Footer > Privacy Notice > Data protection information for clients and other concerned parties

Data protection information for clients and other concerned parties

In Vetter’s eyes, the protection of your privacy and a maximum of transparency form the basis for a successful and trusting cooperation. With the following information, we would like to give you as a customer or potential customer of our products/services an overview on the processing of your personal data by us and your rights under data protection law. Which data are processed in detail and the manner in which they are used is predominantly determined by the services requested or agreed. Therefore, not every element of this information may be applicable to you.

Who is responsible for data processing and who can I contact?

Responsibility lies with

Vetter Pharma-Fertigung GmbH & Co. KG
Schützenstrasse 87
Ravensburg, Germany
Tel.: +49-(0)751-3700-0
Telefax: +49-(0)751-3700-4000
(“Vetter“ or, respectively, “we")

You can reach our internal Data Protection Officer under

Mr. Henrik von Kunhardt
85276 Pfaffenhofen, Germany

Which sources and which data do we use?

We process personal data which we receive from our clients and other concerned parties in connection with our business relationship. Moreover, we process personal data legitimately obtained from publicly accessible sources (such as debtors’ lists, land registers, registers of commercial establishments and associations, press, Internet) or which have been legitimately transmitted to us from other companies of the Vetter Pharma Group or third parties (for example a credit bureau) to the extent necessary for rendering our services.

Relevant personal data are personal details (name, address and other contact data, date and place of birth and nationality) legitimisation data (such as data from ID cards) and also authentification data (such as a signature specimen). In addition, these may also be contract data (such as a payment order), data resulting from the performance of our contractual obligations (such as turnover data in payment transactions), information about your financial status (such as data on credit standing, scoring/rating, origin of assets), advertising and sales data (including advertising scores), documentation data (such as a protocol on consultations) and other data comparable with the above-mentioned categories.

What is the purpose of processing your data (processing purpose) and on which legal basis does this take place?

We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) and the German Federal Law on Data Protection (BDSG).

(1) To perform our contractual duties (Article 6 paragraph 1 lit. b) GDPR): Data are processed for the purpose of providing services and processing orders in connection with the performance of our agreements with our clients or for performing precontractual measures as a result of queries. The purposes of data processing are primarily determined by the specific product and service (such as Vetter Development Service, Vetter Commercial Manufacturing, Vetter Packaging Solution, Fill & Finish)) and may, among other things, include needs assessments, consultation, purchase and works agreement, research agreements and regulatory requirements (e.g. FDA, EMA and PMDA). For further details on the purposes of data processing, please refer to the pertinent contractual documents and our General Terms and Conditions.

(2) Within the scope of the balancing of interests (Article 6 paragraph 1 lit. f) GDPR): To the extent necessary, we will process your data beyond the scope of the actual performance of the contract so as to protect justified interests of our own and of third parties. Examples are: consultations of and exchange of data with credit agencies (e.g. SCHUFA) to determine credit worthiness or default risks in our deals, testing and optimising methods for a needs analysis in connection with approaching customers directly, advertising or market and opinion research unless you have objected to the use of your data, asserting and defending claims in connection with legal disputes, ensuring IT security and IT operation of the company, prevention and investigation of criminal acts, video surveillance to protect domiciliary rights, to collect evidence in case of break-ins (also cf. Sec. 4 BDSG), measures for securing buildings and systems (such as admission control, measures to steer business and the ongoing development of performance and products, risk control in the Vetter Pharma-Fertigung GmbH & Co. KG Group.

(3) Based on your consent (Article 6 paragraph 1 lit. a) GDPR: To the extent you have consented to the processing of personal data by us for certain purposes (such as passing on data within the Vetter Pharma-Fertigung GmbH & Co. KG Group, analysis of payment transaction data for marketing purposes, photographs taken in connection with events, mailing newsletters), such processing is legitimate on the basis of your consent. Consent once given may be withdrawn at any time. This also applies to the withdrawal of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Withdrawal of consent will have an effect only for the future and does not affect the legitimacy of data processed until that date.

(4) Based on statutory regulations (Article 6 paragraph 1 lit. c) GDPR) or in the public interest Article 6 paragraph 1 lit. e) GDPR):  Moreover, we, as a company, are subject to various legal obligations, i.e. statutory requirements (such as the Law on Money Laundering, tax laws, regulatory requirements). The purposes of processing include, among others, the assessment of creditworthiness, checking identity and age, prevention of fraud and money laundering, compliance with obligations of control and reporting under tax law and the assessment and management of risks in the Vetter Pharma Group.

Who will receive my data?

Within the company, those units will be granted access to your data that need them in order to comply with our contractual and statutory obligations. Service providers and agents appointed by us may also receive the data for these purposes if they commit to protecting confidentiality and integrity. These are companies in the categories IT services, logistics, printing services, telecommunication,  consulting as well as sales and marketing.

