Below you will find information on how Komtur Pharmaceuticals e.K. (“Komtur”) processes personal data. Personal data means any information relating to an identified or identifiable natural person.
Personal data may be collected and processed for various purposes when you use our website, interact with our services, communicate with us as a business partner, apply for a position, use KOMfinder, or submit or route safety-related information. This Privacy Policy explains what data we process, for what purposes, on what legal basis, to whom it may be disclosed, how long it is kept, and what rights you have under applicable data protection law.
If you have any questions regarding data protection, please contact us using the details set out below.
1. Controller and General Information
Controller
Komtur Pharmaceuticals e.K.
Am Flughafen 6
79108 Freiburg im Breisgau
Germany
Phone: +49 (0)761 504 23 0
Email: info[@]komtur[.]com
Komtur Pharmaceuticals e.K. is the controller within the meaning of the GDPR, unless this Privacy Policy expressly states otherwise.
Data Protection Officer
We have appointed a Data Protection Officer.
You can contact the Data Protection Officer by email at: datenschutz[@]komtur[.]com
or by post at the above address (Attn.: Data Protection Officer).
General legal bases for processing
Depending on the specific processing activity, we process personal data on one or more of the following legal bases:
Art. 6(1)(a) GDPR — consent
Art. 6(1)(b) GDPR — performance of a contract or pre-contractual measures
Art. 6(1)(c) GDPR — compliance with a legal obligation
Art. 6(1)(f) GDPR — legitimate interests
Where special categories of personal data are processed, such as health data, we rely on an additional basis under Art. 9(2) GDPR, in particular:
Art. 9(2)(a) GDPR — explicit consent
Art. 9(2)(i) GDPR — public interest in the area of public health
other applicable exceptions under Art. 9(2) GDPR where relevant to the specific processing activity
Where storage of, or access to, information on your end device takes place, the applicable legal basis under the TDDDG also applies. For strictly necessary technologies, § 25(2) TDDDG applies. For non-essential cookies or similar technologies, we rely on consent under § 25(1) TDDDG and, where personal data is subsequently processed, Art. 6(1)(a) GDPR.
Where we process data of contact persons acting on behalf of a company, hospital, pharmacy, authority, supplier, customer, or other organisation, the legal basis is often Art. 6(1)(f) GDPR. Our legitimate interest is the efficient, secure, and transparent initiation, performance, documentation, and management of business relationships and regulatory processes.
Provision of personal data
Unless expressly stated otherwise, there is no legal obligation to provide personal data. However, where fields or data are identified as mandatory, provision of that data may be required by law, contract, or for the performance of pre-contractual measures or the use of a service. If you do not provide the mandatory data, we may be unable to respond to your request, process your application, create or maintain an account, provide a service, or fulfil contractual or regulatory obligations, as applicable.
Automated decision-making
Komtur does not currently carry out automated decision-making, including profiling, within the meaning of Art. 22 GDPR. Should this change, this Privacy Policy will be updated accordingly.
General information on recipients, retention and transfers
Within Komtur, personal data is disclosed only to those departments and persons who need it for the relevant purpose. We also use carefully selected service providers acting as processors where necessary.
Unless a specific retention period is stated below, we retain personal data only for as long as necessary for the relevant purpose, and thereafter only where statutory retention obligations, limitation periods, or overriding legitimate interests require further storage.
Where personal data is transferred outside the EU or EEA, we do so only in accordance with Chapter V GDPR.
Controller / joint controller / processor roles
Unless expressly stated otherwise, Komtur acts as the controller for the processing activities described in this Privacy Policy. Depending on the specific engagement and processing activity, Komtur may also act as an independent controller, joint controller, or processor where this follows from the actual processing arrangement and applicable law. Where Komtur acts as a joint controller, the essence of the arrangement will be made available in accordance with Art. 26 GDPR.
Sources of personal data
Personal data is generally collected directly from the data subject. Where necessary and lawful, we may also obtain personal data from third parties, such as employers, business partners, group companies, service providers, public registers, publicly available sources, authorities, or other persons involved in the relevant process. Where we do not collect personal data directly from you, we will provide the information required by Art. 14 GDPR unless a statutory exemption applies.
