Privacy Policy

LAST UPDATED AUG 28, 2024

1. General

Donna My Personal Pharmacy with its affiliate companies respects your right to privacy and endeavours to ensure the highest level of protection for your personal information. Therefore, when carrying out our activities, we are committed to acting in accordance with laws and regulations that govern the protection of personal data, in particular the Personal Data Protection Act, the Electronic Communications Act and the General Data Protection Regulation of the EU. The purpose of this Privacy Policy is to inform you of the purposes for which your personal information will be acquired and how it will be used, what your rights are in relation to the information we keep about you and how you can exercise those rights.

Donna My Personal Pharmacy with its affiliate companies undertakes that the personal information which you submit will be used in accordance with this Privacy Policy and will not be sold, lent or otherwise transferred to any third parties, except in cases provided for in this Policy.

2. Data Controller

The controller of your personal data is Medis d.o.o., Brnčičeva ulica 1, 1231 Ljubljana – Črnuče, Slovenia, gdpr@medis.com.

As we value your privacy very highly, we have appointed an authorized Data Protection Officer for you to contact should you have any questions regarding the processing of your personal data. Our authorized Data Protection Officer is the JK Group d.o.o., Stegne 27, 1000 Ljubljana, Slovenia.

To contact the authorized Data Protection Officer, please send an e-mail to gdpr@medis.com.

All the topics and content handled by the authorized Data Protection Officer will be subject to strict confidentiality.

This Privacy Policy applies to:

  • Users of our website;
  • Recipients of our newsletters;
  • Participants in our events;
  • End users of our services (including the users of our online store, participants in our prize games, individuals who order free samples on our websites, members of the Donna products loyalty club);
  • Expert public whom we engage in the direct marketing of our products;
  • Candidates applying for our job vacancies.

3. Types of Personal Data

We only process your personal data on the basis of clearly stated and legitimate purposes, which are defined in this Policy. Donna My Personal Pharmacy is committed to the principle of data minimisation, which means that we collect, store and process only the data we need to fulfil the purposes for which they are collected.

We collect your personal information directly from you (e.g. you provide your personal information when ordering our services, participating in our events or making inquiries).

Your personal information may also be obtained from publicly available records. Personal data that we process may include:

  • General information about you – e.g. name and surname (including prefix or title), gender, age and date of birth;
  • Contact information – e.g. address, business address, e-mail address, telephone number, telephone number of your personal mobile phone;
  • Information about your profession – e.g. information about your education, academic title, professional qualifications, employment / position / role, specialization, customer account reference number, medical interest, official ID, membership in some professional bodies, your CV;
  • Technical information and interaction information – e.g.:
    • Information about the device that you use to interact with us, information about previous interactions or information about given presentations;
    • Information about your contact preferences or your preferred communication channel;
    • Information about the time you spent interacting with us, the location of these interactions, and your response to the various interactions you have with our representative; and
    • Details of any previous relations that you had with another healthcare organization.

4. Purpose of Data Processing and Types of Personal Data

All the personal information you provide to us will be treated confidentially and will only be used for the purposes for which it was submitted. Should a need arise for any further processing of your information for another purpose, we will contact you in advance and ask for your consent.

To facilitate transparency, we have categorised the purposes for which we process your personal information into three sets:

  1. Processing purposes related to expert public
  2. General purposes of processing
  3. Processing purposes related to the online store

1. Processing Purposes Related to Expert Public

Below, we set forth the purposes for which the processing of personal data is carried out for individuals that are part of the expert public (please refer to the last section of this Policy for a definition of who belongs to the category of expert public) and for participants in clinical trials.

Communication of professional information about expert public in the field of health about dietary supplements, medical devices and events

Name, surname, address and contact, education and work experience, and data on the job of healthcare and pharmaceutical professionals are collected for the purpose of providing professional information on dietary supplements and medical devices marketed by the company, and events the company organizes.

This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the section titled “Your Rights” for more information about your rights regarding the communication of professional information.

The communication of professional information is carried out on the basis of basic content customization according to your field of activity (healthcare) and depending on your responses to specific content and your preferences. This customization is carried out on the basis of our legitimate interest in providing up-to-date solutions when interacting with customers regarding food supplements.

