Data Security

Data security

We take the protection and security of our employee, business partner, and customer data seriously. 
The respect of privacy is thus a serious concern to which we pay special attention when processing and using personal data. Insofar as personal data is collected (e.g. your name, address, or other contact details), it is processed and used exclusively in accordance with applicable data protection regulations.
In the following we would like to inform you about the collection of personal data when using this website. Personal data is any data that refers to you personally – e.g. name, address, e-mail address, user behaviour.

1. Controller & Data Protection Officer

The controller responsible for the collection, processing, and use of your personal data in the context of the General Data Protection Regulation (GDPR) is:

PHOENIX Pharmahandel GmbH & Co KG
Pfingstweidstraße 10–12
68199 Mannheim, Germany

Headquarters: Mannheim
Register Court: Local Court Mannheim HRA 3551
You can contact our data protection officer at Datenschutz(at) or via our postal address, marked for the attention of “the data protection officer”.

2. Collection of personal data when visiting our website

(1) When you use the website for information purposes only – i.e. if you do not register or otherwise provide us with information – we collect only the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security:
–    IP address
–    Date and time of the request
–    Time zone difference from Greenwich Mean Time (GMT)
–    Content of the request (specific page)
–    Access status/HTTP status code
–    Amount of transferred data
–    Referrer URL
–    Browser
–    Operating system and its interface
–    Language and version of the browser software

The lawful basis for processing this data is Art. 6(1)(f) GDPR. Our interests in the data processing are, in particular, to enable the use of the website by guaranteeing the stable operation and security of the website. Where not specifically indicated, we store personal data only for as long as it is necessary to fulfil the purposes for which it was collected.

(2) In addition to the aforementioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive by the browser and through which certain information flows. Cookies cannot execute programs or transmit viruses to your computer. Their purpose is to make websites more user-friendly and effective.

So that we can determine whether you have consented to the processing of data in connection with cookies/plug-ins (if necessary), we set a cookie, on the basis of our legitimate interest (Art. 6(1)(f) GDPR), that informs us to which type of data processing you have given your consent or if you have not consented.

Of course, you can also view our website without cookies. Internet browsers are generally set to accept cookies. You can disable the use of cookies at any time via your browser settings. Please use the help functions of your Internet browser to find out how to change these settings. Please note that some features of our website may not work if you have disabled the use of cookies.

(3) If you have given us your consent, we will use Google Analytics, a web analytics service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”). Google Analytics allows us to compile statistics about the use of our website and its sources. The cookies are stored for two years. We use Google Analytics exclusively for statistical purposes – e.g. to track how many users have clicked on a specific element or piece of information.
The lawful basis for the processing is your consent (Art. 6(1)(a) GDPR), which you can provide in the cookie banner. If you have not given us your consent, your use of our website will not be recorded by Google Analytics.
Google Analytics is based on cookies and records information about your use of our website, including your IP address. To prevent website visitors being identified via their IP addresses, we use a specific code to ensure that your IP address is only transmitted in a truncated and therefore anonymous form. It is no longer possible to identify individual users with this shortened IP address. 

You can find more information about data protection with Google Analytics here.
You may revoke your consent with effect for the future by downloading and installing the plug-in available from the following link: .
In addition, you can change the settings at here or via the opt-out page of the Network Advertising Initiative (NAI). 
Alternatively, you can also disable Google cookies via the Digital Advertising Alliance website using the following link:!/
Finally, you can prevent cookies from being stored via your browser’s general settings.
General note about Google: 
The information recorded by Google Analytics is sent to Google, which is based in the USA. Google is self-certified under the Privacy Shield to ensure adequate protection of your personal data in accordance with EU law.

Further information about data protection at Google can be found at

3. E-Mail Contact

If you contact us (e.g. via the contact form or e-mail), we store your details in order to process your query and for any follow-up questions. We delete this data when it no longer needs to be stored or restrict its processing if there are legal obligations to keep the data. We store and use other personal data only if you consent to this or this is legally permissible without specific consent.

4. Newsletter

(1) By actively giving your consent you can subscribe to our newsletter, with which we inform you about our current interesting offers and services. The advertised goods and services are named in the declaration of consent.

(2) We use the double opt-in procedure to subscribe to our newsletter. This means that after your registration we will send you an e-mail to the specified e-mail address in which we ask you to confirm that you would like the newsletter to be sent. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store your IP addresses and the time of registration and confirmation. The purpose of the procedure is to be able to prove your registration and, if necessary, to clarify a possible misuse of your personal data.

(3) The only mandatory information for sending the newsletter is your e-mail address. The indication of further, separately marked data is voluntary and is used to be able to address you personally]. After your confirmation we will save your e-mail address for the purpose of sending you the newsletter. The legal basis is Art. 6 (1) lit. a GDPR.

(4) You can revoke your consent to the sending of the newsletter at any time and cancel the newsletter. You can declare your revocation by clicking on the link provided in every newsletter e-mail, by e-mail to or by sending a message to the contact details stated in the imprint.

