Bionorica® Decoding Nature. Empowering Health.

Privacy Policy Health Care Professionals

Last update: April 2026

Dear Health Care Professionals,

With this privacy policy we would like to inform you about

  • what personal data we process,
  • what we use these data for,
  • how you can object to its use or withdraw your consent, and
  • what other rights you have as a data subject and how you can assert them.

1. Who is responsible for data processing and whom can I contact?

The responsible body for data processing (data controller) in the sense given in the GDPR is:

Bionorica SE
Kerschensteinerstr. 11–15
92318 Neumarkt, Germany
Phone: +49 (0) 9181 231-90
Fax: +49 (0) 9181 231-265

Our company data protection officer can be reached via email at datenschutz@bionorica.de or by post at the above address (please include the line ‘ATTENTION: Company Data Protection Officer’).

As parent company of the Bionorica group we pursuant of a consistent corporate management structure provide different services for our subsidiaries (e.g. cross-company IT-, communication- and database-systems, central HR or financial accounting services as similar activities at our headquarter in Neumarkt) and also process personal data in this context.

In terms of data protection law, this processing is carried out under the joint responsibility of Bionorica SE and the respective subsidiary in accordance with Art. 26 GDPR. The following key points apply to joint processing:

  • Bionorica SE and the respective subsidiary are equally responsible for the legality of the joint processing and take appropriate technical and organizational measures so that the rights of the data subjects are guaranteed at all times.
  • Bionorica SE undertakes to publish the information required by Art. 13 and 14 GDPR, including in regard to joint processing.
  • In order to ensure adequate transparency and reliable assertion of data subject rights, all data subject rights during joint processing can always be asserted against Bionorica SE as the parent company.
  • Bionorica SE and the respective subsidiary are equally responsible for the information obligations resulting from Art. 33, 34 GDPR towards the supervisory authority or data subjects affected by a violation of the protection of personal data.
  • Both parties are jointly liable for the damage caused by processing that does not comply with the GDPR in the external relationship together towards the data subject.

We would be happy to provide you with an extract from our "Agreement on the joint processing of personal data in accordance with Art. 26 GDPR", as well as an overview of the processing operations for which the subsidiary is solely responsible and those for which we are jointly responsible. For this purpose, please also contact the above-mentioned contact.

2. Am I obligated to provide data?

In the context of our business relationship, you are only required to provide the personal data which are necessary for entering into and conducting a business relationship (and, where applicable, for fulfilling the associated contractual obligations) or which we are legally obligated to collect. Without these data, we will usually not be able to enter into or conduct a business relationship with you.

3. Which sources and data does Bionorica SE use?

We process personal data which we receive from you within the scope of our business relationship. We also process personal data that we lawfully obtain from publicly accessible sources (e.g. commercial registers, public media) or that is lawfully provided to us by other companies within the Bionorica Group or by other third parties (e.g. credit reference agencies).

The personal data we process includes, in particular:

  • personal details (name, address and other contact data)
  • order data (e.g. information on orders and deliveries)
  • data relating to the performance of the contract (e.g. information on achieved sales)
  • marketing and sales data (e.g. in the context of customer targeting)
  • documentation from meetings and field sales reports
  • information regarding participation in scientific and product-related training events (including the number of participants from your pharmacy/medical office, affiliation with the pharmacy or medical office, and employment status)
  • as well as other data comparable to the categories mentioned above.

4. Processing purposes and legal basis

We process personal data for the purposes of standard industry collaboration with Health Care Professionals in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) according to the following legal bases:

4.1. To fulfil contractual obligations (Art. 6 para. 1 cl. 1 lit. b GDPR)

Data are processed for performance of contracts concluded with our customers (e.g. sales contracts with pharmacies) and for implementation of pre-contractual measures at the request of our customers.