2. Your Rights as a Data Subject
Under the GDPR, you have the following rights, subject to the applicable statutory conditions and limitations.
Right to withdraw consent
Where processing is based on consent, you may withdraw your consent at any time with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to object
Where processing is based on Art. 6(1)(e) or Art. 6(1)(f) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data.
If personal data is processed for direct marketing purposes, you have the right to object at any time to such processing. If you object, your personal data will no longer be used for direct marketing.
Right of access
You have the right to obtain confirmation as to whether we process personal data concerning you and, where that is the case, access to that personal data and to the information required by law.
Right to rectification
You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data.
Right to erasure
You have the right to request the deletion of your personal data where the legal requirements are met.
Right to restriction of processing
You have the right to request restriction of processing where the legal requirements are met, in particular where the accuracy of the data is contested, the processing is unlawful, the data is required for legal claims, or an objection is pending.
Right to data portability
Where processing is based on consent or contract and carried out by automated means, you have the right to receive the personal data you provided in a structured, commonly used and machine-readable format, and to request transmission to another controller where technically feasible.
Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement.
The competent supervisory authority for Komtur is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Heilbronner Straße 35, DE-70191 Stuttgart, Germany
Email: poststelle[@]lfdi[.]bwl.de
Telephone: +49 (0)711 615541-0
3. Purpose and Scope of This Website
This website provides information about Komtur Pharmaceuticals, its services, and its business activities. It also offers communication channels and certain business-facing tools, including contact forms, KOMfinder, and a pharmacovigilance routing function.
Unless expressly indicated otherwise, this website is not intended as an online intake form for patient case details, medical documentation, or other health information. Information provided on this website is for general informational purposes and does not constitute medical advice.
4. Privacy Information for Website Visitors
SSL / TLS encryption
This website uses SSL or TLS encryption to protect the transmission of confidential content. You can recognise an encrypted connection by the “https://” prefix and the lock symbol in your browser.
Cookies and similar technologies
We use cookies and similar technologies on our website.
Some cookies and technologies are technically necessary to provide the website, maintain security, manage consent choices, or deliver functions expressly requested by you. In these cases, storage of or access to information on your end device is carried out on the basis of § 25(2) TDDDG. Where personal data is processed in that context, the legal basis is generally Art. 6(1)(f) GDPR, based on our legitimate interest in secure and technically correct website operation.
Other cookies and similar technologies are used only with your consent. In those cases, the legal basis is § 25(1) TDDDG and Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future.
You can also configure your browser to notify you of cookies, to allow cookies only in individual cases, to exclude acceptance in certain cases or generally, and to automatically delete cookies when closing the browser. Disabling cookies may limit website functionality.
Consent management with Usercentrics
We use the consent management platform of Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany (hereinafter "Usercentrics").
When you visit our website, Usercentrics may process your consent status, the withdrawal of consent, your IP address, browser information, device information, and the time of your visit. Usercentrics also stores information in your browser in order to associate the consent decision with your device and to document it in accordance with legal requirements. The related data is stored until you request deletion, delete the relevant cookie yourself, or the purpose no longer applies, unless statutory retention obligations require longer storage.
The processing is carried out to obtain, manage, and document legally required consent decisions. The legal basis is Art. 6(1)(c) GDPR in conjunction with the applicable data protection and e-privacy requirements. The related end-device storage/access is based on § 25(2) TDDDG to the extent strictly necessary for consent management. We have concluded a Data Processing Agreement with Usercentrics.
Further information on Usercentrics’ data protection practices is available in the provider’s privacy policy.
Hosting
This website is hosted by Mittwald CM Service GmbH & Co. KG, Königsberger Straße 4-6, 32339 Espelkamp, Germany (hereinafter referred to as Mittwald).
Further information on Mittwald’s data protection practices is available in the provider’s privacy policy.
The hosting is carried out for the secure and reliable provision of the website. The legal basis is Art. 6(1)(f) GDPR. Where hosting-related technologies require consent under § 25 TDDDG, we obtain that consent where legally required. We have concluded a Data Processing Agreement with the provider.
Server log files
When you visit our website, the hosting provider and/or we automatically collect and store information in server log files. This may include browser type and version, operating system, referrer URL, hostname of the accessing computer, time of the server request, and IP address.
