1. Privacy Policy

In addition, we expressly point out that your data may be transferred not only to Ireland but also to the USA and thus to an unsafe third country. There is currently no EU adequacy decision or any other appropriate guarantees for the US. The protection of your data cannot be guaranteed in the destination country USA. There is currently no equivalent level of data protection in the US. Therefore, the transmission is associated with corresponding risks. In particular, there are no guarantees regarding the failure of access to your transmitted data by public authorities. For example it cannot be ruled out that US authorities may access your data on the basis of Section 702 of the Foreign Intelligence Surveillance Act (FISA; German such as "Foreign Intelligence Surveillance Act", a law that governs the United States' foreign intelligence and counter-espionage services). In this context, we expressly point out that you, as an EU citizen, do not have an effective legal protection against the processing of your data by US authorities on the basis of FISA. If you still use our Facebook fan page, you do so in the knowledge of these risks, which you consciously accept as a result

1.1   Definition of terms

The following terms that we use within our privacy policy are defined within Article 4 GDPR. This is only an extract from Article 4 GDPR. All definitions can be viewed in the GDPR (available here).

• Personal data (Art. 4 no. 1 GDPR): Personal means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Processing (Art. 4 no. 2 GDPR): Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• Pseudonymisation (Art. 4 No. 5 GDPR): Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
• Controller (Art. 4 no. 7 GDPR):  Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  

• Processor (Art. 4 No. 8 GDPR): Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
• Third party (Article 4 No. 10 GDPR): Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
• Consent (Art. 4 No. 11 GDPR): Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
• Enterprise (Art. 4 No. 18 GDPR): Enterprise means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
  

1.2 Joint responsibility (Art. 4 No. 7 GDPR) in accordance with Article 26 GDPR

URSAPHARM Arzneimittel GmbH
Industriestraße 35
66129 Saarbrücken
Phone: + 49 (0) 68 05 92 92-0
Fax: + 49 (0) 68 05 92 92-88
E-Mail: info(at)ursapharm.de
Internet: www.ursapharm.de
Our complete imprint can be found here: https://hylo.de/en/imprint

Facebook Ireland Ltd.,
4 Grand Canal Square, Grand Canal Harbour,
Dublin 2 Ireland,
(hereinafter also referred to as "Instagram" or "Facebook")
Imprint:https://help.instagram.com/581066165581870
The parent company of this company, which is established in Ireland, is:
Facebook, Inc., 1601 Willow Road, Menlo Park, California 94025, USA.

The basis of the data processing is an agreement between us and Facebook in accordance with Art. 26 sec. 1 and 2 GDPR. You find it under the following link: : https://www.facebook.com/legal/terms/page_controller_addendum. Pursuant to Article 26(3) GDPR, you may exercise your rights against both us and Facebook in accordance with this Privacy Policy.

1.3 Data protection officer

1.3.1 URSAPHARM Arzneimittel GmbH

Data protection officer
Industriestraße 35,
66129 Saarbrücken
You can reach our Data Protection Officer at the e-mail address datenschutz@ursapharm.de or by post at our aforementioned address.

1.3.2 Facebook

You can contact Facebook's (Instagram) data protection officer using the following form: https://help.instagram.com/519522125107875/?helpref=hc_fnav&bc[0]=Instagram-Hilfebereich&bc[1]=Privatsph%C3%A4re%20und%20Sicherheit

1.4 Legal bases of processing

For any processing described within this Privacy Policy, we will always inform you of the appropriate legal basis on which the processing is carried out. A distinction is made between the following case groups where processing is lawful:

• You have given us consent to the processing of personal data concerning you for one or more specific purposes (Art. 6 sec. 1 lit. a GDPR).
• There is a contract between you and us for the fulfilment of which the processing takes place or the processing is necessary for the implementation of pre-contractual measures, which are carried out on your request (Art. 6 sec. 1 p. 1 lit. b GDPR).
• The fulfilment of a legal obligation to which we are subject requires processing (Art. 6 sec. 1 p. 1 lit. c GDPR).
• The protection of vital interests on your part or of another natural person requires processing (Art. 6 sec. 1 p. 1 lit. d GDPR).
• The exercise of a task entrusted to us which is in the public interest or the exercise of official authority require processing (Art. 6 sec. 1 lit. e GDPR).
• The necessity of the processing in order to safeguard our legitimate interests or the legitimate interests of a third party, unless your interests or fundamental rights and fundamental freedoms, which require the protection of personal data, predominate (Art. 6 sec. 1 p. 1 lit. f GDPR).

