Data Protection

Thank you for your interest in our online presence. Protecting your personal data is very important to us. Below, we would like to inform you about how Aenova Holding GmbH handles your personal data. Naturally, we comply with the statutory provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection regulations. You can trust us with your personal data – it is encrypted by digital security systems and transmitted to us. Our website is protected against damage, destruction, or unauthorized access by technical measures.

1. Subject of Data Protection

The subject of data protection is personal data. According to Art. 4 No. 1 GDPR, personal data includes all information relating to an identified or identifiable natural person. This includes details such as name, postal address, email address, or telephone number, as well as usage data like your IP address.

2. Controller and Data Protection Officer

The controller responsible for data processing related to the operation of this website is:

Aenova Holding GmbH (Aenova)
Berger Straße 8–10
82319 Starnberg

Date: 25.09.2024

You can contact the appointed Data Protection Officer at:
Datenschutz(at)aenova-group.com

3. Scope of Data Collection and Processing During Website Visits

When visiting the Aenova website, information automatically transmitted by your browser is logged. This includes:

The IP address of your device

Date and time (including time zone) of each website access

The specific page or file requested

The domain from which the request originated (referrer URL)

Your device’s operating system and browser

These data are stored in our system’s log files and are not combined with other personal data.

Temporary storage of your IP address is necessary for our system to deliver the website to your device. To protect your privacy, we use IP anonymization, shortening your IP address to ensure it can no longer be directly linked to you. Log file storage ensures the website’s functionality, optimization, and security of IT systems. These data are not used for marketing purposes. The legal basis for temporary data storage and log files is Art. 6(1)(f) GDPR, based on our legitimate interest in providing the website.

Data are stored only as long as necessary to achieve the purpose of their collection. Data required for website functionality are deleted when the respective session ends.

4. Purpose-Specific Data Use and Disclosure to Third Parties

We adhere to the principle of purpose-specific data use, collecting, processing, and using your personal data only for the purposes for which you have communicated or we have collected the data. For details, please refer to the remaining sections of this privacy policy.

Your personal data will not be disclosed to third parties without your explicit consent. Data will only be transmitted to third parties based on your consent (Art. 6(1)(a) GDPR) or for contract fulfillment (Art. 6(1)(b) GDPR). Data may also be disclosed to authorized government institutions or courts as required by law or judicial decisions (Art. 6(1)(c) GDPR).

Internally, we take data protection seriously. Our employees and service providers are bound by confidentiality agreements and compliance with data protection regulations.

5. Data Retention and Deletion

Your personal data are retained only as long as necessary to fulfill the intended purpose (e.g., to respond to inquiries) or as required by statutory retention periods. Once retention periods expire, your data will be restricted from processing and deleted according to legal requirements.

6. International Data Transfers

If data are processed in a third country (countries outside the European Union (EU) or the European Economic Area (EEA)), this is done only in compliance with legal requirements. This also applies when data are processed in connection with the use of third-party services or disclosed or transmitted to other individuals, entities, or companies.

Subject to explicit consent or a contractual or legally required transmission (see Art. 49 GDPR), we process or allow data to be processed only in third countries with an officially recognized level of data protection (Art. 45 GDPR), under the existence and adherence to contractual obligations through so-called standard contractual clauses of the EU Commission (Art. 46 GDPR), or when certifications or binding internal data protection regulations are in place (see Art. 44 to 49 GDPR, EU Commission information page: commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_de).

Under the adequacy decision of July 10, 2023, known as the "EU-U.S. Data Privacy Framework" (DPF), the EU Commission has recognized the United States as providing an adequate level of data protection. The prerequisite is that the organization to which the data are transferred is certified under the DPF. You can find the list of certified companies and further information about the DPF on the U.S. Department of Commerce website at www.dataprivacyframework.gov/s/ (in English).

The following service provider we use, based in the U.S., is certified under the DPF:

Google LLC

7. Your Rights as a Data Subject

You have the right, pursuant to Article 15(1) of the GDPR, to obtain information free of charge upon request regarding the personal data stored about you.

In addition, and where the legal requirements are met, you have the right to rectification (Article 16 GDPR), erasure (Article 17 GDPR), and restriction of processing (Article 18 GDPR) of your personal data.

If data processing is based on Article 6(1)(f) GDPR (legitimate interests), you have the right to object pursuant to Article 21 GDPR. Should you object to the processing of your data, such processing will cease in the future unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms.

If you have provided the processed data yourself, you have the right to data portability pursuant to Article 20 GDPR.

Where data processing is based on your consent under Article 6(1)(a) or Article 9(2)(a) GDPR, you may withdraw this consent at any time with effect for the future, without affecting the lawfulness of processing based on consent before its withdrawal. You may modify your consent preferences at any time.

If you believe that your data is being processed unlawfully, you also have the right to lodge a complaint with a supervisory authority.

To exercise your rights as set out above, please contact us using the contact details provided above or send an email to us or our Data Protection Officer. We are happy to assist you at any time with further questions regarding our privacy policy and the processing of your personal data.

