This Privacy Policy is intended for all individuals who visit our website. For the sake of readability only—within the context of the following explanations—we have omitted the simultaneous use of masculine, feminine, and other diverse grammatical forms. All references to persons apply to all genders: m/f/n. In addition to these and other matters, we take your rights to privacy, data protection, and informational self-determination very seriously. We are pleased to provide you with the following information in accordance with the General Data Protection Regulation (EU Regulation 2016/679, abbreviated as “GDPR”).
1. Who are we?
The “controller” is defined as the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. With regard to the processing of your data when using this website, we are the controller within the meaning of the GDPR:
OrphaCare GmbH
represented by: Dr. Georg Fischer and Ralf Lenhard
OrphaCare GmbH
Leopold-Ungar-Platz 2/1/132
1190 Vienna, Austria
Phone: +43 1 93 46 108
Email: office@orphacare.com
Wherever the terms “we” or “us” are used, they refer to the data controllers listed here.
2. Overview of Your Rights as a Visitor to Our Website
Visitors have several rights under the General Data Protection Regulation (GDPR) regarding the personal data processed about them. In particular,
the right to access the stored personal data,
the right to have inaccurately stored personal data corrected,
the right to erasure of personal data for which there is no legal basis for further storage,
the right to restrict the processing of stored personal data,
the right to data portability,
the right to lodge a complaint with the data protection supervisory authority responsible for us.
Provided that the conditions for the respective claims are met and we are able to identify you, we will fulfill your claims in a timely manner. Further details regarding your rights can be found, among other places, in the sections on the legal bases.
3. Note on the Legal Obligation to Process Data
A legal obligation to process data exists only to the extent that we refer to Article 6(1), first sentence, lit. c of the GDPR in the following Privacy Policy.
4. Data Transfer to Entities Outside the European Union, Specifically to the U.S.
(1) It is possible that we may transfer personal data to entities located outside the European Union—or at least cannot rule out such a possibility (hereinafter: “third-country entity”)—or have such data transferred by them. In such cases, we must ensure, in accordance with Article 44 of the GDPR, that the level of protection provided by the General Data Protection Regulation is not compromised. As a precaution, we note that the third-country entity may act as both a data controller and a data processor.
(2) If we refer to a so-called adequacy decision in the following statement, this means that the third-country entity is located in a country, territory, or specific sector for which the Commission has determined that it offers an adequate level of protection. This guarantee is then provided under Article 45 of the GDPR.
(3) If we refer to the so-called standard contractual clauses in the following statement, this means that the third-country entity accepts the so-called EU standard contractual clauses and has thereby contractually committed to complying with the level of protection provided by the General Data Protection Regulation. This guarantee is then based on Article 46(1) and (5) of the GDPR.
(4) If we state in the following declaration that you have consented to the transfer to the third-country entity, this means that you have been informed of all possible risks associated with such transfers—for which there is no adequacy decision or other safeguards— and have nevertheless consented to the data transfer. This guarantee is based on Article 49(1)(a) of the GDPR. For the sake of transparency, we describe the relevant risks in a separate section.
(5) We provide this notice solely as a precautionary measure. It applies only if we refer to it in the following statement. It is also possible that we will not make use of this provision.
EU Standard Contractual Clauses and Third-Country Recipients Based in the U.S.
(1) In addition to the information provided under “Data Transfers to Entities Outside the European Union”—paragraph 3—we would like to draw your attention to a special situation. When transferring data to third-country entities based in the U.S., the ability to rely on the EU Standard Contractual Clauses is limited. Therefore, if we intend to rely on the EU Standard Contractual Clauses in this context (or are already doing so), we would like to point out the following:
(2) We will base the transfer of personal data to third-country entities in the U.S. on the EU Standard Contractual Clauses only after we have conducted a thorough review of the relevant circumstances. In doing so, we first determine a risk level (type and, in particular, sensitivity of the data in question, scope of data processing, purpose of data processing, susceptibility to misuse). We then assess whether the contractual commitments of the U.S. third-country entity, as well as the technical and organizational measures implemented there (e.g., processing data exclusively in EU-based data centers, encryption technology), sufficiently mitigate the risks identified in the preliminary assessment. Only if we conclude that, in this case, the EU Standard Contractual Clauses provide a sufficient guarantee—even in the exceptional case of a U.S. third-country entity—will we rely on them.
