Privacy Statement
AmerisourceBergen Global Manufacturer Services GmbH (“AB Swiss Co”) is committed to protecting and respecting your privacy. This Privacy Statement (together with our Cookie Policy) will explain how AB Swiss Co uses the personal data we collect from/of individuals who are granted access (hereafter “Authorized Users”) to our web-based CERTIO® platform (“Certio”). Please read the following carefully and completely before using Certio.
The terms “we”, “us”, and “our” refers to AB Swiss Co, and the terms “you” and “yours” refer to you, as an Authorized User of Certio. AB Swiss Co is the so-called controller, i.e. it determines the purposes and means of the processing of personal data. Inquiries related to data protection in reference to our activities may be sent to our global Privacy Office at the address listed at the bottom of this Privacy Statement.
Types of Users
This Privacy Statement applies to the following categories of Authorized Users:
1. Customers. This category includes users who interact with Certio in their category as purchasers of products or services from AB Swiss Co.
2. Prospective Customers. This category includes users who interact with Certio for a demonstration of its capabilities in the event they may choose to purchase products or services from AB Swiss Co.
3. Employees. This category includes users who interact with Certio in connection with their role as employees or contractors of AB Swiss Co. or its affiliates.
Certio is not made available to the public nor to children.
Collection and Use of Your Information.
The amount and type of information we collect depends on how you use Certio. AB Swiss Co may collect information about you in various ways or from various sources, including (a) information you provide directly to us, (b) information we collect about you when you log into Certio or use our services, and (c) information we received from other sources. Any or all of these types of information may include “Personal Data,” which means any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Information We Collect Directly From You
We may collect information directly from you when you: complete the Certio User Request Form, log on to Certio, utilize our “Contact Certio Support” link in the Certio site map, contact “Support” via a root menu item, choose to use our services, or participate in programs or otherwise provide information directly to us. Additionally, in our “User Request Form” which you submitted in order to access Certio, you provided us the following information: (1) date of request, (2) your Company name, (3) your full name (first and last name), (4) your address and country and state of residence, (5) your email address, (6) whether you are a new user or requesting termination as a user, (7) your role title, and (8) your functional area.
In addition to any items listed in our Cookie Policy and our Certio User Request Form, we will collect data in connection with the use of our website. This includes, for example, the following data:
1. the remote address or IP address of the end device and device ID;
2. information about your device, the operating system of your end device or language settings;
3. the client app and HTTP User Agent (i.e. Browser used to access our website)
4. the HTTP Referrer that directed you to our website;
5. information about your internet provider;
6. accessed content or protocols in which the use of our systems is recorded;
7. date and time of access to the website and your approximate location; and
8. details of the content and files accessed in the user account
This data is collected by using an automated logging process that examines and stores generic non-personal information on each Authorized User’s Client/browser the Authorized User is using. This allows us to determine the number of site visitors, browser versions, etc.
We may use the Personal Data that we collect directly from you to fulfill our obligations arising from contracts entered into between your Company (your employer or company for which you are considered part of the workforce personnel) and us and providing you and your Company with information, product, and services that the Company requested:
1. to ensure security of Certio;
2. to create and manage your user account;
3. to develop and provide data support services that we offer;
4. to send you service-related communications;
5. to trouble-shoot issues you may experience when using Certio;
6. to coordinate with our vendor(s), to further troubleshoot and resolve any issues you may experience when using Certio;
7. to coordinate with our affiliates from whom we source certain data feed elements used in Certio; and/or
8. to coordinate with our affiliates to further troubleshoot and resolve issues you may experience while using Certio.
Information We Receive From Other Sources
We work closely with third parties (for example, our affiliates, customers, business partners, sub-contractors/vendors in technical and delivery services, and other contractors or consultants), and we may receive information about you from them. For example, our customers who have contracted for access to Certio will provide us information about you if they choose to designate you as one of their authorized representatives for accessing Certio. Please be advised that any information provided to us by a third party may also be subject to that third party’s privacy statement/policy. We may use Personal Data we receive from other sources, in combination with information we collect either directly from you or about you, for the same purposes as we use the information we collect either directly from you or about you.
