Privacy

Data protection declaration

This data protection declaration (version: GDPR 3.0 of 18 June 2020) was drawn up by:

Deutsche Datenschutzkanzlei Data Protection Office Munich – www.deutsche-datenschutzkanzlei.de

Data protection

We, Medigene AG, are responsible for this online service. As the provider of a teleservice, we must inform you at the beginning of your visit to our online service about the type, scope and purpose of personal data collection and use. We must do so in a manner that is precise, transparent, easy to understand and easily accessible, using clear and simple language. You must be able to access the content of this notice at any time. We are required to inform you about the personal data that we collect or use. Any information relating to an identified or identifiable natural person constitutes personal data.

We attach great importance to the security of your data and compliance with data protection regulations. The collection, processing and use of personal data is subject to the provisions of the European and national legislation currently in force.

In the following Data protection declaration, our intention is to outline how we handle your personal data and how you can contact us:

Medigene AG

Lochhamer Straße 11

D-82152 Planegg

Commercial Register No.: HRB 115761

Leadership: Prof. Dr. Dolores J. Schendel (chairman), Axel-Sven Malkomes, Dr. Kai Pinkernell

Telephone: +49 89 2000330

E-mail: medigene@medigene.com

Our data protection officer

If you have any questions, please contact our data protection officer as follows:

Sven Lenz

Deutsche Datenschutzkanzlei – Datenschutzkanzlei Lenz GmbH & Co. KG

Bahnhofstraße 50

D-87435 Kempten

E-mail: datenschutz(at)medigene.com

 

A. General

For ease of understanding, we do not distinguish between the genders in our Data protection declaration. For the purpose of equality, equivalent terms apply to all genders.

The meaning of the terms used, such as "personal data" or its "processing", can be found in Article 4 of the EU General Data Protection Regulation (GDPR).

The personal data of users processed within the scope of this online service includes user-related data (e.g. names and addresses of users), usage data (e.g. data transmission and logging for internal system and statistical purposes) and content data (e.g. input for newsletter registration).

"User" includes all categories of data subjects affected by data processing. These include, for example, those interested in the "Investors and Media" section and other visitors to our online service.

 

B. Specific

Data protection declaration

We guarantee that we will only collect, process, store and use your data in connection with the processing of your inquiries as well as for internal purposes and in order to provide the services or content that you request.

Bases for data processing

We process users' personal data only in compliance with the relevant data protection regulations. Users' data will only be processed if the following legal authorization exists:

- In order to fulfill our contractual obligations

- The processing is required by law

- If you have given your consent

- On the basis of our legitimate interests (i.e. interest in the presentation of our Company as well as optimization and cost-effective operation and security of our online service within the meaning of Art. 6 (1) f) GDPR)

The above legal bases are set out in the following provisions of the GDPR:

- Consent: Art. 6 (1) a) and Art. 7 GDPR

- Processing for the purpose of providing our services and taking contract-related steps: Art. 6 (1) b) GDPR

- Processing for the purposes of compliance with our legal obligations: Art. 6 (1) c) GDPR

- Processing for the purposes of our legitimate interests: Art. 6 (1) f) GDPR

Data transfer to third parties

Personal data will only be disclosed to third parties in accordance with applicable laws. We only disclose data of users to third parties if this is required, e.g. for contractual purposes or on the basis of a reasonable interest in the economic and effective conduct of our business.

If any service provider is engaged to enable offering our services, appropriate legal measures apply as well as technical and organizational measures to ensure the protection of personal data in accordance with applicable laws.

We would like to inform you that a data transfer occurs because of the use of Vimeo while using our online services.

Data transfer to a third country or an international organization

A "third country" is a country in which the GDPR is not a directly applicable law. This basically includes all countries outside the EU or the European Economic Area.

Because of the use of Vimeo videos, data is transferred to a third country or an international organization. We have ensured that appropriate guarantees are in place, along with enforceable rights and effective remedies.

A copy of appropriate guarantees is available under the following links:

• Privacy-Shield: www.privacyshield.gov/list

• Standard Contractual Clauses: eur-lex.europa.eu/LexUriServ/LexUriServ.do

Storage period of your personal data

We adhere to the principles of data economy and data reduction. This means that we only store the data you provide to us for as long as is necessary to fulfill the above-mentioned purposes or in accordance with the various storage periods stipulated by law. If the purpose no longer applies or if the relevant time limits expire, your data will be blocked or erased in accordance with statutory provisions.