This data is not merged with other data sources for the purpose of personally identifying you through normal website use. The processing is necessary to ensure technical functionality, system security, error analysis, and defence against misuse. The legal basis is Art. 6(1)(f) GDPR.
Web analytics with Matomo
We use Matomo, an open-source web analytics service, to analyse how our website is used and to improve the website and our services.
Matomo may process usage data such as visited pages, interaction events, browser and device information, referrer data, and IP-related information. IP anonymisation is enabled before storage.
Where Matomo uses cookies or comparable technologies that are not strictly necessary, the legal basis is your consent under Art. 6(1)(a) GDPR and § 25(1) TDDDG. To the extent Matomo is operated in a privacy-friendly configuration without requiring consent for a particular processing step, the legal basis is Art. 6(1)(f) GDPR.
Matomo is provided via InnoCraft Ltd, Wellington, New Zealand. We have concluded a Data Processing Agreement with the provider. New Zealand benefits from an adequacy decision of the European Commission.
Further information on Matomo’s data protection practices is available in the provider’s privacy policy.
SalesViewer technology
This website uses SalesViewer® technology from SalesViewer® GmbH to identify company-related visits and usage patterns in a B2B context.
According to the information currently published for this website, the data processed through SalesViewer is hashed and pseudonymised and is not used to identify individual visitors personally. Data is stored only as long as necessary for the purpose.
To the extent no consent is required under § 25 TDDDG, the legal basis is Art. 6(1)(f) GDPR based on our legitimate interest in business-oriented website analysis, market research, and optimisation. If consent is legally required for a particular implementation, we will rely on Art. 6(1)(a) GDPR and § 25(1) TDDDG.
You may object to or opt out of this processing at any time via the opt-out mechanism provided by SalesViewer. An opt-out cookie is stored on your device for this purpose. If you delete your browser cookies, you may need to set the opt-out again.
Contact form
If you contact us using a website contact form, we process the data you enter, such as your name, contact details, company information, and message content, in order to process your request and handle follow-up questions.
Where form fields are marked as mandatory, provision of that data is necessary for us to process your inquiry. If you do not provide the mandatory data, we may be unable to respond to your request or provide the requested service.
The legal basis is Art. 6(1)(b) GDPR where your inquiry relates to pre-contractual measures or a contract with you. In all other cases, the legal basis is Art. 6(1)(f) GDPR based on our legitimate interest in efficient and documented communication. If we expressly request your consent for a specific processing activity, the legal basis is Art. 6(1)(a) GDPR.
We currently use Basin, operated by Moonshot Ventures Inc., 30060 Harris Rd, Abbotsford BC V4X 1V6, Canada, as the technical service provider for web forms. We have concluded a Data Processing Agreement with the provider. Further information on the provider’s data protection practices is available in its privacy policy. Canada benefits from a European Commission adequacy decision for commercial organisations. The data is kept until your request has been fully dealt with and thereafter only as long as necessary for follow-up, documentation, statutory retention, or legal defence.
Contact by email, phone or fax
If you contact us by email, telephone, or fax, we process your contact details and the content of your communication for the purpose of handling your request, documenting the communication, and carrying out any resulting business or compliance steps.
If we request information that is necessary to identify your request or process it properly and you do not provide that information, handling of your inquiry may be delayed or may not be possible.
The legal basis is Art. 6(1)(b) GDPR where your inquiry relates to pre-contractual measures or a contract with you. In all other cases, the legal basis is Art. 6(1)(f) GDPR.
Please note that general contact channels are not intended as dedicated adverse event intake channels unless expressly designated for that purpose. Where a communication nevertheless contains safety-relevant information, quality complaints, or product-safety information, we may forward it internally to the responsible pharmacovigilance, quality, medical information, or compliance function and process it in accordance with Section 8 of this Privacy Policy.
Routing of inquiries within the Komtur group
Depending on the information you provide, including the selected country, region, product, service, or topic, your inquiry may be forwarded to the relevant Komtur affiliate, branch, or office responsible for that market, territory, product line, or service area. Such entities may receive your personal data for the purpose of handling your inquiry, providing services, managing business relationships, or fulfilling regulatory and compliance obligations. Where a receiving Komtur entity independently determines the purposes and means of subsequent processing, it will act as an independent controller for that subsequent processing.