Legal Basis Under EU General Data Protection Regulation for Processing Personal Data of EU Residents
Where you have consented to data processing, your consent provides the legal basis to process your Personal Data (defined above). You have the right to withdraw consent at any time. Please note that your withdrawal of consent to collect and process your Personal Data will not affect the lawfulness of processing your Personal Data based on your consent before you withdrew your consent. We may also process your Personal Data on the basis of contractual necessity to perform a contract we have with you. We may also process your Personal Data on the basis of our legitimate interests, including in providing and improving our services. For example, AB Swiss Co has a legitimate interest in understanding your login history so we can assess your interaction with our services. We also have a legitimate interest in providing and developing interesting features to provide our Authorized Users. Where we rely on legitimate interests to process your Personal Data, you have the right to object to such processing (meaning you can ask us to stop). You can use your browser privacy settings to control certain ways in which we process your Personal Data, but doing so can impact your user experience. For example, we use cookies during the authentication process to access Certio, and if you clear or refuse use of cookies, then we cannot authenticate you as an Authorized User. If you clear cookies, then you would need to agree to the use of cookies again in order to access Certio. If you refuse the use of certain cookies, you will no longer be able to access Certio, and your company may need to replace you with another Authorized User. You can also contact us, using the details provided in this Privacy Statement, to object to other forms of processing.
Direct Marketing
We may use information we collect to directly market AB Swiss Co services and products to you in your capacity as a customer unless:
1. You have opted out of this use of your Personal Information in accordance with this Privacy Statement; or
2. AB Swiss Co has reason to know that you are in the European Union and have not opted into this use of your Personal Information.
Sharing Your Information
Sharing Information with AB Swiss Co Affiliates – AB Swiss Co may share information (including Personal Data) with AB Swiss Co affiliates for the same purposes and under the same legal justifications, as applicable, that are described for AB Swiss Co under this Privacy Statement.
Sharing Information with Service Providers – We may share information (including Personal Data) either that we collect directly from you or that we collect about you with certain third-party service providers to perform a variety of services on our behalf. These service providers include business partners, suppliers, vendors, and sub-contractors for the performance of any contract we enter into with them or you, or for assisting us in the administration and improvement of Certio. Please note that we provide our service providers with only that Personal Data which is necessary for them to perform services for us and contractually restrict with use to those purposes. There also may be instances where AB Swiss Co may share information (including Personal Data) with third parties who have not been retained by us (directly or indirectly). For example, we may make such a disclosure: as required by applicable law, court order or governmental regulation; if such disclosure is otherwise necessary in support of any criminal or other legal investigation here or abroad; in order to enforce or apply our User Terms and Conditions or other agreements; or to protect the rights, property or safety of AB Swiss Co or our customers. Information we collect (including Personal Data) also may be transferred to a third party in the event that AB Swiss Co or part of it is sold, assigned, or transferred, or is part of the process of considering such a transaction, in which case we will use reasonable endeavors to ensure the actual or proposed buyer, assignee, or transferee treats your information in accordance with this Privacy Statement.
Updating and Accessing Your Information
We encourage you to update the information that you provide to us, such as providing us with a new mailing or email address (or other changes in your information submitted on the User Access Form). This will help us to continue to provide information to you that best meets your needs. In addition, AB Swiss Co complies with laws and regulations applicable to certain rights that permit access or amendments to data in our files, including the Swiss Federal Data Protection Act. You may have rights to access, correct, delete, or transfer your information. If you are a data subject under the GDPR, or you are covered by Switzerland’s data protection laws, you may be entitled to rights such as:
1. Rights of access – the ability to request that AB Swiss Co provide copies of your personal data.
2. Right to rectification – the right to request that AB Swiss Co correct any personal data you believe is inaccurate or incomplete.
3. Right to erasure (“right to be forgotten”) – the right to request that AB Swiss Co erase your personal data, under certain conditions.
4. Right to restrict processing – the right to request that AB Swiss Co to restrict the processing of your personal data, under certain conditions.
5. Right to object to processing – the right to object to AB Swiss Co’s processing of your personal data, under certain conditions.
6. Right to data portability – the right to request that AB Swiss Co transfer the personal data that we have collected to another organization, or directly to you, under certain conditions.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact our Office of Privacy, privacy@cencora.com.
Lodging a Complaint
Depending on the jurisdiction in which you live, if you believe that we are not processing your Personal Data in accordance with the requirements set forth in this Privacy Statement or applicable data protection laws, you may have a right to lodge a complaint with a supervisory authority regarding this Privacy Statement.
