Data Protection Declaration

Status: 22 October 2020

1. General Information

a) Controller

The controller within the meaning of the General Data Protection Regulation (hereinafter "GDPR") is Gilead Sciences GmbH, Fraunhoferstrasse 17, 82152 Martinsried / Munich, Germany (hereinafter "Gilead Sciences GmbH" or "we").

b) The competent supervisory authority for Gilead Sciences GmbH is:

Bayerisches Landesamt für Datenschutzaufsicht, Postfach 606, 91511 Ansbach, Germany

Phone: +49 981 53 1300, Fax: +49 981 53 98 1300, email: [email protected]

c) Definitions

The data protection declaration of Gilead Sciences GmbH is based on the terms used by the European Legislative and Regulation Authority when the GDPR was issued.

We use the following terms, among others, in this data protection declaration:

aa) Personal data

Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

bb) Data subject

Data subject means any identified or identifiable natural person whose personal data are processed by the controller.

cc) Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

dd) Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

ee) Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

ff) Controller or data controller

Controller or data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

gg) Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

hh) Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

ii) Third party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

jj) Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Collection and use of personal data and your other use of our website

a) If we evaluate your usage behaviour on our website without your express consent, we use your data exclusively in anonymised or pseudonymised form. Please refer to Section 3 of this data protection declaration for details.

b) We work together with service providers who process certain data as processors. This is done exclusively in accordance with the applicable data protection law. In particular, we have concluded agreements with our service providers on commissioned data processing, which in particular meet the requirements of Articles 28 and 29 GDPR. Through careful selection and regular checks, we ensure that our service providers take all organisational and technical measures necessary to protect your data.

3. Automatic collection, processing and use of data during your visit to our website

a) Data collection when visiting our website

When you visit our website, our web server temporarily records the domain name or the IP address of the requesting computer as well as date and time of access, the file request of the client (file name and URL), the HTTP response code and the website from which you are visiting us, as well as the number of bytes transferred during the connection and, if applicable, further technical information which we use and statistically evaluate for the technical processing of the use of the website (delivery of the contents, guarantee of the functionality and security of the website, defence against cyber-attacks and other abuses).

The temporary storage of the above-mentioned information for the duration of the session by the system is necessary to enable the website to be delivered to your computer.

Some of this data is also stored in the log files of our system. This is done to ensure the functionality of the website and to optimise the website and ensure the security of our IT systems. The log files are deleted after 26 days at the latest.

This processing and storage is carried out to protect our legitimate interest in making our website as user-friendly, secure and attractive as possible (legal basis: Art. 6(1) lit. (f) GDPR).

For this purpose we also use cookies as described in the following Sections.

b) Use of cookies and analysis services

Among other things, we use cookies to process your data. Cookies are files that are stored on the hard disk of your computer and that our server accesses when you visit our website. Such cookies may also be accessed by the analysis services mentioned in Section 3c), which analyse the use of our website on our behalf.

When accessing our website, every user is informed about the use of cookies and analysis services (Sections 3b) and 3c)).

Technically required cookies are always active and cannot be deactivated. These cookies are necessary for the functioning of our website and cannot be deactivated in our systems. The legal basis for this processing is Art. 6(1) lit. (f) GDPR. As a rule, these cookies are only set in response to actions you take which correspond to a service request, such as defining your data protection settings, logging in or filling out forms. You can set your browser to block these cookies or to notify you about these cookies. However, some areas of the website may then not function.

With your consent, we may also use the data mentioned in Section 3a) to draw conclusions about your interests from your usage behaviour and to adapt the offer of our website to your interests, to make our website as user-friendly, secure and attractive as possible and to promote the sale of our products and services (profiling).

However, profiling is only carried out in each case on the basis of your consent (legal basis: Art. 6(1) lit. (a) GDPR).

We also use cookies and analysis services. We use cookies that are not technically necessary only if you have given us your consent in our cookie manager (legal basis: Art. 6(1) lit. (a) GDPR).

