PeakData AG (“Peak Data”, “we”, “us” or “our”), are pleased about your visit to our website and your interest in our products and services. We take the protection of your personal data and their confidential treatment seriously.
Your personal data will be processed in accordance with the legal provisions of the data protection laws of Switzerland and the European Union, in particular the General Data Protection Regulation (hereinafter “GDPR”).
1. Who are we
PeakData AG is a company located in Switzerland. Our software platform connects healthcare practitioners, as well as other experts in all sorts of therapeutic areas with healthcare providers.
In regards to the processing of your data, PeakData can act as a Controller, a Joint-Controller, or a Processor. We are Controllers when fully in charge of all decisions related to the processing of personal data, e.g., our website Cookies.
When we process data for our partners, but also have a say in what to do with it, we are Joint-Controllers. Finally, when we process our partner’s data and merely abide by their demands, we are Processors.
Our address is:
CH – 6300 Zug
Our EU Registered Office is:
PeakData Netherlands B.V.
2. Data Protection Laws
Data protection laws regulate how organizations treat your personal data. Personal data is all information that directly identifies you as an individual (such as name, telephone number, e-mail, government issued ID, etc.) or information that can directly or indirectly identify you as a person (Information combined with other information to identify you, – e.g., IP address + GPS location).
3. What data do we collect about you?
3.1 When you visit our website:
The use of our website is generally possible without registration. However, even when you use our website for purely informational purposes, personal data may be collected and processed automatically. In this case we process cookies and tracking technologies.
3.1.1 Cookies and tracking
It is possible to instruct your browser to refuse all Cookies, or to indicate when a Cookie is being sent to your browser. You can also use the setting to allow only the strictly necessary Cookies, that way you can still use the website while maintaining tracking to a minimum. On the other hand, instead of using the browser settings, you can make all these choices by using our Cookie banner options.
If you provide us with personal data by e-mail, this is always done on a voluntary basis. In any case, this includes your name and e-mail address in order to send you an answer, as well as the other information that you send us in the context of your message. Your personal data will be processed by us to protect our legitimate interests. Legitimate interest can be our own interest or the interest of third parties. They can include commercial interests, individual interests or a broader societal benefit. In this case, we have the legitimate interest to answer your inquiries appropriately. Alternatively, if the request aims at the conclusion of a contract, our legal basis would be the performance of a contract.
3.2 When you use our services- PeakData Platform
If you decide to make use of our services, you must register on our respective platform. We collect the following data from our customers during the registration process:
First and last name
Profile picture (optional)
When logging in to our platform, we store the current IP address of the user and the last log-in.
The legal basis to process your data is the performance of a contract. The performance of a contract is when:
- We have a contract with you and we need to process your personal data to comply with the obligations under the contract.
- We have a contract with your employer and we need to process your personal data so that we can comply with specific counter-obligations under the contract (e.g., identifying login times, dates, and activity).
- We haven’t yet got a contract with you, but you have asked us to do something as a first step (e.g., provide a quote) and we need to process your personal data to do what you ask. This applies even if you don’t actually go on to enter into a contract with us, as long as the processing was in the context of a potential contract with you.
3.3 Healthcare professionals:
We collect personal data from publicly available sources, for example, social media or academic Journals. The legal basis for processing your data is legitimate interests. Legitimate interests can be our own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits. In this case, we have legitimate interests because we need to collect this information to connect healthcare providers and healthcare professionals.
The data that we may collect regarding healthcare professionals are:
- Name of Healthcare professional (including titles)
- Professional Contact details
- Professional Status (institution for which the healthcare professional is working/ed, working title, field of specialization)
- Research Papers published by the Healthcare professional and all information relevant to the publications
- Clinical trials associated with the Healthcare professional and all information relevant to the clinical trials
- Medical associations associated with the Healthcare professional
- Conferences and scientific events in which the Healthcare professional participated
- Grants and funding associated with the Healthcare professional
3.3.1 HCP Notification
PeakData enter into three types of agreements when gathering and sharing HCP data. Controller to Processor, Controller to Controller, and Joint Controller. The notification methods for these are outlined below.
It is the responsibility of our customers receiving the HCP information to notify any HCPs about the processing of their data within 30 days of receipt of any data from PeakData. We also request that data subjects are informed of information being shared with us by our customers, such as the HCP list, prior to the data being shared.
Controller to Controller
Where we act as an individual controller, PeakData do not collect any contact details relating to healthcare professionals since this is not required to perform our processing activity, and as such, PeakData do not reach out to any individuals.
PeakData falls under the Article 14(5) exemption of disproportionate effort.
It is the responsibility of our customers receiving the HCP information to notify any HCPs about the processing of their data within 30 days of receipt of any data from PeakData, related to any individuals they intend to contact.
Controller to Processor
In some cases, we may act as a data processor for our customers. This would be similar to the Joint Controller arrangement where we receive data from the customer for us to process, however, in this case, we would not process data for our own purposes, and so wouldn’t be considered a data controller.
