Data Privacy Statement

We take your data privacy and the protection of your personal data seriously and our data privacy principles provide fundamental guidance to all our businesses worldwide. We comply with applicable national regulations and our understanding of data privacy is based on the European General Data Protection Regulation (GDPR), amended by local regulations in case they are stricter.

1. Preamble

This data privacy notice is addressed to all customers, vendors, suppliers, etc. (“Data Subjects”, “you”) of or in contact with legal entities of Merck KGaA, Darmstadt, Germany ( “we”, “us”). It is meant to provide details about our practices relating to what personal data we collect, why we collect it, and how you can exercise your data protection rights. "Personal Data" in this document is any information relating to an identified or identifiable natural person, by direct or indirect means. In some countries, this is also referred to as “personally identifiable information”.

We develop products and technologies in three different business sectors which are Healthcare, Life Science, and Electronics to enable brilliant people to solve global challenges. In these contexts, we process your personal data in various ways, depending on your specific role, the way we communicate and the products or services you use. Section 3 of this Privacy Statement contains further details to guide you through each individual situation.

Should you have questions or queries regarding the processing of your personal data, please contact our Group Data Protection Officer via privacy@emdgroup.com or the other contact details provided below. You are also welcome to exercise your data protection rights by submitting your request directly in our Data Privacy Portal.

2. General information

This section is about the controller of your personal data, how you may contact the controller and which rights you have as a data subject in this context. A controller is a company responsible for the handling of personal data.

The data controller means the company (legal person) who determines the purposes and means of the processing of your personal data. For the overarching processing activities described in this privacy notice, Merck KGaA, Darmstadt, Germany is the data controller. In addition, any affiliate of Merck KGaA, Darmstadt, Germany, that processes personal data might become a controller or joint controller of such data. This includes, without limitations, any legal entity of the Merck KGaA, Darmstadt, Germany group you enter into an agreement with.

Merck KGaA, Darmstadt, Germany
Frankfurter Strasse 250
64293 Darmstadt, Germany

Phone: +49 6151 72-0
Telefax: +49 6151 72-2000

3. The Processing Activities in Detail

This section explains the different data processing activities in which we process your personal data.

3.1. Processing of your Personal Data in other contexts

We also process your personal data in various situations described in this section, including any of your on and offline interactions with us regarding the products and services we offer and the business we do.

We usually process your personal data for contractual purposes and to communicate with you for commercial reasons when you or we purchase a good or service from the other. For this purpose, we only process such data which is needed to fulfill the contract itself and to comply with additional obligations we are subject to, such as tax payments.

In addition, we might use some of your personal data, based on our legitimate interest, to develop and offer our products and services, learn more about your interests, conduct marketing activities under local market rules, and continuously improve our offerings.

We also process personal data for our scientific research as a global science and technology company, based on our legitimate interest, your consent, or as permitted for such research.

Please refer to the sections below and/or individual data privacy notices which we provide in the context of our business communication with you for further details about the corresponding processing of your personal data in this context.

We process your personal data for the initiation and the fulfilment or performance of contracts, including the administrative management of related order inquiries and assignments, both on and offline.

This processing activity may include the following data categories:
- Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address, place of work, etc.);
- Your payment details (e.g., bank account number, bank code, credit institute, tax identification number).
The processing of your personal data is necessary for the performance of a contract with you as an individual or is necessary to safeguard our legitimate interests of conducting business with your employer. If you choose not to provide your data, we may be unable to establish and maintain contact with you in the context of the specific contract.
If and to the extent that we provide services or goods to you, or receive them from you, we may process your personal data, e.g., to receive your services and/or provide our goods and prepare invoicing.

This processing activity may include the following data categories:
- Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address);
- Accounting data (e.g., purchased goods and services, bank details, customer number, tax identification number, tax category);
- Details on your profession (e.g., job title, position, personnel number, place of work, branch office, department).
The processing of this personal data is based on the necessity for the performance of a contract with you as an individual or is necessary to safeguard our legitimate interests of conducting business with your employer. If you choose not to provide personal data, we usually cannot establish and maintain contact with you, issue and/or receive invoices and receive or deliver services and/or goods in the context of the specific contract.
You may register on some of our Websites and create an account. When you create an account on our Websites or log in as a registered user, we collect the personal data you provided during registration.

This processing activity may include, among others, the following data categories:
- Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address);
- Accounting data (e.g., purchased goods and services, bank details, customer number, tax identification number, tax category);
- Details on your profession (e.g., job title, position, personnel number, place of work, branch office, department).
The data will be processed and used by us for the entire time your account exists, for our service and technical administration and to the legally permissible extent for our own marketing purposes.
The processing of your personal data is based on the necessity for the performance of a contract with you or is necessary to safeguard our legitimate interests of conducting business with you.
This processing activity may include the following data categories:
- Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address);
- Details on your profession (e.g., job title, position, personnel number, place of work, branch office, department).
If you would like to subscribe to any of our available newsletters, you may enter your email address in our registration form and click the "Send" button. You will then receive an email from us to your email address. You may complete the registration by verifying your email address by using the answer function in your email program.