Depending on the selected country, region, product, service, or inquiry type, personal data submitted through this website or otherwise communicated to Komtur may be forwarded to the relevant Komtur affiliate, branch, or office, including in particular:
Komtur Pharmaceuticals e.K. – Freiburg, Germany
Komtur Pharmaceuticals Iberia, S.L. – Gavà (Barcelona), Spain
Komtur Pharmaceuticals Italia S.r.l. – Milan, Italy
Komtur Polska Sp. z o.o. – Warsaw, Poland
Komtur Pharmaceuticals Czech s.r.o. – Říčany / Prague area, Czech Republic
Komtur Pharmaceuticals Slovakia s.r.o. – Bratislava, Slovakia
Komtur Pharmaceuticals Bulgaria EOOD – Sofia, Bulgaria
Komtur Pharmaceuticals UK Ltd. – Coventry, United Kingdom
Komtur Pharmaceuticals LP – Mooresville, North Carolina, USA
Komtur Pharmaceuticals do Brasil – Hortolândia / São Paulo, Brazil
Komtur Pharmaceutical Technology Services Co., Ltd. – Shanghai, China
Depending on the operating model for the relevant market, some territories may also be managed through another Komtur entity or local office.
Pharmacovigilance routing tool on the website
We provide a website feature that allows users to select a product and a country/region in order to display the appropriate pharmacovigilance reporting route.
This feature is a routing tool only. It is not an online adverse event reporting form and is not intended to collect patient identifiers, health data, case narratives, attachments, or other safety-report content through the website itself. Users should not enter patient details, medical documentation, or other health information on this page.
For this feature, we process only the information necessary to generate the routing result and to operate the website securely, in particular the selected product, the selected country/region, and technical data required for operation, security, troubleshooting, and abuse prevention, to the extent that such information can be linked to an identifiable user via normal website operation. The legal basis is Art. 6(1)(f) GDPR based on our legitimate interest in providing a compliant routing function and ensuring secure website operation. Where storage of or access to information on the user’s end device is strictly necessary for this function, § 25(2) TDDDG applies.
Where the selected product and territory are managed by Komtur for pharmacovigilance purposes, the tool displays the designated Komtur pharmacovigilance reporting route. Where they are not managed by Komtur, the tool displays that Komtur is not the appropriate pharmacovigilance contact and directs the user to the relevant local route, such as the local marketing authorisation holder, local representative, and/or national competent authority, as applicable. EU pharmacovigilance guidance expects companies to screen digital media under their management or responsibility for potential reports and confirms that company websites may be used to facilitate reporting by providing appropriate forms or contact details.
5. Privacy Information for Business Partners
If you or the organisation you work for wishes to establish, maintain, or perform a business relationship with Komtur Pharmaceuticals, we process the personal data necessary for qualification, contracting, compliance, logistics, and communication.
Personal data relating to business partners and contact persons is generally collected directly from the relevant business partner or contact person. Where necessary for qualification, contracting, supply-chain execution, compliance, or documentation, we may also receive such data from your employer or principal, affiliated companies, manufacturers, distributors, logistics partners, authorities, public registers, or other parties involved in the relevant transaction or qualification process.
This may include company name, legal form, address, business email address, business telephone number, fax number, contact person details, position/function, VAT identification number, licences or permits relevant to pharmaceutical trade, contract data, order data, delivery data, payment data, correspondence, meeting data, and compliance-related documentation.
Where you are yourself the contractual party, the legal basis is Art. 6(1)(b) GDPR. Where you act as a contact person on behalf of a company or institution, the legal basis is generally Art. 6(1)(f) GDPR. Where processing is necessary to comply with legal and regulatory obligations, the legal basis is Art. 6(1)(c) GDPR. This includes, in particular, obligations connected with supplier/customer qualification, documentation, and delivery controls under applicable pharmaceutical wholesale-distribution requirements, including the AM-HandelsV and EU Good Distribution Practice requirements.
Where certain information is required for supplier/customer qualification, contracting, delivery, invoicing, export/import handling, or compliance checks, provision of that data may be necessary by law or for the performance of the business relationship. If the necessary data is not provided, Komtur may be unable to establish or continue the business relationship, process an order, complete qualification, or fulfil regulatory obligations.