With regard to Facebook's data processing, we refer to Instagram's privacy policy, which you can access under the following link https://help.instagram.com/519522125107875/, and to Instagram's cookie policy, which you can access under the following link: https://help.instagram.com/1896641480634370?ref=ig.

1.5 Storage of data / deletion of data

Within the processing as described in our privacy policy, we always inform you of the corresponding storage period or the times of deletion or blocking of the data. If no explicit storage period is defined, the data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies. Storage can take place beyond the defined times if statutory regulations to which we are subject (e.g. Section 147 Tax Code (Abgabenordnung), Section 247 Commercial Code (Handelsgesetzbuch)) provide for a different storage period. After the storage period, the personal data will be deleted or blocked, unless further storage is required by us due to a legal basis. In addition, storage beyond the specified time is possible in the event of a (threatening) dispute with you or any other legal procedure. With regard to data storage or deletion, we refer to Instagram's privacy policy, which you can access under the following link https://help.instagram.com/519522125107875/ as well as to Instagram's cookie policy, which you can access under the following link: https://help.instagram.com/1896641480634370?ref=ig.

1.6 Collection of personal data

In the following, we will inform you about the collection of personal data (such as name, e-mail address, address or user behaviour).

1.6.1 Exclusively informational use of our Instagram profile (without log-in)

You may also be able to access our Instagram profile if you do not have an Instagram or Facebook profile or are not logged into it when accessed, although some functions (such as the Messenger or viewing posts and IGTV) cannot be used here. We do not collect any data from you. However, we would like to point out that data is collected by Instagram. At least the personal data that your browser transmits to the Instagram’s server will be collected.

This is usually data that is technically required to provide you with the site for viewing while ensuring a secure and stable display. To our knowledge, this means at least the following information, that results from a logfile line:

• Internet protocol address (IP address)
• Time and date of access
• Time zone difference from Greenwich Mean Time (GMT)
• The concretely accessed page
• Access Status / Hypertext Transfer Protocol (http)
• Amount of data that has been transferred in each case
• Website from which access to our fan page takes place (referrer URL)
• Used internet browser (incl. language and version)
• Operating system used

For more information, please refer to Instagram's Privacy Policy, which you can access at the following link https://help.instagram.com/519522125107875/. In addition, when you visit our profile on Instagram, so-called cookies are stored on your used device, which allows Instagram to create user profiles through your preferences and interests, so that you can see targeted advertisements (both inside and outside of Instagram).

For more information, please follow Instagram's cookie policy, which can be accessed at the following link: https://help.instagram.com/1896641480634370?ref=ig. We would like to point out that you can prevent the storage of cookies at any time by setting your browser appropriately. We have compiled further information in this context with regard to the most common browsers below, but point out that this may limit the functionality of our Instagram profile.
•    Mozilla Firefox: https://support.mozilla.org/de/kb/verbesserter-schutz-aktivitatenverfolgung-desktop
•    Microsoft Edge: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies
•    Google Chrome: https://support.google.com/chrome/answer/95647
•    Opera: https://help.opera.com/de/latest/web-preferences/#cookies
•    Safari: https://support.apple.com/de-de/guide/safari/sfri11471/mac

1.6.2 Exclusively informational use of our Instagram profile (with log-in)

If you visit our Instagram profile wile begin logged into your Instagram profile, further personal data may be collected by Instagram in addition to the data mentioned in clause 6.1. For more information, see Instagram's privacy policy, which you can access at the following link https://help.instagram.com/519522125107875/.

1.6.3 Use of special features of our Instagram profile

• Contact: If you contact us via Direct-Message (DM), we will receive the appropriate information. Contact details voluntarily provided by you (e..g. e-mail address or telephone number) will be stored and processed by us in order to process your request. This is done on the basis of our legitimate interest under Art. 6 sec. 1 lit. f GDPR.
  