8. Use of Cookies

We use technical tools on our website for various functions, particularly cookies, which may be stored on your device. When accessing our website and at any time thereafter, you have the option to allow all cookies, only specific additional functions, or disable them altogether. You can make changes in your browser settings or through our consent manager. Below, we describe cookies from a technical perspective before elaborating on your individual options, distinguishing between technically necessary cookies and those that you can voluntarily enable or disable.

Cookies are text files or information stored in a database on your hard drive and associated with the browser you are using. These allow the entity placing the cookie to receive specific information. Cookies cannot execute programs or transmit viruses to your computer. They primarily serve to make the website faster and more user-friendly.

This website uses the following types of cookies, which are explained below along with their functionality and legal basis:

Transient Cookies:
These cookies, including session cookies, are automatically deleted when you close your browser or log out. They contain a session ID, which allows various requests from your browser to be associated with the same session. This enables your computer to be recognized when you return to our website.

Persistent Cookies:
These cookies are automatically deleted after a predefined period, which varies depending on the cookie. You can view and manually delete the cookies and their lifetimes at any time in your browser settings.

Mandatory Functions Necessary for Website Display:
The technical structure of the website requires the use of certain technologies, particularly cookies. Without these technologies, the website cannot be displayed fully or correctly, and certain support functions may not work. These are generally transient cookies, which are deleted at the end of your visit, at the latest when you close your browser. These cookies cannot be disabled if you wish to use our website. The specific cookies are listed in the consent manager. The legal basis for this processing is § 25(2) No. 2 of the German Telecommunications-Telemedia Data Protection Act (TTDDG) in conjunction with Art. 6(1)(f) GDPR.

Optional Cookies with Your Consent:
Various cookies are only set with your consent, which you can provide during your first visit to our website via the cookie consent tool. These functions are activated only with your approval and may, for instance, help us analyze and improve visits to our website, simplify navigation across different browsers or devices, recognize you on subsequent visits, or display advertising (e.g., tailored ads, measuring the effectiveness of ads, or interest-based advertising). The legal basis for this processing is § 25(1) TTDDG in conjunction with Art. 6(1)(a) GDPR. You can withdraw your consent at any time without affecting the lawfulness of the processing carried out before withdrawal.

9. Data Processing for Contact and Use of Contact Forms

In the context of data processing for our employee referral program, a distinction is made between whether you are an individual referring a contact (employee) or a referred individual applying for a vacancy at our company (candidate).

Employee:

As part of the Aenova Group's employee referral program, personal data are collected from current employees of companies belonging to the Aenova Group. The employee status is confirmed explicitly via the corresponding landing page. If you incorrectly state that you are an employee of a company within the Aenova Group, the data you provided will be immediately deleted upon discovery of this misinformation.

Your data from the contact form will only be transferred to our recruiting tool, onlyfy one (see Section 10), if the person you referred submits an application using your personal referral link. These data are necessary to associate you with the referred person.

The processing of these data is carried out exclusively within the framework of the program and based on your consent in accordance with Art. 6(1)(a) GDPR.

The data you enter in the contact form will remain with us until you request their deletion, revoke your consent for storage, or the purpose for storing the data no longer applies (e.g., after your inquiry has been processed). Mandatory legal provisions, especially retention periods, remain unaffected.

Candidate:

If you are a referred individual (candidate) submitting your contact details, we will evaluate whether you qualify for one of our advertised vacancies. You will be informed about the next steps via the contact method you provided (email and/or phone). Your data will not be shared without your explicit consent.

The processing of these data is based on your consent in accordance with Art. 6(1)(a) GDPR. Consent may be revoked at any time.

Option to Upload a Resume:

As part of your application, you have the option to upload a resume in PDF format by selecting the appropriate checkbox. The data provided are stored on our website server. The storage and processing of these data are for the purpose of managing applications and communicating with candidates. Access to these data is restricted to individuals involved in the technical implementation of the employee referral program and our HR experts.

The legal basis for this data processing is your explicit consent in accordance with Art. 6(1)(a) GDPR. You may revoke your consent to store and process your data at any time with future effect. Your data will be deleted after the completion of the application process or upon revocation of your consent, provided that no statutory retention periods conflict with deletion.

The following companies are part of the Aenova Group:
Aenova Holding GmbH, Swiss Caps GmbH, Temmler Italia S.r.l., SWISSCAPS Romania S.r.l., C.P.M. ContractPharma GmbH, Contract Packaging Resources, Inc., Haupt Pharma Wülfing GmbH, Temmler Ireland Limited, SWISS CAPS AG, Haupt Pharma Latina S.r.l., Temmler Pharma GmbH, Haupt Pharma Münster GmbH, Haupt Pharma Amareg GmbH, SwissCo Services AG, Dragenopharm Apotheker Püschl GmbH, Aenova Sales International GmbH, Aenova IP GmbH

10. Use of Mittwald

We host the content of our website with the provider Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp (Mittwald).

When you visit our website, your personal data (e.g., IP addresses in log files) are processed on Mittwald's servers.

The use of Mittwald is based on Art. 6(1)(f) GDPR. We have a legitimate interest in ensuring the most reliable presentation, delivery, and security of our website.

