Information Notice for Customers

Your rights and how we handle your data Information according to Art. 13 and 14 of the General Data Protection Regulation (GDPR)

This information notice aims to provide you with an overview of how we process your personal data, as well as your rights surrounding this. The particular data that is processed in detail and the way in which it is used depends largely on the services requested or agreed in each case. For this reason, not all sections of the information notice will be relevant to you.


1. Who is responsible for data processing?

Within the scope of the GDPR, the responsible party is:

Medios AG
Represented by member of the executive board Christoph Prußeit
Heidestraße 9 | 10557 Berlin, Germany
Phone: +49 30 232 566 800

Medios Manufaktur GmbH, represented by its Managing Director Annette Jörren
Medios Individual GmbH, represented by its Managing Director Susanne Wasserbäch
Medios Pharma GmbH, represented by its Managing Director Uwe Blechinger
Medios Digital GmbH, represented by its Managing Director Felix Schneider
Cranach Pharma GmbH, represented by its Managing Director Maik Wolf
Kölsche Blister GmbH, represented by its Managing Director Matthias Struck

Joint responsibility is governed by an agreement between the companies. The companies use the same database solution as part of their operations and have access to a common set of data where necessary. Each company is independently responsible for the lawful processing of personal data and for granting the rights of data subjects, including the provision of mandatory information. Where necessary, the companies will support each other in this respect.

You can contact our external data protection officer at:

Data Protection Officer, Medios AG
c/o activeMind AG

Management and Technology Consulting
Kurfürstendamm 56
10707 Berlin, Germany
Phone: +49 (0)30 / 770191070


2. Type of personal data collected

We process the following personal data that we receive from you as part of our business relationship:

  • Company name with legal form and address
  • Titles and names
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Area of activity or position
  • Health data


3. We process your data for the following purposes and on the following legal basis

We process personal data in accordance with the provisions set out in the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz—BDSG):

a) To fulfil contractual obligations (Art. 6(1)(b) GDPR)

Data is processed in order to take steps prior to entering a contract (e.g. creation of offers), as part of our contract and as part of supplementary contractual services (e.g. warranty notifications or manufacturer returns)

b) Due to legal requirements (Art. 6(1)(c) GDPR)

We are subject to various legal obligations which encompass data processing. These include, for example:

  • Fiscal control, reporting obligations and retention obligations
  • Obligations under the German Commercial Code (Handelsgesetzbuch—HGB) and the German Fiscal Code (Abgabenordnung—AO)
  • Obligations under the German Money Laundering Act (Geldwäschegesetz)
  • Fulfilment of requests and requirements from regulatory, law or court authorities

c) In the context of balancing interests (Art. 6(1)(f) GDPR)

If necessary, we process your data beyond the strict fulfillment of the contract to safeguard the legitimate interests of ourselves or of third parties. Examples of such cases include:

  • Measures to ensure building and plant safety (e.g. operation of surveillance cameras, access controls, locking systems)
  • The assertion of legal claims and defense in legal disputes
  • The processing of your data in our resource planning system


4. Who receives your data

 a) Within our company

Our employees, insofar as this is necessary to contact you and for the fulfillment of our contractual and legal obligations (including the fulfillment of pre-contractual measures).

b) In the context of order processing

Your data may be passed onto service providers that represent us as contract processors. These may be other companies within the Group and/or external service providers from the following areas:

  • Support or maintenance of computing or IT applications
  • Accounting
  • Data destruction


All service providers are contractually bound and in particular are obligated to treat your data confidentially.

c) Other recipients (third parties)

Data will only be passed onto recipients outside of our company where this is compliant with the applicable data protection regulations. Recipients of personal data can be, for example:

  • Public authorities and institutions (e.g. financial and law enforcement agencies) if there is a legal or regulatory obligation to do so
  • Credit and financial service providers (settlement of payment transactions)
  • Tax advisors, accountants, auditors or tax auditors (statutory audit mandate)
  • Lawyers
  • External data protection officers


5. Is data transferred to a third country or to an international organization?

Data will only be transferred to parties in countries outside of the European Economic Area (EEA) (referred to as third countries) when:

  • This is required by law (e.g. tax reporting obligations)
  • You have given us your consent
  • We have concluded an order processing contract with our service provider. In this case, your data will only be transmitted if either
    • The European Commission has decided that there is an adequate level of protection in the third country (Art. 45 GDPR) or
    • Appropriate guarantees are in place (standard safeguard clauses adopted by the EU Commission)
  • It is necessary for the fulfillment of the contract

Currently, your data is processed by service providers based outside the European Union and in countries outside the European Economic Area (EEA) on the basis that:

We have contractually agreed with our service providers that guarantees for data protection must always be put in place with their contractual partners, in compliance with the European standard for data protection. On request, we will provide you with a copy of these guarantees.


6. How long will your data be stored?

We process and store your personal data for as long as this is necessary to fulfill our contractual and legal obligations. If data is no longer required for the fulfillment of contractual or legal obligations, it will be deleted on a regular basis.

The following exceptions apply:

  • Where legal retention obligations must fulfilled, e.g. German Commercial Code (HGB) and German Fiscal Code (AO). The retention or documentation periods specified in this case are typically six to ten years.
  • For the preservation of evidence within the scope of statutory limitation periods. According to Section 195 et seq. of the German Civil Code (Bürgerlichen Gesetzbuch—BGB), these limitation periods can be up to 30 years, whereby the regular limitation period is 3 years.

If the data processing takes place on the basis of the legitimate interest of ourselves or a third party, the personal data will be deleted as soon as this interest is no longer applicable. The above exceptions also apply here.


7. What data protection rights do you have?

You have the right of access pursuant to Article 15 GDPR, the right to rectification pursuant to Article 16 GDPR, the right to erasure pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object under Article 21 GDPR and the right to data portability under Article 20 GDPR.

Restrictions may apply for the right of access and the right to erasure in accordance with sections 34 and 35 of the German Federal Data Protection Act.

In addition, there is a right to lodge a complaint with a supervisory authority (Article 77 GDPR in conjunction with Section 19 of the German Federal Data Protection Act. A list of supervisory authorities (for the non-public sector) with addresses can be found at:


8. Is there an obligation for you to provide data?

Within the scope of the contractual relationship, you must provide personal data that is necessary for the commencement, performance and termination of the contractual relationship and for the fulfillment of the associated contractual obligations, as well as any data that we are legally obligated to collect. Without this information, it will generally be impossible for us to enter into or carry out a contract with you.

Information about your right to object pursuant to Article 21 of the General Data Protection Regulation (GDPR)

Right to object on a case-by-case basis

At any time, you have the right to object to the processing of your personal data, which is carried out on the basis of Article 6(1)(f) GDPR (data processing based on a balance of interests), for reasons that arise from your individual circumstances.

If you object, we will no longer process your personal data unless we can demonstrate compelling, legitimate grounds for the processing of this data that override your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.


Sending an objection

If you would like to exercise your right to object, simply send an email to: