Regulatory UpdateJul 12, 2026 · 16:247 min readBy Daniel Herrmann
FDA Warning Letters 2026: Seven Controls for Audit-Ready Computerised Systems
What current FDA warning letters show about user access, audit trails, raw data, vendor changes and CAPA in GxP systems.
Recent FDA warning letters do not introduce a new rulebook. They expose recurring control failures: shared credentials, excessive privileges, incomplete electronic raw data, unreviewed audit trails and changes made outside the quality system. Operators of GxP-relevant computerised systems should therefore demonstrate that technical controls, procedures and quality oversight work together in routine operation.
Why these warning letters matter to GxP organisations
A warning letter addresses a specific company and is not a substitute for law or guidance. It does, however, show how the FDA applies existing requirements during inspections. Three letters issued in March and April 2026 are particularly relevant to IT leaders, QA and system owners:
At Ava Inc., FDA cited a shared HPLC account, administrator privileges for analysts, deleted GC sequences, unretained trial injections and a mismatch between FTIR usage records and the electronic audit trail.
At Intas Pharmaceuticals, a QA employee instructed a software supplier to modify a completed electronic batch record. According to the letter, the change was captured neither in the audit trail nor in the quality system.
At Fareva Morton Grove, microbiological results existed across paper and electronic formats, some data were missing, and negative observations were not recorded contemporaneously as individual results.
The circumstances differ, but the control pattern is consistent. A system that has been formally validated is not automatically under control. The organisation must be able to reconstruct the complete data history and show that only authorised, appropriately separated roles can make changes.
Control 1: Individual identities instead of shared accounts
A shared login breaks attribution. If several analysts use the same username and password, an audit trail may display an event but cannot reliably identify the responsible person.
The minimum control is both technical and procedural:
every relevant account belongs to one person or to a clearly defined technical identity;
roles and privileges match the task;
joiner, mover and leaver events trigger an approved access process;
periodic reviews assess actual privileges, not only whether an account exists.
For system validation, a one-off screenshot of the user administration is therefore insufficient. Evidence should show that the access process remains effective in operation.
Control 2: Separate administration from laboratory or process execution
At Ava Inc., analysts could modify or delete data because they held administrator privileges. The design combined execution, data manipulation and control in one role.
Where the system supports segregation, operational users should not have production administrator privileges. Where a legacy system cannot enforce that separation, the organisation needs a documented risk assessment, compensating controls and a credible remediation plan. A procedure saying that deletion is prohibited does not compensate for an unrestricted delete function.
Evidence normally includes a role matrix, approved access requests, periodic access reviews and a sample that reconciles real users against their configured roles.
Control 3: Enable, protect and risk-base audit trail review
An audit trail becomes a control only when it captures critical events, is protected against unauthorised alteration and is reviewed by an appropriate role. The FDA observations show two common weaknesses: relevant events are missing, or events exist but are not considered in the quality decision.
A defensible audit trail strategy answers at least five questions:
1. Which data and metadata are GxP-critical?
2. Which events must be recorded, including creation, modification, deletion and relevant configuration changes?
3. Who reviews the trail independently of the executing role?
4. When and at what risk-based frequency is the review performed?
5. How are anomalies investigated, assessed and closed?
21 CFR 211.68(b) requires appropriate controls over computer or related systems so that only authorised personnel can make changes to master production and control records or other records. Audit trail review frequency may be risk-based, but the rationale cannot rely solely on the system name or supplier category. Intended use, data criticality and the potential effect of an undetected change belong in the assessment. The same risk logic supports risk-based Computer Software Assurance without extending the FDA CSA scope to pharmaceutical CGMP systems.
Control 4: Retain all raw data and relevant repetitions
Unretained trial injections, discarded sequences or selectively transferred results prevent full reconstruction. 21 CFR 211.194(a) requires complete laboratory data derived from all tests necessary to establish compliance. FDA’s data integrity guidance also expects CGMP data to be complete, consistent and accurate.
The operating control is therefore not “archive only the final result.” It should cover the complete decision-relevant data set: electronic raw data, relevant metadata, method and sequence information, repetitions, links to deviations or OOS investigations and the rationale for rejected or repeated work.
A system test should not stop at proving that one record can be saved. It should examine what happens during interruption, repetition, export, reprocessing, attempted deletion and system failure.
Control 5: Reconcile electronic data with operational evidence
In the Ava letter, the FTIR usage log indicated testing while the electronic audit trail showed no corresponding activity. Such discrepancies can reveal a gap in system function, procedure or recording practice.
A periodic data integrity review should therefore compare selected sources rather than assess them in isolation. Depending on the system, useful reconciliations include:
instrument or application logs against the audit trail;
batch or sample records against electronic raw data;
interface monitoring against received records;
helpdesk or supplier activity against change records;
backup logs against defined recovery tests.
