1. Data privacy
Subject of the Data Privacy Statement
The protection of your privacy when you use our Website is an important concern to us. This Statement provides information on which personal data will be gathered by us during your visit to our Website and for what purpose, how we use the gathered personal data, to whom we transmit the personal data and what your rights are regarding the gathered personal data.
We have taken appropriate technical and organisational measures to ensure that the regulations on data protection are observed both by us as well as by external contracted data processors.
This Website is exclusively targeted to users who are older than 14 years of age.
This Data Privacy Statement is limited to our Website and does not apply to websites of third-party providers that can be called up via this Website. We have no influence on the data processing by such third-party providers and do not provide any warranty nor accept liability in connection with such websites.
By using this Website, you declare your consent to the gathering and processing of your personal data in accordance with this Data Privacy Statement.
Gathering of personal data and purpose of the data processing
In general, we gather and use only the personal data that is needed to enable you to use our Website and to analyse and optimise it and other processes, to the extent permissible within the limits of legal regulations or on the basis of your consent.
You can generally use our Website without disclosing your personal data. Information on the operating system, browser, your IP address, the previous website called up by you (“referrer URL”) and the date of your visit to our Website are gathered automatically by means of cookies during your visit for the exclusive purpose of statistical analysis of our online presentation.
We gather this data solely for statistical purposes to be able to further optimise our internet appearance and make it more attractive. The gathering and temporary storage takes place exclusively in anonymised form without permitting any conclusions as to your identity in the course of this use.
Furthermore, personal data will only be gathered if you provide it, for example, in the course of a registration or by sending E-mails. Any personal data gathered in the process is used solely to fulfil the purposes for which the data has been provided to us and to which you have granted your consent.
Our Website uses Google Analytics, an advertising analysis service of Google Inc. ("Google"). Google Analytics uses so-called “cookies”. These are text files that are stored on your computer and that enable an analysis of the website utilisation by you. The information generated by the cookie about your utilisation of this website is generally transmitted to and saved on a server of Google in the USA. However, because of the IP anonymisation that is activated on this Website (“anonymizeIP”), your IP address will be truncated beforehand by Google within Member States of the European Union or in other signatory states of the Treaty on the European Economic Zone (so-called IP masking). The complete IP address will only be transmitted in exceptional cases to a Google server in the USA and it will be truncated there before further processing. By order of the controller of this Website, Google will use this information in order to analyse your utilisation of the website, compile reports about website activities, and perform additional services for Croma, which relate to the website utilisation and internet use. The IP address transmitted from your browser in the context of Google Analytics will not be combined with other data of Google. You can prevent the storing of the cookies by a corresponding setting of your browser software; however, we point out that you might not be able to use all functions of this website to full extent in that case. In addition, you can prevent the data that is generated by the cookie and relates to your utilisation of the website (incl. your IP address) from being transmitted to Google, as well as the processing of this data by Google, by downloading and installing the browser plug-in from the following link (http://tools.google.com/dlpage/gaoptout?hl=de).
Registration of physicians
To view contents on our Website, which are intended exclusively for physicians, you have to register with us, by specifying your name and E-mail address and confirming that you are a practicing physician. This personal data will be stored in our database for the purpose of later processing on login and verification that your statement has been obtained and documented.
Newsletter and information about events
Additionally, you can also tell us if you would like to receive a newsletter and if you wish to receive information about future events.
If you sign up for our newsletter with your E-mail address, we will use this E-mail address for our own advertising purposes until you unsubscribe from the newsletter. You can unsubscribe at any time by clicking the corresponding link in the respective newsletter or by sending an E-mail to firstname.lastname@example.org stating this wish.
When using our website and registration as physician, data will be stored automatically in our logfiles, which we receive from your browser during the visit (a browser is, for example, Internet Explorer, Firefox, Safari, etc.) This means that we know the IP address and that a cookie will be created automatically on your computer. These small files are pure information carriers that serve to recognise your browser, and optimise and simplify the use of our online offer. No viruses are produced, the computer will not be attacked and you will not be identified personally or be phished.
This cookie enables us to store your E-mail address, so that you will be recognised and logged in automatically on your next visit.
Of course, you can also view our Website without cookies. If you do not want us to recognise your computer, you can prevent the storing of cookies on your hard drive by deactivating the storing of cookies in your browser settings. To find out how this works exactly, please refer to the instructions of your browser manufacturer. If you do not accept any cookies, however, this can result in functional limitations of our offers.
Our Website can use so-called social plug-ins ("Plugins") of the social networks (1) Facebook, (2) Instagram, (3) LinkedIn, (4) Xing, (5) Vimeo and (6) Youtube ("Social Networks"). These are operated by (1) Facebook Inc., (2) INSTAGRAM, Inc., (3) LinkedIn Ireland Unlimited Company, (4) XING SE, (5) Vimeo LLC and (6) YouTube, LLC ("Providers").
When you call up a website that contains Plug-ins, your browser will establish a direct connection to the servers of the respective Provider. The content of the Plug-in is transferred by the respective Provider directly to your browser and integrated by it in the Website. By embedding the Plug-in, the corresponding Provider receives information that your browser has called up our Website. This takes place regardless of whether you have a profile with the relevant Social Network or are currently logging in.