Data Transfer
You acknowledge that the Internet is a global environment and your use of internet data can involve the collection, processing and transmission of data on an international basis. You further acknowledge that AB Swiss Co is located solely within Switzerland and it collects and stores data in Switzerland. Further, we may share your information with third parties and AB Swiss Co affiliates, which may be located in, or use technology, equipment, products, and services located in, countries different from that in which your information is located or stored. These may be located outside the European Economic Area (EEA) and Switzerland (especially in the USA), but also in other regions and countries worldwide, e.g. India and the United Kingdom. For example, we may transmit data to authorities and other persons abroad if we are legally obliged to do so or, for example, in the context of a company sale or legal proceedings. Not all these countries currently guarantee an adequate level of data protection according to the standards of Swiss law. We therefore take contractual precautions to contractually compensate for the lower level of legal protection, especially with the standard contractual clauses issued by the European Commission and recognized by the Swiss Data Protection and Information Commissioner (FDPIC). For more information and a copy of these clauses, please visit www.edoeb.admin.ch/edoeb/en/home/data-protection/handel-und-wirtschaft/transborder-data-flows.html.
How long do we process personal data?
We store and process your personal data as long as it is necessary for the purpose of the processing (in the case of contracts, usually for the duration of the contractual relationship), as long as we have a legitimate interest in storing it (e.g. to enforce legal claims, for archiving and or to ensure IT security) and as long as the data is subject to a legal retention obligation (for example, for certain data, a ten-year retention period applies). If there are no legal or contractual obligations to the contrary, we will destroy or anonymise your data after the storage or processing period has expired within our normal processes.
Security of Your Information
We use appropriate technical, administrative and physical safeguards to protect data that pertains to you from loss, misuse or alteration. You acknowledge and agree that no organization can guarantee absolute security of Personal Data, and any transmission of Personal Data is at your own risk. Although AB Swiss Co makes a genuine effort to ensure the security of information and transactions conducted on Certio, it cannot and does not guarantee the communications and transactions conducted on Certio will be secure. You acknowledge this and that system failures may limit your ability to use Certio services. You agree to assume all risk and liability arising from your use of Certio and AB Swiss Co’s services accessed via Certio, including the risk posed by any breach in the security of communications and transactions you conduct in or via Certio.
You have previously agreed to our User Terms and Conditions which further govern the security of your log-in credentials and your responsibilities with respect to the same.
Modifications and Updates to this Privacy Statement
This Privacy Statement becomes effective as of February 1, 2024. AB Swiss co may update and modify this Privacy Statement at any time and from time-to-time, and such updates and modifications will be effective immediately upon posting the updated or modified Privacy Statement. You agree to review this Privacy Statement periodically to be aware of such updates and modifications and your continued access or use of Certio after any updates or modifications will be deemed your conclusive acceptance of the updated or modified Privacy Statement.
Cookie Policy
Our Cookie Policy which was provided to you at the same time as this Privacy Statement explains what cookies are, how we use cookies, and what types of cookies we use. Although you are not required to accept cookies or provide AB Swiss Co information when you visit Certio, if you set your browser to reject cookies (or decide not to provide AB Swiss Co with certain information) then you will not be able to access and use Certio.
California Supplement
The following California Supplement (“Supplement”) sets forth the privacy policies and practices of AB Swiss Co as they relate to the collection, use, and disclosure of information in connection with/within Certio. This Supplement amends our privacy statement (above) and applies solely to Authorized Users who reside in the states of California or Nevada (“Californians” and “Nevadans”, respectively) and is adopted pursuant to the California Consumer Privacy Act (“CCPA”) and NRS § 603A.
Information We Collect, Disclose, or Sell:
AB Swiss Co does not sell and has not sold in the last twelve (12) months any Personal Information, Device Information, or Other Information to any third party. AB Swiss Co has collected or disclosed for a business purpose the following categories of Personal Information, Device Information, or Other Information from Californians or Nevadans in the past twelve (12) months:
1. A. Identifiers – a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
Collected: Yes
Disclosed: Yes
2. B. Personal Information categories listed in the California Customer Records Statute (Cal. Civ. Code § 1798.80(e)) – A name, signature, Social Security number, physical characteristic or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education status, employment status, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Information in this category may overlap with other categories.
Collected: Yes
Disclosed: Yes
1. C. Protected classification characteristics under California or US federal law – Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy, childbirth and related medical conditions), sexual orientation, veteran or military status, or genetic information (including familial genetic information).
