Responsible in terms of the EU general data protection regulation and other national data protection laws of the member states and other data protection regulations

The responsible person in accordance with Article 4 para 7 of the EU General Data Protection Regulation (GDPR) is BfArM Office Cologne, Waisenhausgasse 36-38a, 50676 Cologne, represented by the president Prof. Dr. Karl Broich.

Data protection officer of the responsible person

You can contact the data protection officer Mr. Arian Mehrpuyan at the following e-mail: datenschutz@bfarm.de

Contact by email

Contact with BfArM by email is possible via various functional email boxes alongside the person-bound official email addresses of the employees.

If you send us an e-mail, the data transmitted by you (e.g. surname, first name, address), but at least the email address, as well as the information contained in the email including any personal data transmitted by you are processed for the purpose of contact and dealing with your request.

The legal basis for the processing of data transmitted in the course of sending an email is Article 6 para 1 letter e GDPR in conjunction with Article 1 para 1 and 3, Article 4 para 1 and 4 BGA-NachfG in conjunction with Article 77 para 1 AMG. Insofar as consent is requested and granted by you for the processing of data, the legal basis for this processing is Article 6 para 1 letter a GDPR.

A processing of the personal data transmitted by you is necessary for the purpose of processing your request as well as in the case of anonymous requests for individualization of the respective inquiry.

The data are erased as soon as they are no longer necessary for achievement of the purpose and regulations on storage, in particular the " Registraturrichtlinie für das Bearbeiten und Verwalten von Schriftgut in Bundesministerien", which is applied analogously in federal authorities, no longer stand in the way.

The personal data and conversations entered will be stored for a period of 10 years for the above-mentioned purposes. They will not be passed on to third parties.

Visiting our website

In the case of purely informative use of our website, i.e. if you do not register or otherwise provide us with information, we will only collect the data transmitted by your browser to our server. If you wish to view our website, we collect the following data that is technically necessary for us to display our website and to ensure stability and security:

  • Information about the browser type and version used
  • Operating system used by the accessing device
  • Website from which you arrived on our site (Referrer URL)
  • Pages and files accessed on our site
  • Where appropriate, the website you visited after our site (by clicking an external link on our website)
  • Message whether the access/retrieval was successful and the amount of data transferred
  • Date and time of your access
  • IP address

Temporary storage of the IP address by the system during the current session is technically necessary to enable delivery of the website to the user's computer.

The listed data is also stored in the log files of our system. However, before the IP address is saved, it is shortened by two bytes (e.g.: 192.168.xxx.xxx). In this way, it is no longer possible to assign the shortened IP address to the calling computer. Other data which allow the data to be assigned to users are not stored.

The aforementioned data is also not stored together with other personal data of the user.

The legal basis for the temporary storage of data is Article 6 para 1 letter e GDPR in conjunction with Section 3 BDSG in conjunction with Article 1 para 1 and 3, Article 4 para 1 and 4 BGA-NachfG in conjunction with Article 77 para 1 AMG.

The data will be deleted as soon as they are no longer necessary for the purpose for which they were collected. In the case of the collection of personal or personally identifiable data for the provision of the website, this is the case as soon as the respective session is ended. The data stored in the log file can no longer be assigned to the users. They are stored for 4 months for the purpose of optimising the website and ensuring the security of our information technology systems. The data will not be passed on to third parties or used in any other way.

The complete IP address will only be saved in case of suspicion of misuse and error analysis. It is used exclusively for the purpose of averting danger in the event of attacks on the information technology systems or for error analyses in order to be able to analyse and correct any errors that may occur.

The legal basis for this is Article 6 para 1 sentence 1 letter e GDPR in conjunction with § 3 BDSG. All IP addresses stored in this context are deleted after 7 days.

Use of cookies

In addition to the aforementioned data, cookies are stored on your computer when you use our website. The precondition for storage of the cookies is that acceptance of cookies has been activated in your browser settings (e.g. Microsoft Edge, Internet Explorer, Mozilla Firefox, Opera, Apple Safari).

