DATA PROTECTION

The protection and security of your personal data is of particular concern to us. We are therefore committed to treating and protecting your data confidentially and strictly complying with the General Data Protection Regulation (GDPR) and the Data Protection Act (DSG) when collecting, processing and storing your data. Below we will inform you about which of your personal data we collect and for what purposes it is used. All personal terms used in this data protection declaration apply equally to persons of the female and male gender.

  1. Responsible person

The person responsible within the meaning of the GDPR is Nikolaus Apotheke Längenfeld KG, Mag. pharm. Laura Canov, 6444 Längenfeld, Oberlängenfeld 6/01B, Austria.

Inquiries regarding data protection and the processing of personal data can be sent to the following email address: office@nikolaus-apotheke.at

The person responsible has not appointed a data protection officer because the legal requirements for a mandatory appointment do not exist.

  2. Data collected, purpose of processing, legal basis, storage period, recipients and recipient categories of data

The categories of personal data we process and the purposes pursued by processing these personal data are described below. You will also find information on the storage period of the respective data or, where a storage period cannot be stated, on the criteria used to determine it, as well as on the recipients and recipient categories of the data.

  2.1 General customer relationship

  2.1.1 Obtaining medicines and medical devices based on health insurance prescriptions

The following data from our customers is generally processed on the basis of Sections 1 and 10 of the Pharmacy Operating Regulations 2005. When you purchase medicines and medical devices based on a doctor’s prescription and a health insurance prescription, we save the respective prescription with the following data:

  • Prescription number (contains the contractual partner number of the prescribing doctor)
  • Social security number of the patient and the insured person
  • Name and number of the health insurance company
  • Classification group (e.g. employed, retired, etc.)
  • Prescription delivery date
  • Chief medical approval
  • Exemption from prescription fees
  • Dispensed medicines and medical devices
  • Prescription fees, tax amounts, cost shares and additional fees as well as discounts and deductibles

This data is collected, processed and stored for the purpose of billing the patient’s statutory health insurance for the medicines and medical devices dispensed. In this case, the patient only bears part of the costs (prescription fee or share of the costs); the remaining costs for medicines and medical devices are covered by the patient’s statutory health insurance. For this purpose, the pharmacy must bill the health insurance company electronically and transmit the data to the statutory health insurance company.

The processing of this data takes place in particular on the legal basis of Art. 9 Para. 2 lit. The provision of the above-mentioned data is necessary as part of electronic billing to the health insurance company in accordance with Section 7 Paragraph 2 of the overall pharmacist contract concluded between the Main Association of Austrian Social Insurance Institutions and the Austrian Chamber of Pharmacists. Otherwise, the pharmacy cannot bill the patient’s statutory health insurance provider for the remaining costs of the medicines and medical devices prescribed on a health insurance prescription.

Our records of business transactions and electronic prescription invoices with the statutory health insurance companies, which contain the data mentioned, are stored in accordance with the retention period regulated in Section 132 Paragraph 1 of the Federal Tax Code (which is currently the last seven financial years). After this retention period has expired, this data will be automatically deleted.

If a data subject exercises their data protection right to deletion, the records of business transactions and electronic prescription invoices with the statutory health insurance companies will be retained for the retention period regulated in Section 132 Paragraph 1 of the Federal Tax Code, but the social security number of the data subject will be anonymized in these data. “Anonymization” means that the data subject’s social security number is replaced with a randomly generated, invalid social security number from which the original social security number can no longer be recovered.

Excluded from this anonymization are the prescription billing data that fall within the period specified in Appendix IV § 13 of the overall pharmacist contract concluded between the Main Association of Austrian Social Insurance Institutions and the Austrian Chamber of Pharmacists (this is currently six months from the billing of a prescription). As a result, the social security numbers remain unchanged in the prescription billing data for the past six months.