5. Google Fonts

To ensure the consistent display of fonts, our website uses the fonts service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (”Google”). When you access a webpage, your browser loads the required web fonts into your browser’s cache in order to correctly display text and fonts. To do this, the browser you are using needs to communicate with Google’s servers. This involves transmitting personal data to the servers of Google LLC in the USA. Google will be informed, for example, that our website has been accessed via your IP address. Google Fonts is used to ensure that our online services are presented in a consistent and attractive way. Our legitimate interests within the meaning of Art. 6(1)(f) GDPR are derived from these purposes. 
In the event that personal data is transmitted to Google LLC, which is based in the USA, Google LLC has obtained certification under the EU–US data protection convention Privacy Shield, which guarantees compliance with the level of data protection applicable in the EU.
You can find more information on Google Fonts at and in Google’s Privacy Policy:

General note about Google: 
The information recorded by Google Maps is sent to Google, which is based in the USA. Google is self-certified under the Privacy Shield to ensure adequate protection of your personal data in accordance with EU law. Further information about data protection at Google can be found at

6. Vimeo

We use the provider Vimeo to embed and display videos; our legitimate interests are directly derived from these purposes. Vimeo is operated by Vimeo, LLC, with its headquarters at 555 West 18th Street, New York, NY 10011, USA. If you access webpages forming part of our Internet presence that contain embedded videos – e.g. if you play a video – a connection is established with the Vimeo servers and the video is shown. Information about which of our webpages you have visited, and your IP address is then transmitted to the Vimeo server. If you are logged in to Vimeo as a member, Vimeo will associate this information with your personal user account. If you use the plug-in – e.g. click the play button on a video – this information is also associated with your user account. The lawful basis is Art. 6(1) sentence 1(f) GDPR. You can prevent this information from being associated with your account by logging out of your Vimeo user account before using our website and deleting the relevant cookies from Vimeo.
For more information on data processing and advice on data protection by Vimeo, please visit

7. Social Plugins

On our website social plugins ("plugins") are used by social networks.

In order to increase the protection of your data when visiting our website, the plugins are not unrestricted, but only integrated into the page using an HTML link (so-called "Shariff solution" from c't). This integration ensures that no connection is established with the servers of the provider of the respective social network when a page of our website containing such plug-ins is called up. Click on one of the buttons, a new window of your browser opens and calls up the page of the respective service provider, on which you can (if necessary after entering your login data) e.g. press the Share button.

The purpose and scope of data collection and the further processing and use of the data by the providers on their pages as well as your relevant rights and setting options for the protection of your privacy can be found in the data protection information of the following providers:

XING AG (Dammtorstr. 30 - 20354 Hamburg - Germany)

LinkedIn Corporation (2029 Stierlin Court - Mountain View - CA 94043 - USA)

facebook Inc. (1601 p. California Ave, Palo Alto, CA 94304, USA)

Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043 USA)

Twitter Inc. (795 Folsom St., Suite 600, San Francisco, CA 94107, USA)

8. Photos

We often take photos at events. The photos are used internally and externally (in print media, on websites, etc.). On arrival at the event, attendees are advised that photos may be taken and used. Every effort is made when taking and publishing photos to ensure that this does not violate the legitimate interests of the groups of persons pictured.
The lawful basis for processing this data is generally a legitimate interest within the meaning of Art. 6(1)(f) GDPR: Customer and/or employee events and presentation of the data controller’s marketing activities, as well as consent (Art. 6(1)(a) GDPR). You have the right to object to this processing: datenschutz-pph(at) 
The photos will generally be deleted within 12 months of their creation, insofar as the purposes of taking the photo no longer apply.

9. Your rights

In the following we would like to inform you about your rights according to the GDPR:

Right of access
You have the right to request confirmation of whether data concerning you is being processed and, if this is the case, to request information regarding this data according to Art. 15 GDPR.

Right to rectification
In accordance with Art. 16 GDPR, you have the right to request the completion or correction of inaccurate data concerning you.

Right to erasure
With reference to Art. 17 GDPR, you have the right to demand that your personal data be deleted, provided that there are no legal obligations to keep the data. 

Right to restriction of processing
You may demand restriction of the processing in accordance with Art. 18 GDPR.

Right to data portability
You have the right to request a copy of the personal data we hold about you and, in addition, to request that it be transmitted to other data controllers.

Right to object
You may object to the processing of your personal data in accordance with Art. 21 GDPR at any time.

Right to withdraw consent
You have the right to withdraw consent at any time in accordance with Art. 7(3) GDPR with effect for the future.

Right to lodge a complaint with a supervisory authority
In accordance with Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.

10. Reporting System

The PHOENIX group, i.e. the PHOENIX Pharmahandel GmbH & Co KG as well as its affiliated companies according to §§ 15ff AktG, has established a web based reporting system which is designed to enable employees, business partners, customers and third parties an easy system by which to report data incidents or concerns. These reports are taken seriously and are reviewed and actioned regularly and are used to improve the protection of personal data. 

You can access this reporting tool at any time via:

In order to explain the background to the reporting system in more detail, we have also answered a number of frequently asked questions below:

When should I report an incident?
PHOENIX group has an obligation to notify the supervisory authority within 72 hours of becoming aware of an incident, due to this, all incidents must be reported without delay via the online reporting tool.

What data incidents should be reported and how?
All personal data incidents are to be reported to the Data Protection team via the online reporting tool.

What is a data protection incident?
Data Protection incidents are any event which has, or could have, resulted in the accidental or deliberate loss of personal data (electronic or paper) or destruction of data, or unauthorised access to data (e.g. loss or theft of laptop, smartphone, paper record, prescriptions).

What happens after I submit a report?
The Data Protection team will review the incident report and will contact you for further information or, where necessary, will assist you with the post incident actions.

11. General Comments

We reserve the right to modify our data protection declaration. This may be necessary as a result of technical developments, for example. We therefore ask you to consult the data protection declaration from time to time and to apply the current version.

If you have any further questions regarding the processing of your personal data, please contact the designated data protection officer.