Cookies are small text files that are stored on your computer when you access specific pages or functions. The cookies contain a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. Our cookies cannot be assigned to individuals and do not contain personal information. They do not harm your computer and do not contain viruses.

You can generally use this Internet offer without accepting cookies. However, we use session cookies for our search applications and special pages (for example in the download area or when logging into restricted areas) to facilitate your use of the site. These temporary cookies are automatically removed from your computer after the browser session has finished. You can continue to use our search applications even if you disable the storage of cookies.

In addition, a session cookie is set after the click on the "Close" button in the banner reference displayed at the end of the browser window when you first visit our website. In this way, the banner reference is hidden for the time of the browser session. After the end of the browser session, this cookie is automatically removed from your computer again.

You can prevent storage of cookies on your computer via the settings in your browser. You can also delete cookies manually or set your browser such that it automatically deletes all the cookies after the end of the session. Please remember that the Matomo deactivation cookie (see "Objection against use of the Matomo analysis tool") is also erased and you must again object to recording of statistical data when you use our website next.

Use of the Matomo analysis tool

We use the Matomo analysis service in order to analyse the use of our website and to improve it regularly. With the statistics which we obtain, we can improve our offer and make it more interesting for you as a user.

This website uses Matomo with an extension for anonymisation of the IP addresses. In this way, IP addresses are processed curtailed, a direct reference to a person can be ruled out in this way. The IP address transmitted by your browser via Matomo is neither merged with other data collected by us nor passed on to third parties.

If individual pages of our website are accessed, the following data are stored:

  • two bytes of the IP address of your accessing system (anonymous)
  • browser type and version
  • operating system used
  • the accessed website
  • the website, from which you access us (referrer URL) - to the extent that your browser does not suppress this
  • the pages and files which you access on our website
  • if applicable, the website which you visit after ours (by clicking of an external link on our website)
  • date and time of your access
  • the duration of your stay on the website
  • the frequency of your access to the website
  • your location (country)

Within the framework of our web analysis, no tracking cookies are set on your computer. The Matomo software and the data collected by means of Matomo are exclusively operated, stored and processed on our own servers.

Objection against use of the Matomo analysis tool

If you do not agree to the completely anonymous storage and evaluation of the data from your visit, you can object to the storage and use below by a mouse click at any time.

In this case, a so-called opt-out cookie (deactivation cookie) will be placed on your browser, with the result that Matomo does not collect any more session data.

Preventing the use of Matomo is possible by removing the following tick and thus activating the opt-out plug-in:

In addition, the "Do not track" function has been activated in our Matomo installation. If your browser does support this function and you have activated the function in the browser settings, no data are recorded by Matomo, even if you do not use the aforementioned deactivation cookie.

Functions and offers on our website

We offer further services in addition to the purely informational use of our website. To do this, we typically require additional personal information that is subject to the aforementioned principles of data processing.

We use external service providers to process your data. These third parties are bound by our instructions and are subject to our control.

We do not transfer your personal data to third parties for commercial purposes, and only in a few cases do we forward your personal data to such third parties. You will receive more information when entering your personal data, and below in the description of the offer.

AMIce for the federal states and AMIce for enclosed groups of users

The competent senior federal authorities transmit your personal data (name) stated as part of the registration information for drugs as Qualified Person, Graduated Plan Representative or information representative.

By storing the data in "AMIce for the federal states", the data is also available to the Federal Ministry of Health, its subordinate institutes as well as the drug monitoring authorities and investigative bodies of the federal states.

By providing the data, BfArM enables monitoring of the dealings with drugs by the competent state authorities and thus fulfils its statutory commission formulated in § 67a AMG. The legal basis for this is Article 6 para 1 sentence 1 letter c and e GDPR in conjunction with Section 3 BDSG in conjunction with Article 1 para 1 and 3, Article 4 para 1 and 4 BGA-NachfG in conjunction with Article 77 para 1 AMG.

Your personal data are erased no later than 15 years after the end of the marketability of the drug in question.

