Ypsomed data protection declaration

This declaration gives you an overview of which data we process in detail and how we use them, as well as of your rights under the data protection regulations. The type and scope of processing of your data depend on the relationship you have with Ypsomed and on whether and which services you make use of. It is therefore likely that not all parts of this information will be relevant for you.

Responsible body

The Responsible Body within the meaning of the EU General Data Protection Regulation (GDPR) and other data protection regulations is:

Ypsomed AG
Brunnmattstrasse 6
P.O. Box
3401 Burgdorf / Switzerland

Telephone: +41 (0)34 424 41 11
E-mail: info@ypsomed.com

CEO: Simon Michel

You can contact our data protection officer by mail at the address provided or directly by e-mail at privacy@ypsomed.com.

Personal data is all information that allows identification of your person. For example, this includes the name, address, telephone number, e-mail or IP address.

Operator of the Internet sites

Our Internet pages are operated by the Ypsomed AG group of companies.

Ypsomed AG
Brunnmattstrasse 6
P.O. Box
3401 Burgdorf / Switzerland

Telephone +41 (0)34 424 41 11

E-mail: onlinecommunication@ypsomed.com
Website: www.ypsomed.com

How are you affected by the processing of your personal data?

As a visitor to our websites

Description of data processing, relevant data and sources of data

Server log files
Our Internet pages log all enquiries and accesses by visitors and automatically store this information as so-called server log files. Server log files are used to track your activities on our Internet pages and to detect any errors in the functions of the page.

Relevant data: website visited, time of access, amount of data sent in bytes, where you came from to the site, browser used, operating system used, IP address used, user data (if logged in to a user account), error message, source of error.

Analytical tools and online marketing
On our Internet pages we use state-of-the-art analytical methods and tools to understand visitor behaviour on our website. This information helps us to continuously develop our online offering and to highlight attractive, relevant information. For this purpose we only receive and use data that are anonymised and do not allow any conclusions to be drawn about the identity of the visitors. For more information about which analytical services and technologies we use for such purposes, see Cookie Policy.

Contact form and service hotline
For your questions and concerns you can contact us via a contact form or by telephone. We use your information to process your enquiry or request.

Relevant data:

Contact data: Name, first name, salutation, country, address, telephone number and e-mail address.

Enquiry data: Content of the request and the answer, date and time of the request or call.

User account
Access to certain Internet pages may be protected by a password. To gain access to such pages, you must first register and provide us with further details (e.g. occupation, therapy details, etc.) in connection with the desired service.

The data you provide us with will only be used for the registration and authentication of your person. If required by law, we will verify your information before providing you with access data.

Relevant data:

Contact data: Name, first name, salutation, country, address, telephone number and e-mail address.

Health data: Therapy data (e.g. type and status of therapy, type of diabetes, insulin pump used).

Medical professionals: profession, employer.

Purpose and legal basis for data processing

Fulfillment of contractual obligations (Art. 6 Sec. 1b GDPR)

  • Processing and answering customer enquiries

Pursuing the legitimate interests of Ypsomed (Art. 6 Sec. 1f GDPR)

  • Statistical analyses to improve our Internet pages. We use the collected data in anonymised form; however, we reserve the right to subsequently check the server log files if there are concrete indications of illegal use.
  • To tailor the offer on our website to the interests of the visitors or to improve the website in general on the basis of statistical evaluations.
  • Maintaining customer satisfaction

Based on consent (Art. 6 Sec. 1a GDPR)

  • Registration and sending of newsletters and media mailing lists
  • Registration and maintenance of the user account

Special categories of personal data
We process special categories of personal data according to Art. 9 Sec. 1 GDPR (e.g. health data, therapy data) within the framework of the contractual relationship, to exercise or defend legal claims, on the basis of Art. 9 Sec. 2f GDPR. The processing of special categories of personal data outside the above-mentioned purpose is always based on consent in accordance with Art. 9 Sec. 2a GDPR.