Our cookie manager explains which cookies we use for which purposes, how long these cookies are stored and which options you have in this context. You can find it here: [link]. You can use our cookie manager to individually select which processing you want to allow and change this selection at any time using our cookie manager.

You can also prevent or restrict the storage of cookies on your hard drive by setting your browser to refuse cookies or, if desired, to ask you whether you agree to cookies before they are stored. Once cookies have been set, you can delete them at any time. Please refer to the operating instructions of your browser to see how this works. If you do not accept cookies, this can lead to restrictions in the use of our service.

c) Use of Google Analytics

If you have given your consent, our website uses Google Analytics, a web analysis service of Google LLC. The responsible service provider is Google Ireland Limited with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Google Analytics uses so-called "cookies", text files which are stored on your computer and which enable an analysis of your use of the website (see Section 3b)). The information generated by the cookie about your use of this website, such as pages visited and

  • browser type / version,
  • operating system used,
  • referrer URL (the previously visited page),
  • host name of the accessing computer (IP address),
  • time of the server request,

are usually transferred to a Google server and stored there.

It is possible that data processing may also take place in so-called third countries outside the European Economic Area, in particular through Google LLC in the USA. You should be aware that in such third countries not only the recipients may process and use your data in a way or for further purposes that would not be permitted under European law, but also that public authorities may be able to access this data to a greater extent than would be permitted in the European Economic Area. Such third countries may not have supervisory authorities and/or data processing principles and/or you may not be able to exercise the legal data protection rights described in this notice in such third countries.

On this website, Google Analytics has therefore been extended by the code "gat._anonymizeIp();" in order to ensure anonymous recording of IP addresses (so-called IP masking). This shortens the IP address of Google users within member states of the European Union or in other states which are party to the Agreement on the European Economic Area.

Only in exceptional cases is the full IP address transferred to a Google server in the United States and shortened there. The IP address transmitted by your browser within the scope of Google Analytics is not merged with other data from Google. Google has joined the Privacy Shield.

By means of an identification, for example when logging in to Google services, the above-mentioned data can also be recorded and used across devices. In this way it is possible to record that you begin your visit to us on a PC and continue it on a mobile device, and the data from both devices can be linked. We have not activated the user ID setting and therefore do not collect this data.

On the basis of this information, Google evaluates your use of the website in order to compile reports on website activities. The reports provided by Google Analytics serve to analyse the performance of our website and the success of our marketing campaigns.

The deletion of the Analytics data is set to 26 months. This time is due to our interest in being able to make comparisons with statistical data over time. Data whose retention period has been reached is automatically deleted once a month.

Deactivation Add-On: You can prevent the storage of cookies by not giving your consent to the setting of cookies or by adjusting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent. You can also prevent Google from collecting the data generated by the cookie and related to your use of the website (including your IP address) and from processing this data by downloading and installing the browser plugin available under the following link:

http://tools.google.com/dlpage/gaoptout?hl=de

In our website, which is optimised for mobile browsers, we have provided a special switch-off option.

Further information on data protection in connection with Google Analytics can be found in the Google Analytics help (https://support.google.com/analytics/answer/6004245?hl=de).

The recipient of the data is Google. We have concluded an order processing agreement with Google for this purpose. Google LLC, based in California, USA, and, where applicable, US authorities may access the data stored by Google.

Legal basis and withdrawal option
The legal basis for this data processing is your consent, Art. 6(1) sentence 1 lit. (a) GDPR. You can withdraw your consent at any time with effect for the future by calling up the cookie settings and changing your selection there.

Further information on the terms of use of Google Analytics and on data protection at Google can be found at: https://marketingplatform.google.com/about/analytics/terms/gb/ or at https://policies.google.com/?hl=en

4. Right of access - your rights as a user

You can request information from us at any time and free of charge about your personal data stored by us. In addition, you are entitled to assert the rights of data subjects provided for by law and to demand the rectification, blocking or erasure of your personal data, with the exception of those personal data which are required by us for billing purposes or for which a statutory retention period applies.