Your data may be disclosed, where necessary, within the Komtur group and to relevant internal departments such as contract and master-data management, order processing, project management, logistics, procurement, finance, accounting, quality assurance, and compliance. Data may also be disclosed to shipping service providers, freight carriers, customs authorities, manufacturers, distributors, financial institutions, tax advisers, IT service providers, document destruction providers, auditors, authorities, and other recipients where necessary for the relevant purpose.
As a rule, we retain business-partner data for the duration of the business relationship and thereafter for the period required by statutory commercial, tax, pharmaceutical, and civil-law retention or limitation periods. Accounting and tax-relevant documents are generally retained for six or ten years, depending on the applicable legal requirement.
If you cease to be the contact person for one of our business partners, you may notify us accordingly. We will then update, restrict, or block your contact data for future business communication, as appropriate.
6. Privacy Information for Applicants
You may apply to Komtur Pharmaceuticals by email, post, or any other application channel we make available. In that context, we process the personal data contained in your application, such as contact data, CV, certificates, references, interview notes, correspondence, and any other information you provide.
We process this data for the purpose of carrying out the application procedure and deciding whether to establish an employment relationship. In Germany, the principal legal basis is § 26 BDSG in conjunction with Art. 88 GDPR; where applicable, Art. 6(1)(b) GDPR also applies in relation to pre-contractual steps. If you give consent to a specific additional processing activity, such as inclusion in an applicant pool, the legal basis is Art. 6(1)(a) GDPR. Applicants are treated as employees for the purposes of § 26 BDSG.
Where we request information that is necessary to assess your application or carry out the recruitment process, provision of that data is required for the application procedure. If you do not provide the necessary data, we may be unable to consider your application or continue the recruitment process.
If you voluntarily provide special categories of personal data, such as health data, we process them only to the extent permitted by law and only where necessary for the application process or where you have provided a valid consent.
Your data is disclosed internally only to those persons involved in the recruiting decision. If your application is successful, the data required for the employment relationship will be transferred to your personnel file and further processed in accordance with the applicable employee-data rules.
If we do not offer you a position, if you reject an offer, or if you withdraw your application, we may retain your application data for up to six months after the end of the application process, based on Art. 6(1)(f) GDPR, in order to defend legal claims. Longer retention may occur where legal obligations apply or where further retention is necessary in connection with a dispute.
If we wish to include you in an applicant pool, we will request your separate consent. In that case, your application data may be retained in the applicant pool for up to two years from consent, unless you withdraw your consent earlier or statutory reasons require a different retention period.
7. Privacy Information for the Use of KOMfinder
KOMfinder is an online portal made available by Komtur Pharmaceuticals to enable registered users to check medicine availability and related business information.
To use KOMfinder, registration is required. In this context, we process the data necessary to create and manage your account and provide portal functions. This may include title, first name, last name, company email address, organisation details, access credentials, account metadata, and any data necessarily generated through portal use.
Fields marked as mandatory are required to create and maintain your KOMfinder account and to provide portal functions securely. If you do not provide the mandatory data, registration, account administration, or continued use of the portal may not be possible.
The processing is carried out to register users, provide access, manage accounts, communicate important technical or service-related changes, protect the portal against misuse, and document its use where necessary. The legal basis is Art. 6(1)(b) GDPR where you are yourself the user of the contractual digital service. Where you use KOMfinder on behalf of a company or institution, the legal basis is generally Art. 6(1)(f) GDPR based on our legitimate interest in securely and efficiently providing the portal to business users.
KOMfinder is hosted on a Komtur-owned server in a German data centre. When KOMfinder is used, server log files may be processed, in particular browser type and version, operating system, referrer URL, hostname, time of server request, and IP address. The legal basis for that processing is Art. 6(1)(f) GDPR. This data is not combined with other data sources for ordinary portal use.
We keep KOMfinder account data for as long as the account exists and thereafter only as long as necessary for deactivation handling, security, documentation, statutory retention, or legal defence.
8. Pharmacovigilance and Safety-Related Processing
Komtur Pharmaceuticals may process personal data for pharmacovigilance and related product-safety purposes where safety-relevant information is submitted to a designated Komtur safety channel or otherwise comes to Komtur’s attention through channels under its management or responsibility.