Processing of feedback from the expert public in the field of health for the purpose of personalized communication

Feedback collected by our representatives in the field and by means of a customer satisfaction survey is collected in order to customize the information to individual preferences. These include contact information preferences for contacting you, or your preferred communication channel; information about the time you spent interacting with us, the location of these interactions, and your response to the various interactions you have with our representative, and details of any previous relations you had with another health organization. This information is processed on the basis of our legitimate interests in facilitating efficient and successful administration and management of our business and providing up-to-date solutions when interacting with customers regarding food supplements. Please refer to Section 6 of this Policy for more information on legitimate interest as a basis for the processing of personal data.

Direct marketing of dietary supplements to employees in pharmacies and wholesale drugstores

Name, surname, address and contact, education and work experience, and data on the job of pharmaceutical professionals are collected for the purpose of direct marketing of dietary supplements and medical devices marketed by the company.

This information is processed on the basis of our legitimate interest in efficient and successful administration and management of our business. Please refer to Section 6 of this Policy for more information on legitimate interest as a basis for the processing of personal data.

Conclusion and implementation of education and copyright agreement

Name, surname, address, contact, bank account and tax number are used for the purpose of concluding and implementing education and copyright agreements.

This information is processed on the basis of an agreement. Please refer to Section 6 of this Policy for more information about agreement as a basis for processing personal information.

2. General Purposes of Processing

This section sets forth processing purposes that may be relevant for both groups: expert public and end users.

Compliance with requirements laid down by laws and regulations

In certain cases, laws and regulations may require us to process or communicate your personal information. In such cases, we process your personal information on the basis of the law; such processing or communication of personal data is mandatory.

Retention of unsuccessful recruitment information submitted by candidates

Name, surname, e-mail, address, mobile phone, and CV are used for the purpose of carrying out recruitment and providing notice about current vacancies. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the section titled “Your Rights” for more information.

Execution of prize games organized by Donna My Personal Pharmacy

Name, surname, gender, age, e-mail, and address are used for the purpose of carrying out prize games. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the section titled “Your Rights” for more information.

Enabling access and use of the Donna loyalty club

Name, surname, gender, age, e-mail, address, history of purchases and prize items are used for the purposes of the loyalty club. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the section titled “Your Rights” for more information.

Communicating with users based on your request, regardless of the request channel (e-mail, completing the contact form on our website, phone call, etc.)

Name, surname, gender, age, e-mail and address are used for the purposes of responding to your request. This information is processed on the basis of our legitimate interest in familiarizing our customers with additional information and presentations for the purpose of improving our services. Please refer to Section 6 of this Policy for more information on legitimate interest as a basis for the processing of personal data.

Distribution of newsletters to end users

Name, surname, gender, age, e-mail and address are used to distribute newsletters. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the section titled “Your Rights” for more information.

Distribution of newsletters is carried out on the basis of basic content customization according to the products you have expressed interest in or purchased in our online store. Such customization is carried out on the basis of our legitimate interest in familiarizing our customers with additional information and presentations in order to improve our portfolio of services.

Distribution of newsletters to our partners and potential partners

Name, surname and e-mail are used to distribute newsletters. This information is processed on the basis of our legitimate interest in facilitating efficient and successful administration and management of our business. Please refer to section 6 of this Policy for more information on legitimate interest as a basis for the processing of personal data.

3. Purposes Related to the Provisioning of the Online Store Service:

This category comprises processing purposes related to the use of the online store.

Enabling user access and use of the Donna My Personal Pharmacy internet account available within the www.mydonna.com online store (the use of online store with registration)

Name, surname, gender, e-mail, and address are used to fulfil the online purchase. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the section titled “Your Rights” for more information.

Statistical analyses of customer data, orders and prospective buyers

This information is processed on the basis of our legal interest in the optimization of advertising and operations of Donna My Personal Pharmacy.

Should Donna My Personal Pharmacy identify a need for further processing of personal data for purposes that are incompatible with the above stated purposes, we will provide prior notice and ask for your consent regarding such processing.

