Privacy Statement

1. Preamble
2. General Information
2.1 Controller
2.2 Data Protection Officer
3. The Processing Activities in Detail
3.1 Operation of our Services
3.2 Contact Forms
3.3 Newsletter
3.4 Cookies
4. Data Transfers
4.1 Merck Group
4.2 Service Provider
4.3 Public Authorities
5. Your Data Protection Rights
5.1 Exercise your data protection rights

1. Preamble

This privacy notice is addressed to all visitors and users of our M-Trust™ website and ChemiSphere app (“user” or “you”) of the Merck Group (“Merck”, “us”).

This privacy policy describes how Merck will use the personal data of the users within the scope of the operation of our websites and/or apps (“services”). "Personal Data" in this document means all information that relates to a natural person and with which this person can be directly or indirectly identified.

Should you have questions or queries regarding the processing of your personal data by Merck, please feel free to contact our Data Protection Officer via privacy@merckgroup.com or the other contact details provided below.

2. General Information

This section informs you who is the controller of the processing of your personal data, how you may contact the controller and which rights you have as a data subject in this context.

2.1 Controller

The data controller means the person who determines the purposes and means of the processing of your personal data. For the processing activities described in this privacy notice, the controller is

Merck KGaA
Frankfurter Strasse 250
64293 Darmstadt, Germany
Phone: +49 6151 72-0
Telefax: +49 6151 72-2000

2.2 Data Protection Officer

Merck has appointed a Data Protection Officer. You may reach him/her as follows:

Group Data Privacy Officer
Merck KGaA
Frankfurter Strasse 250
64293 Darmstadt, Germany
+49 6151 72-0
privacy@merckgroup.com

You are also welcome to exercise your data protection rights by submitting your request directly in our Data Privacy Portal.

3. The Processing Activities in Detail

This section explains the different data processing activities in which Merck processes your personal data for the operation of our services and the provision of information and functionalities.

In general, you are neither contractually nor statutorily obliged to provide your personal data for the below purposes; however, your decision to not provide your data may lead to negative consequences, such as reduced features and functionalities and/or, in rare cases, the impossibility to use our information and services offered in this context.

3.1 Operation of Services

We process your personal data for the purpose of the operation of our services. Whenever you access our services, you automatically transfer personal data to our servers for technical reasons.

This processing activity may include the following data categories:

  • Your IP address;
  • Identifier (manufacturer, version, type of web browser, operating system);
  • Language settings of your web browser;
  • The time of your visit and visited subpages of our website;
  • Your referrer URL (i.e., the URL of the page from which you visit us);
  • The data volume accrued during your visit to our website;
  • Access status (file transferred, file not found, etc.); and
  • Name of the provider of your internet access.

The data processing is based on our legitimate business interests. We process these data for the purpose of presenting our services and to ensure their technical stability and security (e.g., to prevent hacker attacks).

No automated decision-making or profiling takes place.

3.2 Contact Forms

We process your personal data to operate the contact form we provide in our service. This enables you to contact us and, e.g., ask for additional information or issue other service requests. Your personal data will only be processed for the purpose of responding to your inquiry.

This processing activity may include the following data categories:

  • The contact information you provided to us (such as your name and email address); and
  • Other personal information that you include in your request.

The processing is based on our legitimate business interests. It serves our and your legitimate interest in answering your inquiry in a quick and competent manner.

Your personal data will be deleted once there is no commercial interaction anymore, e.g., when the customer decides to no longer use the product.

No automated decision-making or profiling takes place.

3.3 Newsletter

We process your personal data if you subscribed to our email newsletter. If you would like to receive our newsletter, you may enter your email address in our registration form and click the "Submit" button. You will then receive an email from us to your email address. You may complete the registration and thus verify your email address for sending newsletters by clicking on the confirmation link in this email.

This processing activity may include the following data categories: The information you provided to subscribe, such as your name, email address and personal/professional interests.

The processing is based on the explicit consent you provided to us in the course of the subscription process.

Your personal data will be deleted when you withdraw your consent, e.g., by clicking on the unsubscribe button which is included in any of our newsletters.

No automated decision-making or profiling takes place.