ATC/DDD

Once a year, the official version of the ATC classification including DDD information is issued according to § 73 subparagraph 8 sentences 5 and 6, Vol. V of the German Social Code. It is processed by the (AG) ATC/DDD work group, which members are appointed by the Federal Ministry of Health (BMG).

Your personal data stated as a member of the work group are exclusively used by us for internal communication. In some cases, documents with personal data, e.g. names and addresses of contacts with the pharmaceutical enterprises, expert analysts etc., are enclosed with the applications by the pharmaceutical associations or pharmaceutical enterprises. All these documents are exclusively used by us within the framework of the processing of the application in question. The legal basis is Article 6 para 1 sentence 1 letter c GDPR.

The work group distribution list with names, addresses, e-mail addresses and telephone numbers of the work group members is forwarded upon request to the WIdO (AOK Research Institute), which is a member of the work group and which has a contract for works with BfArM relating to the adaptation of the international ATC classification to the peculiarities of the German medication market.

The data are erased as soon as they are no longer necessary for achievement of the purpose of their collection.

Database search flat fees

If you would like to make use of our database offer at a charge, statement of your personal data is necessary for the conclusion of the contract. We process the data stated by you for handling of the contract and of payments which are due within the framework of the use of our database offer at a charge. For this, we can forward your payment data to the responsible federal treasury for the purpose of order and payment handling.

The legal basis is Article 6 para 1 sentence 1 letter b GDPR. On the basis of commercial and fiscal law requirements, we are obliged to store your address, payment and order data for a period of ten years.

Insofar as you use our search and capture applications, we will store your customer number to analyse and correct any errors that may arise. The log data will be deleted after 7 days. The legal basis is Article 6 para 1 sentence 1 letter c GDPR.

German Register of Online Medicine Retailers

This register contains pharmacies and other medicine retailers who are officially authorised to sell drugs for human use via the internet. The legal basis for the register is formed by §§ 43 subsection 1 and 67 subsection 8 of the German Drug Law (AMG). No personal data are recorded in the register itself.

Your personal data which you state as the agent of the authority for the recording of pharmacies and other traders for the German Register of Online Medicine Retailers are exclusively used by us for the documentation of the registration. They are not published in the public mail-order trade register. The legal basis is Article 6 para 1 sentence 1 letter c GDPR.

Iris Institute: SharePoint, version administration system (Git and subversion)

To apply for access to SharePoint or other repositories, we need your contact data (name, e-mail) and consent to their processing. The legal basis is Article 6 para 1 sentence 1 letter a GDPR.

Your personal data are exclusively processed for the purpose of registration. They are not forwarded to third parties.

You can withdraw your consent at any time by contact form to Iris Institute. In this case, your data and your user account are erased. If you leave the core group, your data and your user account are erased.

Medical Devices Information System - Login details, notifications, competent authorities, incidents

