Privacy Policy
Last Update: 02. December 2025
Orientation guide
MEDICE UK takes the protection of your personal data very seriously. The following information is intended to give you an overview of how your personal data is processed on this website and when using MEDICE UK's services relating to the hiToco application from our sister company, Medigital GmbH.
An overview of the individual chapters for better orientation can be found here:
Preamble - Here you will find a brief overview of the content of the website and the data protection topics.
Contact - How can you get in touch with us quickly and easily?
Data processing and storage - Which of your data is stored and processed, how, for what purpose, where, by whom and for how long?
Legal basis - On what legal basis do we process your data?
Data transfer - Under what circumstances do we transfer your data to third parties?
Data security - What do we do to protect your data in the best possible way?
Your rights - Here you will find an overview of all your rights as a data subject.
1. Preamble
When using this website, personal data may be processed. The data protection term "personal data" refers to all information that relates to an identified or identifiable person. The IP address can also be personal data. An IP address is assigned to every device connected to the internet by the internet provider so that it can send and receive data. When you use the website, we collect information that you provide yourself. We also automatically collect certain information about your use of the website during your visit to the website.
If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain your consent.
As the controller, we have implemented numerous technical and organisational measures to ensure the most complete protection of the personal data processed.
The hiToco® application supports parents/carers of children with a (suspected) diagnosis of attention deficit/hyperactivity disorder (“ADHD”) and/or oppositional defiant disorder (“ODD”) through digitally guided parent training (including psychoeducation) for the treatment of the child (patient). The purpose is to reduce expansive behavioural problems associated with the disorder(s). Our sister company, Medigital GmbH, as the manufacturer of the app, is responsible for data processing in connection with the use of the app, in accordance with the EU General Data Protection Regulation (hereinafter "GDPR") and the UK GDPR.
Further information on data protection within the hiToco® app can be found here: https://hitoco.co.uk/app/privacypolicy
2. Contact
The controller within the meaning of Art. 4 (7) of the GDPR, the UK GDPR, the UK Data Protection Act 2018 and other data protection regulations is:
MEDICE UK Ltd
Address: Ground Floor, Unit B, The Chase, Foxholes Business Park, Hertford, Hertfordshire, SG13 7NN
Phone: 0204 582 2845
E-Mail: enquiries@medice.co.uk
Persons authorised to represent the company in the UK:
James Cox
Body responsible for data protection:
If you have any questions about our data protection measures, the processing of your data or the protection of your rights as a data subject, please contact us as follows:
MEDICE UK
Data protection
Address: Ground Floor, Unit B, The Chase, Foxholes Business Park, Hertford, Hertfordshire, SG13 7NN
Phone: 0204 582 2845
E-Mail: enquiries@medice.co.uk
3. Data processing and storage
The following personal data may be collected and processed when you visit our website and use MEDICE UK's services in connection with the hiToco app:
3.1 Technology
When using our website for information purposes only, we only collect data that is technically necessary for the provision of the service. This is data that your browser transmits to our server (in “server log files”). Our website collects a range of general data and information each time you or an automated system accesses a page. This general data and information is stored in the server log files. The following can be recorded:
Browser types and versions used,
The operating system used by the accessing system,
The website from which an accessing system reaches our website (“referrer”),
The sub-websites that are accessed via an accessing system on our website,
The date and time of access to the website,
A shortened Internet Protocol address (anonymised IP address) and,
The Internet service provider of the accessing system.
When using this general data and information, we do not draw any conclusions about your identity. Rather, this information is required to:
deliver the content of our website correctly and optimise the content of our website and the advertising for it,
ensure the permanent functionality of our IT systems and the technology of our website, and
provide law enforcement authorities with the information necessary for prosecution in the event of a cyber-attack.
This collected data and information is therefore evaluated by us both statistically and with the aim of increasing data protection and data security in our company to ultimately ensure an optimal level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
The legal basis for data processing is Art. 6 para. 1 lit. f) GDPR/UK GDPR. Our legitimate interest follows from the purposes listed above.
3.2 Hosting by Amazon Web Services - AWS
We host our website with Amazon Web Services (AWS). The provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg.
When you visit our website, your personal data is processed on AWS servers. This may also involve the transfer of personal data to AWS' parent company in the USA.