3.4 Cookies

Cookies improve the user experience on our services because they allow, e.g., the system to recognize returning visitors. The term "cookies" in this privacy notice refers to cookies and similar technologies. The term "computer" in this privacy notice refers to computers, smartphones and all other devices with internet access. Cookies are small, usually randomly coded text files that are sent to your computer and stored there. These cookies allow your browser to track certain information that may be retrieved and used by internet servers at a later stage. Merck uses cookies and similar technologies on its services for several reasons, for example:

  • Websites load faster;
  • Websites may be browsed faster;
  • Your settings, such as language and time zone, may be saved;
  • Security on websites is improved since your identity may be verified; and
  • Your log-in to secured websites is facilitated.

We included the following three categories of cookies on our services:

3.4.1 Necessary Cookies

These cookies are necessary to safeguard the functionalities of our services and for the website to operate. Cookies are set, in particular, in response to your actions and depend on your specific service requests (e.g., setting your privacy preferences, filling out forms, or logging in). More specifically, we set the following cookies:

  • __Host-next-auth.csrf-token: A token used to verify the current request. Its purpose is to prevent CSRF (Cross-Site Request Forgery) attacks. It expires at the end of each session.
  • __Secure-next-auth.callback-url: Stores the initially requested URL to redirect the user to after successful authentication. It expires at the end of each session.
  • __Secure-next-auth.session-token: A session cookie containing an encrypted access token for authenticating the currently logged-in user against the backend. The session token also contains information to identify the current user (like their email address). It expires after 30 days.
  • incap_ses_*: This cookie is used by Imperva Incapsula to manage user sessions, enhance website security, and ensure optimal performance by distinguishing between legitimate users and malicious entities. It expires at the end of each session.
  • visid_incap_*: This cookie is used by Imperva Incapsula to identify unique visitors, ensuring consistent security and performance during their visit. It helps distinguish individual users without storing personal information. It expires after 1 year.

The processing is based on our legitimate business interest to be able to provide our basic webservices in a secure and useful manner. Our website cannot function without these cookies and they can only be disabled by changing your browser preferences.

No automated decision-making or profiling takes place.

3.4.2 Functional Cookies

These cookies enable the provision of advanced functionalities and are used for personalization. The cookies are set in particular in response to your actions and depend on your specific service requests (e.g. setting the language). More specifically, we set the following cookies:

  • ld-cookie-consent: The cookie stores the user's preferences regarding cookie usage on the website. This cookie ensures that the user's settings are respected and that they are not repeatedly prompted for cookie consent on subsequent visits.

The processing is based on the explicit consent you provided to us in the course of the subscription process. You either grant your consent by accepting all cookies in our cookie banner or by activating the cookie type you have selected. Your consent is voluntary, and you may revoke it at any time with effect for the future. You can revoke your consent by reopening our Cookie Center and deactivating the cookie type. If you do not grant your consent or revoke it, this will not result in any disadvantages for you. However, without your consent, the functions explained above will not be available to you.

No automated decision-making or profiling takes place.

3.4.3 Targeting Cookies

These cookies may be set to learn more about your interests and show you relevant ads on other websites. These cookies work by uniquely identifying your browser and device. By integrating these cookies, we aim to learn more about your interests and your surfing behavior and to be able to place our advertising in a targeted manner. More specifically, we set the following cookies:

  • _ga: Used to distinguish unique users by assigning a randomly generated number as a client identifier. This helps calculate visitor, session, and campaign data for the site's analytics reports. This cookie expires after 2 years.
  • _gid: Stores and updates a unique value for each page visited, helping track user behavior on the site. This cookie expires after 24 hours.
  • _gat: Throttles the request rate, limiting the collection of data on high traffic sites. This cookie expires after 1 minute.

The processing is based on the explicit consent you provided to us in the course of the subscription process. You either grant your consent by accepting all cookies in our cookie banner or by activating the cookie type you have selected. Your consent is voluntary, and you may revoke it at any time with effect for the future. You can revoke your consent by reopening our Cookie Center and deactivating the cookie type. If you do not grant your consent or revoke it, this will not result in any disadvantages for you. However, without your consent, the functions explained above will not be available to you.

Please note that the use of Google Analytics has been extended by the plug-in "AnonymizeIP", to ensure an anonymized collection of your IP address, so that we cannot relate your data to your person. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.

