IDEOGEN Group GmbH Version 2.0 | March 2026
Applies to: www.ideogen.com, IDEOGEN Partner Platform, all IDEOGEN Group GmbH digital touchpoints and services
IDEOGEN Group GmbH ("IDEOGEN," "we," "us") is committed to respecting and upholding the rights of individuals with respect to their personal data. This procedure explains how you can exercise your rights as a data subject under:
This procedure covers data subject requests (DSRs) submitted in relation to all personal data processed by IDEOGEN Group GmbH as data controller. Where an IDEOGEN Group subsidiary (see Privacy Policy Section 6.1) acts as an independent controller in respect of your data, you should direct your request to that entity directly; we will however assist in routing your request where technically feasible.
You may submit a data subject request to IDEOGEN through any of the following channels:
Subject line: "Data Subject Request — [Type of Request]" (e.g., "Data Subject Request — Access Request")
Data Protection Officer IDEOGEN Group GmbH Hurdnerstrasse 119 CH-8640 Hurden SZ Switzerland
Please mark the envelope: "CONFIDENTIAL — Data Subject Request"
A dedicated data subject request form is available at www.ideogen.com/privacy/dsr-request (implemented as part of the website relaunch). The form guides you through the type of request, identity verification, and the scope of your request.
To enable us to locate your personal data and respond efficiently, please provide:
You do not need to quote specific legal provisions or formal language. A plain-language description of what you want is sufficient.
The following is a plain-language explanation of each right available to you under GDPR and/or Swiss nFADP.
What it means: You can ask us to confirm whether we hold any personal data about you, and if so, to provide you with a copy of that data along with information about how we use it, how long we keep it, who we share it with, and where it came from.
What you receive: A copy of the data we hold about you, presented in a clear and intelligible format, together with the information described in .
What it means: You can ask us to correct personal data that is inaccurate or to complete data that is incomplete.
Examples: Updating your business contact details on the Partner Platform; correcting a spelling error in your name; adding a missing organisation affiliation.
What it means: You can ask us to delete your personal data. This right applies in certain circumstances, including where the data is no longer needed, where you withdraw consent and there is no other legal basis, or where you object to processing and there are no overriding legitimate grounds.
Limitations: This right does not apply where we are required by law to retain the data (e.g., pharmacovigilance records, commercial/accounting records), or where the data is needed for the establishment, exercise, or defence of legal claims. See Section 7 for full limitations.
What it means: You can ask us to "freeze" how we use your personal data in certain situations — for example, while you contest the accuracy of the data, while we assess your objection, or while you need data that would otherwise be deleted for a legal claim.
Effect: We will continue to store the data but will not process it further (beyond storage) unless you consent, or processing is needed for legal claims or the protection of another person's rights.
What it means: Where we process your personal data on the basis of your consent or a contract, and the processing is carried out by automated means, you can ask us to provide your data in a structured, commonly used, machine-readable format (e.g., JSON, CSV). You can also request that we transmit it directly to another controller where technically feasible.
Scope: This right applies, for example, to your Partner Platform account data or marketing subscription preferences, but not to data processed on the basis of legal obligation (e.g., PV data).
What it means: You can object to our processing of your personal data in two situations:
What it means: Where we rely on your consent to process your personal data (e.g., for marketing communications, analytics cookies), you can withdraw that consent at any time.
Effect: Withdrawal does not affect the lawfulness of processing that took place before withdrawal. Once withdrawn, we will stop the relevant processing.
How: Unsubscribe link in marketing emails; cookie settings link on the website; or contact [email protected].
What it means: You have the right not to be subject to decisions made solely by automated means — without any human involvement — where such decisions produce legal or similarly significant effects.
IDEOGEN does not currently carry out such automated decision-making. See Privacy Policy Section 10 for details.
What it means: If you are not satisfied with how we have handled your request or your personal data generally, you have the right to lodge a complaint with the relevant supervisory authority. See Section 8.
To protect your personal data from unauthorised disclosure, we are required to verify your identity before fulfilling a request. The measures we take are proportionate to the nature and sensitivity of the data involved.
For most requests (e.g., access to contact form submissions, marketing preferences), we will ask you to verify your identity by:
Where a request relates to sensitive personal data (such as health data from a pharmacovigilance report or Partner Platform financial records), we will apply enhanced verification, which may include:
We will not ask you for more information than is necessary to establish your identity.
If you are acting on behalf of another individual (e.g., as a legal guardian or authorised representative), you must provide:
If we are unable to verify your identity after reasonable efforts, we may decline to fulfil the request, and will inform you of this in writing, including information about your right to complain to the supervisory authority.
We will respond to your request without undue delay and in any event within:
The 30-day clock starts from the day we receive your request or, if identity verification is required, the day we receive sufficient information to verify your identity.
Where requests are complex or numerous, we may extend the response period by a further 60 calendar days ( — for a total maximum of 90 calendar days.
If we need to extend the period, we will inform you in writing within the initial 30-day window, explaining the reasons for the extension and the expected response date.