Furthermore, within the framework of electronic prescription billing, the Pharmazeutische Lohnkasse für Österreich, Spitalgasse 31, 1090 Vienna (www.lohnskasse.at), is interposed as a clearing house between the pharmacy and the patient’s statutory health insurance in accordance with Section 7 Paragraph 1 of the overall pharmacist contract concluded between the Main Association of Austrian Social Insurance Institutions and the Austrian Chamber of Pharmacists. The pharmacy’s original prescription data must be retained by the Pharmazeutische Lohnkasse für Österreich for the period specified in Annex IV § 4 paragraph 3 of the same overall pharmacist contract (which is currently nine months).

  2.1.2 Purchase on account

For purchases on account (purchases on credit settled by invoice), we collect the following customer data:

  • First and Last Name
  • Title
  • Gender
  • Postal address
  • Telephone number
  • E-mail address

This data is processed for the purpose of fulfilling and processing the contract with the customer. The legal basis for data processing is therefore Article 6 Paragraph 1 lit b GDPR and Section 11 of the Sales Tax Act, which standardizes obligations with regard to the issuance of invoices.

Our records of such business transactions are stored in accordance with the retention period regulated in Section 132 Paragraph 1 of the Federal Tax Code (currently the last seven financial years). After this retention period has expired, this data will be automatically deleted.

The right to deletion does not apply to these business cases, as the data is automatically deleted after the statutory retention period has expired and deletion or anonymization of the data before the statutory retention period has expired is not permitted in accordance with Section 11 of the Sales Tax Act and Section 131 of the Federal Tax Code (“erasure ban”).

If a customer does not want to disclose the data mentioned and have it processed electronically under the conditions mentioned, we cannot carry out purchases on credit settled by invoice. However, the customer can purchase the desired products on an anonymous receipt in compliance with the relevant regulations on prescription requirements and pay in cash or by debit or credit card.

  2.1.3 Regular customers

We offer our customers the option of being recorded in our regular customer file. The prerequisite for inclusion in our regular customer file is the written consent of the customer in the form of their own declaration of consent. Consent to be included in our regular customer file requires the customer to be of legal age and legally competent. We collect the following data from our regular customers:

  • First and Last Name
  • Title
  • Gender
  • Date of birth
  • Social Security Number
  • Postal address
  • Telephone number
  • E-mail address
  • Data about purchases made from us

This data is processed for the following purposes:

  • Sending information and advertising regarding over-the-counter medicines and other health products by email or post
  • Delivery of an electronic newsletter
  • Information about the availability of ordered medicines by telephone, SMS or email
  • Reminders of vaccination appointments or appointments to use a medication via email and SMS
  • Printout of statements about medicines purchased in our pharmacy, which you can use to submit to the tax office (annual balance) or the health insurance company.

This data is processed on the legal basis of Article 6 Paragraph 1 Letter a (consent) and Article 9 Paragraph 2 Letter a of the General Data Protection Regulation.

Records of business transactions with regular customers are stored in accordance with the retention period regulated in Section 132 Paragraph 1 of the Federal Tax Code (currently the last seven financial years). After this retention period has expired, this data will be automatically deleted. Regular customers are automatically deleted from our regular customer file if no business transactions have been recorded with the regular customer and the regular customer record was created more than three years ago. If a regular customer exercises their right to deletion, the records of business transactions will be retained for the retention period regulated in Section 132 Paragraph 1 of the Federal Tax Code, but the regular customer will be deleted and the affected business cases will be anonymized. Delivery notes and invoices in accordance with point 2.1.2 of this data protection declaration are excluded from this anonymization. Furthermore, the data remains stored in accordance with point 2.1.

There is no legal or contractual requirement to be listed as a regular customer in our pharmacy, to disclose the data mentioned or to use the services mentioned for regular customers. If a customer does not want to be listed as a regular customer in our pharmacy, the services mentioned as processing purposes cannot be provided.

  2.2 Use of our website

  2.2.1 Data collected, processing purposes, legal basis and storage period

Every time the website is accessed, access data is stored in a log file, the server log. The data record stored contains the following information: date and time of access, IP address, session ID, website accessed, name of the website from which the website was accessed and information about the website used.

We only evaluate these log files in the event of misuse of the website and therefore reserve the right to subsequently check the log files of users who are specifically suspected of using our website illegally and/or in breach of contract. In general, we cannot assign this data to a specific person. If such an assignment is possible, we will only use this data in cases where there is a corresponding legal basis (balancing of interests in individual cases). This data is processed in particular on the legal basis of Article 6 Paragraph 1 lit f GDPR (legitimate interests of the controller). The data in the server log is generally processed for a period of 30 days.

  2.2.2 Recipients and recipient categories of data

In connection with the operation of the website, the following processors work for the controller:

  • Website hosting and maintenance: INOMIND.SRL, 051135, Bucharest, RO
  • Newsletter service: CleverReach GmbH & Co. KG, 26180 Rastede, DE
  • Newsletter service: PHOENIX Arzneiwarengrosshandlung GmbH, 1140 Vienna, AT

In addition to the specifically listed recipients, other processors may also be used in connection with the provision of this website in the future (e.g. hosting providers, shop operators, payment service providers) if they offer sufficient guarantees for lawful and secure data use and contractually undertake to comply with the principles and legal regulations described in this data protection declaration. If necessary, the data from the server log can be transmitted to the responsible courts and/or (security) authorities as well as professional party representatives.

  2.2.3 Use of cookies

We use cookies on our website to enable the use of certain functions of the website. Cookies are small text files that are stored on your computer. We use cookies to make our offering user-friendly. Some of the cookies we use are deleted from your hard drive at the end of the browser session (session cookies). Other cookies remain on your computer and enable us to recognize your computer on your next visit (long-term cookies).

You can completely prevent the storage of cookies by setting your browser accordingly. However, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.

If you do not want cookies to be stored on your computer, please deactivate the storage of cookies in your browser for our website or set your browser so that cookies are generally not stored on your computer. Cookies that have already been saved can also be deleted in your browser.

The following categories of cookies are used on our website:

  • Session cookies / session ID

To make it easier for you to browse our website, we may use a so-called session ID (session identifier), which is assigned to each visitor at the beginning of each use of the website. This session ID is used by our server to recognize you or your computer/browser as the same visitor, even if your IP address has changed in the meantime. This session ID enables several related requests from a user to be assigned to one session.

Storage period: The session ID cookie we use is only valid until the end of a session. It is automatically deleted when you close your browser.

  • Long-term cookies

If you confirm the cookie notice displayed on our website with “OK”, the fact of this confirmation will be saved in a separate cookie. As long as this cookie is stored on your device, the cookie notice will not be displayed again. It is still possible to access the relevant information in our data protection declaration.

Storage period: 400 days

  • Third party cookies

Third-party services are also linked on our website. With regard to these services, personal data may be processed by the providers named below, for whom the operator of this website is not responsible. Further information can be found in the data protection declaration of the respective provider:

  • Facebook share button

Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

https://www.facebook.com/privacy/explanation

  • Google Maps, Google reCAPTCHA, Google Analytics

Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland

https://privacy.google.com/businesses/controllerterms/mccs/

Further information about these cookies, their use and storage period can be found in your “privacy settings” in the Consent Manager – the links to them can be found above under 2.2.3 of this data protection declaration.

  2.2.4 Use of the contact form

If you use the contact form on our website, we process the data you provide (name, email address, telephone number, content of your request) to process your request and any follow-up questions. The legal basis for the use of this data is the fulfillment of the contract or the implementation of pre-contractual measures within the meaning of Art. 6 Para. 1 lit. b GDPR and our legitimate interest pursuant to Art. 6 Para. 1 lit. f GDPR. The data mentioned will be stored for as long as necessary for the purposes mentioned. We will not pass on the data processed in this context to third parties without your consent, unless this is necessary to fulfill the contract or to carry out pre-contractual measures. If your inquiry does not result in an order,

  2.2.5 Inquiries by email

If you send us an inquiry by email, we will process the data you provide (name, email address, content of your inquiry) to process your inquiry and any follow-up questions. The personal data you provide is necessary to fulfill the contract or to carry out pre-contractual measures. The legal basis for data processing is therefore Article 6 Paragraph 1 lit b GDPR. If your request does not result in an order being placed, this data will be deleted after three months at the latest.

