data
  • your internet service provider

When using this general information, we generally do not draw any conclusions about a specific person. Rather, this information is needed to deliver the content of our website correctly and for basic statistical research concerning the number of visitors to our website. The legal basis for data processing is Art. 6 para. 1 lit. f of the GDPR. Our legitimate interest follows from the purposes for data collection listed above. The aforementioned logfiles are regularly anonymized after one week.

(3) Google reCAPTCHA. Our website uses Google reCAPTCHA to check and prevent automated servers (“bots”) from accessing and interacting with our website. In the European Economic Area (EEA) and Switzerland, Google reCAPTCHA is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis. Google collects further information to determine from which website your request has been sent and from which IP address the Google reCAPTCHA input box has been used. In addition to your IP address, Google collects the type and settings of the browser, the type and settings of the device, the operating system, information about the mobile network such as the name of the mobile provider and the telephone number and the version number of the app (if applicable). The legal basis for us to use Google reCAPTACHA is Art. 6 para. 1 lit. f of the GDPR. Our legitimate interest lies in the security of our website and in the prevention of unwanted, automated access in the form of spam or similar. The reCAPTCHA integration on our website contains links to both Google’s Privacy Notice and Terms of Use which we recommend checking for further information concerning Google’s handling of your personal data.

(4) Google Maps. Our website uses Google Maps to display our location and to provide directions. In the European Economic Area (EEA) and Switzerland, Google Maps is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Maps offers an interactive map which enables website visitors to conveniently display our offices and have planned a route to our location. By incorporating this service, data of our website visitors may be transmitted to Google. However, this will only happen, if and once you have declared your express consent to such transmission (Art. 6 para. 1 lit. a of the GDPR) by enabling the Google Maps integration on our website. Only if you have given us your consent and, therefore, the map is shown to you, Google will receive the information that you have visited the respective subpage of our website. In addition, Google will receive, and store on its own servers, further information concerning your visit to our website (including your IP address). Please note that such transmissions and storage of data would happen regardless of whether you are logged in to a Google account or not. However, if you are logged in to your Google account, Google may be able to connect the information it received from your visit to our website with your user account. If you do not want to have your visit to our website connected to your Google account, we strongly advise you to log-off from your account before consenting to the use of Google Maps on our website. Further information on the purposes and the scope of the collection and processing of personal data by Google can be found in Google’s privacy information, likewise further information on your rights in this regard and the setting options you have to safeguard your privacy: http://www.google.de/intl/de/policies/privacy. In addition, the use of Google Maps and the information obtained via Google Maps is governed by the Google Terms of Use https://policies.google.com/terms?gl=DE&hl=en and the Terms and Conditions for Google Maps https://www.google.com/intl/de_de/help/terms_maps.html.

(5) LinkedIn. We have set up our own page in the social network LinkedIn. We have a legitimate interest in presenting ourselves on the world’s largest platform for professional exchange, to use our page to draw the attention of potentially interested parties to us and our services, to contact them or other multipliers, and to build and maintain a network of professional contacts. The legal basis for the data processing described below is therefore Art. 6 para. 1 lit. f of the GDPR. Please check our Data Privacy Statement for Job Applications for further information if you are applying for a job advertised on LinkedIn. We have included links at various points in our Services that lead to our company page on LinkedIn. In order to access these pages on LinkedIn and interact with us, you must have your own profile on LinkedIn. Therefore, please observe the LinkedIn User Agreement (https://de.linkedin.com/legal/user-agreement) and LinkedIn’s privacy policy (https://de.linkedin.com/legal/privacy-policy). In the European Economic Area (EEA) and Switzerland, LinkedIn is run by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. When you visit our site on LinkedIn, follow our site, leave comments or likes, write us a message, or otherwise use a feature of LinkedIn on our site, we receive information about your name, your current position with a company, your place of work, and other company information. We also learn about the ways in which you have interacted with our site through LinkedIn. We may use this information to respond to your interaction, such as replying to a comment. Outside of LinkedIn, we do not store your information without explicitly communicating this within LinkedIn (for example, if we agree to continue the conversation via email as part of an exchange via LinkedIn messages). If you write messages to us via LinkedIn, the information in paragraph 1 above (“Contacting Us”) applies accordingly. LinkedIn also provides us, as the operator of the company page, with so-called Page Insights reports. These are aggregated statistical information that LinkedIn creates based on the personal data of visitors to our site. For example, we learn from which regions the visitors to our site come, how often our site is accessed, in which industries visitors to our site are active, and similar information. LinkedIn does not provide us with any information that would allow us to draw conclusions about individual members of the network. With regard to the Page Insights reports, there is a joint controllership between us and LinkedIn within the meaning of Art. 26 of the GDPR or other relevant data protection laws (such as in Switzerland or the United Kingdom). As part of this Page Insights Joint Controller Addendum (https://legal.linkedin.com/pages-joint-controller-addendum), LinkedIn has assumed the obligation to inform users about the processing of their personal data. LinkedIn also takes the lead in handling data subject requests (see the “Your Rights as a Data Subject” section below). You can nevertheless also address requests in this regard to us (Art. 26 para. 3 of the GDPR).