Reporting adverse effects of medical devices

Data about the patient (date of birth, information about health, medical history) and data about the person reporting adverse effects (name and surname, contact, profession) are used for the purposes of monitoring the safety of medical devices. As an online store selling food supplements, we are legally obliged to monitor the safety of all Donna products around the world which we develop or market in any country. The purpose of monitoring the safety of medical devices is to enable us and the competent regulatory public authorities to manage adverse events, as well as to protect public health and ensure high standards of quality and safety of the products. Our obligations of monitoring the safety of medical devices also include the processing of certain data from which we can directly or indirectly identify the person reporting the adverse event (“personal data”), in order to fulfil our strict obligations regarding the constant assessment of benefits and risks of products, and to report to the competent regulatory public authorities about the suspected adverse effects or events.

5. Data Users

The Controller may transfer your personal information to third parties. The access of third parties to the information and the processing of data by these parties is limited to the purposes for which such data were collected. All third parties to whom we may provide your personal data are bound to comply with applicable laws and regulations as well as the provisions of this Privacy Policy.

We may provide your personal information to:

  • Medis, d.o.o., Brnčičeva 1, 1231 Ljubljana-Črnuče, Slovenia
    1. Our affiliated companies listed below.
    2. Companies that provide supporting services needed for the normal functioning of our company (postal services, shipping providers, file destruction and data carrier destruction services, IT service providers in the context of servicing and maintenance of software, providers of online tools for distribution of newsletters and other e-mail (Dotdigital), CRM service providers (BigCommerce), legal service providers, administrators and webmaster, etc.).
    3. We provide data to the public administration bodies and courts when laws and regulations require us to (for example, tax authorities, court requests, etc.).
    4. Wholesale drugstores and pharmacies, where we perform direct marketing.
    5. We provide personal data to organizations or healthcare institutions when so required by law.
    6. Due to fulfilling our obligations in the area of monitoring the safety of medical devices, we may forward and/or disclose the personal data:
      • In the scope of Donna My Personal Pharmacy due to an analysis and processing of the reported adverse event;
      • To the competent regulatory public authorities regarding the suspected adverse event;
      • To third parties, service contractors for Donna My Personal Pharmacy; these service contractors may include the safety databases operators, call centre operators and our marketing researchers, in case that you have disclosed the details about your suspected adverse event to the latter. Please bear in mind that we have ensured appropriate security measures for the personal data protection with the service contractors, to which Donna My Personal Pharmacy forwards personal data and which carry out services or functions in our name;
      • To pharmaceutical companies with which we cooperate in marketing or distribution, and other licensed partners of Donna My Personal Pharmacy, when the obligations for a Donna My Personal Pharmacy product demand such exchange of safety information. Please bear in mind that we have ensured appropriate security measures for the personal data protection with those business partners to which Donna My Personal Pharmacy forwards personal data and which carry out services or functions in our name;
      • To third parties as legal successors in case of sale, resignation or transfer of a certain Donna My Personal Pharmacy product, project or therapeutic area connected to the above; in such case we will demand that the buyer, transferee or acquirer deals with personal data in compliance with the applicable legislation about personal data protection;
      • When we publish the information about adverse events (such as case studies or summaries); in such cases we will remove the identification markers from all publications and preserve the secrecy of your identity.

We exchange certain personal information with the third parties described above. We will ensure that access will be granted to third parties only for the purposes set out in this Policy. We will take appropriate measures to ensure that access to your personal data will be granted only to the employees of the above listed third parties who need access to personal data to carry out their work.

We limit the access to personal data both to Donna My Personal Pharmacy and to employees in our affiliated companies. All employees who have access to personal data are liable to protect the personal data they process.

Your personal data may also be processed by Donna My Personal Pharmacy and the above listed third parties outside the European Economic Area, including countries that may not provide such personal data protection as is in force within the European Economic Area.

In accordance with applicable data protection and privacy regulations, we will take appropriate measures to ensure that your personal data will remain secure and safe in every transfer. We will define these measures by concluding appropriate contractual frameworks that will determine the protection of personal data.