Duration of data storage:

  • Server log files: the log files of the web and mail servers are irrevocably deleted after 7 days.
  • Contact form and hotline: the data of your enquiries are deleted as soon as they are no longer required for the purpose of their processing. This is the case in the context of your enquiries when the relevant facts have been conclusively clarified, unless contractual or legal obligations preclude deletion.
  • Newsletter: your newsletter profile will be deleted as soon as you have unsubscribed from all newsletters or you expressly request deletion via our contact form.
  • User accounts: we will delete your data on the web server as soon as you cancel your user account, unless there are contractual or legal obligations to the contrary.

Plugins to social networks

For plugins on social networks, we employ the "Shariff" solution on our website. Shariff is a program that prevents the automatic forwarding of your data to social networks. A contact between you and the social network is only established when you click on one of the social plug-in buttons. If you are already logged in to a social network, a pop-up window appears in which you can edit the text of the post or tweet. This way Shariff prevents you from leaving a digital trace on the visited page.

As buyer of our products as well as interested parties

Description of data processing, relevant data and sources of data

We process personal data which we receive directly from you or which is transmitted to us by third parties (e.g. the treating physician, nursing facility, clinic) for the purpose of fulfilling the contract or on the basis of your consent. The following data are affected:

Contact data: Name, first name, salutation, date of birth, address, telephone number and e-mail address.

Ordering data: shipping and billing address, quantity, product, health insurance fund, social security number.

Health data: scan of the physician's prescription, type of care (initial/ follow-up care), therapy data (e.g. type and status of therapy, type of diabetes, insulin pump used).

Data of the medical institution: name and address, contact person, position in the company, telephone and fax numbers and e-mail address.

Marketing data: consent to receive advertising or other information, existing newsletter subscription, participation in surveys, response to marketing campaigns.

Credit rating data: information on payment behaviour, information from credit agencies, dunning status.

Enquiry data: content of the request as well as the answer.

Additionally for minors: declaration of consent of the legal guardian, name of the legal guardian.

In addition in case of legal support, persons in need of care: information on the caregiver, nursing facilities, declaration of consent of the legal guardian/nursing facility.

Purposes and legal basis for data processing

We process your personal data for the purposes listed below and hereby refer to the legal bases listed in boldface in accordance with the General Data Protection Regulation ("GDPR").

Fulfillment of contractual obligations (Art. 6 Sec. 1b GDPR)

  • Acceptance and execution of orders for diabetes requirements, other products and materials from our product range.
  • Management of events including administration of participation and mailing of invitations.
  • Processing and answering of contract-related enquiries.
  • Processing of billing with the health insurance companies.

Pursuing the legitimate interests of Ypsomed (Art. 6 Sec. 1f GDPR)

  • Documentation of enquiries and their answers.
  • Determination of credit risks with regard to first-time buyers and/or where we have advance outlay.
  • Review and optimisation of direct marketing campaigns and other methods for directly addressing customers. For this purpose we analyse the response behaviour of our customers without person-related results.
  • Assertion and defence of our legal claims and rights.

Based on consent (Art. 6 Sec. 1a GDPR)
Insofar as you have given Ypsomed consent to the processing of your data for specific purposes, the lawfulness of this processing is given on the basis of your consent. You can revoke your given consent at any time.

We conduct advertising as well as market and opinion research exclusively on the basis of your consent.

Compliance with legal requirements (Art. 6 Sec. 1c GDPR)

  • For the purpose of traceability of medical devices for potential product information or recalls: documentation on the route of medical devices from the manufacturer to their handover to the end user.
  • For the purpose of implementing contracts for the provision of diabetes care: data transmission to statutory health insurance funds.

Special categories of personal data
We process special categories of personal data according to Art. 9 Sec. 1 GDPR (e.g. health data, therapy data) within the context of your supplies for diabetes care or beyond, e.g. for demand-oriented and interest-oriented advertising on the basis of your consent, Art. 9 Sec. 2a GDPR, as well as for the exercise or defence of legal claims on the basis of Art. 9 Sec. 2f GDPR.