If you are logged into the respective Social Network, it is able to attribute the visit of our website to your profile on the respective Social Network. If you interact with the Plug-in, for example, with the “Like” button of Facebook or if you enter a comment, the corresponding information will be transmitted from your browser directly to the relevant Provider where it will be stored.
You can find information in the respective Provider’s data privacy statements regarding the purpose and scope of the personal data gathering, the further processing, and use of the data by the respective Provider, as well as your rights in this regard and optional settings for the protection of your privacy.
Croma is More
If you register to our education program “Croma is More” (www.cromaismore.com), you consent to Croma processing your personal data (name, address, telephone number, email address, special field) for the purpose of conducting the program. For the same purpose, you also consent to receiving emails containing information in connection with the program (news about further education, workshops, symposia, etc.). You may withdraw your consent at any time.
Your personal data will be stored on servers within the European Union / the European Economic Area and processed in compliance with legal requirements within the Croma-Pharma Group (please see the list below) in order to fulfill the purpose mentioned above. In case Croma needs the assistance of external service providers who process your personal data (Order Processors), we concluded the necessary agreements to comply with our data protection obligations.
We store your personal data only as long as required to fulfill the mentioned purpose. After cessation of the purpose, your personal data will be immediately and entirely deleted.
For a detailed overview of your rights under the GDPR, please visit the section “Period of storage, right to obtain information, correction, objection and deletion of the personal data, right to revoke consent” below.
For the map display on our Website, we use Google Maps (controller: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google")). Through the use of Google Maps, information about the use of this Website including your IP address can be transmitted to Google.
When you call up a sub-page of our internet appearance that contains Google Maps, your browser will establish a direct connection to the servers of Google. The content of the map is transferred by Google directly to your browser, which integrates it in the Website. We therefore have no influence on the scope of the data gathered by Google this way.
You can find details on the purpose and scope of the data gathering, the further processing, and use of the data by Google, as well as your rights in this regard and optional settings for the protection of your data privacy in Google’s data privacy policies at: https://www.google.com/policies/privacy/
Data privacy – dissemination of personal data to third parties
Your data will be stored on the servers of Croma-Pharma GmbH (Austria), and be exchanged and used within the limits of the described purposes and legal regulations by the companies affiliated in the Croma Group (these include: Croma-Pharma GmbH, Croma GmbH, Croma Australia Pty Ltd, Croma Deutschland GmbH, Croma Pharma Produtos Medicos Ltda, Croma Aesthetics Canada Ltd., Croma Schweiz GmbH, Laboratorios Croma Estetica, SL, Croma France SASU, Croma Nederland B.V., Croma-Pharma Sp. Z o.o., Croma Pharma Romania SRL, Croma USA Inc.). Furthermore, your data will be transmitted to external service providers only in individual cases and only insofar as required for the web appearance.
We are authorised to disclose your personal data to other Croma Group affiliates inside and outside of the European Union (Australia, Brazil, Canada), provided that these undertake to process the data in accordance with the Data Privacy Statement and the applicable data protection law, and thereby guarantee an equivalent protection of your personal data.
We are likewise authorised to assign external contracted data processors inside and outside of the European Union with the processing of your personal data and to disclose your personal data to them for this purpose, provided that these undertake to process the data solely on our behalf and for our purposes, and that they comply with the Data Privacy Statement and the applicable data protection law.
Insofar as the personal data is hosted by us and/or through contracted data processors engaged by us in the domestic country, inside and outside of the EU and/or if it is processed otherwise, we will take the necessary organisational, technical and contractual measures in accordance with all applicable legal regulations, in particular the EU General Data Protection Regulation No. 679/2016, in order to assure a level of protection for the personal data that is equivalent to that, which would be provided if the data was hosted and/or processed otherwise in the EU.
Subject to a legal obligation or an order given by an authority or court, the personal data that we have received from you will not be passed on to third parties beyond this, unless your explicit consent has been obtained beforehand or we are obligated to do so under the law.
Period of storage, right to obtain information, correction, objection and deletion of the personal data, right to revoke consent
We store personal data within the limits of legal regulations only for as long as it is required to fulfil the purpose for which the data has been collected. After cessation of the purpose, your data will be immediately and entirely deleted.
At any time and free of charge, you have the right to request access to and rectification or erasure of personal data or restriction of processing concerning you or to object to processing as well as the right to portability of personal data, provided there is no legal obligation or other justified legal interest of Croma to retain your personal data. If the processing of your personal data was based on your consent, you may withdraw your consent at any time, without affecting the lawfulness of processing based on the consent before its withdrawal. Under certain circumstances you may have the right to lodge a complaint against the personal data processing with the responsible data protection authority.
A correct recording of your personal data is always an important concern to us. In order to have your personal data be corrected or deleted, please send an email to email@example.com specifying “Change of customer data at homepage” in the subject line.
Change of this Data Privacy Statement
The perpetual further technical development of the internet and any potential changes in the legal framework conditions may require adjustments to our Data Privacy Statement from time to time. We therefore reserve the right to change this Data Privacy Statement accordingly. Changes will apply from publication of the changed Data Privacy Statement on our Website. By continuing the use of this Website, you declare your agreement with the changes.