3.4.4 Management and Deletion of Cookies

Some computer browsers automatically accept all cookies. In this case, you may not see the Cookie Center which allows you to manage your cookies individually. However, you can change your browser settings to block all cookies. You may also be able to configure your browser settings so that only certain types of cookies are blocked or so that you are notified as soon as a new cookie is to be stored on your computer. In this case, you can accept or reject cookies individually. If this function is available to you, you will find more detailed explanations in the help function of your browser. There you will also find information on how to delete all or certain cookies for which you have given us your consent. For more information on managing and deleting cookies for popular browsers, please see the following links: Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Microsoft Edge, Apple Safari.

4. Data Transfers

We transfer your personal data as follows.

4.1 Merck Group

To our worldwide affiliates, to the extent that this is permissible within the framework of the purposes and legal bases stated under 3. In these cases, our group companies will use the personal data for the same purposes and under the same conditions as described in this privacy notice (e.g., answering your inquiry about a product that falls within the area of expertise of a foreign Merck affiliate). A list of our affiliated group companies and their contact details can be found here. If and to the extent we transfer your personal data in this context to a country outside the EU or the EEA and to which no adequacy decision of the European Commission exists, we safeguard an adequate level of data protection by entering into the EU standard contractual clauses with such affiliate. You may obtain these EU standard contractual clauses here.

4.2 Service Provider

We may also engage service providers (data processors) within (e.g. shared service centers) or outside the Merck Group (e.g. hosting providers, support service providers) to process personal data in accordance with our instructions. In these cases, we retain control over and remain fully responsible for your personal data. We will take all reasonable safeguards required by applicable law to ensure the integrity and security of your personal data when engaging such service providers and will, should these service providers process your personal data in a country outside the EU or the EEA, safeguard an adequate level of data protection by entering into the EU standard contractual clauses with such service provider. You may obtain these EU standard contractual clauses here.

4.3 Public Authorities

In certain cases, we are required by law to transfer data to a requesting public authority.

Upon submission of a court order, we may be obliged by national Copyright Acts to provide owners of copyright and ancillary copyrights with information about customers who are alleged to have infringed copyright laws. In these cases, we may be obliged to transfer your personal data, in particular your user ID of an IP address allocated at the time requested and, if known, your name and address.

In other respects, personal data will only be transferred to state institutions and public authorities within the framework of mandatory national legal provisions or if disclosure is necessary in the event of attacks on the network infrastructure for legal or criminal prosecution.

5. Your Data Protection Rights

You have or might have the following data protection rights:

  • Right of access: You have the right to obtain information on the processing of your personal data and to receive a copy of these data.
  • Right to rectification: You have the right to request that we correct or complete your inadequate, incomplete or inaccurate personal data.
  • Right to erasure: Under certain circumstances, you have the right to request that we delete your personal data.
  • Right to restriction of processing: Under certain requirements, you may request us to restrict the processing of your personal data.
  • Right to data portability: You might have the right to receive your personal data in a structured, common and machine-readable format and request that these data are transferred to another data controller, if applicable under the specific circumstances.
  • Right to object: You might have the right to object to the processing of your personal data by us, in particular if the processing of your personal data is based on (i) the necessity of the performance of a task in the public interest, or (ii) legitimate interests. We will then stop the processing of your personal data unless we remain legally authorized to do so.
  • Right to lodge a complaint with a supervisory authority: You might have the right to lodge a complaint with a supervisory authority against the processing of your personal data if you believe that the processing of your personal data violates data protection regulations.

5.1 Exercise your data protection rights

You may exercise your data protection rights by submitting a request in our Data Privacy Portal. We take our responsibility for the protection of your rights very seriously. Our privacy experts will examine your request and answer it as soon as possible.

Withdrawal of consent
In case you granted us your consent to process your personal data, you may withdraw this consent with effect for the future, depending on the specifications of the respective processing activity. We will then stop the processing of your personal data, unless we have a legal permission to do so. Please note that your withdrawal has effect for future processing operations only and does not make data processing operations, which we executed before such withdrawal, unlawful.

To withdraw your consent, you may send an email to service@merckgroup.com. If you withdraw your consent, you may no longer be able to use the services affected by the withdrawal. Apart from that, you will not suffer any further disadvantages.
If you do not specify your withdrawal to a specific processing operation, we will assume that you withdraw your consent regarding all processing of your personal data that is based on your consent.

This Data Privacy Statement is up-to-date and dates from August 2024. We reserve the right to amend the data privacy declaration at any time with effect for the future, in particular to adapt it to a further development of the website or the implementation of new technologies.