(3) We provide this notice solely as a precautionary measure. It applies only if we refer to it in the following statement. It is also possible that we will not make use of this provision.
Consent to Transfer to Third-Country Entities Based in the United States, Including Risk Notices
(1) In addition to the information provided under “Data Transfer to Entities Outside the European Union”—paragraph 4, we would like to draw your attention to another special scenario. When transferring data to third-country entities based in the United States, the ability to rely on the EU Standard Contractual Clauses is limited. Therefore, in some cases, our only option is to ask for your consent to this transfer. However, before you grant this consent, we ask that you take note of the following risks and consider them when deciding whether to consent:
(2) We strongly emphasize that data transfers to the United States without the protection of an adequacy decision may entail significant risks. In particular, the following risks should be noted:
1. There is no uniform data protection law in the United States; certainly none that is comparable to the data protection law in effect in the EU. This means that both U.S. companies and government agencies have greater opportunities to process your personal data, particularly for advertising, profiling, and conducting (criminal) investigations. Our ability to take action against this is significantly limited.
2. The U.S. legislature has granted itself numerous rights of access to your personal data (see, for example, Section 702 of the FISA or E.O. 12333 in conjunction with PPD-28), which are incompatible with our understanding of the law. In particular, no proportionality review comparable to that in the European Union takes place prior to such access.
3. Citizens of the European Union cannot expect effective legal protection in the United States.
4. As a general rule, we will only ask you for such consent if we have concluded that the U.S. third-country authority cannot successfully rely on EU Standard Contractual Clauses.
(3) We are providing this statement solely as a precautionary measure. It applies only if we refer to it in the following statement. It is also possible that we will not make use of it.
5. Processing operations for which your consent is required (legal basis: Article 6(1), first sentence, lit. a of the GDPR)
General information on the purpose and legal basis of the processing operations.
(1) The purpose of the processing operations described below is specified separately for each tool.
(2) The legal basis for the respective data processing is your consent pursuant to Article 6(1), first sentence, letter a of the GDPR. According to this provision, the processing of your personal data is permitted if you have given your consent to the processing of your personal data for one or more specific purposes.
(3) You may provide your consent via a cookie banner or by checking a box.
(4) Profiling does not take place unless expressly mentioned below.
General Information on Retention Periods
(1) We store the data until you revoke your consent.
(2) As soon as you withdraw your consent, we will store the information regarding whether, when, and how you gave your consent (opt-in status) until the expiration of any civil statute of limitations regarding potential claims under the GDPR, i.e., generally three years after you revoke your consent. The legal basis for this is Article 6(1), first sentence, lit. c of the GDPR in conjunction with Article 5(2) of the GDPR, or Article 6(1), first sentence, lit. f of the GDPR in conjunction with § 1489 of the Austrian Civil Code (ABGB).
(3) Only in the event that a contractual relationship is established between us following processing based on your consent will we, if necessary, store some of your data additionally until the expiration of our statutory retention periods. The legal basis is Article 6(1), first sentence, subparagraph (c) of the GDPR, Sections 131 and 132 of the Federal Tax Code, and Section 212 of the Austrian Commercial Code (UGB). Accordingly, we may be obligated to
1. retain personal data derived from books and records within the meaning of Sections 131 and 132 of the Federal Tax Code, for seven years, whereby the retention period generally begins at the end of the calendar year in which the relevant document was created (Article 6(1), first sentence, lit. c of the GDPR in conjunction with § 132 of the Federal Tax Code),
2. Personal data relating to you that is derived from books, inventories, opening balance sheets, annual financial statements including management reports, consolidated financial statements including group management reports, received business correspondence, copies of business letters sent, and supporting documents for entries in the books we are required to maintain pursuant to § 190 of the Austrian Commercial Code (UGB), for a period of seven years, whereby the retention period generally begins at the end of the calendar year in which the relevant document was created (Article 6(1), first sentence, letter c of the GDPR in conjunction with § 212 of the Austrian Commercial Code (UGB)).