This processing activity includes the following data categories: The information you provided to subscribe, such as your title, name, email address and personal/professional interests.
The processing is based on your consent you provided to us in the course of the subscription process. You have the right to withdraw your consent at any time, e.g., by filling the form on our website to unsubscribe.
Other processing in this regard is based on our legitimate business interests. We have a legitimate interest in informing our clients of news, events, etc. to gain new leads and establish and maintain a long-term business relationship.

We aim to present you information that could be of interest to you and to communicate seamlessly over various channels (phone, email, SMS, mail, social media messages) without sending redundant information. Our communication with you is based on the information we collect about you and are permitted to use. For example, we may use the combination of your email address and certain browsing data to provide you with information about a product you look up on one of our websites. Based on the information we collect, we may internally indicate that you are interested in certain categories of information.

We may also use profiling procedures to optimize and personalize our customer relationship management and our advertising measures. To optimize and personalize our advertising measures, we create customer profiles and assign customers to specific customer segments on the basis of these customer profiles. On the basis of this segmentation, we can manage the type, content and frequency of specific advertising measures for specific target groups. For profiling purposes and based on our legitimate interest, we use data that we receive from you as part of our business relationship. This includes personal data, such as your purchasing history and browsing data. Profiling may also be related to usage data that we create by measuring and evaluating the customer's interaction with electronic advertising, and in particular by measuring and evaluating the open and click rate in email newsletters or other commercial messages.
If we receive your contact details from business events, for example as part of a business appointment (e.g., by exchanging business cards) or as part of an assignment, we use your contact and business details to maintain our business contacts. For this purpose, we usually transfer your contact details to our CRM (Customer Relationship Management).

This processing activity may include the following data categories:
- Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address);
- Details on your profession (e.g., job title, position, personnel number, place of work, branch office, department, qualifications).
This data processing is based for our legitimate business interests. We have a legitimate economic interest in maintaining contacts beyond the initial contact and in using them to establish and develop a business relationship and to remain in contact with the parties concerned. Such business contacts could also be easily processed in our e-mail communication with you and then kept in typical business software, either centrally or on the electronic devices of our employees.
We process your personal data, if you enter and submit your data via one of our contact forms or contact us otherwise, e.g., in the context of a service request or via the contact form we provide on our Websites. Your data will be processed to handle your specific request, e.g., by answering or forwarding your request to a competent department and will only be processed for the purpose of responding to your inquiry.

This processing activity may include the following data categories:
- Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address);
- Details on your profession (e.g., job title, position, personnel number, place of work, branch office, department, qualifications);
- Any further information you provide to us, e.g., in the process of your request or which is otherwise required to answer your request.
The processing and use of your data are necessary for answering your inquiry in a quick and competent manner and is based for the rest on our legitimate interest to communicate with our contacts and customers and in particular provide customer service. The processing of your personal data is also necessary to process your inquiry and to establish or maintain contact.
We may process your personal data for the purpose of an orderly and lawful accounting. This is necessary, e.g., to process and record invoices, issue monetary compensation or refunds and to verify claims. In addition, we are subject to legal documentation and retention obligations based on tax and accounting laws which also involve the processing of your personal data. The record keeping, documentation and archiving of such documents usually takes place in our IT systems and in some cases also in the form of paper files.

This processing activity may include the following data categories:
- Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address, etc.);
- Accounting data (e.g., purchased goods and services, bank details, customer number, tax identification number, tax category, etc.);
- Details on your profession (e.g., job title, position, personnel number, place of work, branch office, department, etc.).
The data processing is necessary for us to manage, document, maintain and archive files and documents to fulfill our legal obligations under tax, commercial and corporate laws. If and to the extent such laws do not apply for the processing of your personal data in this context, this processing activity relies on our legitimate business interest to establish and maintain an adequate accounting process, in particular to issue or settle invoices.
We may process your personal data for the purpose of maintenance and improvement of health-related topics by developing and applying measures to prevent, diagnose, treat, recover, or cure diseases, illness, injuries, and other physical and mental impairments. We process personal data especially in the fields of general medicine, endocrinology, fertility, neurology, immunology, and oncology.

This processing activity may include the following data categories:
- Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address, date and place of birth, country of birth, nationality, etc.);
- Health information (e.g., diagnosis, existence of an illness or disability, details about accidents, treatment history, relevant health parameters, etc.).
In these cases, the legal basis of the data processing depends on the specific context. The processing may be necessary to safeguard our legitimate interests for the purposes of maintaining and improving health-related matters. We are also required to process your personal data where we have a legal obligation. Furthermore, we process your data if you have expressly consented to the processing in question, e.g., regarding the processing of your special categories of personal data (in particular, your health data).
We may process your personal data within the context of scientific research and our Life Science business. This includes for example processing of data of individuals who work in the fields of drug research, biopharmaceutical production, biotechnology, industrial microbiology, clinic and diagnostics, food analysis, quality control for pharmaceuticals, governmental and academic research, and environmental analyses.