The purpose is not indiscriminate log collection. It is to choose the few comparisons most likely to reveal an incomplete or out-of-process data history.
Control 6: Put supplier and database changes through change control
The Intas case is central to SaaS, ERP and electronic batch record operators. Even when a supplier executes the technical change, the regulated company remains responsible for a controlled process. A support ticket alone is not a quality change record.
Before a production change, the organisation should establish the purpose, affected data, approval, technical execution, audit trail impact, verification and potential product or batch impact. Direct database changes and retrospective record corrections need particularly strong segregation, logging and independent review.
This logic belongs in supplier agreements, support procedures and the validation strategy before an inspection finding occurs.
Control 7: Systemic CAPA instead of isolated retraining
Additional training can be useful, but it does not remove inappropriate privileges, missing audit trail functions or uncontrolled data modification. In the cited letters, FDA requested measures such as independent assessments, comprehensive remediation plans, root-cause analysis and effectiveness checks.
A systemic CAPA therefore combines:
scope determination across comparable systems and sites;
technical correction and procedural change;
assessment of potential impact on previously released data or batches;
clear accountability for management, QA, business and IT;
defined effectiveness criteria followed by independent verification.
For GxP audit readiness, this is the difference between a list of closed tickets and defensible remediation evidence.
A 30-day review for system owners and QA
The seven controls can be assessed through a focused review rather than an indiscriminate transformation programme.
Week 1: Select two or three critical laboratory, production or quality applications. Review individual accounts, privileged roles and the latest access review.
Week 2: Reconstruct one critical business process per system from the transaction to raw data, metadata and audit trail. Record discrepancies.
Week 3: Reconcile recent supplier, helpdesk and database interventions against change control and audit trail evidence.
Week 4: Prioritise findings by risk, determine systemic scope and approve CAPA with effectiveness criteria.
DHC CSV consulting connects this review with existing validation evidence instead of creating a parallel control system.
Frequently asked questions
Must every technical audit trail be reviewed before each release?
Not every technical log by default. Scope and timing depend on data criticality, intended use and process risk. For critical data, the organisation should justify which events are decision-relevant and when independent review is required.
Does a validated system prove data integrity?
No. Validation demonstrates fitness for intended use under defined conditions. Data integrity also depends on access control, operation, review, change control, training and quality oversight.
Do FDA warning letters apply directly to every European pharmaceutical company?
No. A warning letter addresses its recipient and specific facts. The underlying FDA requirements and recurring control patterns are nevertheless useful for organisations that manufacture FDA-regulated products or want to challenge their data integrity controls against real inspection findings.
Daniel Herrmann Consulting supports Pharma, Biotech and MedTech organisations with CSV, GxP system validation, audit readiness and risk-based remediation.
Can you reconstruct access, audit trails and data changes across your critical systems?
A focused readiness review identifies and prioritises the gaps that should be closed before an inspection or go-live.
VAT identification number pursuant to § 27a German VAT Act (UStG): DE328451232
Consumer dispute resolution (VSBG)
In accordance with § 36 VSBG: we are neither willing nor obliged to participate in dispute resolution proceedings before a consumer arbitration board.
Liability for content
We are responsible for our own content on these pages under the general laws. Under Articles 4 to 8 of Regulation (EU) 2022/2065 (Digital Services Act, DSA), as a service provider we are not obliged to monitor transmitted or stored third-party information or to investigate circumstances that indicate unlawful activity.
Note: The §§ 7–10 of the previous Telemedia Act (TMG) on the liability for digital services have not been transferred to the German Digital Services Act (DDG). Liability for digital services is now primarily regulated by Regulation (EU) 2022/2065 (DSA), in particular Articles 4–8 — referenced above. The §§ 7–10 DDG cover other subjects (limited responsibility under DSA Articles 4–8 + Wi-Fi access, blocking claims under copyright law, lists of audiovisual-media-service and video-sharing-platform providers, and information-request rights of the competent authorities under state law).
Copyright
The content and works on these pages created by the site operator are subject to German copyright law. Reproduction, processing, distribution and any kind of exploitation outside the limits of copyright require the written consent of the respective author.
Privacy Policy
1. At a glance
The following information gives a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally.
2. Controller
The controller responsible for data processing on this website pursuant to Art. 4 (7) GDPR is:
Daniel Herrmann Consulting Daniel Herrmann (sole proprietor) Enzweilerweg 3a · 66709 Weiskirchen · Germany Phone: +49 170 7878065 Email: info@daniel-herrmann.io
A data protection officer has not been appointed; the controller is your point of contact for all data protection matters.
3. Server logs
When you visit this website, the hosting provider automatically collects technical information in server log files: IP address (anonymised after 7 days), date and time of access, page accessed, referrer, user agent. Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in technically reliable operation. Retention: 7 days, then automatic deletion. No merger with other data sources.