  2.2.6 Newsletter, direct marketing

You have the option of subscribing to our newsletter, emails and other electronic messages (collectively “newsletter”). For this we need your name and email address. The purpose of the processing is advertising and direct marketing for us, our offers and our services (e.g. by email or post). We send newsletters exclusively on the basis of the recipient’s consent or other legal permission. When registering for the newsletter, you declare that you agree to receive the newsletter and to the processing of the required data. The content specifically described when registering for the newsletter, which in particular includes information about promotions and offers, our services and us, is decisive for the scope of the recipient’s consent. The legal basis for this data processing is therefore consent in accordance with Article 6 Paragraph 1 lit a GDPR. As soon as you have registered for the newsletter, we will send you a confirmation email with a link to confirm your registration (double opt-in). Your confirmation prevents anyone from registering with someone else’s email address. In order to prove that our registration process complies with legal requirements, we log your registration for the newsletter. For this purpose, we store your IP address together with the time of registration and confirmation as well as any changes to your data held by our mailing service provider.

If consent is not required, the newsletter will be sent on the basis of our legitimate interests in direct marketing to the extent permitted by law (existing customer advertising). The commissioning of a service provider to send emails is based on our legitimate interests in secure and efficient newsletter delivery. The registration process is recorded based on our legitimate interests to demonstrate that it was carried out in accordance with the law. The legal basis in this case is our legitimate interests (Article 6 (1) (f) GDPR).

In order to optimize our offer, we evaluate which newsletter contents are of particular interest to recipients. As part of individual profiling, the opening of certain content or click behavior in the newsletter is recorded and evaluated. In order to provide you with targeted information, we also collect and process voluntarily provided information about areas of interest, birthday, zip code, etc.

In connection with sending the newsletter, the following processor works for us:

CleverReach GmbH & Co. KG, //CRASH Building

Schafjückenweg 2, 26180 Rastede, Germany

www.cleverreach.com/de

www.cleverreach.com/de/datenschutz

The registration process is recorded on the basis of our legitimate interests for the purpose of providing evidence of its proper execution.

The data will be processed for as long as consent is valid. You can of course unsubscribe from the newsletter at any time and revoke your consent to the storage of the data and its use for sending the newsletter, and/or object to further receipt. The revocation can be done via a link at the end of each newsletter or by sending a message to the contact options listed here. We will then immediately delete your data in connection with sending the newsletter, but we are entitled to store your email address for up to three years in order to prove your original consent. In this case, your email address will only be processed to defend against any claims.

  3. Note on data transfer to the USA and other third countries

We use, among other things, tools from companies based in the USA or other third countries that are not considered secure in terms of data protection law. When these tools are active, your personal data may be transferred to these third countries and processed there. We would like to point out that a level of data protection comparable to that in the EU cannot be guaranteed in these countries. For example, US companies are obliged to hand over personal data to security authorities without you as the data subject being able to take legal action against this. It cannot therefore be ruled out that US authorities (e.g. intelligence services) process, evaluate and permanently store your data on US servers for surveillance purposes. We have no influence on these processing activities.