Contact our Data Protection Officer
2. Clinical Studies and Evaluation
I. The data we process
We process data of the following persons:
- Participants in clinical studies
- Staff at clinical study investigation sites
The following types of data are processed for the respective persons:
Participants in clinical studies (in pseudonymised form)
- Personal identifiable data including demographic data (e.g. name, address, date of birth, age, gender, social insurance number, photos…)
- Health data (Article 4 (15) GDPR)
Clinical study investigation site staff
Name, work address, phone and fax numbers, email address, Curriculum Vitae including documentation pertinent to education and experience in their medical field and respective clinical studies as well as training documentation and any other necessary documents to facilitate the conduct of a clinical study
II. Purpose and legal basis of data processing
As the manufacturer of medical devices and pharmaceuticals we are legally obliged to evaluate our products and conduct clinical studies in the role of the sponsor. As such we ensure that all clinical evaluation adheres to the high level of quality and safety required by regulation in order to gain market authorization. The personal data collected in the scope of these clinical studies are processed according to the Austrian data protection act as well as the GDPR.
The informed consent of participants in clinical studies (Article 9 (2a) and Article 6 (1a) GDPR) as well as our legal commitments to demonstrate the quality and safety of our medical devices and pharmaceuticals (Article 9 (2i) and Article 6 (1c) GDPR) form the legal basis for this data processing.
CROMA also processes data in order to meet the legal requirements of the MPG (Austrian Medical Devices Act) and the AMG (Austrian Medicinal Products Act) in their applicable versions at the time of processing. The transfer of data to Ethics Committees and domestic and foreign regulatory authorities in order to seek approval for the conduct of clinical studies, to gain market authorization or to meet regulatory requirements which result from the role of sponsor in clinical studies is permissible according to Article 6 (1c) GDPR.
III. Data transfer
CROMA and the clinical study site in question are jointly responsible for data processing while CROMA carries the main responsibility for data processing during the phase of market authorisation. To guarantee the protection of your data we have entered into an agreement according to Article 26 GDPR.
Before entering into a clinical study the clinical study site provides study participants with “Study participants and patient informed consent form” according to Articles 13 and 14 of the GDPR.
The clinical study investigation site staff receives respective information in the form of “Data Protection Information for Clinical Study Site”.
In accordance with the clinical investigation plan the clinical study site will only transfer personal data of study participants to CROMA in pseudonymised form. CROMA will maintain the pseudonymised status of study participants' personal data throughout and at no point in time attempt to identify or contact a study participant (e.g. by means of collected data). In the event of a study participant becoming identifiable to CROMA for whatever reason, CROMA is obliged to treat this information confidentially at all times.
In the course of a clinical study CROMA may contractually agree for a contract research organisation (a so-called CRO) or other 3rd party vendors (data processors) to ensure the correct conduct of the study at clinical study sites. We have entered into the necessary contractual agreements with these data processors according to Article 28 GDPR to ensure the protection of your data.
CROMA also processes data in order to meet the legal requirements of the MPG (Medical Devices Act) and the AMG (Medicinal Products Act) in their applicable versions at the time of processing. The transfer of data to Ethics Committees and domestic and foreign regulatory authorities in order to seek approval for the conduct of clinical studies, to gain market authorization or to meet regulatory requirements which result from the role of sponsor in clinical studies is permissible according to Article 6 (1c) GDPR.
In the scope of clinical studies it may be necessary to transfer data to nations outside of the EU/EEA. Such transfers are only actioned if the special requirements that apply to such a transfer according to Articles 44-49 GDPR are fulfilled.
In the case of personal data being processed in a non-EU/EEA nation the sponsor will provide all necessary guarantees to ensure an adequate level of data protection.
IV. Duration of storage
In accordance with legal and regulatory guidance on data storage periods, collected data will be stored for a minimum of 20 years. In no case will data be stored for time periods longer than those prescribed in the applicable laws and regulations.
Please be informed that withdrawal of your consent to participate in a given study has no effect on study processes or the processing of data that was collected from you following your informed consent at the study site. As a result your right to request deletion of data is waived according to Article 17 GDPR (Article 49 (5) Austrian Medical Devices Act 2021 (MPG), Article 39 (3a) Austrian Medicinal Products Act (AMG)).
Contents of external websites to which we refer directly or indirectly in our web appearance (by means of “hyperlinks” or “deep links") are outside of our sphere of control and responsibility and they are not appropriated by us. However, we can declare that we presume at the time when the respective link is set that no illegal contents are contained on the linked websites. We have no influence whatsoever on the current and future design or the contents of the linked pages and the copyrights authorisation in this regard. For this reason, we expressly disclaim any contents of any linked pages that were changed after the link was set. This determination applies to all links and references contained in our online appearance. Solely the provider of the linked page is liable for illegal, false or incomplete contents and in particular, for any damages that arise from the use of the information presented on the linked website. If we take notice of any illegal, criminal or false contents on websites that we link to, we will remove the link to them.