We have entered into a Data Processing Agreement (DPA) with Mittwald in accordance with Art. 28 GDPR. This legally required agreement ensures that Mittwald processes the personal data of our website visitors exclusively in accordance with our instructions and in compliance with GDPR.

Further information about data protection can be found at: www.mittwald.de/datenschutz.

11. Use of Google Fonts

Our website uses Google Fonts to ensure a consistent display of fonts. These fonts are provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google corporate group, headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

When you access a page, your browser loads the necessary fonts into its cache to display text and fonts correctly. To do this, the browser you are using establishes a connection to Google's servers. This allows Google to know that your IP address has accessed our website. The use of Google Fonts is in the interest of providing a uniform and appealing presentation of our website.

These processing operations are carried out only with your explicit consent in accordance with Art. 6(1)(a) GDPR.

Further information about Google Fonts and Google's privacy policy can be found at:
developers.google.com/fonts/faq
www.google.com/policies/privacy

12. Use of Google reCAPTCHA

Our website integrates the Google reCAPTCHA service. The provider of this service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google corporate group, headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The reCAPTCHA function primarily serves to determine whether an input is made by a natural person or abusively through automated or machine-based processing. The service also involves the transmission of the IP address and, if necessary, other data required by Google for the reCAPTCHA service to Google.

These processing operations are carried out exclusively with your explicit consent in accordance with Art. 6(1)(a) GDPR.

The parent company, Google LLC, is certified under the EU-U.S. Data Privacy Framework. This certification constitutes an adequacy decision under Art. 45 GDPR, allowing the transfer of personal data without additional safeguards or measures.

For more information about Google reCAPTCHA and Google's privacy policy, please visit: www.google.com/intl/de/policies/privacy/.

13. Use of onlyfy one in the Application Process

The personal data you provide as an applicant in the contact form are transferred via an interface to our recruiting tool, onlyfy one (by XING).

onlyfy one is part of the comprehensive XING service offered by New Work SE. The goal of this service is to enhance and simplify the professional lives of users through a variety of applications (including onlyfy one, the XING social network, kununu, etc.). At the same time, it aims to make work more fulfilling for individuals and more successful for businesses.

onlyfy one serves as an online platform where companies (recruiters) and talents/applicants (candidates) come together. Through this platform, companies can:

Publish job advertisements,

Identify suitable talents (potentially from the XING professional network),

Receive and manage applications, and

Communicate directly with talents and applicants.

New Work SE facilitates this connection between talents and companies by, among other things, recommending candidates, displaying profiles within the company’s account, and providing recruitment-relevant information and analytics based on the processed data. These data may originate from onlyfy one itself, other XING applications, or external sources.

Joint Responsibility

Regarding the shared use of Aenova’s company account on onlyfy one, there is joint responsibility between Aenova (recruiter) and New Work SE in accordance with Art. 26 GDPR. Both parties jointly determine the purposes and means of data processing as defined in Art. 4 No. 7 GDPR. You can view the current version of the agreement on joint responsibility, established between New Work SE and the companies using onlyfy one, here: www.xing.com/terms/onlyfy-one. This document provides details about the key aspects of the joint responsibility agreement.

Data Processing by New Work SE

For data processing that is solely the responsibility of New Work SE or carried out jointly with Aenova, further information can be found in XING’s privacy policy. This also includes the contact details for New Work SE and its Data Protection Officer.

Access to Your Data

The data you provide during the online application process can be viewed, edited, or updated in your candidate profile at any time.

Specific Features of onlyfy one

If you use the calendar function, your data will be processed for the purpose of scheduling appointments during the application process. The legal basis for this processing is Art. 6(1)(f) GDPR. The calendar function is provided by Cronofy Ltd., an IT service provider based in the United Kingdom. The UK is classified as a secure third country under the adequacy decision of the European Commission.

For more information about Cronofy’s data protection measures, visit:
www.cronofy.com/gdpr/
docs.cronofy.com/policies/privacy-notice/.

14. Scope of this privacy Policy

This privacy policy applies solely to the content on the website of Aenova Holding GmbH. It does not cover content and websites of third parties to which our offering merely provides links. This includes, for example, social networks such as Facebook, Twitter, Xing, YouTube, and LinkedIn. The processing of your personal data on these social networks is carried out by the respective network operator, and we have no influence on this processing. For information on how your personal data is handled and protected on these platforms, please refer to the privacy policy of the respective platform.

However, if we store personal data that you have shared with us via a social network or that we have received from a social network on our own servers and use it to process your inquiry, concern, or for other purposes, our explanations in this privacy policy naturally apply to that extent.

15. Right to Amend

Please note that data protection regulations and practices are subject to continuous change. We also reserve the right to amend the measures and provisions described here—within the scope of existing legal requirements—if necessary due to new technological developments, changes in legal rulings, or adjustments to our business operations. It is therefore advisable and necessary to stay informed about changes in legal requirements and the practices of companies, including ours and, for example, Google. We kindly ask you to always refer to the latest version of this privacy policy.