Upon receipt of a request, we will send an acknowledgement within 5 business days, confirming receipt, providing a reference number, and confirming any identity verification steps required.
The timeframe is suspended while we await identity verification information from you. We will notify you promptly when the clock has been suspended and when it resumes.
Responses will ordinarily be provided in electronic format (by email or through a secure download link), unless you specifically request a paper response.
Where we provide a copy of personal data (e.g., in response to an access request), we will use a clear, commonly used format (e.g., PDF, structured JSON, or tabular format as appropriate).
Responses will be provided in English unless you request a response in another language in which IDEOGEN operates (French, German, or Italian), in which case we will endeavour to accommodate your preference.
Providing a copy of your personal data in response to an access request is free of charge (
If you request additional copies of the same data, or if requests are manifestly unfounded or excessive (e.g., repetitive), we may charge a reasonable administrative fee based on our actual costs of providing the response. We will notify you in advance before applying any charge.
Where we consider a request to be manifestly unfounded or excessive, we may either charge a reasonable fee or decline to act on the request. In either case, we will inform you in writing within the standard timeframe, explaining our reasons and your right to complain to the supervisory authority.
Not all rights apply in all circumstances. The following are the principal situations in which your rights may be limited or where we may decline a request, in whole or in part:
Where we are required by law to retain data, we cannot comply with an erasure or objection request to the extent it conflicts with that obligation. In particular:
Where personal data is subject to a litigation hold (i.e., it is or may be relevant to actual or anticipated legal proceedings), we may decline an erasure or restriction request in respect of that data until the litigation is resolved or the litigation hold is lifted. We will inform you of this fact without disclosing privileged legal strategy.
We may withhold or redact information in response to an access request where disclosure would adversely affect the rights and freedoms of others, or where the information constitutes a trade secret or confidential commercial information — for example, information about our internal business processes or about third parties not consenting to disclosure.
Where compliance with a portability or access request would require disproportionate effort (e.g., because data is held in archival systems not designed for regular access or export), we will indicate this to you and discuss alternative means of providing the relevant information.
Where personal data relates to or reveals information about third parties (e.g., a jointly submitted inquiry), we may need to balance your access right against the privacy rights of the third party. We will consider each case individually.
Where an exception applies to part but not all of a request, we will fulfil the request to the extent possible and inform you in writing about the portion we are unable to fulfil, identifying the applicable exception and your right to complain.
If you are not satisfied with our response or the manner in which we have handled your request, you may escalate your concern directly to our Data Protection Officer at [email protected]. We take all complaints seriously and will provide a substantive response within 15 business days of escalation.
You have the right, at any time, to lodge a complaint with the relevant data protection supervisory authority without first contacting us.
Switzerland — Federal Data Protection and Information Commissioner (FDPIC): Feldeggweg 1 3003 Bern, Switzerland Telephone: +41 58 462 43 95 Website: www.edoeb.admin.ch Online complaint form: available at www.edoeb.admin.ch/edoeb/en/home/the-/contact.html
Netherlands — Autoriteit Persoonsgegevens (AP): PO Box 93374 2509 AJ The Hague, Netherlands Website: www.autoriteitpersoonsgegevens.nl
Spain — Agencia Española de Protección de Datos (AEPD): Calle Jorge Juan 6 28001 Madrid, Spain Website: www.aepd.es
Austria — Datenschutzbehörde (DSB): Barichgasse 40-42 1030 Vienna, Austria Website: www.dsb.gv.at
Malta — Information and Data Protection Commissioner (IDPC): Website: https://idpc.org.mt
Turkey — Kişisel Verileri Koruma Kurumu (KVKK): Website: www.kvkk.gov.tr
You may lodge a complaint with the supervisory authority of your country of habitual residence, your place of work, or the place of the alleged infringement.
> This section is addressed to IDEOGEN staff responsible for handling data subject requests.
The following steps apply to all data subject requests received at [email protected], via the web form, or by post:
DSAR Register: A dedicated DSAR register is maintained by the DPO. It records all requests, status, timelines, outcomes, and any extensions. The register is reviewed quarterly and reported to senior management annually as part of the data protection compliance report.
Extensions: Any decision to extend the response period must be approved by the DPO and documented in the register, with the reason and new deadline communicated to the requester before expiry of the initial 30-day period.
Manifestly Unfounded/Excessive Requests: Any decision to charge or refuse a request on these grounds must be made by the DPO and documented in the register, with supporting reasons, prior to communicating the decision to the requester.
Data Protection Officer (DPO) [Name to be appointed] [email protected]
IDEOGEN Group GmbH Hurdnerstrasse 119 CH-8640 Hurden SZ Switzerland Tel: +41 43 311 52 52
General Enquiries: [email protected] Healthcare / Medical: [email protected]
This Data Subject Rights Request Procedure was last revised in March 2026 (Version 2.0). IDEOGEN Group GmbH, Hurdnerstrasse 119, CH-8640 Hurden SZ, Switzerland.