Duration of data storage

Insofar as necessary, Ypsomed processes and stores personal data for the duration of the business relationship, which also includes the initiation, processing and termination of a contract.

Furthermore, Ypsomed is subject to various legal storage and documentation obligations. In the context of these time limits we continue to store your data even after termination of the business relationship.

Irrespective of these legal storage and documentation obligations, we will store your contact and marketing data up to a maximum of three years after your last contact with us, unless you object to the use of your data beforehand.

As a business partner and medical professional

Description of data processing, relevant data and sources of data

We process data from our business partners (e.g. wholesalers, diabetes specialist dealers, pharmacies, clinics, nursing facilities, suppliers and service providers and other cooperation partners) as well as from medical institutions (e.g. specialist practices or clinics) and thus personal data of their employees, physicians and medical professionals who are in contact with us as contact persons or participate in our events. These personal data are provided to us either by the respective medical institution, a cooperation partner or directly by the contact persons. The following data are affected:

Contact data: company, registered office, website, telephone number, name of contact person(s), position in the company, telephone/fax number, e-mail address.

Marketing data: consent to receive advertising or other information, existing newsletter subscription, participation in surveys, response to marketing campaigns.

Enquiry data: content of the request as well as the answer and other information on the cooperation.

Information on participation in events: type, time and place of the event, confirmation of participation, employer's consent, CME credits.

Ordering data: shipping and billing address, quantity, product.

Contract data: conclusion of contract, information on performance (e.g. demonstration pumps, lecture services, booked event), basis for calculation.

In addition for business partners:

Contract data: sales figures for our products, discount levels, amount of bonus payments and promotional cost subsidies.

Credit rating data: information on payment behaviour, information from credit agencies, dunning status, assessment of default risk.

Purposes and legal basis for data processing

We process personal data for the purposes listed below and hereby refer to the legal bases listed in boldface in accordance with the General Data Protection Regulation ("GDPR").

Fulfillment of (pre)contractual obligations (Art. 6 Sec. 1b GDPR)

  • Contract negotiations and conclusion (e.g. of cooperation agreements for distribution purposes).
  • Acceptance and execution of orders for diabetes requirements, other products and materials from our product range. A more detailed description for the purpose of data processing can be found in the contract and other documents and the contained data protection information.
  • Management of events including administration of participation and mailing of invitations and confirmation of participation.
  • Processing and answering of contract-related enquiries.

Pursuing the legitimate interests of Ypsomed (Art. 6 Sec. 1f GDPR)

  • Documentation of enquiries and their answers.
  • Assertion and defence of our legal claims and rights.
  • Determination of credit risks of our business partners with regard to first-time buyers or where we have advance outlay. (only for business partners)

Based on consent (Art. 6 Sec. 1a GDPR)
Insofar as you have given Ypsomed consent to the processing of your data for specific purposes, the lawfulness of this processing is given on the basis of your consent. You can revoke your given consent at any time. For example, Ypsomed performs the following data processing operations on the basis of your consent:

  • Advertising or market and opinion research.
  • Preparation and publication of photos of events.

Compliance with legal requirements (Art. 6 Sec. 1c GDPR)

  • For the purpose of traceability of medical devices for potential product information or recalls: documentation on the route of medical devices from the manufacturer to their handover to the end user.
  • For the purpose of fighting corruption in health care: documentation on the provision of rental equipment and sample materials for training and demonstration purposes for medical institutions; documentation on the organisation of events and retention of permits for participation.

Duration of data storage

Insofar as necessary, Ypsomed processes and stores personal data for the duration of the business relationship, which, for example, also includes the initiation, processing and termination of a contract.

Furthermore, Ypsomed is subject to various legal storage and documentation obligations. In the context of these time limits we continue to store your data even after termination of the business relationship.