Right to Withdraw Consent
(1) To the extent that we obtain your consent for processing, you have the right at any time to withdraw this consent with effect for the future. As a rule, this can be done by sending us an informal notice (see “Data Controller” above).
(2) Furthermore, we would like to point out that, in the context of obtaining your consent, we process additional personal data about you. These include, on the one hand, identifying characteristics (such as your name, email address, and IP address) and, on the other hand, log data related to your consent (time of consent, consent status, and scope of consent). We base this data processing on Article 6(1), first sentence, lit. c of the GDPR in conjunction with Article 7(1) of the GDPR. The purpose is to demonstrate that you have given your consent.
How do we use Matomo?
(1) To analyze your user behavior on our website, we use the open-source web analytics platform Matomo (formerly Piwik). We’d like to briefly describe this processing procedure: The tool places a cookie on your computer that allows your browser to be recognized. Cookies are text files stored on your computer that enable an analysis of your use of the website. Although we store the data collected in this way on our own server within the European Union—and the provider therefore does not receive any of your data—we would like to inform you, as a precaution, that you can find more detailed information about data protection for this tool here: https://matomo.org/gdpr/. For more details on how data is processed via this tool, please see here: https://matomo.org/feature-overview/.
(2) In this context, we generally process the following data from you: The tool uses so-called “cookies.” These are text files that are stored on your computer and enable an analysis of your use of the website. In doing so, we generally collect the following information: your IP address (anonymized), the subpage you visited and the time of your visit, the page from which you accessed our website (referrer), information about which browser and plugins you are using, your operating system, and your screen resolution, the duration of your visit to our website, and the pages you accessed from the subpage you visited. We have anonymized your data for this purpose.
If you wish to disable these cookies, please click HERE.
How do we use LinkedIn?
(1) We use the social media platform mentioned above. Its provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. We have no influence over the data collected or the data processing procedures, nor are we aware of the full scope of data collection, the purposes of processing, or the retention periods. We also have no information regarding the deletion of the data collected by this provider. When you visit our company pages, the provider may store the data collected about you as user profiles and use them for advertising, market research, and/or to tailor its website to your needs. You have the right to object to the creation of these user profiles; to exercise this right, you must contact the provider. You can find the provider’s privacy policy here: https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv.
(2) To the extent that we can influence data processing, its purpose is to present our company, analyze your usage behavior in relation to your interaction with our company page maintained there, and communicate with you via this social network (including for advertising purposes, if applicable).
(3) The categories of personal data we process about you depend on the specific use of this social media platform, as described in paragraph 4.
(4) In addition to our general remarks on the legal basis, we would like to note the following: If you maintain a profile on this social media platform yourself, the legal basis is your consent within the meaning of Article 6(1), first sentence, letter a of the GDPR, which you have provided to the social media platform provider. In all other cases, the legal basis is Article 6(1), first sentence, (f) of the GDPR, pursuant to which your data may be processed provided that it is necessary to safeguard our legitimate interests or the interests of a third party, unless your interests or fundamental rights and freedoms—which require the protection of personal data—override those interests, particularly if the data subject is a child. We have a business interest in linking to our company pages, and you click on these links independently and voluntarily. Otherwise, the provider is responsible.