Depending on the specific engagement and processing activity, Komtur may act as an independent controller, joint controller, or processor for pharmacovigilance-related processing. Where Komtur acts as a joint controller, the essence of the arrangement will be made available in accordance with Art. 26 GDPR.
This may include information relating to adverse events, adverse reactions, product complaints with a possible safety relevance, exposure during pregnancy or breastfeeding, medication errors, misuse, abuse, off-label use, lack of efficacy where relevant, quality defects with safety impact, medical information follow-up, and other matters that may need to be documented, assessed, validated, followed up, transferred, or reported under applicable law or contractual safety responsibilities.
Pharmacovigilance and safety data may be obtained directly from reporters or indirectly from healthcare professionals, patients, business partners, sponsors, manufacturers, distributors, marketing authorisation holders, service providers, authorities, public databases, or other persons involved in the relevant safety matter, where lawful and necessary for the applicable pharmacovigilance or product-safety purpose.
Depending on the report, the personal data processed may include reporter details, professional role, organisation, contact details, limited patient identifiers, age or date of birth where relevant, sex, product information, indication, batch or supply data where relevant, event details, case narrative, attachments submitted outside the routing tool, and follow-up correspondence.
Where Komtur is subject to pharmacovigilance or related legal obligations, the principal legal bases are Art. 6(1)(c) GDPR and, where health data is involved, Art. 9(2)(i) GDPR. Depending on Komtur’s role and the specific context, additional or alternative bases may include Art. 6(1)(f) GDPR and, where applicable, Art. 9(2)(f) GDPR. The applicable medicinal-product framework includes Directive 2001/83/EC, Commission Implementing Regulation (EU) No 520/2012, and the EMA Good Pharmacovigilance Practices. Current EMA guidance also states that marketing authorisation holders should regularly screen internet or digital media under their management or responsibility for potential reports and that unsolicited cases from internet or digital media should be handled as spontaneous reports.
Where reporter contact details or other follow-up information are necessary to validate, assess, document, investigate, or report a safety case, failure to provide that information may limit Komtur’s ability to complete case assessment, follow-up, or regulatory reporting obligations.
Pharmacovigilance and safety data may be disclosed, where necessary and lawful, to internal safety, quality, medical information, regulatory, legal, and compliance functions; to clients, sponsors, manufacturers, distributors, marketing authorisation holders, local representatives, qualified persons or safety service providers; and to competent authorities, the European Medicines Agency, EudraVigilance participants, ethics committees, auditors, or other recipients where disclosure is required or appropriate for the relevant safety purpose.
Pharmacovigilance and safety data is retained for as long as required by applicable pharmacovigilance, medicinal-product, quality, contractual, documentation, and limitation-period obligations. Because this processing is often mandatory and performed for reasons of public health and legal compliance, rights such as erasure, restriction, or objection may be limited to the extent continued processing is required by law or necessary to protect public health or defend legal claims.
9. International Data Transfers
Where personal data is transferred outside the EU or EEA, we ensure that an appropriate transfer mechanism under Chapter V GDPR is in place.
Depending on the recipient and the specific processing activity, personal data may be transferred to service providers or to relevant Komtur affiliates or offices outside the EU or EEA. Such transfers may include, for example, transfers to Switzerland, the United Kingdom, the United States, Brazil, Canada, New Zealand, or China, depending on the selected market, product, service, inquiry type, or technical service provider. Where the destination benefits from a European Commission adequacy decision, Komtur relies on that decision. Where no adequacy decision applies, Komtur implements appropriate safeguards in accordance with Chapter V GDPR, such as the European Commission’s Standard Contractual Clauses and, where necessary, supplementary measures.
10. Technical and Organisational Measures
Komtur Pharmaceuticals implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.
These measures include, in particular, secure hosting arrangements, encryption in transit where appropriate, access controls, role-based access management, logging, need-to-know principles, vendor management, data minimisation, and ongoing security and compliance monitoring. The specific measures applied depend on the nature, scope, context, and purposes of the processing as well as the risks to the rights and freedoms of natural persons.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time, in particular where legal requirements, regulatory expectations, technologies, service providers, or business processes change.
The current version will always be made available on this website.
Last updated: 17 March 2026