This processing activity may include the following data categories:
- Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address, date and place of birth, country of birth, nationality, etc.);
- Accounting data (e.g., purchased goods and services, bank details, customer number, tax identification number, tax category, etc.);
- Details on your profession (e.g., job title, position, personnel number, place of work, branch office, department, etc.).
In these cases, the legal basis of the data processing depends on the specific context. This processing can be necessary to safeguard our legitimate interests for the purposes of maintaining and improving health-related matters as well as scientific research and to sell our Life Science products. We are also required to process your personal data where we have a respective legal obligation. Furthermore, we process your data if you have explicitly consented to the processing in question, e.g., regarding the processing of your special categories of personal data (in particular your health data).
We process your personal data in the context of our Electronics business offerings related to architecture, such as energy-efficient windows, smart glass and façades, innovations in mobility, display applications, plastics and specialty coatings, innovative semiconductor materials, cosmetics and high-tech chemicals for advanced industries such as photonics, solar, and lighting.

This processing activity may include the following data categories:
- Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address);
- Details on your profession (e.g., job title, position, personnel number, place of work, branch office, department, education).
The data processing is based on the necessity for the performance of a contract with you as an individual or is necessary to safeguard our legitimate interests of manufacturing, distributing, selling, and improving our Electronics products as well as scientific research. We have a legitimate economic interest to process personal data for the purpose of developing innovative and appealing products to increase sales, monitor technological developments and develop commercial business models.
We also process data collected within the scope of our whistleblower system ("SpeakUp Line") exclusively for the processing and follow-up of the reports received, where employees as well as external stakeholders can inform us confidentially about potential violations of rules and laws and non-compliant behavior so that we can investigate in such issues.

In such cases, we process the description of the issue (including time, place and persons involved) which we receive from the person who issued the notification. We may process further personal data, which is required to clarify and solve issues which we investigate.

This processing is based on our legitimate interest to avoid financial and reputational damages caused by compliance issues. The use of our whistleblower system is entirely voluntary and always possible in an anonymous way for the whistleblower. Further information on the processing of personal data in this context can be found in the data privacy statement for our SpeakUp Line under the following link: www.bkms-system.net/ISPEAKUP
We process your data for events we either provide on our own or for which we act as a sponsor and receive certain information about you. These events could vary from a singular meeting to a conference over several days, publicly accessible or addressed only to a specific audience, in our own facilities or other locations.

Depending on the event, the data we collect varies and could contain:
- Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address),
- Details on your profession (e.g., job title, position, personnel number, place of work, branch office, department, education),
- Information about your travel to the event (e.g., hotel accommodation, flights, transportation),
- Your bank account data in case of payments to you as a speaker or reimbursements of your costs for participation.
Such data is typically used for the participation in the event. In case of payments, we might be required to report them to authorities (e.g., tax authorities).
We perform different surveys, market analyses, and scientific research. This includes customer satisfaction, the development of new products or services or even predictive analyses of future behavior of customers or market developments.

The data we collect for such processing activities varies broadly depending on the specific purpose. If possible, we pseudonymize or even anonymize personal data before or in the course of our analyses. In most cases, in particular, when the processing requires an identifier that might lead to you as an individual, we ask for your consent prior to such processing.

We may also collaborate with other companies or institutes in case of scientific research. In such cases, we enter into specific agreements with these third parties to value the confidentiality of your data.
When visiting our facilities, we might process your personal data as part of our visitor management. We might offer you a parking space or provide you with internet connectivity via our Wi-Fi network.

This includes mainly:
- Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address),
- Details on your profession (e.g., job title, position, personnel number, place of work, branch office, department, education),
- Details on the visit on in our facilities (e.g., data of visit, purpose of visit, contact person at our facilities).
As a part of our security concept, we also maintain a series of technical and organizational measures to protect our facilities, including CCTV. We process only such data which is necessary to maintain this level of security based on our legitimate interests or legal obligations we are subject to.

3.2 Privacy Notice for the emdgroup.com Website and other EMD Group Websites

This section explains the different data processing activities in which Merck KGaA, Darmstadt, Germany processes your personal data for the operation of the services provided on this website www.emdgroup.com and other EMD Group websites (collectively, “Services” or "Websites").

We process your personal data for purpose of the operation of our Websites. You can access our Websites without directly providing personal information. However, whenever you access our services, you automatically transfer personal data to our servers for technical reasons.