4.2. Based on legitimate interests (Art. 6 para. 1 cl. 1 lit. f GDPR)

In addition, we process personal data to safeguard our legitimate interests in ensuring the proper organisational and operational structure required for managing a pharmaceutical company. This may include, in particular, the following legitimate interests:

  • assertion of legal rights and defending ourselves in legal disputes
  • ensuring the IT security and safeguarding of IT operations of our company
  • measures for business management and improvement of services and products
  • conduction of visits by field sales representatives to doctors’ premises
  • conducting day-after-visit surveys with pharmacists and doctors
  • comparison with sanctions lists that go beyond the legally prescribed but usual.

Whilst that, we always assess on a case-by-case basis whether our interests in processing outweigh the interests of a data subject in non-processing.

4.3. Based on your consent (Art. 6 para. 1 cl. 1 lit. a GDPR)

If you granted us consent to process personal data for specific purposes (e.g. consent to be photographed at a specific event you are attending), this processing is lawful based on this consent.

After granting your consent, you can withdraw it at any time. This also applies to the withdrawal of declarations of consent given to us before the GDPR came into effect. Please note that withdrawal of your consent does not affect the lawfulness of processing carried out up to the time of withdrawal.

You can withdraw consent free of charge by sending a formless statement to the contact given in Section 1. If you withdraw your consent by telephone, we may ask you to provide additional proof of your identity in another way.

4.4. To comply with legal obligations (Art. 6 para. 1 cl. 1 lit. c GDPR) or in the public interest (Art. 6 para. 1 cl. 1 lit. e GDPR)

Like every company, Bionorica SE has numerous legal obligations which make processing of personal data necessary. As examples, e.g., identification obligations for prevention of money laundering, comparison with legally prescribed sanctions lists or meeting of tax obligations and regulatory documentation requirements for medicinal products can be stated here. Furthermore, in a few exceptional cases, processing may be necessary in regard to public interest (e.g. the transmission of pseudonymised adverse drug reactions (e.g. side effects) and potential quality defects to the relevant authorities).

5. When is automated individual decision-making used?

We generally do not use automated decision-making according to Art. 22 GDPR for establishing and conducting the business relationship. If we employ these techniques in individual cases, we will inform you about this separately insofar as we are required to do so by law.

6. Who gets my data?

Within Bionorica SE, access to your data is granted to those positions and departments that require it for the purposes of our lawful processing.

Carefully selected and controlled service service providers engaged by us may also also be granted access to data; access to your data is granted to those positions and departments that require it for the purposes of our lawful processing. These may include, for example, companies in the fields of IT services, logistics, print services, telecommunications as well as consultancies and marketing agencies.

Data will only be disclosed to recipients outside Bionorica if we have a legal basis for doing so (e.g. legal obligation, consent, legitimate interest).

7. Are data transferred to companies in third countries or to international organisations?

Data are only transferred to locations in countries outside the European Union (so-called third countries) if, in addition to general requirements for data transfer, there is also an adequacy decision (Art. 45 GDPR) or appropriate safeguards (Art. 46 GDPR) and, if necessary, additional measures are taken or the requirements of Art. 49 are fulfilled (for example, the corresponding consent).

8. How long are my data stored?

We process your personal data only as long as necessary for fulfilment of our processing purposes described above. Once the data are no longer needed for fulfilment of the processing purposes described above, they are erased. In addition, data may be processed on a temporary basis for the following purposes:

  • fulfilment of commercial, tax or other legal retention obligations. The retention or documentation periods prescribed there are up to ten years.
  • preservation of evidence in the context of the statute of limitations. Pursuant to Sections 195ff. of the German Civil Code (BGB) these statutory limitation periods can be up to 30 years, whereby the normal limitation period is three years.

9. What rights do I have as a data subject?

As a data subject you have the right to access pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to erasure pursuant to Art. 17 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, and the right to data portability according to Art. 20 GDPR. With respect to the right to access and the right to erasure, the limitations set forth in Sections 34 and 35 BDSG apply. You also have the right to lodge a complaint with a responsible data protection supervisory authority (Art. 77 GDPR in conjunction with Section 19 BDSG).

Furthermore, you have the right to object under Art. 21 GDPR and you can object to the processing of personal data for advertising purposes including the analysis of customer data or the transmission to third parties for advertising purposes at any time without giving reasons.