To protect your data, we have concluded data processing agreements with the service provider based on the European Commission's standard contractual clauses pursuant to Art. 46 (2) (c).
The use of AWS is based on our legitimate interest in the reliable presentation of our website pursuant to Art. 6 (1) (f) GDPR/UK GDPR.
Amazon Web Services EMEA SARL is certified as a US company under the EU-US Privacy Framework and thus guarantees a level of data protection that is appropriate to the GDPR/UK GDPR. This means that the adequacy decision of the EU Commission pursuant to Art. 45 GDPR/UK GDPR applies.
For more information on AWS' privacy policy, please visit: https://aws.amazon.com/privacy/
3.3 Cookies
3.3.1 General information about cookies
Cookies are small files that your browser automatically creates, and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our website.
Information is stored in the cookie that results in each case from the connection with the specific end device used. However, this does not mean that we obtain direct knowledge of your identity.
The use of cookies serves to make the use of our website more pleasant for you. For example, we use “session cookies” to recognise that you have already visited individual pages of our website. These are automatically deleted after you leave our site.
In addition, we also use temporary cookies to optimise user-friendliness, which are stored on your end device for a specified period of time. If you visit our site again to use our services, it is automatically recognised that you have already visited us and which entries and settings you have made so that you do not have to enter them again.
We also use cookies to statistically record the use of our website and to evaluate our offer for you for the purpose of optimisation. These cookies enable us to automatically recognise that you have already visited our website when you visit it again. The cookies set in this way are automatically deleted after a defined period of time. The respective storage duration of the cookies can be found in the settings of the consent tool used.
3.3.2 Legal basis for the use of cookies
The data processed by the cookies, which are required for the proper functioning of the website, are therefore necessary to safeguard our legitimate interests and those of third parties in accordance with Art. 6 para. 1 lit. f) GDPR/UK GDPR.
For all other cookies, you have given your consent to this via our opt-in cookie banner within the meaning of Art. 6 para. 1 lit. a) GDPR/UK GDPR.
3.3.3 Notes on avoiding cookies in common browsers
You can delete cookies, allow only selected cookies or completely deactivate cookies at any time via the settings of the browser you are using.
Further information can be found on the support pages of the respective providers:
Chrome: https://support.google.com/chrome/answer/95647?tid=311178978.
Safari: https://support.apple.com/en-gb/guide/safari/sfri11471/mac
Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox?tid=311178978
3.4.4 Werkbank Consent Management and Identity and Access Management Tool
We use Vinegar, a self-hosted consent management platform (CMP) from Werkbank GmbH, Viktoriastraße 75, 44787 Bochum, to manage user consent to cookies and other tracking technologies on our platform. This tool ensures compliance with GDPR/UK GDPR and other applicable data protection laws by allowing users to review and adjust their cookie settings at any time.
Vinegar collects and processes the following data:
User consent settings for cookies and tracking technologies
Anonymised user IDs to store settings across sessions
Timestamps of consent actions
The collected data is processed and stored on the servers of our service provider Werkbank GmbH. There are no plans to transfer the data to third parties or to countries outside the EU. To this end, a corresponding agreement on data processing on behalf of the client in accordance with Art. 28 GDPR/UK GDPR has been concluded with the service provider.
3.4.5 Cookies used on this platform
Below you will find a list of the cookies currently used on this platform. This list contains the names of the individual cookies, a brief description of their function, their duration and information on whether or not these cookies require consent in accordance with the EU Cookie Directive.
The names of the individual cookies displayed under the page settings may vary, depending, among other things, on which browser you are using, which websites you visited before visiting this platform, or whether you were redirected to this platform from a website/social media page.
Cookie name: Vinegar
Provider: Werkbank GmbH
Duration: 1 year
Description: Vinegar is used to obtain and document your consent to the use of cookies in your browser. Further information can be found in section 3.4.4.
Consent requirement: No
Cookie name: Meta-Pixel
Provider: Meta Platforms, Inc.
Duration: 5 years
Description: Meta-Pixel is used to evaluate Meta advertisements for statistical and market research purposes. Further information can be found in Section 3.10.