This processing activity may include the following data categories:
- IP address of the requesting device;
- Date and time of your access;
- Name and URL of the retrieved file;
- Transferred data volume;
- Access status (file transferred, file not found, etc.);
- Identification data of the browser and operating system used;
- Name of the provider of user's internet access; and
- Website from which access is made.
This processing is based on our legitimate business interests. We process this data for the purpose of presenting our Websites and to ensure its technical stability and security (e.g., to prevent hacker attacks).
Cookies improve the user experience on our websites because they allow, e.g., the system to recognize returning visitors. The term "cookies" in this privacy notice refers to cookies and similar technologies. Cookies are small, usually randomly coded text files that are sent to your computer and stored there. These cookies allow your browser to track certain information that may be retrieved and used by internet servers at a later stage. Merck KGaA, Darmstadt, Germany uses cookies and similar technologies on its websites for several reasons, for example:
- Websites load faster;
- Websites may be browsed faster;
- Your settings, such as language and time zone, may be saved;
- Security on websites is improved since your identity may be verified; and
- Your log-in to secured websites is facilitated.
We include the following three categories of cookies on emdgroup.com:
These cookies are necessary to safeguard the functionalities of our websites, the services provided thereon and for the website to operate. Cookies are set in response to your actions and depend on your specific service requests (e.g., setting your privacy preferences, filling out forms, or logging in). More specifically, we set the following cookies:
- ___utmvc: This cookie is set by a third-party service to filter out malicious requests. The cookie is usually deleted within 29 seconds.
- AWSALBCORS: This cookie is managed by Amazon Web Services (AWS) and is used for load balancing. The cookie is usually deleted within seven days.
- AWSELBCORS: With CORS (cross-origin resource sharing) requests, some browsers require SameSite=None; Secure to enable stickiness. In this case, Elastic Load Balancing creates a second stickiness cookie, AWSELBCORS, which includes the same information as the original stickiness cookie (AWSELB) plus this SameSite attribute. The cookie is usually deleted when you close your browser.
- muser: This cookie is used to detect if the user is a Merck KGaA, Darmstadt, Germany employee based on their IP address. It expires after 30 days or upon the withdrawal of your consent.
- sessionid: This cookie consists of 32-bytes long random string value, which is the backend session identifier set whenever the application's user signs in, so the application can identify the user when displaying a certificate of analysis file. This cookie is deleted when the session ends, meaning when the user leaves the website.
- versum_location: This cookie provides the user with slightly different content in various places on the website based on the user’s location. It expires after 30 days or upon the withdrawal of your consent.
The processing is based on our legitimate business interest to provide our basic webservices in a secure and useful manner. Our website cannot function without these cookies, and they can only be disabled by changing your browser preferences. Please note, if you object to the use of these necessary cookies, our Services might not be available to you.
These cookies enable the provision of advanced functionalities and are used for personalization. The cookies are set in response to your actions and depend on your specific service requests (e.g., pop-up notification choices). More specifically, we set the following cookies:
- __cf_bm: This cookie helps manage incoming traffic that matches criteria associated with bots. It expires after 30 minutes or upon the withdrawal of your consent.
- _svcsc: This cookie is to support audience specific web sites. It expires after 1 minute or upon the withdrawal of your consent.
- ADRUM_BTa: AppDynamics server-side agent cookie provides Okta with performance data for troubleshooting and SLA compliance. It expires after 32 seconds or upon the withdrawal of your consent.
- AKA_A2: This cookie provides an Advanced Acceleration feature, which enables DNS Prefetch and HTTP2 push. It expires after 1 hour or upon the withdrawal of your consent.
- AkamaiAnalytics_BrowserSessionId: This cookie assigns an anonymous identifier to each visitor who plays a video. Used to analyze the video media player. It expires when you close your browser or upon the withdrawal of your consent.
- Bcookie: This cookie is used for sharing the content of the website via social media. It expires after 2 years or upon the withdrawal of your consent.
- CraftSessionId: This cookie is associated with the Craft web content management system, where is functions as an anonymous session identifier. It expires when you close your browser or upon the withdrawal of your consent.
- FASRV: This cookie is needed to enable forms from FormAssembly to work when embedded. It expires after when you close your browser or upon the withdrawal of your consent.
- FORMASSEMBLY: This cookie is used to provide our users with online forms. User’s session will be stored within a cookie. It expires when you close your browser or upon the withdrawal of your consent.
- has_js: This cookie is used to indicate whether or not the visitor’s browser has JavaScript enabled. It expires when you close your browser or upon the withdrawal of your consent.
- HTML_BitRateBucketCsv: This cookie measures the playback time of videos in the video media player per visitor depending on the bit rate. Used to analyze the video media player. It expires when you close your browser or upon the withdrawal of your consent.
- HTML_isPlayingCount: This cookie counts the number of times a specific video was played in the video media player. Used to analyze the video media player. It expires when you close your browser or upon the withdrawal of your consent.
- HTML_VisitCountCookie: This cookie counts the number of views of a video in the video media player. Used to analyze the video media player. It expires when you close your browser or upon the withdrawal of your consent.