  • Login details (user code) for the medical devices information system
    Personal contact information must be provided in order to obtain login details (user name and password) for the medical devices information system. The data shall be stored in the customer database and used for correspondence with the party collecting the data. Furthermore, the data shall be required for internet-based data collection and processing by competent authorities with the duty to notify.
    The legal basis for this is Article 6 para 1 sentence 1 letter e GDPR in conjunction with sections 2 and 3 DIMDIV and section 30 of the Act on Medical Devices (MPG).
    Personal contact data from the registration shall be erased as soon as it is no longer required to fulfil the purpose pursued following its storage. The deadline for the erasure of login details pursuant to section 7 DIMDIV shall be 20 years from the date the data was last amended.
  • Notifying party registration
    In order to register as a notifying party in accordance with section 25 MPG for manufacturers, authorised representatives and importers, or as a notifying party in accordance with section 30, para 2 MPG (IVD), personal contact data must be provided for security officers. The personal data, which is entered as a notifying party for security officers, shall be required for internet-based data collection and processing by competent authorities with the duty to notify.
    The legal basis for this is Article 6 para 1 sentence 1 letter e GDPR in conjunction with sections 2 and 3 DIMDIV and section 29 MPG.
    Personal contact data from the registration shall be erased as soon as it is no longer required to fulfil the purpose pursued following its storage. The deadline for the erasure of login details pursuant to section 7 DIMDIV shall be 20 years from the date the data was last amended.
  • Competent authority registration
    Personal data may be provided to register as an competent authority. The personal data provided, which is entered as an authority for the processor, shall be required for internet-based data collection and processing by competent authorities with the duty to notify.
    The legal basis for this is Article 6 para 1 sentence 1 letter e GDPR in conjunction with DIMDIV and section 29 MPG.
    Personal contact data from the registration shall be erased as soon as it is no longer required to fulfil the purpose pursued following its storage. The deadline for the erasure of login details pursuant to section 7 DIMDIV shall be 20 years from the date the data was last amended.
  • Incidences and SAE involving medical devices
    Incidences involving medical devices shall be reported by the Federal Institute for Drugs and Medical Devices (BfArM) or, according to its competency, the Paul Ehrlich Institute (PEI). Serious adverse events (SAE) within a clinical trial or performance evaluation must be reported to the competent higher federal authority (BfArM or PEI) by the sponsor and medical examiner. At this juncture, personal data may be transferred by the reporting party.
    The legal basis for this is Article 6 para 1 sentence 1 letter e GDPR in conjunction with section 2, para 1 and section 3 para 5 of the Ordinance on the Medical Devices Safety Plan (MPSV).
    The deadline for the erasure of personal data exchanged pursuant to section 7 DIMDIV shall be 20 years from the date the data was last amended.
  •  Database Search public medical devices database
    See "Database search flat fees" data privacy notice.

Medical Devices Information System - The Clinical Investigation / Performance Evaluations (CI/PE) Module

As the legal basis and the storage period are identical for entire CI/PE module, they are mentioned here in advance and are not listed again in the following individual KP/LP information.

Legal basis for the entire CI/PE module is Article 6 para 1 sentence 1 letter c GDPR in conjunction with:

  • Medical Devices Act (MPG) §§ 20 – 24,
  • DIMDI Ordinance (DIMDIV) § 3, § 3a, § 4 para. 1, No. 3 and Annex 4,
  • Ordinance on Clinical Trials with Medical Devices (MPKPV) § 3

Storage duration for the entire CI/PE module:
Personal contact data from the registration will be deleted as soon as it is no longer required to fulfil the purpose for which it was stored. The deletion period for CI/PE applications according to DIMDIV is 20 years after the last modification of the data.

Use of the CI/PE module by the sponsor

  • Registration of the user (Entering Party):
    In order to register with the Medical Devices Information System, the entering party must enter personal contact data. The data is stored in the customer database and is used for correspondence with the person entering the data and for prefilling the address notification in the system.
  • Submission of CI/PE Sponsor Application (Entering Party):
    The personal data stored in data fields in the address notification of the sponsor is stored in the address database, used to prefill the CI/PE applications and made available to the competent authorities involved for research.
    Personal data, e.g., from the principal coordinating investigator of the clinical investigation, other investigators, sponsors, sponsor's representatives, authorised representatives, manufacturers and, if applicable, other persons involved in the study, which is stored in data fields or in the attached files (general and trial site-specific attachments) as part of the application procedure, is forwarded to the ethics committees, federal state competent authorities and the higher federal authority involved in the procedure. During the ongoing procedure, the view of the attachments is controlled according to the responsibility for the supervisory authorities and ethics committees in order to enable compliance with the legal requirements.
    The e-mail address in the data field "Sponsor's e-mail address" is used for automatic notification of processes in the application procedure.
    The personal data in the forms are stored in the form database until the time of registration/evaluation. After that, they are transferred to the (searchable) database.
    The applications in the database become visible to the higher federal authorities, the state authorities responsible for monitoring and to the ethics committees in the search (database fields and general attachments).
    There is also a legal obligation according to § 33 MPG to make the data from the database available to the European database EUDAMED. Only personal data relating to the manufacturer (producers) and the sponsor is transferred.