Contact

If you contact us by email or via the contact form to register for the newsletter, you agree to electronic communication. During the contact process, personal data is collected and processed if the user provides it voluntarily to us. Your data will be transmitted using SSL encryption. The information you provide will be stored exclusively for the purpose of processing your inquiry and for possible follow-up questions.

The legal bases for this are as follows:

- Processing for the purpose of providing our services and taking contract-related steps: Art. 6 (1) b) GDPR

- Processing for the purposes of our legitimate interests: Art. 6 (1) f) GDPR

We would like to point out that, during transmission, e-mails can be read or changed unnoticed and without authorization. Please also note that we use software to filter unsolicited e-mails (spam filter). Use of the spam filter may result in the rejection of e-mails that have been falsely identified as spam due to certain characteristics.

What rights do you have?

a) Right to information

You have the right to obtain information about your stored data, free of charge. Upon request, we will inform you in writing of your personal data that we have stored in accordance with applicable law. This also includes the origin and recipients of your data as well as the purpose of data processing.

b) Right to rectification

You have the right to have your data that we store rectified if it is incorrect. In doing so, you can request restriction of processing, e.g. if you contest the accuracy of your personal data.

c) Right to blocking

You can also have your data blocked. In order to allow blocking of your data at any time, this data must be held in a blocking file for control purposes.

d) Right to erasure

You can also request the erasure of your personal data, provided there are no statutory retention requirements. Insofar as such an obligation exists, we will block your data on request. If the relevant legal requirements are met, we will erase your personal data even if you do not request us to do so.

e) Right to data portability

You are entitled to request that we provide you with the personal data you have provided to us in a format that allows it to be transferred to another location.

f) Right of appeal to a supervisory authority

You have the option to lodge a complaint with one of the data protection supervisory authorities.

Bavarian Department of Data Protection Supervision (BayLDA)

Promenade 27, D-91522 Ansbach

Telephone: +49 981 53-1300

Fax: +49 981 53-981300

You can access the complaint form of the Bavarian Department of Data Protection Supervision via the following link: www.lda.bayern.de/de/beschwerde.html

g) Right to object

You have the option at any time to revoke the use of your data for internal purposes with effect for the future. To do so, it is sufficient to send an e-mail to datenschutz@medigene.com. However, any such revocation shall not affect the legality of the processing operations carried out by us up to that point. This does not affect data processing with regard to all other legal bases, such as the initiation of the contract (see above).

Protection of your personal data

We take contractual, organizational and technical security measures in line with state of the art technology in order to ensure compliance with the provisions of data protection legislation and to safeguard the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons.

The security measures include in particular the encrypted transmission of data between your browser and our server. 256-bit SSL (AES 256) encryption technology is used for this purpose.

Your personal data is protected within the scope of the following actions (excerpt):

a) Maintaining the confidentiality of your personal data

In order to protect the confidentiality of your personal data stored with us, we have taken a range of steps to control admission, entry and access.

b) Safeguarding the integrity of your personal data

In order to safeguard the integrity of your personal data stored by us, we have taken various measures to control the forwarding and input of such data.

c) Ensuring the availability of your personal data

In order to maintain the availability of your personal data stored with us, we have taken a number of steps to control compliance with work orders and availability.

The security measures in use are continuously improved in line with technological developments. Despite these precautions, due to the insecure nature of the Internet, we cannot guarantee that your data will be transmitted securely to our online service. As a result, any data transmission from you to our online service is at your own risk.

Protection of minors

Persons under the age of 16 must not transfer any personal data to us without the consent of their legal guardians. Personal information may only be provided to us by persons under the age of 16 with the express consent of a parent or guardian, or by persons who are aged 16 or older. This data will be processed in accordance with this data protection declaration.

Cookies

We use cookies. Cookies are small text files that are stored locally in the cache of your Internet browser. Cookies enable the Internet browser to recognize the website. The files are used to help the browser navigate through the online service and to ensure that all functions can be used to the full extent.

Our online service uses: browser cookies

User control of cookies

Browser cookies: you can set all browsers to accept cookies only upon request. You can also choose to accept cookies only from the website you are currently visiting. All browsers offer functions that allow the selective deletion of cookies. It is also possible to turn off the acceptance of cookies generally, but this may make this online service less user-friendly.