6. Legal Grounds for the Use of Personal Data

The grounds on which we use your personal information:

  • Your express consent – we may occasionally ask for your consent to use your personal data for one or more purposes. Please refer to the section titled “Your Rights” for more information regarding the rights that you have when we process your data on the basis of your consent;
  • Legitimate interests – the use of your personal data helps us to manage and improve our operations and reduce interference in the provisioning of services. Moreover, the use of your personal data allows us to make our communication more relevant and personalized to you, and renders your experience with our services and products effective and successful. Legitimate interests may include:
    • Facilitating effective and efficient administration and management of our business;
    • Enabling our customers to have quick and easy access to products;
    • Maintaining compliance with our internal procedures and customer relationship management policies;
    • Providing up-to-date solutions when interacting with clients regarding food supplements;
    • Familiarizing our customers with additional information and presentations for the purpose of improving our services.

Whenever we process your personal data on the basis of legitimate interests, we will explicitly indicate this in this Policy or inform you in advance on a special form.

  • Contractual or pre-contractual relationship – your personal data is processed when needed for the purpose of concluding and implementing an agreement with you. We process your personal data for the duration of the contractual term, including warranty or any other terms arising from the concluded contract (e.g. fulfilment of your orders in the online store).
  • The law – your personal data is processed when required by law (e.g., tax legislation).
  • Donna My Personal Pharmacy processes personal data which is important from the point of view of monitoring the safety of medical devices, including special kinds of personal data, in accordance with the GDPR:
    • For studying the adverse event;
    • For ensuring compliance with legal obligations which are defined by the applicable laws and regulations in the area of monitoring the safety of medical devices, and due to their legal interests in ensuring the purposes of monitoring the safety of medical devices (Article 6 of the GDPR), given that the European and national legislation of the EU member states in the area of monitoring the safety of medical devices was adopted due to the important public interest in the area of public health and safety of medical devices (Article 9 of the GDPR).

You are obligated to provide personal information that we collect and process pursuant to laws and regulations. You communicate your personal information for the purpose of conclusion (and implementation) of an agreement on a voluntary basis. Nevertheless, we would like to point out that if you fail to provide us with personal information which we need in order to provide a specific service, we will not be able to provide that service (e.g. it is necessary that you provide your e-mail when making a purchase in our online store in order for us to fulfil your order).

With regard to personal data processing on the basis of your consent, the provision of personal information is always voluntary and without any negative consequences for you. Nonetheless, we would like to point out that we will not be able to provide certain services without your consent, or after you withdraw your consent (e.g. using Donna loyalty club).

7. Retention Period

We store all personal data that we process in accordance with laws and regulations and only for the time required to achieve the purposes for which the data were collected.

When the personal data retention period is prescribed by law, data are kept in accordance with the provisions of the applicable law.

When the grounds for the collection and processing of personal data is an agreement, the retention period lasts for the entire contractual term, including warranty or any other period arising from the concluded agreement.

When collecting and processing your personal information on the basis of your express consent, we keep your personal information permanently or until revocation. In the event that the purpose for which we have processed your information is fulfilled, we will delete your information even if you do not withdraw your consent. For example, when we organize a prize game, the purpose of the collection and processing is fulfilled when the prizes are awarded, so we will delete all the participants’ data (with the exception of those needed for legal reasons), even if you do not submit the revocation, because the purpose of the collection is fulfilled (i.e. prizes were awarded).

8. Data Protection Methods

Donna My Personal Pharmacy commits to protecting the personal information you provide to us. Donna My Personal Pharmacy will do everything to protect personal data from any violation and misuse.

We store personal data in paper or digital form. All paper documents with your personal data are stored in protected areas; our computer systems are protected by technical and organizational measures that prevent any accidental or deliberate destruction, loss, damage, alteration and unauthorized disclosure or access to your personal data.

Technical and organizational measures that we use to protect your personal data include, but are not limited to:

  • Regular backups that are properly protected;
  • Restriction of access to personal data;
  • Regular employee training on the subject of personal data protection and supervision over the work of employees;
  • Password system;
  • Use of appropriate software protection.

After expiry of the retention period or the revocation of obtained consent, the data (including any copies thereof) are immediately, irretrievably and permanently deleted. Any personal data carriers where such data are located are also permanently destroyed or deleted.

Should a violation of personal data protection occur, we will immediately inform the competent supervisory authority. For Germany, the competent authority for personal data protection is the German Federal Data Protection Authority. For Austria, the competent authority for personal data protection is the Austrian Data Protection Authority. To find out more about the function of the competent authority, please refer to their website. Should a criminal offence be suspected in the event of a violation of personal data protection, we will immediately notify the police or the competent prosecutor’s office.