Collected: No
Disclosed: No
2. D. Commercial Information – Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Collected: Yes
Disclosed: Yes
3. E. Biometric Information – genetic, physiological, behavioral characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, face prints, and voiceprints, iris or retina scans, keystroke, gain, or other physical patterns and sleep, health or exercise data.
Collected: No
Disclosed: No
4. F. Internet or other similar network activity – browsing history, search history, or information on a Californian’s or Nevadan’s interaction with a website, application, or advertisement.
Collected: Yes
Disclosed: Yes
5. G. Geolocation Data – physical location or movements.
Collected: Yes
Disclosed: Yes
6. H. Sensory data – audio, electronic, visual, thermal, olfactory, or similar information.
Collected: No
Disclosed: No
7. I. Professional or employment-related information – current or past job history or performance evaluations.
Collected: Yes
Disclosed: Yes
8. J. Non-public education information (USC §1232g, 34 CFR Part 99) – education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
Collected: No
Disclosed: No
9. K. Inferences drawn from other Personal Information – profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Collected: No
Disclosed: No
Californians’ and Nevadans’ Rights and Choices - You have the right to request that AB Swiss Co disclose certain information to you about our collection and use of your information over the past twelve (12) months. Once we receive and confirm your verifiable request (see Exercising Californian or Nevadan Access, Data Portability, and Deletion Rights), we will disclose to you any of the following data that were designated in the verifiable request:
1. The categories of Personal Information we collected about you.
2. The categories of sources for the Personal Information we collected about you.
3. Our business or commercial purpose for collecting any Personal Information.
4. The categories of third parties with whom we share Personal Information.
5. The specific pieces of Personal Information we collected about you.
6. If we disclosed your Personal Information for a business purpose, a list describing our: disclosures for a business purpose, identifying the categories of Personal Information that each category of recipient obtained.
Californians’ and Nevadans’ Deletion Request Rights - You have the right to request that AB Swiss Co delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
1. Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
3. Debug products to identify and repair errors that impair existing intended functionality.
4. Exercise free speech, ensure the right of another Californian or Nevadan to exercise their free speech rights, or exercise another right provided for by applicable law.
5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
7. Enable solely internal uses that we reasonably believe would be aligned with your expectations based on your relationship with us.
8. Comply with a legal obligation.
9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Exercising Californian or Nevadan Access, Data Portability, and Deletion Rights - To exercise the Californian or Nevadan access, data portability, and deletion rights described above, please submit a verifiable request to us as described under CONTACT INFORMATION below. Only a Californian or Nevadan, or a person registered with the California or Nevada Secretary of State that a Californian or Nevadan has authorized to act on his or her behalf, may make a verifiable request related to his or her Personal Information. Parents of Californians or Nevadans may also make verifiable requests on behalf of their minor children (although, as noted above, we do not offer our services, or access to Certio, to minors). You may make a verifiable request for access or data portability only twice within a twelve (12) month period. The verifiable request must:
1. Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
2. Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable request does not require you to create an account with us, but we may treat requests made through your password-protected account as sufficiently verified when the request relates to Personal Information associated with your specific account. We will use Personal Information provided in a verifiable request only to verify the requestor’s identity or authority to make the request.
Verifiable Request Response Timing and Format - We endeavor to respond to a verifiable request within forty-five (45) days of its receipt. If we require more time (up to either forty-five (45) or ninety (90) days, depending on complexity), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will cover only the twelve (12) month period preceding the verifiable request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Non-Discrimination - We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
1. Deny you goods or services.
2. Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
3. Provide you a different level or quality of goods or services.
4. Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Other California Privacy Rights - California’s “Shine the Light” law (Cal. Civ. Code § 1798.83) permits users that are residents of California to request certain information regarding our disclosures of Personal Information to third parties for such third parties’ direct marketing purposes. Please email or write to us as provided below to submit your request.
Global Privacy - Contact Information - If you have any questions about this Privacy Statement or the use of your Personal Information, please contact us by sending an email to privacy@cencora.com, calling us at 1-800-829-3132, or writing to the following address:
Cencora Corporation
Corporate Headquarters
227 Washington Street
Conshohocken, PA 19428
Attention: Chief Privacy Officer
privacy@cencora.com
© Copyright AmerisourceBergen Global Manufacturer Services GmbH – February 2024