- HTML_VisitIntervalStartTime: This cookie measures the start time of an interval between visits to a website in the video media player. Used to analyze the video media player. It expires when you close your browser or upon the withdrawal of your consent.
- HTML_VisitValueCookie: This cookie calculates the value of the visit to the website from the playback time of a video in the video media player when it is accessed and the number of rebuffer processes during playback. Used to analyze the video media player. It expires when you close your browser or upon the withdrawal of your consent.
- incap_ses_...: This cookie is used for visitor recognition. It expires when you close your browser or upon the withdrawal of your consent.
- nxrCookieAgreement: This cookie is to collect and store user consent to the use of cookies. It expires after one day or upon the withdrawal of your consent.
- personalization_id: This cookie allows users to share posts. It expires after two years or upon the withdrawal of your consent.
- PHPSESSID: This cookie is native to PHP and enables websites to store serialized state data. It expires when you close your browser or upon the withdrawal of your consent.
- RT: This cookie is used to interface with LinkedIn. It expires after seven days or upon the withdrawal of your consent.
- VISITOR_INFO1_LIVE: This cookie is used to estimate user bandwidth on pages with built-in YouTube videos. It expires after six months or upon the withdrawal of your consent.
The processing is based on your consent you provided to us. You either grant your consent by accepting all cookies in our cookie banner or by activating the cookie type(s) you have selected. Your consent is voluntary, and you may withdraw it at any time with effect for the future. You can withdraw your consent by reopening our cookie banner and deactivating the cookie type. If you do not grant your consent or withdraw it, this will not result in any disadvantages for you. However, without your consent, the functions explained above may not be available to you.
These cookies may be set to analyze your interests and show you relevant ads on other websites. These cookies work by uniquely identifying your browser and device. By integrating these cookies, we aim to learn more about your interests and your behavior on our websites in order to place our advertising in a targeted manner. More specifically, we set the following cookies:
- _fbp: This cookie is used by Facebook to deliver a series of advertisement products on Facebook. It expires after three months or upon the withdrawal of your consent.
- _ga: This cookie is associated with Google Universal Analytics (Google LLC) – an update to Google LLC's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a customer identifier. It is included in every page request on a website and is used to calculate visitor, session and campaign data for website analytics reports. By default, it is set to expire after 2 years or upon the withdrawal of your consent.
- _gat…: This cookie is linked to Google Universal Analytics (Google LLC). It is used to throttle the request rate and limit data collection on high-volume websites. This cookie expires after 10 minutes or upon the withdrawal of your consent.
- _ _gat_UA-43815746-1: This cookie is used by Google Analytics to limit the request rate. It expires after one minute or upon the withdrawal of your consent.
- _gat_gtag_UA_43815746_1: This cookie is used to deliver adverts more relevant to you and your interests. It is also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. It expires after one minute or upon the withdrawal of your consent.
- _gid: This cookie contains a randomly generated user ID. This ID allows Google Analytics (Google LLC) to recognize returning users to this website and merges data from previous visits. It expires after one day or upon the withdrawal of your consent.
- igodigitalst: This cookie is used to capture customer behavior to improve the quality of the experience of our online customers, including enhanced browsing experiences. It expires after one hour or upon the withdrawal of your consent.
- igodigitalstdomain: This cookie is used to capture customer behavior to improve the quality of the experience of our online customers, including enhanced browsing experiences. It expires after one hour or upon the withdrawal of your consent.
- igodigitaltc2: This cookie is used to capture customer behavior to improve the quality of the experience of our online customers, including enhanced browsing experiences. It expires after 10 years or upon the withdrawal of your consent.
- mf_[website-id]: This cookie is used for identifying the current session to allow mouseflow to measure interaction with the website. The cookie contains information about the current session but does not contain any information that can identify the visitor. This cookie is deleted when the session ends, meaning when the user leaves the website.
- mf_user: This cookie is used for checking if the user is new or returning and allows mouseflow to measure interaction with the website. This is done simply by a yes/no toggle and no further information about the user is stored. This cookie has a lifetime of 90 days.
- sticky: This cookie is used for the tracking of purchases through an affiliate link. It expires when you close your browser or upon the withdrawal of your consent.
- uniqueid: This cookie registers a unique ID that is used to generate statistical data on how the visitor uses the website. It expires after 2 years or upon the withdrawal of your consent.
- visid_incap_...: This cookie is used for visitor recognition for linking certain sessions to a specific visitor. It expires after one year or upon the withdrawal of your consent.
- YSC: This cookie is used to register a unique ID to keep statistics of YouTube videos that the user has seen. It expires when you close your browser or upon the withdrawal of your consent.
The processing is based on your consent you provided. You either grant your consent by accepting all cookies in our cookie banner or by activating the cookie type(s) you have selected. Your consent is voluntary, and you may withdraw it at any time with effect for the future. You can withdraw your consent by reopening our cookie banner and deactivating the cookie type. If you do not grant your consent or withdraw it, this will not result in any disadvantages for you. However, without your consent, the functions explained above will not be available to you.