Should a high-risk violation of personal data protection occur involving the rights and liberties of individuals whose personal data we process, we will inform you of such violation without any undue delay.

9. Your Rights

Donna My Personal Pharmacy ensures that you can exercise all the rights that you have in relation to the processing of your personal data.

Termination of subscription to product newsletters

If you no longer wish to be informed about the products marketed by Donna My Personal Pharmacy and its affiliated companies, you can contact us at gdpr@medis.com or inform our sales representative upon their visit (if you are a healthcare or pharmaceutical professional).

The data subject may at any time request Donna My Personal Pharmacy to:

  • Confirm whether the data relating to the data subject are processed or not.
  • Be granted access to the personal data: Access to personal data will be granted only when we confirm that your personal data are processed. You have the right to request information about what data is being processed and what the source of this information is.
  • Enable the correction of inaccurate or incomplete personal data relating to the data subject: Please make sure to inform us of any change in your personal information as soon as possible, as this is the only way to ensure the accuracy and integrity of the personal data that we keep. You can notify us of any changes by use of the contacts listed in Section 10 of this Policy.
  • Enable the printout of personal data provided to us by the individual in a structured, generally used, machine-readable form.
  • Allow the right to have personal data deleted (i.e. the right to be forgotten): The right to have personal data deleted is limited as we cannot delete the personal data that we process on the basis of law and regulations or on the basis of a contractual relationship between us (including any warranty and other periods that may arise from a particular contract).
  • Enable the right to restrict processing (e.g., the request to restrict processing is possible when running the integrity check on the personal data that we process).
  • Allow the right to object to the processing: The right to object to the processing of personal data is limited to processing that is based on a legitimate interest (cases when a legitimate interest is the basis for the processing of your personal information are listed in this Policy or we will inform you accordingly in advance) and processing for the purposes of direct marketing, including profiling.
  • Make the data transferable and provide the data subject with data in a structured, generally used and machine-readable form or directly communicate them to another Controller.
  • Allow the right to withdraw consent, when personal data are processed on the basis of consent, whereas withdrawal of consent does not affect the lawfulness of data processing that was carried out prior to such withdrawal.

Consent may be withdrawn by an individual in any manner specified in Section 10 of this Policy. Withdrawal of consent does not create any negative consequences for you. After you withdraw your consent, we will not offer certain services if these services are of such a nature that we cannot perform them without you providing your personal information (e.g., without the processing of your e-mail address we cannot provide you with e-mail notification services). Every individual to whom data relates has the right to file a complaint against us with the Information Commissioner.

You can exercise your rights by contacting us by e-mail at: with subject of the message Personal Data protection.

Donna My Personal Pharmacy commits to respond to the data subject’s requests without undue delay, and at the latest within the statutory deadlines.

10. Contact

The person responsible or the Data Protection Officer at Donna My Personal Pharmacy will answer your questions about the confidentiality of your information, the way in which data is collected and processed, or your requests to exercise the rights relating to your information. To contact the authorized Data Protection Officer, please send an e-mail to gdpr@medis.com.

11. Definitions

This section sets forth the definition of terms used in this Policy.

Personal data is any information that refers to a specific or identifiable individual, specifically: name, identification number, web identifiers as well as factors that are characteristic of the individual’s physical, physiological, genetic, mental, economic, cultural or social identity.

Processing is any act or set of actions that is carried out with personal data and includes, in particular, the collection, editing, storing, modifying, viewing, retrieval and deletion of such data.

Controller is a natural or legal entity who, alone or jointly with others, determines the purposes and means of processing. For the purposes of this Policy, Donna My Personal Pharmacy is the Controller.

Processor is a natural or legal entity as well as a public authority or agency or other body that processes personal data on behalf of the Controller.

Expert public means natural persons working in a medical or pharmaceutical profession (such as medical institutions, pharmacies) as well as people employed in wholesale drugstores with whom we cooperate.

End user is any natural person who uses our services (including online store users, members of loyalty clubs, etc.).

12. Changes

We reserve the right to periodically amend this Privacy Policy to adjust it according to current conditions and personal data protection legislation. For this reason, we ask you to check the updated version before providing any personal information, so that you will be aware of any changes or updates.