Consent requirement: Yes
Cookie name: Microsoft Clarity
Provider: Microsoft Corporation (MSFT)
Duration: 1 year
Description: Microsoft Clarity is a tool for analysing user behaviour. We use it to understand how users interact with our website. Further information can be found in section 3.10.
Consent requirement: Yes
Cookie name: Google Ads
Provider: Google Ireland Limited
Duration: 30 days
Description: Google Ads is used to promote our app by displaying interest-based advertising on third-party websites and Google search results, as well as showing third-party advertising on our website. Further information can be found in Section 3.11.
Consent requirement: Yes
Cookie name: Matomo
Provider: InnoCraft Ltd.
Duration: 13 months
Description: Matomo is used for web analysis to collect, gather and evaluate data on visitor behaviour on our platform. Further information can be found in section 3.10.
Consent requirement: Yes
Cookie name: Google Analytics
Provider: Google Ireland Limited
Duration: 2 years
Description: Google Analytics/Remarketing monitors data traffic, search queries and platform visits. It distinguishes between users. If cookies are accepted, data is personalised for analysis and performance; if rejected, data remains anonymous. Further information can be found in section 3.10.
Consent requirement:
– Anonymous data: No
– Personalised data: Yes
Cookie name: Google Tag Manager
Provider: Google Ireland Limited
Duration: 1 day
Description: Google Tag Manager allows automatic tracking of which button, link or personalised image users click on, helping make platform content more interesting. Further information can be found in section 3.11.
Consent requirement: Yes
3.4 Contacting us / Contact form
When you contact us (e.g., by phone, contact form, or email), we collect and process your personal data.
When you use our contact form to arrange an informational meeting (via Microsoft Teams or by phone), MEDICE UK Ltd. and the service provider salesforce.com Germany GmbH, commissioned by our parent company MEDICE Arzneimittel Pütter GmbH & Co. KG, collect and process your contact details (first and last name, email address, telephone number if applicable) for the purpose of arranging and conducting the requested informational meeting.
All information on data protection and your rights as a data subject can be found here.
Once your request has been processed, all data collected in the course of contacting us will be deleted. This is the case if it can be inferred from the circumstances that the matter in question has been conclusively clarified and there are no legal retention obligations that prevent deletion.
3.5 Newsletter and marketing activities
As part of our marketing activities, we retain the right to send out digital newsletters containing information about products, events, promotions, offers, and advertising for the hiToco application and the ADHS (ADHD) brand world of the MEDICE Health Family.
Our marketing activities are primarily aimed at customer loyalty and retention, information sharing, market and opinion research, improving our offerings, and automating communication.
Your contact details (name, email address) are used to send the newsletters.
We use CRM solutions from salesforce.com Inc. (“salesforce”), One Market Street, Suite 300, San Francisco, CA 94105, USA. We use these CRM solutions (customer relationship management solutions) for the management of customer and consent data, sales management, and the automated sending of newsletters. Salesforce.com Inc. is a US company certified under the EU-US Data Privacy Framework, which means that the adequacy decision of the EU Commission pursuant to Art. 45 GDPR/UK GDPR applies and thus confirms an adequate level of data protection.
Further information about Salesforce can be found at: Salesforce Privacy Information | Salesforce
MEDICE UK only uses service providers with whom a corresponding contract agreement in accordance with Art. 28 GDPR/UK GDPR exists.
The legal basis for the processing of your data in connection with the sending of newsletters is your voluntary consent in accordance with Art. 6 (1) (a) GDPR/UK GDPR.
You can revoke your consent at any time without giving reasons and unsubscribe from the newsletter. For this purpose, there is a corresponding link/contact in every newsletter.
3.10 Web analysis
Meta Pixel
This website uses the ‘Meta Pixel’ from Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA (‘Meta’). If explicit consent is given, this allows the behaviour of users to be tracked after they have seen or clicked on a Facebook advertisement. This process serves to evaluate the effectiveness of Facebook advertisements for statistical and market research purposes and can help to optimise future advertising measures.
When visiting the website, the following data, among other things, may be processed by the Meta Pixel:
IP address,
device information,
browser history,
interactions on our website (e.g. page views, clicks, conversions).