Please note that the use of Google Analytics has been extended by the plug-in "AnonymizeIP", to ensure an anonymized collection of your IP address, so that we cannot relate your data to your person. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.
You can manage your decision on the use of cookies by reopening our cookie banner or by changing your browser preferences. Some computer browsers automatically accept all cookies. In this case, you may not see the cookie banner which allows you to manage your cookies individually. However, you can change your browser settings to block all cookies. You may also be able to configure your browser settings so that only certain types of cookies are blocked or so that you are notified as soon as a new cookie is to be stored on your computer. You may accept accept or reject cookies individually. If this function is available to you, you will find more detailed explanations in the help function of your browser. There you will also find information on how to delete all or certain cookies for which you have given us your consent. For more information on managing and deleting cookies for popular browsers, please see the following links: Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Microsoft Edge, Apple Safari.
We may process your personal data to display maps, a service provided by Google LLC.

This processing activity may include the following data categories which will be transmitted to Google LLC in the United States of America:
- The technical data as described in Section 3;
- Your location;
- The content you access (e.g., places); and
- The frequency of these accesses.
The processing is based on our (and your) legitimate business interest to guide you to our premises and facilitate your route planning.

The use of this service is not possible without your data and is automatically provided when you open a sub-page on which Google Maps is integrated. We process no further personal data than those specified in Section 3. Information on data processing by Google can be found in Google's privacy policy under the following link: https://policies.google.com/privacy?hl=en.

We do not conduct automated decision-making or profiling in this context.
We use social media plugins from various social networks (e.g., Facebook). With the help of these plugins, you can share content or recommend products. The plugins are deactivated by default and therefore do not send data to other websites. By clicking on the symbol of such social network on emdgroup.com and the confirmation by a second click on "OK" on the site following, you can activate plugins and thus provide your consent to the processing of your personal data in this context (so-called 2-click solution).

If these plugins are activated, your browser establishes a direct connection with the servers of the respective social media network as soon as you access the operator's website. The content of the plugin is transmitted directly from the social media network to your browser and embedded into the website.

By embedding the plugins, the social media network receives the information that you have visited the respective page of the operator. If you are logged in to the social media network, it can allocate the visit to your account. When you interact with the plugins, the corresponding information is transferred directly from your browser to the social media network and stored there.

Even if you are not logged in to social media networks, websites with active social media plugins can still send data to these networks. With an active plugin, a cookie with an identifier is placed each time the website is accessed. Since your browser sends this cookie every time you connect to a network server without being asked, the network can use it to create a profile of the websites visited by the user associated with the ID and it would also be possible to assign this identifier to a person later - for example when logging on later to the social media network.

For the purpose and scope of data collection and the further processing and use of the data by social media networks, as well as your rights and options for the protection of your privacy, and in particular your right to revoke your consent, please refer to the data protection notices of the respective networks.
- Facebook (provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304 USA): You can view Facebook’s privacy policy here:
  https://www.facebook.com/about/privacy/your-info#public-info
- Twitter (provided by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA): You can view Twitter’s privacy policy here:
  https://twitter.com/privacy
- LinkedIn (provided by LinkedIn Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA): You can view LinkedIn’s privacy policy here:
  https://www.linkedin.com/legal/privacy-policy
- YouTube (provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA): You can view Google’s privacy policy here:
  https://www.google.de/intl/de/policies/privacy/
- Instagram (provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA): You can view Instagram’s privacy policy here:
  https://help.instagram.com/155833707900388

4. DATA RETENTION

Unless otherwise stated in this Privacy Notice, your personal data are regularly deleted as soon as they are no longer necessary to fulfil the purpose of the processing, or the processing is otherwise inadmissible. This is usually the case if the data is no longer necessary to meet our business interests or for the provision of the services requested by you, no statutory data retention obligations apply, or you withdrew your consent.

For more information about how long we store cookies for, please see above.

Your IP address, which is collected while browsing our Websites, is stored for a period of time of 7 days unless a reasonably justified incident indicates a longer storage period (e.g., due to a hacking attack).

Under certain circumstances, your data must also be kept longer, e.g., if a so-called Legal Hold or Litigation Hold (i.e., a ban on deleting data for the duration of the procedure) is ordered in connection with official or legal proceedings. Data without any personal identifiable information may be stored permanently.

5. RECIPIENTS OF PERSONAL DATA

We might share your personal data with third parties, such as our service providers and vendors, financial institutions to process payments, lawyers and auditors, our affiliates, etc. to the extent required to meet our business objectives and fulfill our Services and to comply with our legal or regulatory obligations. For this purpose, we enter into adequate data protection agreements with these parties to the extent legally required and in this context safeguard that these recipients agree on technical and organizational security measures to protect your data adequately.

We might also transfer personal data to other members of our corporate family.

6. DATA TRANSFER TO THIRD COUNTRIES

Should such data transfer involve the transmission of your personal data to countries outside the EU/EEA that do not have an adequate level of data protection compared to the EU, we safeguard such level of data protection by entering into standard contractual clauses with any such recipients if no adequacy decision justifies such transfer. This ensures that your data protection rights are protected. You may download a copy of these standard contractual clauses at the following URL: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

7. AUTOMATED DECISION-MAKING

We generally do not use automated decision-making within the meaning of Article 22 GDPR. If we make use of automated decision-making or profiling, you will be informed through a separate privacy notice.

8. OBLIGATION TO PROVIDE PERSONAL DATA

In general, you are neither contractually nor statutorily required to provide your personal data for the above purposes, however your decision to not provide your data may reduce features and functionalities, the impossibility to use our information and services offered in this context, the denial of access to our services and/or exclusion from our business activities to the extent the processing of your personal data is key in these contexts.

The information required for registration on our Website or for contacting us is marked as mandatory in the corresponding area (e.g., a contact form) of the Website; if you do not provide this mandatory information, we cannot enable you to use the respective functionality.