As an applicant for vacant positions

Description of data processing, relevant data and sources of data

Applications via our website
If interested candidates apply for one of our vacancies via the online application form, their application documents will be sent via a secure connection to the address of the Human Resources department referred to in the recruitment notice. The web server itself does not store any personal data or application documents from the web form.

Application by e-mail or regular mail
You can also send your application documents directly by e-mail or regular mail. To do this, use the e-mail or postal address specified in the recruitment notice. Please note that transmission by e-mail is not encrypted and that your data may under certain circumstances be viewed by third parties.

Data from third parties
If you have applied for a job with us on the application portal of our parent company, Ypsomed AG, based in Switzerland, we will receive your application data and the documents provided from Ypsomed AG. We also work with recruitment agencies and temporary employment agencies from whom we receive applicant data. When we receive an application, we also process data from publicly accessible sources (e.g. professional networks on the Internet) or from other sources from which further information is legitimately transmitted to us (e.g. police clearance certificate from the Federal Central Register).

We exclusively use the transferred data for the application process for the position for which you are applying, unless you have given consent to the contrary. The following data are affected by processing:

Contact data: Name, first name, salutation, date of birth, address, telephone number and e-mail address, marital status, passport photo.

Data on qualifications: curriculum vitae, certificates, covering letter, diplomas, reference information (with the consent of the person concerned).

Financial data: bank details (reimbursement of travel expenses), salary expectations.

Purposes and legal basis for data processing

We use your personal data exclusively for the consideration and handling of your application in the application process. We process these for the purposes listed below and hereby refer to the legal bases listed in boldface in accordance with the General Data Protection Regulation ("GDPR").

Fulfillment of contractual obligations (Art. 6 Sec. 1b GDPR)

  • Review and assessment of the submitted documents.
  • Forwarding the documents to the potential supervisors of the department.
  • Invitation to the job interview.
  • Employment or sending of rejection letter.

Based on consent (Art. 6 Sec. 1a GDPR)

We will only process other data voluntarily provided by you (including data worthy of special protection) with your express consent, which you give us in the course of the application procedure.

Special categories of personal data

As far as health data are processed within the application process, this serves to assess your suitability for the advertised position. This is performed on the basis of Art. 9 Sec. 2h GDPR in connection with § 22 Sec. 1 No. 1b BDSG (Federal Data Protection Act). The processing of special categories of personal data outside the above-mentioned purpose is always based on consent in accordance with Art. 9 Sec. 2a GDPR.

Duration of data storage

In the event of a negative decision, we electronically store your personal data for the duration of the application process and beyond, as long as claims from the rejection of the application may be pending (for 6 months from rejection).

If you have given us your consent for the processing of specific data and revoke this consent, we will immediately delete the data collected for this purpose.

Recipient of data

Within Ypsomed, those departments and persons who require personal data to fulfil Ypsomed's contractual and legal obligations are given access to them. Furthermore, service providers and contract processors used by Ypsomed (Art. 28 GDPR) may also receive data for these purposes. This applies in particular to companies for IT services (such as hosting or SaaS solutions), payment service providers, logistics, printing services, telecommunications, advisory services and consulting as well as sales and marketing.

Ypsomed only passes on data to recipients outside Ypsomed if this is required by law or the contractual services or if you have consented to the transfer. The contract processors used by us are obliged to comply with data protection standards.

Under these conditions, the following recipients may, for example, receive personal data:

  • the parent company, Ypsomed AG, based in Switzerland, on whose servers the databases are located;
  • the application management tool of WESTPRESS GmbH & Co. KG, Hamm, which is used by us;
  • the parcel delivery services / logistics service providers commissioned by us;
  • printers, letter shops;
  • statutory health insurance companies;
  • public bodies (e.g. authorities), associations and institutions;
  • third parties involved by us in fulfilling the contract or processing the order (e.g. cooperation partners, group companies);
  • contract processors for hosting, SaaS solutions and newsletter providers as well as Google services;
  • banks and credit card companies for processing payment;
  • credit agencies (creditworthiness queries vis-à-vis business partners);
  • buying groups;
  • associations / institutions (for the application and proof of CME credits);
  • employers in case of participation in events (passing on certificates for the purpose of proving further education and training measures).