The data is stored and processed by Meta so that it can be linked to the respective user profile and Meta can use the data for its own advertising purposes in accordance with the Meta (Facebook) Data Use Policy (https://www.facebook.com/about/privacy/). This enables Meta and its partners to place advertisements on and outside of Facebook. A cookie may also be stored on your computer for these purposes.
The collected data is stored by Meta for a period of 180 days and then removed if the website is not visited again by the user.
These processing operations are carried out exclusively with the express consent of the user in accordance with Art. 6 (1) (a) GDPR/UK GDPR.
This US company is certified under the EU-US Data Privacy Framework. An adequacy decision in accordance with Art. 45 GDPR/UK GDPR has been issued, meaning that personal data may be transferred without further guarantees or additional measures.
Matomo / Matomo Tag Manager
We have integrated the open source web analytics service Matomo from InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, into this platform. Matomo is a software tool for web analysis, i.e. for collecting, gathering and evaluating data on the behaviour of visitors to websites or applications.
Among other things, data is collected about which website a data subject came to a website from (known as the referrer), which subpages of the website were accessed, how often and for how long a subpage was viewed. This is used to optimise the website and for cost-benefit analysis of internet advertising.
The software is operated on the server of the controller, and the log files, which are sensitive in terms of data protection, are stored exclusively on this server.
Matomo sets cookies on your IT system. Setting the cookie enables us to analyse the use of our platform. Each time the platform is accessed, the Matomo component automatically prompts the internet browser on your IT system to transmit data to our server for the purpose of online analysis. As part of this technical process, we obtain personal data, such as the IP address of the data subject, which we use, among other things, to track the origin of visitors and clicks. We do not pass on this personal data to third parties.
There is a corresponding contractual agreement with the service provider in accordance with Art. 28 GDPR/UK GDPR.
These processing operations are carried out exclusively with your express consent in accordance with Art. 6 (1) (a) GDPR/UK GDPR via the corresponding cookie banner.
The privacy policy of InnoCraft Ltd. can be found at: https://matomo.org/privacy/
The Matomo Tag Manager is an extension of the open source Matomo web analytics solution for managing JavaScript and HTML tags used to implement tracking, analytics and marketing tools. The Tag Manager is used to integrate tracking events (marketing cookies) and control the integration of third-party code. The legal basis for data processing is Art. 6(1)(f) GDPR/UK GDPR. The legitimate interest lies in the error-free functioning of the website. The data is deleted as soon as the purpose for which it was collected has been fulfilled.
Further information on this can be found at: https://matomo.org/faq/tag-manager/faq_26538/
Microsoft Clarity
On our website, we use the web analytics service Microsoft Clarity from Microsoft Ireland Operations Limited, hereinafter referred to as ‘Microsoft’.
The Microsoft Clarity service is used to analyse the usage behaviour of our website in order to compile reports on website activity and to provide other services related to website and internet usage for the purposes of market research and the needs-based design of our website.
In this context, pseudonymised usage profiles (without direct reference to your person) are created and cookies are set on your device.
The following data is collected and processed:
Anonymised IP addresses
Location information
Access times
Browser information (access via Edge, Chrome, etc.)
Screen resolution
Language settings
Visited websites/subpages
Date and time of access
User behaviour such as clicks, scrolls and mouse movements
These processing operations are carried out exclusively with your express consent in accordance with Art. 6 (1) (a) GDPR/UK GDPR via the corresponding cookie banner.
The parent company Microsoft Corporation is certified as a US company under the EU-US Privacy Framework, which means that the adequacy decision of the EU Commission pursuant to Art. 45 GDPR/UK GDPR applies and thus confirms an adequate level of data protection. Corresponding contractual agreements have been concluded with the service provider in accordance with Art. 28 GDPR/UK GDPR on the basis of the European Commission's standard contractual clauses.
Microsoft's privacy policy can be found at: https://privacy.microsoft.com/de-de/privacystatement
Google Analytics 4 (GA4)
On our platform, we use the web analytics service Google Analytics 4 (GA4) provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").
This creates pseudonymised usage profiles and uses cookies (see section 3.4 "Cookies").
The following data on platform usage is collected from you by the cookies, among other things:
IP address (short-term collection without permanent storage)
Location data
Browser type/version
Operating system used
Referrer URL (previously visited page)
Time of server request
The pseudonymised data may be transferred by Google to a server in the USA and stored there.
