Last update: April 2021
- the personal data we collect, store, process, block and erase (collectively referred to as ‘processing’) as part of the grant application process for funding of a study,
- what we use these data for,
- how you can object or withdraw your consent to the use of these data and
- the other rights you have as a data subject and how you can assert them.
1. Who is responsible for data processing and who is the contact person for queries regarding data processing?
The responsible body for data processing (data controller) in the sense given in the GDPR is:
92318 Neumarkt, Germany
Phone: +49 (0) 9181 231-90
Fax: +49 (0) 9181 231-265
Our company data protection officer can be reached via email at firstname.lastname@example.org or by post at the above address (please include the line ‘ATTENTION: Data Protection Officer’).
2. Am I obligated to provide data?
In the context of the grant application process for funding of a study, you only have to provide the personal data about yourself and the most important members of your proposed study team which is required for the selection process for funding the study, or which we are legally obligated to collect. Without this data we will normally not be able to financially support a study.
3. Which sources and data does Bionorica SE use?
We process personal data which we receive within the scope of the grant application process for funding of a study.
The personal data which we process includes in particular:
- name and other contact details such as address, telephone number and email address,
- CV and proof of qualifications (e.g. GxP certificates),
- remuneration for members of the study team (as part of the cost grid you provide),
- other data comparable to the mentioned categories.
4. Processing purposes and legal basis
We process personal data in accordance with the provisions of the European General Data Protection Regulation (EU GDPR) and the German Federal Data Protection Act (BDSG) according to the following legal bases:
4.1. To fulfil contractual obligations (Art. 6 para. 1 cl. 1 lit. b of the GDPR)
Data is processed to perform contracts concluded with you or to implement precontractual measures at your request (e.g. reviewing the proposal during the grant application process for a trial).
4.2. Within the scope of balancing of interests (Art. 6 para. 1 cl. 1 lit. f of the GDPR)
As far as necessary, we process personal data beyond the scope of the contract to protect our legitimate interests (e.g. a sound commercial overview of the research grant, proof of qualifications of the members of the research team).
4.3. Based on your consent ( Art. 6 para. 1 cl. 1 lit. a of the GDPR)
If you granted us consent to process personal data for specific purposes, this processing is lawful based on this consent.
After granting your consent, you can withdraw it at any time. This also applies to the withdrawal of declarations of consent given to us before the GDPR came into effect. Please note that withdrawal of your consent does not affect the lawfulness of processing carried out up to the time of withdrawal.
You can withdraw consent free of charge by sending a formless statement to the contact given in Section 1. If you withdraw your consent by telephone, we may ask you to provide additional proof of your identity in another way..
4.4. Based on legal requirements (Art. 6 para. 1 cl. 1 lit. c of the GDPR) or in the public interest (Art. 6 para. 1 cl. 1 lit. e of the GDPR)
Like every company, Bionorica SE has numerous legal obligations which make processing of personal data necessary. As examples, e.g., identification obligations for prevention of money laundering or meeting of tax obligations and regulatory documentation requirements for medicinal products can be stated here.
5. When is automated individual decision-making used?
We generally do not use fully automated decision-making according to Article 22 of the GDPR in the context of the grant application process for funding of a study. If we employ these procedures in individual cases, we will inform you of this separately insofar as we are required to do so by law.
6. Who receives my data?
Within Bionorica SE, those offices and departments requiring your data for the fulfilment of our contractual and legal obligations receive your data. Service providers employed by us may also receive data for these purposes, but within the scope of so-called contract data processing they are obligated to meet the data protection requirements that are also applicable to us. They can be, e.g., companies in the fields of IT services, logistics, print services and telecommunications as well as consultancies and marketing agencies.
We only pass on data to recipients outside Bionorica if there is a legal basis, (e.g. legal obligation, consent, legitimate interest etc.). For example, in the case of a joint research grant personal data (e.g. name, contact details and proof of qualifications of the research team) may be shared with the collaborative research partner.
7. Are data transferred to companies in third countries or to international organisations?
In general, your personal data are not transferred to third parties outside the European Union (third countries). However, it may be necessary to discuss your proposal with the BNO subsidiary in the home country of the sponsor, e.g. to foster an extensive decision-making process during the application. Even in these cases, we only transfer data to bodies in countries outside the European Union (so-called third countries) if, in addition to the general requirements for data transfer, an adequacy decision exists (Article 45 GDPR) or appropriate safeguards are in place (Article 46 GDPR) and, if necessary, additional measures are taken or the requirements of Article 49 are met (e.g. consent has been given).
8. How long are my data stored?
We process your personal data only as long as necessary to fulfill the processing purposes described above. Once the data are no longer needed for this purpose, they are erased unless their further processing is necessary – for a limited period – for the following purposes:
- fulfilment of retention obligations according to commercial and tax law: the German Commercial Code (HGB) and the German Money Laundering Act (GwG) should be mentioned. The retention and documentation periods prescribed there can be up to ten years.
- preservation of evidence in the context of the statute of limitations. Pursuant to Sections 195ff. of the German Civil Code (BGB) these statutory limitation periods can be up to 30 years, whereby the normal limitation period is three years.
If your proposed study is not eligible for funding, the personal data will be deleted six months after our final decision, with the exception of your name and contact details, which we store for five years. In the case of a grant being approved, we store or process the data for a period of ten years after completion of the study.
9. What rights do I have as a data subject?
As a data subject you have the right to access pursuant to Article 15 of the GDPR, the right to rectification pursuant to Article 16 of the GDPR, the right to erasure pursuant to Article 17 of the GDPR, the right to restriction of processing pursuant to Article 18 of the GDPR and the right to data portability according to Article 20 of the GDPR. With respect to the right to access and the right to erasure, the limitations set forth in Sections 34 and 35 of the BDSG apply. You also have the right to lodge a complaint with a responsible data protection supervisory authority (Article 77 of the GDPR in conjunction with Section 19 of the BDSG).
You also have the right to object under Art. 21 GDPR. You can object to the processing of personal data on the basis of Art. 6 para. 1 lit. e or f GDPR at any time without giving reasons.