Data transfer to a third country

Ypsomed transfers data to third countries (i.e. countries outside the European Economic Area - EEA) insofar as this is necessary or legally required for the execution of the order. To do this, Ypsomed will first obtain your consent or the required obligations or guarantees for compliance with data protection.

The contract processors used in a third country are contractually obliged by Ypsomed to comply with the EU data protection level and the instructions issued by us. Ypsomed will inform you separately about the details if required by law.

Ypsomed AG is headquartered in Switzerland. According to the EU Commission, Switzerland is a country that offers an adequate level of protection (adequacy decision according to Art. 45 GDPR of 26.7.2000, 2000/518/EC).

Obligation to provide data

Insofar as you receive goods from our product range or wish to make use of other services and offers, you must provide us with those personal data which are necessary for the establishment, performance and termination of the business relationship or which we are legally obliged to collect and store. Without providing these data, Ypsomed will not be able to conclude or execute the desired contract with you. Existing business relationships may possibly be terminated.

In the case of a job application, you must provide certain personal data. These data are necessary for us to be able to assess whether you are suitable for the position in question. Without this information, Ypsomed will not be able to consider you for the application procedure.

Automated decision making

Ypsomed does not use any procedures to make automated decisions about business transactions or other relationships between you and Ypsomed.

Your rights

Right to information (Art. 15 GDPR)
You may demand information at any time as to whether and which personal data Ypsomed processes from you and for what purpose.

Right to correction of data (Art. 16 GDPR)
You may demand that your data be corrected or completed.

Right to deletion (Art. 17 GDPR)
You may demand the deletion of your data if we do not have to store the data for the fulfilment of a legal obligation (e.g. tax or commercial storage obligations), for reasons of public interest or for the assertion, exercise or defence of legal claims.

Right to limitation of processing (Art. 18 GDPR)
You have the right to demand the limitation of the processing of your personal data, provided that the legal requirements are met.

Right of data on demand (Art. 20 GDPR)
Personal data that you have provided to us may be requested in a structured, common and machine-readable format or transferred to another responsible person.

Right of complaint (Art. 77 GDPR)
You can complain to the Data Protection Authority at your place of residence or work or to our registered office if you doubt that your data are being processed in accordance with the law.

Revocation of consent to data processing (Art. 7 Sec. 3 GDPR)
All declarations of consent that you have given Ypsomed for the processing of personal data can be revoked at any time without stating reasons. The processing of the data remains legal up to revocation of the consent.

Right of objection under Art. 21 GDPR

Right of objection in individual cases
You have the right to object at any time to the processing of your personal data which we perform on the basis of a public interest or on the basis of our legitimate interests. In order to object, you must state reasons which result from your particular situation and make the processing of your data unreasonable - unlike for the other affected persons.

If you file a justified objection, we will no longer process your personal data unless we can prove compelling reasons for processing worthy of protection which outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.

Right to object to the processing of data for promotional purposes
In individual cases, Ypsomed may - without your express consent - use direct advertising. You have the right to object at any time to the processing of your personal data for this purpose.

If you object to the processing for the purpose of direct marketing, Ypsomed will no longer process your personal data for this purpose.

The objection does not require any particular form and can be sent via your preferred channel to the addresses specified in Section 1.

Links

The Ypsomed website may contain links to external sites. If you use such a link, please note that this Data Protection Declaration is no longer valid for the external site and that Ypsomed does not monitor these sites. Please refer to the external website for information on the data protection conditions applicable there.

Changes to the Data Protection Declaration

The contents of this Data Protection Declaration must be amended from time to time in order to comply with legal requirements or to implement changes to our services and offers contained in the Data Protection Declaration. We reserve the right to change these at any time. You will always find the current version here. Please consult the Data Protection Declaration regularly when you visit our website.

(Status: November 2018)