Where we act as a data processor, it is the responsibility of the customer sharing data with us to provide the notification to data subjects detailing how their information is used and processed.
4. How do we share your personal data
We will give our customers (i.e., primarily diagnostics companies) access to the personal data concerning Healthcare Professionals collected from publicly available sources in order for them to discover potential customers, to contact the representatives in charge of (potential) customers and to keep track of (potential) customers.
We provide third parties access to your personal data, in particular, the following categories of recipients may be concerned:
our subcontractors, service providers (e.g., for technical infrastructure and maintenance of our website), in order for them to process data for us; we have a legitimate interest in disclosing your data to third parties.
platform customers; we have signed a contract with the user who needs to process personal data to perform the contract
domestic and foreign authorities or courts; we have a legal obligation to process personal data.
other parties in possible or pending legal proceedings; we have a legal obligation to process personal data.
5. Platform Analytics
For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.
Similar to Hotjar outlined above, we also use Heap to record user behaviour on our platform.
Heap offers a user behavioural analytics product and service. With the services of Heap, we are able to collect and analyse data about how our clients interact with our services, such as the technology used, locations accessed from, preferred functionality, and most visited pages. By collecting this data, we are able to find trends, improve our services and identify security and privacy improvements more quickly.
6. Transfer to Third Countries
PeakData has offices and customers worldwide. Certain recipients are located in Switzerland, or the European Union, however, others may be located outside the European Economic Area (EEA).
If we transfer personal data to a country without adequate data protection legislation (so-called “third countries”), we ensure an appropriate level of protection as legally required by way of using appropriate contracts (Standard Contractual Clauses) or we rely on the statutory exceptions of consent, performance of contracts, the establishment, exercise or enforcement of legal claims or published personal data (Binding Corporate Rules and Derogations).
For further information please contact firstname.lastname@example.org.
7. Storage Limitation
We process your personal data in line with our retention schedule, or until:
- We become aware that the stored personal data can no longer fulfil the purpose, for which they were collected (e.g., for the duration of your subscription to our newsletter or our business relationship);
- you revoke your consent;
- we become aware that the stored personal data are no longer correct because your data has changed; or
We assure to respect your revocation, deletion, and objection rights insofar as no longer processing or storage is required for the fulfilment of a contractual relationship with us or according to mandatory law provisions (e.g., within the scope of commercial and tax law retention obligations), in which case we will only delete your personal data after these obligations have expired.
For more information about how long we store your personal data, please contact email@example.com
8. Data Subject Rights
As a person affected by data processing, you have numerous rights at your disposal. In detail, the following rights are entitled to the extent that the legal requirements are met:
Right of access to your personal data: You have the right to receive information about the personal data we have stored about you. You have the right to receive information about this personal data and other information related to the processing.
Right to rectification: You can demand that we correct incorrect personal data and, if necessary, complete it.
Right to deletion: you can request the deletion of your personal data. However, the right to deletion does not apply, if the processing of personal data is necessary to fulfil a legal obligation.
Right to restrict data processing: you have the right to restrict the processing of your personal data or request deletion if your data is not accurate; has been unlawfully processed; it is no longer needed for achieving the purpose for which it was collected, or you consider that your right of privacy overrides the legitimate interest of PeakData.
Right to data portability: If you have provided us with personal data on the basis of a contract or consent, you may request that you receive the personal data provided by you in a structured, common, and machine-readable format or that we transfer it to another responsible party (e.g., a PDF file).
Right to object: You have the right to object to data processing by us at any time for reasons arising from your particular situation, provided that this is based on the legal basis “legitimate interest”. If you exercise your right of objection, we will stop processing your personal data unless we can prove that there are compelling reasons for further processing worthy of protection that outweigh your rights.
Right to revoke your consent: If you have given us consent to process your personal data, you can revoke this consent at any time with effect for the future. The lawfulness of the processing of your personal data until the revocation remains unaffected.
Right of complaint to the competent supervisory authority: You can also lodge a complaint with the competent supervisory authority if you believe that the processing of your personal data is contrary to the law. You can contact the data protection authority responsible for your place of residence or your country or the data protection authority responsible for us.
Please note, however, that we reserve the right to enforce statutory restrictions on our part, for example if we are obliged to retain or process certain personal data, have an overriding interest (insofar as we may invoke such interests) or need the personal data for asserting claims. If exercising certain rights will incur costs on you, we will notify you thereof in advance. Please further note that the exercise of these rights may be in conflict with your contractual obligations and this may result in consequences such as premature contract termination or involve costs. If this is the case, we will inform you in advance unless it has already been contractually agreed upon.
You have the right to object at any time to the processing of your personal data on the basis of Art. 6 para. 1 lit. f GDPR (data processing on the basis of a legitimate interest) or when we process data for direct marketing. This also applies to profiling based on this provision within the meaning of Art. 4 No. 4 GDPR.
If you object, we will no longer process your personal data, unless we can prove compelling and applicable reasons for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
Last update: 05.07.2022