We also point out the following:
As a pharmaceutical company, we are legally obliged to report requests that describe drug and medical device safety-related events, to document them and, if necessary, to report them to the competent authorities. This notification may also include personal information, such as your name, place of residence, health claims or the like, if you have disclosed it explicitly and voluntarily to us. In order to obtain further information, it may be necessary for URSAPHARM to contact you. The legal basis for this data processing is Art. 6 sec.1 lit. c GDPR together with Section 3 MPSV or Section 63 c AMG. Furthermore, for reasons of pharmacovigilance, we are obliged in this case to store your data for at least 5 years for testing purposes in accordance with the legal requirements. After the end of the legal periods, your data will be deleted or anonymized.

• Commentary on a post: If you make a comment under a post written by us, we will also receive information. We do not receive any further information or personal data, except those that are publicly available within your profile.
• "Like-Me Button": If you mark a post with a "Like Me" button or one of the available emojis, we will also receive information. We do not receive any further information or personal data, except those that are publicly available within your profile.

1.7 Instagram Insights

Using Instagram Insights (for more information on Instagram Insights, please visit:  https://www.facebook.com/business/help/441651653251838?id=419087378825961) Instagram provides us with anonymous statistics about our Instagram profile. This is, for example anonymous information about accounts reached, content interactions, and audiences. For individual statistics, we can perform a parameterization, e.g. with the target group. We also receive statistics on our posts, stories, videos and promotion posts. We use these statistics to optimize our profile and make it more suitable for demand. We do not have access to the usage data collected by Instagram for the production of these statistics by means of cookies. The legal basis for the processing of this data is our legitimate interest under Art. 6 sec. 1 lit. f) GDPR to achieve an improvement of the user experience of our profile in a target group-oriented manner.

1.8 Connecting our Instagram profile to Facebook

We have connected our Instagram profile to our Facebook fan page. This allows us to post an Instagram post on Facebook at the same time. The link also allows us to create ads for Instagram directly in Facebook's Business Manager.

1.9 Instagram Ads (Promotion Posts)

We run ads on Instagram in the form of so-called promotion posts. The objectives of the advertising differ. This is e.g. to the goal of getting more messages, getting more website traffic, or generating more profile views. In order to be able to use advertising as targeted as possible, we define target groups for specific ad categories or create a specific target group by parameterizing demographic data collected via Instagram. Furthermore, it is possible to have an audience created automatically by Instagram. We do not have access to the usage data collected by Instagram for the creation of these target groups. We use these tools to tailor our advertising to your needs. The legal basis for the processing of this data is our legitimate interest under Art. 6 sec. 1 lit. f) GDPR to supply demand-oriented and effective advertising. If you receive advertisements that are irrelevant to you, you can, if necessary, mark them as such in order to influence which advertisements are supplied to you. To do this, click the three dots to open the menu, then click "Hide Ad" and select the reason you don't want to see the ad. Within the Insights we receive statistics on the performance of our promotion posts.

1.10 Instagram Ads (Promotion Posts) via Facebook Business Manager

We run ads on Instagram through Facebook Business Manager. To do this, we have connected our Instagram profile to the Facebook Business Manager. In order to be able to use our advertising as targeted as possible, we define target groups using the Facebook service Custom Audiences (further information:https://www.facebook.com/business/help/744354708981227?id=2469097953376494).
For this purpose, we only use the sources that Facebook provides to us. We do not use information from other sources or even from customer lists or offline contacts.
We do not have access to the usage data collected by Facebook to compile these statistics. We use these tools to tailor our advertising to your needs. The legal basis for the processing of this data is our legitimate interest under Art. 6 sec. 1 lit. f) GDPR to supply demand-oriented and effective advertising. If you contain any advertisements that are irrelevant to you, you can mark them as such to influence which advertisements are played to you. To do this, click the three dots to open the menu, then click "Hide Ad" and select the reason you don't want to see the ads. We are able to display the performance of our advertisements through the Ad Center. Among other things, we receive information about the estimated reach (number of people who have viewed our ad at least once), the post interactions (total number of actions performed by persons in connection with our ads) and the link clicks (number of clicks on links within our ad). Within the Ad Manager, we receive additional detailed information so that we can break down our various campaigns using various anonymous metrics (including demographic data), to obtain e.g. information on results, reach, or impressions.