(6) XING. We have set up our own page in the social network XING. We have a legitimate interest in presenting ourselves on this renowned platform for talent scouting, to use our page to draw the attention of potentially interested job applicants to us and our services, to contact them or other multipliers, and to build and maintain a network of professional contacts. The legal basis for the data processing described below is therefore Art. 6 para. 1 lit. f of the GDPR. Please check our Data Privacy Statement for Job Applications for further information if you are applying for a job advertised on XING. We have included links at various points in our Services that lead to our company page on XING. In order to access these pages on XING and interact with us, you must have your own profile on XING. Therefore, please observe the XING Terms of Use (https://www.xing.com/terms/xing) and Privacy Policy (https://privacy.xing.com/de/datenschutzerklaerung). XING is run by New Work SE, Am Strandkai 1, 20457 Hamburg, Germany.

(7) Storage Periods. We will retain your personal data for as long as is necessary to fulfill the purposes described in this Data Privacy Statement (as described herein) or stated at the time of collection, unless a longer retention period is required or permitted by law or is necessary to comply with another legal obligation.

3. Data Recipients and Data Transfers

(1) Data Recipients. Unless stated to the contrary in this Data Privacy Statement, we will share your personal data with third parties only if (a) these recipients act as service providers who perform services on our behalf within the meaning of Art. 28 of the GDPR (e.g. hosting and web services), or (b) these data transfers are required for the following legitimate interests: (i) compliance with any valid legal process, request, law, rule or regulation; or (ii) detection and resolution of IT and data security concerns. These processing activities are based on legitimate interests as described above (Art. 6 para. 1 lit. f of the GDPR), and there may even be a legal obligation on our part to process your personal data for these purposes (Art. 6 para. 1 lit. c of the GDPR).

(2) Data Transfers. Usually and unless stated to the contrary in this Data Privacy Statement, we will not transfer any of your personal data to countries outside the European Union or the member states to the European Economic Area. Without prejudice to our obligation to specifically inform you if we wanted to transfer your personal data to such third country, we shall only transfer your personal data to recipients in third countries if the prerequisites set forth in Art. 44 et seq. of the GDPR are met. Hence, in order to appropriately safeguard your personal data, we make sure additional measures are put in place to protect your data, in particular by relying on EU Adequacy Decisions or EU Standard Contractual Clauses, for transfers of personal data to countries outside the EU/EEA, in addition to all the necessary privacy and security precautions required by applicable law.

4. Your Rights as a Data Subject

You have certain rights in relation to the personal data that we process about you. You may (a) access the information we hold about you (Art. 15 of the GDPR); we will provide you with this information usually within one month of your request at the latest;
(b) have your personal data corrected (Art. 16 of the GDPR) or deleted (Art. 17 of the GDPR); (c) obtain from us the restriction of processing under the conditions laid out in
Art. 18 of the GDPR; (d) have the information you provided to us sent to you or to another organization, where you have provided such information to us and we hold this information with your consent or for the performance of a contract with you (Art. 20 of the GDPR); and (e) lodge a complaint with the competent supervisory authority.

5. In Particular: Your Right to Object to the Processing of Personal Data

Where the legal basis for the processing of your personal data is our or a third party’s legitimate interest in accordance with Art. 6 para. 1 lit. f of the GDPR, you may, at any time and based on the grounds set out in Art. 21 of the GDPR, object to such processing.

6. No Automated Decision-Making Process

We do not use any automated decision-making processes within the meaning of Art. 22 of the GDPR, including profiling, which would produce legal effects concerning you as a data subject or similarly significantly affect you.

7. Contact Information

(1) Contacting Us. You may contact us in our capacity as data controller at the address indicated herein (for the attention of the Data Security department). You may also contact us by telephone: +49(0)30 63 92 43 17; telefax: +49(0)30 63 92 43 16; or e-mail to info@3b-pharma.com.

(2) Data Protection Officer. If you have any question or concerns as regards the processing of your personal data, or if you want to exercise any of your rights, you may also directly contact our data protection officer by sending a letter to the address indicated herein (for the attention of the Data Protection Officer), or by contacting our data protection officer with an e-mail sent to datasecurity@3b-pharma.com.

8. Updates to this Data Privacy Statement

We may change this Data Privacy Statement from time to time and the most current version will always be posted on our website. Whenever we change this Privacy Policy, we will inform you either by revising the date at the top of the Privacy Policy that’s available on our website, or we may provide you with additional notice, such as a pop-up window or an added statement to our website’s homepage.