The information is used to evaluate the use of the platform, to compile reports on platform activities and to provide other services related to platform use and internet use for the purposes of market research and the needs-based design of the platform. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of the platform.
These processing operations are carried out exclusively with your express consent in accordance with Art. 6 (1) (a) GDPR/UK GDPR via the corresponding cookie banner.
The default data storage period set by Google is 14 months. Otherwise, personal data is stored for as long as it is necessary to fulfil the purpose of processing. The data is deleted as soon as it is no longer required to achieve the purpose.
The parent company Google LLC is certified as a US company under the EU-US Privacy Framework, which means that the adequacy decision of the EU Commission pursuant to Art. 45 GDPR/UK GDPR applies and thus confirms an adequate level of data protection. To protect your data, we have also concluded agreements on order processing in accordance with Art. 28 GDPR/UK GDPR, based on the standard contractual clauses of the European Commission.
For more information on Google LLC's privacy policy regarding the use of GA4, please visit: https://support.google.com/analytics/answer/12017362?hl=en&sjid=359143587556839491-EU
3.10 Advertising
Google Ads with conversion tracking
We have integrated Google Ads into this app. The operating company for Google Ads services is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads is an internet advertising service that allows advertisers to place ads in Google search engine results and on the Google advertising network. Google Ads allows advertisers to specify certain keywords in advance, which are then used to display an ad in Google's search engine results only when the user enters a keyword-relevant search result in the search engine. In the Google advertising network, the ads are distributed to relevant websites using an automatic algorithm and taking into account the predefined keywords.
The purpose of Google Ads is to promote our app by displaying interest-relevant advertising on the websites of third-party companies and in the search engine results of the Google search engine, and to display third-party advertising on our website.
If you access our app via a Google ad, Google will place a so-called conversion cookie on your IT system. A conversion cookie expires after thirty days and is not used to identify you. The conversion cookie is used to track whether certain subpages, such as the shopping basket of an online shop system, have been accessed on our website, provided that the cookie has not yet expired. The conversion cookie allows both us and Google to track whether a user who accessed our website via an AdWords ad generated a sale, i.e. completed or cancelled a purchase.
The data and information collected through the use of the conversion cookie is used by Google to compile visit statistics for our website or app. We in turn use these visit statistics to determine the total number of users who were referred to us via Ads, i.e. to determine the success or failure of the respective Ads and to optimise our Ads for the future. Neither our company nor other Google Ads advertisers receive information from Google that could be used to identify you.
The conversion cookie stores personal information, such as the websites you have visited. Each time you visit our website, personal data, including the IP address of the Internet connection you are using, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may pass on this personal data collected via the technical process to third parties.
The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Art. 45 GDPR/UK GDPR has been made, so that personal data may be transferred without further guarantees or additional measures.
You can view the privacy policy and further information from Google AdSense at: Privacy Policy – Privacy & Terms – Google
3.11 Plugins and other services
Google Tag Manager
We use the Google Tag Manager service on this platform. Google Tag Manager is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland Limited is part of the Google group of companies, headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
This tool allows "tags" (i.e. keywords that are embedded in HTML elements) to be implemented and managed via an interface. By using Google Tag Manager, we can automatically track which button, link or personalised image you have actively clicked on and can then record which content on our platform is of particular interest to you.
The tool also triggers other tags, which may in turn collect data. Google Tag Manager does not access this data. If you have deactivated tracking at the domain or cookie level, this will remain in effect for all tracking tags implemented with Google Tag Manager.
These processing operations are carried out exclusively with your express consent in accordance with Art. 6 (1) (a) GDPR/UK GDPR via the corresponding cookie banner.
The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Art. 45 GDPR/UK GDPR is in place, so that personal data may be transferred without further guarantees or additional measures. To protect your data, we have also concluded agreements on order processing pursuant to Art. 28 GDPR/UK GDPR, based on the standard contractual clauses of the European Commission.