Use of the CI/PE module by the higher federal authorities, federal state competent authorities, competent and local ethics committees

  • Registration of users:
    The employees of the higher federal authorities, state authorities and the ethics committees are registered and stored in the customer database with address data (name, surname, institution, address, e-mail, telephone) via their respective authority. The contact data of the registered person is used to send the user code by post or e-mail, or for contact with the persons concerned.
    A deactivation or deletion of the access takes place after an informal notification by the employees themselves or after notification by the authorities.
  • Application processing KP/LP:
    Personal contact data, which you have provided as the processing person of the higher federal authority or competent ethics committee and, if applicable, the personal data of other persons involved in the study within the framework of the application procedure, is required for the approval or evaluation of the application.
    This data is made available exclusively to the sponsor via the CI/PE module until registration. After being transferred to the database, this data is available to all authorities, ethics committees and the sponsor for research purposes.
    The federal state authorities responsible for the investigational sites and the local ethics committees have read-only access to the applications relevant to them. The personal data of employees of these institutions is not collected.

Packaging Size Ordinance

Within various workflows, the work group (AG) processes ATC/DDD requests serving fulfilment of the statutory task according to § 5 Packaging Ordinance and § 73 subsection 8 sentence 5, Vol. V of the German Social Code, with the objective of fixing indices for standardised packaging sizes and, if necessary, amending them and thus facilitating the exchange of medications with identical packaging size identifications.

Your personal data stated as a member of the work group are exclusively used by us for internal communication. In some cases, documents with personal data, e.g. names and addresses of contacts with the pharmaceutical enterprises, expert analysts etc., are enclosed with the applications by the pharmaceutical associations or pharmaceutical enterprises. All these documents are exclusively used by us within the framework of the processing of the application in question. The legal basis is Article 6 para 1 sentence 1 letter c GDPR.

The work group distribution list with names, addresses, e-mail addresses and telephone numbers of the work group members is forwarded upon request to the WIdO (AOK Research Institute), which is a member of the work group and which has a contract for works with BfArM.

The data are erased as soon as they are no longer necessary for achievement of the purpose of their collection.

Your rights

You have the following rights towards us with a view to the personal data concerned with you:

Right to information according to Article 15 GDPR

With the right to information, the data subject is given extensive insight into the data concerned with him and other important criteria, such as the purposes of processing of the duration of the storage.

Right to rectification according to Article 16 GDPR

The right to rectification contains the possibility for the data subject to have incorrect personal data concerned with him corrected.

Right to erasure ("right to be forgotten") according to Article 17 GDPR

The right to erasure contains the possibility for the data subject to have data erased with the controller. However, this is only possible if the personal data concerned with him are no longer necessary, are processed unlawfully or a consent in this regard has been withdrawn.

Right to restriction of the processing according to Article 18 GDPR

The right to restriction of the processing contains the possibility for the data subject to prevent a further processing of the personal data concerned with him for the time being. A restriction comes about above all in the examination phase of other attendance to rights by the data subject.

Right to objection to the processing according to Article 21 GDPR

The right to objection contains the possibility for the data subject to object to the further processing of his personal data in certain specific situations, to the extent that this is justified by attending to public tasks or public and private interests.

Right to withdrawal of the data protection law declaration of consent

You have the right to withdraw you data protection law declaration of consent at any time. The withdrawal of the consent does not affect the lawfulness of the processing done on the basis of your consent up to the time of withdrawal.

Right to data portability according to Article 20 GDPR

The right to data portability contains the possibility for the data subject to receive the personal data concerned with him in a commonly used, machine-readable format from the controller in order to have them forwarded to another controller if need be.

You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us.

Changes to this data privacy declaration

We reserves the right to occasionally amend this data privacy declaration to adapt to current circumstances. We therefore recommend that you consult our data privacy declaration regularly.

This website uses session cookies to ensure certain functionalities such as downloads or login to closed areas. In order to optimize the website, we use the analysis tool Matomo. Our Matomo installation works without tracking cookies. You will find more detailed information and the possibilities to object to the use of Matomo in our data privacy declaration.