Please send your request by email to: [email protected]

or to:

Gilead Sciences GmbH
Fraunhoferstrasse 17
82152 Martinsried / Munich
Germany

You can download this data protection declaration of Gilead Sciences GmbH as a PDF file here.

5. Legal rights of the data subject

a) Right of confirmation

Any data subject shall have the right granted by the European legislator to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact our controller or any employee of the controller.

b) Right of access

Any data subject shall have the right granted by the European legislator to obtain from the controller free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European legislator has granted the data subject access to the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
  • the existence of the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

The data subject also has the right to know whether personal data have been transferred to a third country or to an international organisation. If this is the case, the data subject also has the right to be informed of the appropriate safeguards relating to the transfer.

If a data subject wishes to exercise this right of access, he or she may, at any time, contact our controller or any employee of the controller.

c) Right to rectification

Any data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If a data subject wishes to exercise this right to rectification, he or she may, at any time, contact our controller or any other employee of the data controller.

d) Right of erasure (right to be forgotten)

Any data subject shall have the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him/her without undue delay, where one of the following grounds applies, as long as the processing is not necessary:

  • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • The data subject withdraws consent on which the processing is based according to lit. (a) of Article 6(1) GDPR, or lit. (a) of Article 9(2) GDPR, and where there is no other legal ground for the processing.
  • The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.
  • The personal data have been unlawfully processed.
  • The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  • The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by Gilead Sciences GmbH, he or she may, at any time, use the contact details given in Section 4.

Where Gilead Sciences GmbH has made personal data public and our company, as the controller, is obliged pursuant to Article 17(1) to erase the personal data, Gilead Sciences GmbH, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required.

e) Right to restriction of processing

Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies:

  • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
  • The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
  • The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
  • The data subject has objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of the processing of personal data stored by Gilead Sciences GmbH, he or she may at any time use the contact details provided in Section 4.

f) Right to object

Each data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, which is based on lit. (e) or (f) of Article 6(1) GDPR.

Gilead Sciences GmbH shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Where the personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Where personal data are processed by Gilead Sciences GmbH for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, the data subject, on grounds relating to his or her particular situation, shall also have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

In order to exercise the right to object, the data subject may use the contact details provided in Section 4.

h) Right to withdraw data protection related consent

Each data subject shall have the right granted by the European legislator to withdraw his or her consent to processing of his or her personal data at any time.

If the data subject wishes to exercise the right to withdraw the consent, he or she may, at any time, use the contact details provided in Section 4.

6. Legal basis for the processing

Art. 6(1) lit. (a) GDPR serves Gilead Sciences GmbH as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, when processing operations are necessary for the supply of goods or to provide any other service, the processing is based on Article 6(1) lit. (b) GDPR. The same applies to such processing operations which are necessary for carrying out pre-contractual measures. If Gilead Sciences GmbH is subject to a legal obligation by which processing of personal data is required, such as for the fulfilment of tax obligations, the processing is based on Art. 6(1) lit. (c) GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. Then the processing would be based on Art. 6(1) lit. (d) GDPR. Finally, processing operations could be based on Article 6(1) lit. (f) GDPR. This legal basis is used for processing operations which are not covered by any of the abovementioned legal grounds, if processing is necessary for the purposes of legitimate interests pursued by Gilead Sciences GmbH or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. Such processing operations are particularly permissible because they have been specifically mentioned by the European legislator. It considered that a legitimate interest could be assumed if the data subject is a client of the controller (Recital 47 Sentence 2 GDPR).

7. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, such as the authority referred to in Section 1b of this data protection declaration or the regulatory authority of your place of residence or employment.

8. The period for which the personal data will be stored

The personal data of the data subject will be erased or blocked as soon as the purpose of the storage no longer applies. Storage may also take place if this is provided for by law. Blocking or erasure of the data is also carried out when a legally prescribed storage period expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

This data protection declaration has been prepared in part based on sample texts from DGD Deutsche Gesellschaft für Datenschutz GmbH, RC GmbH and WBS-LAW.