Further information on Google Tag Manager and Google's privacy policy can be found at: https://policies.google.com/privacy?hl=en&gl=de
3.6 Cooperation with the parent company and other subsidiaries
To safeguard the legitimate interests of MEDICE Health Family Holding GmbH pursuant to Art. 6 para. 1 lit. f) GDPR/UK GDPR in optimising the advertising and sales market presence of our parent company and subsidiaries, it may be necessary for us to share certain personal data within MEDICE Health Family Holding GmbH. This applies in particular to possible contact data, information about your interests and your customer profile as well as your use of our products and services.
The joint processing of this data takes place within the framework of joint responsibility in accordance with Art. 26 GDPR/UK GDPR. The participating companies within MEDICE Health Family Holding GmbH have defined in an agreement how the respective tasks and responsibilities with regard to the processing of personal data are distributed and who fulfills which obligations under the GDPR/UK GDPR.
The shared data can be used for the following purposes:
To optimise our marketing and sales strategies.
To conduct market research and analyses to further improve our products and services.
The companies involved within MEDICE Health Family Holding GmbH ensure that suitable technical and organisational measures are taken to protect your personal data. The transmission and processing of your data is always carried out in accordance with the applicable data protection regulations.
Further information on data protection, your rights as a data subject and data processing by MEDICE Arzneimittel Pütter GmbH & Co. KG, as the parent company of MEDICE Health Family Holding GmbH, can be found here: https://medice-health-family.com/de-en/footer/dse/privacy-policy-medice-arzneimittel-puetter-gmbh-co-kg
Further information on data protection, your rights as a data subject, and data processing by Medigital GmbH as the manufacturer of the hiToco app can be found here: https://medice-health-family.com/de-en/footer/dse/privacy-policy-medigital
If you have any questions about the joint processing of your data within MEDICE Health Family Holding GmbH or would like to assert your data protection rights, you can contact our team at enquiries@medice.co.uk at any time. Please put the words ‘Data Protection’ in the subject line.
3.7 Purposes of the processing
The personal data may be processed for the following purposes:
For the fulfillment of contractual obligations or in the context of pre-contractual measures
For the provision and delivery of our range of services
To provide and ensure the functionality of the website
To protect the rights and interests of MEDICE UK and third parties (e.g. users, employees)
For communication and contact
To fulfill legal obligations
To permanently guarantee the technical functionality and user-friendliness of the website
In rare cases to defend against legal claims or to combat fraud
For market research and marketing purposes
For processing and verification of vigilance notifications
3.8 Storage and deletion periods
Unless otherwise stated in this privacy policy or the offer-related data protection information, we will only store your personal data for as long as is necessary to fulfill the stated processing purposes, to fulfill our contractual or legal obligations or to pursue and defend against legal claims.
The statutory retention obligations arise in particular from commercial or tax law regulations.
4. Legal basis
The legal basis for the processing of your personal data may be your informed, voluntary consent in accordance with Art. 6 para. 1 lit. a) in conjunction with Art. 7 GDPR/UK GDPR, the performance of a contract to which you are a party or the performance of pre-contractual measures pursuant to Art. 6 para. 1 lit. b) GDPR/UK GDPR, the fulfillment of a legal obligation pursuant to Art. 6 para. 1 lit. c) (in the case of drug safety reports in conjunction with Art. 9 para. 2 lit. i) GDPR/UK GDPR, §22 para. 1 no. 1 lit. c) BDSG-neu and §63c AMG) or the protection of our legitimate interests or those of a third party pursuant to Art. 6 para. 1 lit. f) GDPR/UK GDPR.
5. Data transmission
We only pass on your personal data to third parties if:
You have given us your express consent to do so in accordance with Art. 6 para. 1 lit. a) GDPR/UK GDPR,
The disclosure is permitted in accordance with Art. 6 para. 1 lit. f) GDPR/UK GDPR to protect our legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
There is a legal obligation for disclosure pursuant to Art. 6 para. 1 lit. c) GDPR/UK GDPR, and
This is legally permissible and necessary for the processing of contractual relationships with you in accordance with Art. 6 para. 1 lit. b) GDPR/UK GDPR.
As part of the processing operations described in this privacy policy, personal data may be transferred to the USA. Companies in the USA only have an adequate level of data protection if they have certified themselves under the EU-US Data Privacy Framework and thus the adequacy decision of the EU Commission pursuant to Art. 45 GDPR/UK GDPR applies.
We have explicitly stated this for the service providers concerned in the privacy policy. To protect your data in all other cases, we have concluded data processing agreements based on the European Commission's standard contractual clauses. If the standard contractual clauses are not sufficient to establish an adequate level of security, your consent may serve as the legal basis for the transfer to third countries in accordance with Art. 49 para. 1 lit. a) GDPR/UK GDPR. This may not apply in the case of data transfer to third countries for which the European Commission has issued an adequacy decision pursuant to Art. 45 GDPR/UK GDPR.
Under these conditions, recipients of personal data may be, for example:
Companies affiliated with MEDICE UK, insofar as this is necessary for the purpose of data processing.
Public bodies and institutions (e.g. European Central Bank, tax authorities, Federal Central Tax Office, public prosecutor's offices) if there is a legal or official obligation.
Processors to whom we transfer personal data in order to carry out the business relationship with you, e.g. for services in connection with archiving, document processing, call center services, controlling, compliance, data destruction, purchasing, debt collection, customer administration, lettershops, marketing, media technology, reporting, support/maintenance of IT applications, risk controlling, telephony, dispatch of goods, website management, payment transactions.
Persons bound to professional secrecy (e.g. lawyers, tax consultants, auditors) for support in the fulfillment of legal or official obligations as well as for the prosecution and defense of legal claims and criminal prosecution.
Other data recipients may be those bodies for which you have given your consent to the transfer of data.
MEDICE UK ensures that your data will only be passed on to bodies that can demonstrate a suitable data protection concept in accordance with the applicable regulations and laws and with which, if necessary, corresponding contractual agreements in accordance with Art. 26 and Art. 28 GDPR/UK GDPR exist.
6. Data security
The security of your personal information is very important to us.
Any collection, storage, use and transmission of data involves confidentiality risks (e.g. the possibility of identifying the person concerned). These risks cannot be completely ruled out and increase the more data can be linked together. MEDICE UK assures you that it will do everything possible in accordance with the state of the art to protect the transmission of your data.
To this end, we take the following technical and organisational measures, among others:
SSL/TLS encryption: Personal data is only transmitted via state-of-the-art encrypted connections. We implement the applicable requirements of the Federal Office for Information Security and use this technology to protect the transmission of your data.
Different passwords for all software tools used internally
Multi-factor authentication to access internal systems and data
Virus protection for all IT hardware used
Firewall for our internal company network
Regular training on data security and protection for all employees
Regular updates of all software components
Regular data backups to ensure availability
Regular risk analyses of the corresponding IT systems
7. Your rights
When processing your personal data, our aim is to guarantee your data protection rights at all times. Our service times and all contact options can be found under point 2 "Contact".
You can exercise the following rights in relation to your personal data:
You can request information about the processing of your data.
You can request that your personal data be amended if it is incorrect or incomplete.
You can request restrictions on the processing of your personal data. (1) For the duration of the review of the accuracy of the data. (2) If the processing is unlawful and you refuse deletion. (3) If the data is no longer needed by the controller for the purposes of processing, but you need it to assert, exercise or defend legal claims. (4) In the event of an objection to the data processing, if the corresponding balancing of interests has not been clarified.
You can request that the data collected about you be transferred to you or to a body designated by you.
If there is a basis for complaint, you can lodge a complaint with the competent data protection authority.
You can contact the Information Commissioner's Office (ICO) at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
You can request the deletion of the data collected about you.
You can informally object to the processing of your personal data at any time without giving reasons if the processing is based on Art. 6 para. 1 lit. e) or f) GDPR/UK GDPR.
You can revoke your consent to data processing informally at any time without giving reasons.
You will not suffer any disadvantages in the event of an objection/revocation. The objection applies with effect for the future; the previous data transfers remain lawful. From now on, your data will only be processed by MEDICE UK to a limited extent if this is required by law in accordance with Art. 6 para. 1 lit. c) and our legitimate interest in accordance with Art. 6 para. 1 lit. f) GDPR/UK GDPR.
If you have any further questions about the handling of your personal data or would like to make use of your other rights, please contact us at enquiries@medice.co.uk or 0204 582 2845.