1.11 Competitions

We create competitions for our Instagram followers. For each one, we provide terms of use thatare in accordance with Instagram's guidelines (https://help.instagram.com/581066165581870).
If participation is made by a private message via direct message, contact details provided by you (e.g. e-mail address or telephone number) are stored by us on the basis of our legitimate interest in accordance with Art. 6 sec. 1 lit. f GDPR to conduct our competition. As soon as the competition is completed, this data will be deleted immediately. The winner will also be informed of his/her winnings via direct message. Name and profile will not be published.

1.12 Your rights

In the following, we will clarify your rights under the GDPR. The GDPR can be retrieved here as a complete document.

• Right to information under Art. 15 sec. 1 GDPR: You have the right to request confirmation from us as to whether you personal data is processed by us. If this is the case, you have a right to information about these personal data, in addition to the right to information about processing purposes, the categories of personal data processed, the recipients or categories of recipients to whom your personal data has been disclosed or will be disclosed in the future (in particular for recipients in third countries or international organisations), the storage period or the duration of storage. Criteria for determining the retention period, the existence of a right of rectification or erasure of the personal data concerning you or the right to restrict the processing on our part, as well as the existence of a right of objection to such processing, the existence of a right of appeal to a supervisory authority, all available information on the origin of the data (in the event that it was not collected by us), the existence of automated decision-making, including profiling and, where applicable, meaningful information on the logic involved, such processing.
• Right to rectification under Article 16 GDPR: You have the right to request from us without delay the correction of inaccurate personal data as well as the completion of incomplete personal data concerning you.
• Right to erasure ("right to be forgotten") under Article 17(1) GDPR: You have the right to request that we delete the personal data concerning you immediately. However, under Article 17(3) GDPR, that right does not exist where processing is necessary for the exercise of the right to freedom of expression and information, for the fulfilment of a legal obligation, for reasons of public interest in the field of public health, for archival purposes in the public interest or for the assertion, exercise or defence of legal claims.

• Right to restrict processing under Article 18(1) GDPR: You have the right to request from us to restrict the processing of your personal data if you dispute the accuracy of your personal data (the restriction applies to the duration that allows us to verify the accuracy), the processing of your personal data is unlawful and you refuse it to be deleted, we no longer need your personal data for the processing purposes, however, you need them to assert, exercise or defend legal claims or you have objected to the processing under Article 21(1) GDPR (the restriction applies for the duration, as long as it is not established whether our legitimate reasons outweigh yours).
• Right to data portability under Article 20 GDPR: You have the right to receive the personal data concerning you from us in a structured, common and machine-readable format, as well as to make a transfer to another controller without hindrance on our part (or to request a direct transfer from us to another controller, if technically possible) if the processing by us was based on a consent or a contract or was carried out by automated procedures.
• Right to revoke consents given in accordance with Art. 7 sec. 3 GDPR: You have the right to revoke a given consent to us at any time with effect for the future, so that the data processing, which was carried out on the basis of your consent, can no longer be continued for the future, but the legality of the processing carried out up to your revocation is not affected by this.
• Right to appeal under Article 77 GDPR: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of personal data concerning you violates the GDPR. As a rule, you can contact the supervisory authority of your usual place of residence, your workplace or the place of the alleged infringement. Further information is available on the website of the Federal Commissioner for Data Protection and Freedom of Information at: https://www.bfdi.bund.de
  

1.13 Right to object

In addition to the aforementioned rights, you also have the right to object at any time against the processing of your personal data, which takes place on the basis of the performance of a task that takes place in the public interest or in the exercise of official authority (Art. 6 sec. 1 p. 1 lit. e GDPR) or to safeguard legitimate interests on our part (Art. 6 sec. 1 p. 1 lit. f GDPR), provided that there are grounds for this which arise from your particular situation. In the event of an objection, no further processing of your personal data will be carried out unless we can prove compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms or unless the processing serves to assert, exercise or defend legal claims. In the case of the processing of your personal data for the purpose of direct marketing or profiling, if there is a connection to direct marketing, you have a general right to object, without the need for reasons arising from your particular situation. In the event of an objection, we shall immediately stop processing the personal data for these purposes.
To exercise your right of withdrawal or objection, please send an e-mail to: datenschutz@ursapharm.de or act Facebook's data protection officer using the following form:
https://www.facebook.com/help/contact/540977946302970