(5) If and to the extent that we analyze visitor interactions with our company website, we are jointly responsible with this provider under data protection law; this is in accordance with Article 26 of the GDPR. If and to the extent that we commission this provider to process data for us beyond this scope, we are the data controller within the meaning of Article 28 of the GDPR. Nor do the data processing operations preclude the possibility that the data may be processed by the provider outside the European Union, potentially in cooperation with LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA. This is because the processing of your personal data via this tool takes place only if you consent to the associated transfer of data to the United States (see Article 49(1)(a) of the GDPR). This[UC3] occurs with respect to us, to the extent that we control the data processing. Please be sure to read our risk notices beforehand (see General Section/Special Circumstances: Consent to Transfer to Third-Country Entities Based in the U.S., including the risk notices). If the provider controls the processing (for example, if you visit the social network independently of any action on our website), no transfer by us to the United States has taken place, so we are not required to provide any further guarantees within the meaning of Article 44 et seq. of the GDPR. In this case, there is, at most, a relationship between us and the social network provider within the meaning of Article 26 of the GDPR.
(6) In addition, we provide the following information regarding data processing in this context:
We maintain a company page on this social network and, where applicable, analyze whether and how you have visited our company page there; whether and how you interact with our posts on social networks; and whether and how you communicate with us via the channels available there. The consent you have provided to this provider is decisive in this regard.
Furthermore, we have linked our company page on this platform to our website. If you click on this link, you will be directed to our profile. With regard to this processing, we refer to our previous explanations regarding visits to our company page on this platform.
We also use LinkedIn Ads:
Using the advertising tools provided by this platform (so-called LinkedIn Ads), we can draw attention to our attractive offers on this provider’s social network. Based on the data from the advertising campaigns, we can determine how successful the individual advertising measures are. Our goal is to show you advertisements that are relevant to you, make our website more interesting for you, and ensure a fair calculation of advertising costs.
These advertising materials are delivered by the provider. If you access our website via an ad presented to you by this provider, the tool will store a cookie on your computer. These cookies are not intended to identify you personally. The following analytics data is typically stored in connection with this cookie: the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant for post-view conversions), and opt-out information (an indicator that the user no longer wishes to be targeted).
Due to the tool used, your browser automatically establishes a direct connection to this provider’s server. We have no influence over the scope and further use of the data collected through the use of this tool and therefore inform you to the best of our knowledge: By integrating this tool’s advertising materials, the provider receives the information that you have accessed the corresponding part of our website or clicked on one of our ads. If you are registered with this provider’s service, they can associate your visit with your account. Even if you are not registered with this provider or are not logged in, there is a possibility that the provider may obtain and store your IP address.
You can prevent participation in this tracking process in several ways:
- by adjusting your browser settings accordingly; in particular, disabling third-party cookies will prevent you from receiving ads from third-party providers;
- by disabling cookies
For more information on how this works and the associated data processing, please see here: https://business.linkedin.com/de-de/marketing-solutions/ads.
6. Processing operations based on our legitimate interests (legal basis: Article 6(1), first sentence, lit. f of the GDPR)
General information on the purpose and legal basis of the processing operations.
(1) The purpose of the processing operations described below is specified separately for each tool. It serves as the decisive basis for our legitimate interest in the processing.
(2) The legal basis for the respective data processing is Article 6(1), first sentence, subparagraph (f) of the GDPR. Under this provision, the processing of your personal data is permitted even without your consent if it is necessary to safeguard our legitimate interests or those of a third party, provided that your interests or fundamental rights and freedoms—which require the protection of personal data—do not take precedence.
(3) Profiling does not take place unless expressly mentioned below.
General Information on the Retention Period
(1) We store the data until our purpose for doing so no longer applies, which is always the case if you have lodged a justified objection (see “Note on the Right to Object”).