Lifetime of the cookies used

Cookies are managed by the web server of our online service. This online service uses:

Transient cookies/session cookies (one-time use)

Lifetime: 30 minutes

Persistent cookie (permanent browser recognition)

Lifetime: between 6 and 24 months

Disable or remove cookies (opt-out)

Every web browser provides options to restrict and delete cookies. Further information is available on the following websites:

- Internet Explorer: windows.microsoft.com/en-GB/windows7/How-to-manage-cookies-in-Internet-Explorer-9

- Firefox: support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

- Google Chrome: support.google.com/chrome/answer/95647

- Safari: support.apple.com/de-de/HT201265

Use of Vimeo videos

Plugins of the video portal Vimeo of Vimeo LLC, 555 West 18th Street, New York, New York 10011, USA (“Vimeo”) are integrated in our website offering.

The Vimeo videos are integrated through the no-cookie setting as provided by Vimeo. According to Vimeo, no data will be saved because of the no-cookie setting.

If an embedded Vimeo video is started, cookies may potentially be set and a direct connection to browsers of Vimeo may be activated.

The plugin content will potentially be transferred by Vimeo directly to your browser and embedded into the website. Through such embedding, Vimeo potentially receives the information that your browser has called the respective page of our website, even if you do not have a Vimeo account or are not currently logged in to Vimeo. This information (including your IP address) will potentially be transferred from your browser directly to a server of Vimeo in the USA and saved on that server.

If you are logged in to Vimeo, Vimeo may allocate your visit to our website directly to your Vimeo account. If you interact with the plugins (e.g. by pressing the start button of a video), this information will also be transferred directly to a server of Vimeo and saved on that server.

The handling of data as described herein is in accordance with Art. 6 para. 1 lit. f GDPR on the basis of a legitimate interest of Vimeo in market analysis and the practicable provision of Vimeo services. If you do not wish Vimeo to allocate data collected through our website to your Vimeo account, you have to log out of Vimeo before visiting our website.

The purpose and the scope of data collection and further handling and use of data by Vimeo as well as your respective rights and setting options for the protection of your privacy are available in the privacy statement of Vimeo under: https://vimeo.com/privacy

Vimeo LLC, which has a place of business in the USA, is certified for the US-European Privacy Shield, which ensures compliance with applicable EU data protection levels. A valid certificate is available under: https://www.privacyshield.gov/list

Newsletter

If you subscribe to our e-mail newsletter, we will send you press releases and company announcements as soon as they are published. Personal data is collected for this purpose. Your e-mail address is the only information required for sending the newsletter. Providing any further data is voluntary (form of address, nationality, first name, surname, categories such as investor, private shareholder, press or other category, telephone number and address). We use this data for our own purposes: to contact you through the e-mail newsletter, to contact members of the press specifically, and to allow a country-specific selection of the information we send, provided that you have expressly consented to it as shown below:

"I have read the data privacy and subscription statement and agree to the handling of my personal data as described therein. I am aware that subscription and usage are voluntary and revocable at any time for the future. Yes, I would like to receive the Medigene newsletter in the future, by e-mail to the above e-mail address. I was informed of my right of revocation when I registered."

We use the "double opt-in" procedure to send the newsletter. This means that we will only send you an e-mail newsletter after you have expressly confirmed that you agree to receive the newsletter. We will then send you a confirmation e-mail asking you to click on a link to confirm that you wish to receive our newsletter in the future.

By activating the confirmation link, you consent to the use of your personal data in accordance with Art. 6 (1) a) GDPR. When you register for the newsletter, we store your IP address as entered by the Internet Service Provider (ISP) as well as the date and time of registration. The purpose of this is to be able to track any possible misuse of your e-mail address at a later point in time.

You can unsubscribe from the newsletter at any time via the link provided for this purpose in the newsletter, or by sending a message to us, e-mail: investor@medigene.com. After you have unsubscribed, your e-mail address will immediately be deleted from our newsletter distribution list and included in a blocking file to ensure that revocation is successful. Any e-mails that bounce back due to invalid e-mail addresses will be deleted from our newsletter distribution list.

Changes to our privacy policy

We reserve the right to change our data protection declaration from time to time in order to reflect the latest legal requirements or to incorporate changes to our services in the data protection declaration. This could involve the introduction of new services, for example. Your return visit will then be subject to the new data protection declaration.

Trademark protection

Any company logo or trademark mentioned herein is the property of the respective company. Trademarks and names are used for information purposes only.

C. Russia-specific provisions

The following applies to users resident in the Russian Federation:

The above online services are not intended for citizens of the Russian Federation residing in Russia.

If you are a Russian citizen resident in Russia, you are hereby expressly informed that any personal data you provide to us through this online service is solely at your own risk and responsibility. You furthermore agree that you will not hold us responsible for any failure to comply with the laws of the Russian Federation.