Data Privacy Statement

We take your data privacy and the protection of your personal data seriously and our data privacy principles provide fundamental guidance to all our businesses worldwide. We comply with applicable national regulations and our understanding of data privacy is based on the European General Data Protection Regulation (GDPR), amended by local regulations in case they are stricter.

1. Preamble

This data privacy notice is addressed to all customers, vendors, suppliers, etc. (“Data Subjects”, “you”) of or in contact with legal entities of Merck KGaA, Darmstadt, Germany ( “we”, “us”). It is meant to provide details about our practices relating to what personal data we collect, why we collect it, and how you can exercise your data protection rights. "Personal Data" in this document is any information relating to an identified or identifiable natural person, by direct or indirect means. In some countries, this is also referred to as “personally identifiable information”.

We develop products and technologies in three different business sectors which are Healthcare, Life Science, and Electronics to enable brilliant people to solve global challenges. In these contexts, we process your personal data in various ways, depending on your specific role, the way we communicate and the products or services you use. Section 3 of this Privacy Statement contains further details to guide you through each individual situation.

Should you have questions or queries regarding the processing of your personal data, please contact our Group Data Protection Officer via privacy@emdgroup.com or the other contact details provided below.

2. General information

This section is about the controller of your personal data, how you may contact the controller and which rights you have as a data subject in this context. A controller is a company responsible for the handling of personal data.

3. The Processing Activities in Detail

This section explains the different data processing activities in which we process your personal data.

3.1. Processing of your Personal Data in other contexts

We also process your personal data in various situations described in this section, including any of your on and offline interactions with us regarding the products and services we offer and the business we do.

We usually process your personal data for contractual purposes and to communicate with you for commercial reasons when you or we purchase a good or service from the other. For this purpose, we only process such data which is needed to fulfill the contract itself and to comply with additional obligations we are subject to, such as tax payments.

In addition, we might use some of your personal data, based on our legitimate interest, to develop and offer our products and services, learn more about your interests, conduct marketing activities under local market rules, and continuously improve our offerings.

We also process personal data for our scientific research as a global science and technology company, based on our legitimate interest, your consent, or as permitted for such research.

Please refer to the sections below and/or individual data privacy notices which we provide in the context of our business communication with you for further details about the corresponding processing of your personal data in this context.

3.2 Privacy Notice for the emdgroup.com Website and other EMD Group Websites

This section explains the different data processing activities in which Merck KGaA, Darmstadt, Germany processes your personal data for the operation of the services provided on this website www.emdgroup.com and other EMD Group websites (collectively, “Services” or "Websites").

4. DATA RETENTION

Unless otherwise stated in this Privacy Notice, your personal data are regularly deleted as soon as they are no longer necessary to fulfil the purpose of the processing, or the processing is otherwise inadmissible. This is usually the case if the data is no longer necessary to meet our business interests or for the provision of the services requested by you, no statutory data retention obligations apply, or you withdrew your consent.

For more information about how long we store cookies for, please see above.

Your IP address, which is collected while browsing our Websites, is stored for a period of time of 7 days unless a reasonably justified incident indicates a longer storage period (e.g., due to a hacking attack).

Under certain circumstances, your data must also be kept longer, e.g., if a so-called Legal Hold or Litigation Hold (i.e., a ban on deleting data for the duration of the procedure) is ordered in connection with official or legal proceedings. Data without any personal identifiable information may be stored permanently.

5. RECIPIENTS OF PERSONAL DATA

We might share your personal data with third parties, such as our service providers and vendors, financial institutions to process payments, lawyers and auditors, our affiliates, etc. to the extent required to meet our business objectives and fulfill our Services and to comply with our legal or regulatory obligations. For this purpose, we enter into adequate data protection agreements with these parties to the extent legally required and in this context safeguard that these recipients agree on technical and organizational security measures to protect your data adequately.

We might also transfer personal data to other members of our corporate family.

6. DATA TRANSFER TO THIRD COUNTRIES

Should such data transfer involve the transmission of your personal data to countries outside the EU/EEA that do not have an adequate level of data protection compared to the EU, we safeguard such level of data protection by entering into standard contractual clauses with any such recipients if no adequacy decision justifies such transfer. This ensures that your data protection rights are protected. You may download a copy of these standard contractual clauses at the following URL: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

7. AUTOMATED DECISION-MAKING

We generally do not use automated decision-making within the meaning of Article 22 GDPR. If we make use of automated decision-making or profiling, you will be informed through a separate privacy notice.

8. OBLIGATION TO PROVIDE PERSONAL DATA

In general, you are neither contractually nor statutorily required to provide your personal data for the above purposes, however your decision to not provide your data may reduce features and functionalities, the impossibility to use our information and services offered in this context, the denial of access to our services and/or exclusion from our business activities to the extent the processing of your personal data is key in these contexts.

The information required for registration on our Website or for contacting us is marked as mandatory in the corresponding area (e.g., a contact form) of the Website; if you do not provide this mandatory information, we cannot enable you to use the respective functionality.

9. YOUR DATA PROTECTION RIGHTS

Depending on your location and the applicable law, you have or might have the following data protection rights:

  • Right of access: You have the right to obtain information on the processing of your personal data and to receive a copy of these data.
  • Right to rectification: You have the right to request that we correct or complete your inadequate, incomplete or inaccurate personal data.
  • Right to erasure: Under certain circumstances, you have the right to request that we delete your personal data.
  • Right to restriction of processing: Under certain requirements, you may request us to restrict the processing of your personal data.
  • Right to data portability: You have the right to receive your personal data in a structured, common, and machine-readable format and request that these data are transferred to another data controller, if applicable under the specific circumstances.
  • Right to object: You might have the right to object to the processing of your personal data by us, in particular if the processing of your personal data is based on (i) the necessity of the performance of a task in the public interest, or (ii) legitimate interests. We will then stop the processing of your personal data unless we remain legally authorized to do so.
  • Right to lodge a complaint with a supervisory authority: You might have the right to lodge a complaint with a supervisory authority against the processing of your personal data if you believe that the processing of your personal data violates data protection regulations.

10. Privacy Rights for Residents of California, Colorado, Connecticut, Utah and Virginia

The following terms apply to the personal information of residents of California, Colorado, Connecticut, Utah and Virginia (the “States”). These provisions are intended to comply with privacy laws enacted by the States (the “State Privacy Laws”), including the California Consumer Privacy Act, the California Privacy Rights Act and related regulations (collectively, the “CCPA”). These provisions supplement the other sections of our Privacy Policy. Any terms that are defined in the State Privacy Laws have the same meaning here.

Last Modified: August 2022

Group Data Protection Officer

at Merck KGaA, Darmstadt, Germany