  4. Your rights regarding the data used

If and to the extent that we use personal data concerning you, you are particularly entitled to the following rights in relation to such data:

  • Right to revoke consent (Article 7 Paragraph 3 GDPR): You have the right to revoke your consent at any time. From the time the revocation is received, no further data processing will take place on the basis of this declaration of consent. The lawfulness of the processing of the data until the revocation is received remains unaffected.
  • Right to information (Article 15 GDPR): You can request information at any time as to whether and which personal data concerning you is being processed by us, for what purposes the processing is carried out, where the data comes from, to which recipients the data may be transmitted and how long such data is stored with us.
  • Right to rectification (Article 16 GDPR): If you discover that personal data concerning you is incorrect, you can request that such data be corrected at any time. If you believe data is incomplete, you can also request that the data be supplemented.
  • Right to deletion (Article 17 GDPR): If you believe that the use of your personal data is no longer necessary, occurs without a sufficient legal basis or is unlawful for other reasons, you can request the deletion of this data.
  • Right to restriction of data processing (Article 18 GDPR): You may request the restriction of data processing if you dispute the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data; if you consider that the processing is unlawful and you refuse the deletion of the personal data and instead request the restriction of its use; if we no longer need the personal data for the purposes of processing, but you need it to assert, exercise or defend legal claims; or if you have objected to the processing in accordance with Article 21 Paragraph 1 GDPR, for as long as it is not yet clear whether our legitimate reasons outweigh yours.
  • Right to data portability (Article 20 GDPR): With regard to the personal data that you have provided yourself and that is used on the basis of a contract or consent, you can request that this data be made available to you in a structured, commonly used and machine-readable format. You can also request that this data be transmitted directly to another controller. This right applies in particular to delivery notes and invoices in accordance with point 1.2 and to regular customers in accordance with point 2.1.3 of this data protection declaration.
  • Right to lodge a complaint with a supervisory authority (Article 77 GDPR): If you believe that your rights in relation to personal data concerning you have been violated, you have the right to lodge a complaint with a supervisory authority. In particular, you can contact the supervisory authority responsible for your place of residence, your place of work or the location of the suspected violation. In Austria, the responsible supervisory authority is the Data Protection Authority, Barichgasse 40-42, 1030 Vienna.

Separately, we would like to point out your right to object (Article 21 GDPR): If your particular situation gives rise to reasons that make the use of your personal data, which we process on the basis of a balance of interests, inadmissible, you have the right to object to this data use. If your personal data is used for direct advertising, you have the right to object at any time.

If you have any questions or uncertainties regarding your rights or your personal data, you can contact us at any time at the following email address: office@nikolaus-apotheke.at

  5. Security measures to protect your data

To protect your data, we have taken appropriate technical and organizational data security measures, which are regularly reviewed and adapted to technological progress. Our entire data collection and processing is designed around data protection-friendly default settings and appropriate technical design (data minimization). These measures include, among other things, ensuring the confidentiality, integrity and availability of data by controlling and monitoring physical and electronic access to data and its handling, as well as data entry, transfer and separation. We have also implemented measures to ensure the availability of data, internal processes for the rapid, complete and legally compliant handling of requests and safeguarding of the rights of data subjects, and a procedure for data leaks (“data breach”). We also take the protection of personal data into account when developing or selecting hardware, software and procedures, in accordance with the principles of data protection by design and by default.

All of your personal data is transmitted to our server encrypted using the Secure Sockets Layer (SSL) protocol. This protects the information from unauthorized access when transmitted over the Internet. This technology offers the highest level of security and is therefore also used by banks, for example, to protect data in online banking. You can tell that data is being transmitted encrypted by the closed key or padlock symbol shown in your browser’s status bar.

However, we would like to point out that due to the technical conditions of the Internet, it cannot be ruled out that the rules of data protection and data security are not observed by other people or organizations whose actions are not within our sphere of influence and responsibility.

  6. Links to other third party websites/services

This website contains links to other websites. If you click on such a link that leads to third party websites, please note that these websites have their own data protection regulations. Please check the privacy policy when using these websites as we accept no responsibility or liability whatsoever for third party websites.

  7. Changes to data protection regulations

Since changes to the law or to our internal company processes may require an adjustment to these data protection regulations, which we reserve the right to make, we ask you to read this data protection declaration regularly for any changes.