9. YOUR DATA PROTECTION RIGHTS

Depending on your location and the applicable law, you have or might have the following data protection rights:

Right of access: You have the right to obtain information on the processing of your personal data and to receive a copy of these data.
Right to rectification: You have the right to request that we correct or complete your inadequate, incomplete or inaccurate personal data.
Right to erasure: Under certain circumstances, you have the right to request that we delete your personal data.
Right to restriction of processing: Under certain requirements, you may request us to restrict the processing of your personal data.
Right to data portability: You have the right to receive your personal data in a structured, common, and machine-readable format and request that these data are transferred to another data controller, if applicable under the specific circumstances.
Right to object: You might have the right to object to the processing of your personal data by us, in particular if the processing of your personal data is based on (i) the necessity of the performance of a task in the public interest, or (ii) legitimate interests. We will then stop the processing of your personal data unless we remain legally authorized to do so.
Right to lodge a complaint with a supervisory authority: You might have the right to lodge a complaint with a supervisory authority against the processing of your personal data if you believe that the processing of your personal data violates data protection regulations.

In case you granted us your consent to process your personal data, you may withdraw this consent with effect for the future, depending on the specifications of the respective processing activity. We will then stop the processing of your personal data, unless we have a legal permission to do so. Please note that your withdrawal has effect for future processing operations only and does not make data processing operations, which we executed before such withdrawal, unlawful.

To withdraw your consent, you may send an email to service@emdgroup.com. If you withdraw your consent, you may no longer be able to use the services affected by the withdrawal. Apart from that, you will not suffer any further disadvantages.

If you do not specify your withdrawal to a specific processing operation, we will assume that you withdraw your consent regarding all processing of your personal data that is based on your consent.

10. Privacy Rights for Residents of California, Colorado, Connecticut, Utah and Virginia

The following terms apply only to the personal information of residents of California, Colorado, Connecticut, Utah and Virginia (the “States”). These provisions are intended to comply with privacy laws enacted by the States (the “State Privacy Laws”), including the California Consumer Privacy Act, the California Privacy Rights Act and related regulations (collectively, the “CCPA”). These provisions supplement the other sections of our Privacy Policy. Any terms that are defined in the State Privacy Laws have the same meaning here. The term definitions applicable to you are those provided in the State Privacy Law of the state in which you are a resident.

The categories of personal information we may have collected from you, the sources of that personal information, and how and with whom we may have used or shared such personal information during the past year include the following:

Category of Personal Information Collected	Source of Information	Purpose for Collection	Categories of Recipients
Contact information: such as your name, address, email address, telephone numbers, or other contact information	From you, your authorized agent, or family member; from public data sources; from your health care provider or other caregiver; from other parties such as conference organizers or publishers which have received personal information from you.	To communicate with you; to enroll you in programs or services; to send you catalogs, information, newsletters, promotional materials and other offerings from us or on behalf of our partners and affiliates; to offer you the chance to participate in contests or other promotional activities; when you contact us; when you request customer service or support; to complete your registration on our websites (“Sites”); to administer your account with us.	Our service providers, and our co-marketing partners, including select partners and affiliates that we believe may have or facilitate offers that may be of interest to you.
Payment information: name, card issuer and card type, credit or debit card number, expiration date, CVV code and billing address.	From you and your payment card issuer.	To check that the right person is using the right card or account, meets the requirements of the card brands or account issuers, and to make sure we are paid for what you buy.	Our service providers who process payments for us and who are contractually required to comply with laws and requirements applicable to payment processing, which may include Payment Card Industry Data Security Standards.
Legal information: fraud checks or flags raised about your transactions, the payment card you want to use, payment card refusals, suspected crimes, complaints, claims and accidents.	From you, the police, crime and fraud prevention agencies, payment card providers, the public, regulators, your and our professional advisors and representatives.	To protect you, other customers and our business against criminal activities and risks, make sure we understand and can meet our legal obligations to you and others and can defend ourselves.	Our service providers who help us with fraud protection and credit risk reduction, and law enforcement and other governmental authorities in accordance with applicable law.
Preference information: your marketing preferences, your account settings (including any default preferences), any preferences you have indicated, the types of services/offers that interest you, the areas of our Sites or Apps that you have visited or ways that you interact with our Sites or Apps.	From you, from our website technology interaction with your browser/devices and cookies and other similar technologies tracking the pages you visit, the marketing messages you open and the links you follow.	To enhance your online shopping experience, including as a way to recognize you and welcome you to the Sites or applications (“Apps”), to provide you with customized Site or App content, targeted offers from us or others, promotions and advertising on our Sites or Apps, through other third-party sites or apps, via email, text messages, or App push notifications that are offered by us or others that might be of interest to you.	Our third-party vendors and service providers that perform website analytic services for us or enable the customization of offers to you to improve your shopping experiences through our Sites, our Apps or elsewhere.
Communications: communications we have with you. Please note that we may record calls to our customer service team or other sites for quality assurance.	From you	To handle your requests, to contact you when necessary or requested, including responding to your questions and comments and providing customer support, and to obtain customer feedback and improve our customer service and customer shopping experience.	Our service providers who assist us with customer service.
Voluntary information: any voluntary information you provide us with, such as responses to surveys or competitions and social media account details.	From you and your social media account provider.	To know you better, make our communications with you more personal, learn and improve from your survey feedback, organize events and pick competition winners.	Our service providers who administer surveys and promotions, and our co-marketing partners.
Personalization: your journey online and how you use our Sites and Apps, whether and when you open our marketing emails and respond to our advertisements.	From you, from our Sites or Apps technology interaction with your browser or devices and cookies tracking the pages you visit.	To improve our Sites, Apps, products and services, customer service, and customer shopping experience.	Our third-party vendors and service providers that perform website analytic services for us or enable the customization of offers to you to improve your shopping or website experience for our Sites, our Apps or elsewhere.
Device information: IP address, internet provider, operating system and browser used, type of device (such as laptop or smart phone), device cookie settings and other device details (such as MAC address and geolocation), if you use our Sites or Apps and permit them to obtain your precise geolocation.	From you and from our website or app technology’s interaction with your browser or devices.	To make sure our website and app technology works properly with your device and make sure you can see and use our intended website and apps on the device you are using, for analytical and demographic purposes, and to provide offers that may be of interest to you. We also will use this information to protect the security and integrity of the Site and our business, such as by protecting against and preventing fraud, unauthorized transactions, and managing risk exposure, including by identifying potential hackers and other unauthorized users.	Our service providers who help us with fraud protection, and third-party vendors and service providers that perform website analytic services for us or enable more relevant offers to you on our Sites, our Apps or elsewhere.
Information automatically collected from your browser: when you use our Sites or Apps, some data is automatically transferred from your browser to our server, including your browser type, operating system type or mobile device model, viewed webpages, links that are clicked, IP address, mobile device identifier or other unique identifier, sites or apps visited before coming to our Sites or Apps, the amount of time you spend viewing or using the Sites or Apps, the number of times you return, or other click-stream or site usage data, emails we send that you open, forward, or click through to our Sites or Apps.	From you and from our website or app technology’s interaction with your browser or devices.	We will use this information in an aggregated non-specific format for analytical and demographic purposes. We also will use this information to protect the security or integrity of our websites and our business, such as by protecting against and preventing fraud, unauthorized transactions, and managing risk exposure, including by identifying potential hackers and other unauthorized users.	Our third-party vendors and service providers that perform website analytic services for us or enable the customization of offers to you to improve your shopping or website experience and the relevance of offers to you on our Sites, our Apps or elsewhere.