As far as passing on data to recipients outside our company is concerned, it must first be kept in mind that we will pass on only necessary personal data, observing all regulations on data protection. As a matter of principle, we may pass on information about you only if this is required by law, you have given your consent or we have otherwise been granted authority. Under these circumstances, recipients of personal data may, for example, be: public authorities and institutions (such as tax authorities, authorities prosecuting criminal acts, family courts, land registries) if based on a statutory or regulatory obligation, other loan and financial services institutes or comparable institutions to whom we transmit personal data to perform our business relations with you (stock exchanges, credit agencies), other companies of the Vetter Pharma Group for risk control on the basis of statutory or regulatory obligations, creditors or liquidators submitting queries in connection with a foreclosure, auditors, service providers whom we involved in connection with order processing relationships.

Will the data be transferred to a third country or an international organisation?

Data transfer to bodies in states outside the European Union (so-called third countries) will take place to the extent it is required to fill your orders (e.g. orders for shipments), it is prescribed by law (e.g. reporting obligations under tax law) or you have given us your consent.

Moreover, transfer to bodies in third countries is intended in the following cases: (1) If necessary in individual cases, your personal data may be transmitted to an IT service provider in a third country to ensure that the IT department of the company remains operative, observing the level of the European data protection rules. (2) With the consent of the data subject or as a result of statutory provisions on controlling money laundering, the financing of terrorism and other criminal acts and within the scope of the balancing of interests, personal data (such as legitimisation data) will be transferred in individual cases, observing the data protection level of the European Union.

For how long will my data be stored?

We process and store your personal data as long as necessary to comply with our contractual and statutory obligations. If the data are no longer required for the performance of contractual or statutory obligations, these will be erased on a regular basis unless – temporary – further processing is necessary for the following purposes: (1) Compliance with obligations of retention under commercial or tax law which, for example, may result from: the German Commercial Code (KWG), the German Fiscal Code (AO) and the German Law on Money-Laundering (GwG). As a rule, the time limits specified there for retention or documentation are 2 to 10 years; (2) Preservation of evidence under the statutory regulations regarding the statute of limitations. According to Secs. 195 et seqq. German Civil Code (BGB), this statute of limitations may be up to 30 years, the regular statute of limitations being 3 years.

What are my rights with regard to data protection?

Every data subject has the right to information pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to objection pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. As far as the right to obtain information and the right to erasure are concerned, the restrictions pursuant to Secs. 34 and 35 BDSG are applicable. Moreover, there is a right to appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with Sec. 19 BDSG).

Your consent to the processing of personal data granted to us may be withdrawn at any time by informing us accordingly. This also applies to the withdrawal of declarations of consent given to us before the effective date of the GDPR, i.e. before 25 May 2018. Note that this withdrawal will be valid only for the future. Processing events that took place before withdrawal are not affected.

Am I obliged to provide data?

Within the scope of our business relationship, you are obliged to provide those personal data which are required for commencing, executing and terminating a business relationship and for compliance with the associated contractual obligations or the collection of which is imposed upon us by law. Without these data, we will generally not be able to enter into agreements with you, to perform under such an agreement or to terminate it.

To what extent will decision-making be automated?

As a matter of principle, we do not use fully automated decision-making processes pursuant to Article 22 GDPR to establish, perform or terminate a business relationship. In the event that we should use such processes in individual cases (for example to improve our products and services), we will inform you of this and of your rights in this respect separately if prescribed by law.

Will profiling take place?

Your data will be processed automatically in part with the objective of assessing certain personal aspects (profiling). For example, we will use profiling in the following cases:

  • We use analysis tools to be able to inform you selectively of our products and services. These permit communication according to need and advertising including market and opinion research.
  • In connection with the assessment of your creditworthiness we employ scoring. With this tool, the probability of a customer meeting payment obligations is calculated. Scoring is based on a proven and recognised mathematical-statistical method. The resulting score values assist us in decision-making in connection with the sale of products and will become part of the ongoing risk management.


Information about your right to object pursuant to Article 21 GDPR

Right to object based on individual cases

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) of Article 6 (1) (data-processing in the public interest) and point (f) of Article 6 GDPR (data-processing on the basis of the balancing of interests); this also applies for profiling as defined in Article 4 point 4 GDPR.

If you do object, we will no longer process your personal data unless we have compelling justified reasons for such processing which take precedence over your interests, rights and freedom or, alternatively, such processing serves to assert, exercise or defend legal claims.

Recipient of an objection

Such an objection may be submitted informally, headed “Objection”, stating your name, address and date of birth and should, if possible, be addressed to:

Vetter Pharma-Fertigung GmbH & Co. KG
Schützenstrasse 87
88212 Ravensburg, Germany
Tel.: +49-(0)751-3700-0