(2) If, following processing based on a legitimate interest, a contractual relationship is established between us, we will store the data additionally until the expiration of our statutory retention periods. The legal basis is Article 6(1), first sentence, letter c of the GDPR, Sections 131 and 132 of the Federal Tax Code, and Section 212 of the Austrian Commercial Code (UGB). Accordingly, we may be required to
1. retain your personal data derived from books and records within the meaning of Sections 131 and 132 of the Federal Tax Code, for seven years, whereby the retention period generally begins at the end of the calendar year in which the relevant document was created (Article 6(1), first sentence, lit. c of the GDPR in conjunction with § 132 of the Federal Tax Code),
2. Personal data derived from books, inventories, opening balance sheets, annual financial statements including management reports, consolidated financial statements including group management reports, received business correspondence, copies of business letters sent, and supporting documents for entries in the books we are required to maintain pursuant to § 190 of the Austrian Commercial Code (UGB), for a period of seven years, whereby the retention period generally begins at the end of the calendar year in which the relevant document was created (Article 6(1), first sentence, letter c of the GDPR in conjunction with § 212 of the Austrian Commercial Code (UGB)).
Right to Object
(1) To the extent that we base data processing in the following Privacy Policy on Article 6(1), first sentence, subparagraph (f) of the GDPR—that is, on a legitimate interest in the processing—you always have the right to object to the processing. As a rule, this can be done by sending us an informal message (see “Data Controller” above). If the objection is justified, we will cease processing.
(2) If the legitimate interest is based on an interest in direct marketing or promotional communications, your objection is always justified, provided you are identified.
Data Processing When Using the Website for Informational Purposes
(1) If you use our website purely for informational purposes—that is, if you neither register as a user nor otherwise submit information—we collect the following data from you: IP address, date and time of the request, time zone difference from Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, website from which the request originates, browser, operating system and its user interface, language, and version of the browser software. We receive this data via cookies and directly from your browser.
(2) The purpose of this processing is to provide our website and to conduct statistical analysis.
Data Processing in Connection with Your Data Protection Inquiries
(1) You have the right to assert data protection-related claims against us (see our information under “Rights of Website Visitors”). If you do so, we will receive, process, and respond to your request. Notwithstanding the above information regarding the retention period, we store the data until December 31 of the third calendar year following the year in which you submitted your request. This is based on Article 6(1), first sentence, letter f of the GDPR in conjunction with the applicable civil law statutes of limitations.
(2) In this context, we generally process the following data from you: your contact information and all data necessary to process your inquiry.
How do we use Adobe Typekit?
On our website, we use external fonts via Adobe Typekit. This is a service provided by Typekit, a division of Adobe Systems Inc., 345 Park Avenue, San Jose, California 95110-2704, USA. General information on the service provider’s data processing can be found in Adobe’s privacy policy at: www.adobe.com/de/privacy/policy.html (Adobe). When you visit our website, your browser downloads the necessary fonts directly from Adobe so that they can be displayed correctly on your device. By establishing a connection to Adobe, Adobe becomes aware that our website has been accessed via your IP address. The service provider states that it neither places nor uses cookies on websites to provide its fonts. Detailed information on what information is collected, how it is used, and whether and to whom the service provider discloses data when using Adobe Typekit can be found at: www.adobe.com/de/privacy/policies/adobe-fonts.html (Adobe Typekit). The fact that the provider is based outside the EU does not preclude the use of this service, as the provider has committed to complying with the Standard Contractual Clauses. The purpose of the processing—and thus the basis of our legitimate interest—is to enable the technically error-free and optimized provision of our services, in particular to ensure a consistent typographic appearance on our website.
Transient Cookies
(1) We use so-called transient cookies on our website. These include, in particular, session cookies. These store a so-called session ID, which allows various requests from the visitor’s browser to be assigned to the same session. This enables the visitor’s computer to be recognized when the visitor returns to our website.
(2) The purpose, from which our legitimate interest also arises, can be described as follows: The cookies serve to ensure that the website is displayed and used in a manner tailored to your needs.
(3) In this context, we generally process the following data from you: session cookies. These store a so-called session ID, which allows various requests from your browser to be assigned to the same session. This enables your computer to be recognized when you return to our website. Session cookies are deleted when you log out or close your browser.