If you are a resident of one of the States, State Privacy Law provides you with the following rights with respect to your personal information:
- The right to know what personal information we have collected, used or disclosed about you.
- The right to request that we delete any personal information we have collected about you.
- The right to request that we correct any inaccurate personal information we have collected about you.
We may collect some sensitive personal information, as that term is defined under State Privacy Laws and as described in this Privacy Policy, such as your credit card payment information or precise geolocation data. Your sensitive personal information will not be used for any additional purposes that are incompatible with the purposes listed above, unless we provide you with notice of those additional purposes.
If you are a California resident and we receive your Personal Information in the form of contact details from business events, for example as part of a business appointment (e.g., by exchanging business cards) or as part of any other form of collaboration, we may use your contact and business details to maintain our business contacts. For this purpose, we may transfer your contact details to our internal database. Pursuant to the CCPA, you have the privacy rights under State Privacy Laws with respect to your business contact Personal Information described above.

The processing activity may include the following data categories:
- Your contact information (e.g., name, title, form of address or salutation, address, gender, telephone numbers, email address); and
- Details on your profession (e.g., job title, position, personnel number, place of work, branch office, department, qualifications).
This data processing is based on our legitimate business interests. We have a legitimate economic interest in maintaining contacts beyond the initial context and in using them to establish and develop a business relationship and to remain in contact with the parties concerned.

Such business contacts could also be easily processed in our email communications with you and then kept in typical business software, either centrally or on the electronic devices of our employees.
You may submit requests to delete and/or to know personal information we have collected about you by accessing our State Privacy Rights request portal at:

https://privacyportal-de.onetrust.com/webform/71528392-912c-4f33-b3b5-9e665d0de552/44a2b69a-52e7-4f71-bd11-3c4b71ad611d

or by contacting our toll-free telephone number at:

+1 (888) 914-9661 (PIN 659429)

We will respond to your request in compliance with the requirements of the State Privacy Law or other applicable law.
When you exercise these rights and submit a request to us, we or our partners will verify your identity by asking you to authenticate your identity via standard authentication procedures. For example, we may ask for your email address, order numbers of previous orders of our products and services, the last four digits of a credit or debit card or bank account number used to make a purchase, or the date of your last purchase from us. We also may use a third-party verification provider to verify your identity.
You may permit an authorized agent to submit a request to know or to delete your Personal Information. If we receive a request on your behalf, we will ask that person to give us proof that you gave that person written permission to make a request for you. If that person does not provide us with written proof, we will deny their request so that we can protect your Personal Information.
We may retain your Personal Information for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements. We strive to retain your Personal Information no longer than is reasonably necessary to carry out the purposes listed in this Privacy Policy or as required by law. Under certain circumstances, your data may also be kept longer, e.g., if a Legal or Litigation Hold (i.e., a ban on deleting data for the duration of the procedure) is ordered in connection with official or legal proceedings. We retain your Personal Information following the end of your services or other business relationship in accordance with applicable law and our record retention and destruction policies. Data without any personal identifiable information may be stored permanently.

Last Modified: December 2022

Group Data Protection Officer

at Merck KGaA, Darmstadt, Germany

+49 6151 72-0