4. Contact
If you contact us via form, email or phone, we store the information you provide (name, email, company, message content) to process the enquiry and for follow-up questions. Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) and Art. 6 (1) (f) GDPR (legitimate interest in answering enquiries). Retention: deletion as soon as the enquiry has been finally processed, at the latest after 12 months, unless statutory retention obligations apply. Data is not shared with third parties.
5. Lead magnets (PDF downloads)
To request our practical guides (e.g. Strategy Guide, Compliance-Gap Analysis, Execution Playbook) we ask for your email address and, optionally, your name and company. The data is stored solely to provide the requested material and for documentation of consent. Legal basis: Art. 6 (1) (a) GDPR (consent). Retention: until your withdrawal, at most 24 months. The newsletter subscription is offered as a separate, opt-in checkbox on the lead-magnet form (no coupling — you can request the material without subscribing). No marketing emails are sent without separate consent.
5a. Newsletter (Double-Opt-In)
If you sign up for our newsletter, we use the double-opt-in procedure: after entering your email and name you receive a confirmation email with a verification link. Only after you click the link do we activate the subscription and document your consent. Data: email, name, consent timestamp, confirmation IP. Purpose: sending the monthly dhc newsletter with practice insights, plus documentation of the consent process (Art. 7 (1) GDPR). Legal basis: Art. 6 (1) (a) GDPR (consent), § 7 (2) Nr. 3 UWG. Retention: for as long as your subscription is active; consent logs retained for 3 years after the end of the subscription as evidence in the event of complaints. Withdrawal: every newsletter contains a one-click unsubscribe link in the footer. Alternatively a short email to info@daniel-herrmann.io is sufficient. Processor: the newsletter is sent via our hosting provider's SMTP infrastructure; we currently do not use a third-party email-marketing tool. As soon as we transition to a dedicated newsletter-tool (e.g. Brevo), we will update this section and conclude an additional data-processing agreement.
5c. Link-click tracking in our emails
To understand which content in our lead-magnet emails and newsletter issues is actually useful, we route outbound links through an internal redirect endpoint (`/t/`). Each link in each send gets an aggregate click counter — but we do NOT store an identifier of the individual recipient, NO IP address and NO user agent. The data we keep is comparable to anonymous server logs (e.g.: ‘link X in send Y was clicked 42 times in total’). It does not allow us to infer who clicked. Therefore no separate consent or cookie banner is required (recital 26 GDPR — anonymous data, no personal-data processing per Art. 4 (1) GDPR). Legal basis for the redirect itself: Art. 6 (1) (f) GDPR (legitimate interest in measuring content effectiveness for our own communications). Legal pages (Impressum, Datenschutz) and the unsubscribe link are NEVER routed through the redirect, so the click behaviour on legally relevant links is never measured.
5b. Retention overview & justifications
A consolidated view of all retention periods with the rationale behind each one — the principle: minimal storage, clear purpose, documented basis.
Data categoryRetentionJustification
Server logs7 daysSufficient for technical fault analysis & security forensics — Art. 6 (1) (f) GDPR. IP anonymisation kicks in immediately on log close.
Contact enquiries12 monthsB2B sales cycle in pharma typically runs 6–9 months. 12 months covers follow-ups without unnecessary stockpiling. Statutory retention (e.g. § 257 HGB) only applies once a contract is concluded.
Lead magnetsup to 24 monthsUntil withdrawal of consent; 24-month cap covers documentation of consent (Art. 7 GDPR) and re-engagement cycle. Withdrawal at any time, deletion within 7 days of request.
Newsletter subscriptionactive subscription + 3 yrs consent logEmail + name only as long as the subscription is active. Consent log (timestamp + IP) retained 3 years to cover statutory limitation period (§ 195 BGB) for complaints under § 7 UWG.
Cookies (incl. analytics)30 min – 14 monthsPer-tool detailed in 6.9. GA4 capped at 14 months (the GA4 minimum, shorter possible only via property reset); all other tools below or equal to industry standard.
Cookiebot consent12 monthsMaximum window the EDPB considers reasonable for repeat-consent requests. After 12 months a fresh banner appears.
6. Cookies, analytics & tracking
This website uses analytics and tracking tools that go beyond pure reach measurement and create usage profiles. Personal data may be processed (in particular IP address, device and browser information, behaviour data) and transferred to third countries (including the USA). Legal basis is your consent pursuant to § 25 (1) TTDSG and Art. 6 (1) (a) GDPR. The consent is granted on first visit via our cookie banner and can be withdrawn at any time with effect for the future — see section 6.10 below. Withdrawal is as simple as granting consent (Art. 7 (3) GDPR); the lawfulness of processing carried out on the basis of consent prior to withdrawal remains unaffected.
6.0 Consent management (Cookiebot)
Provider: Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (a Usercentrics company) — EU-based. Purpose: Cookiebot is the consent management platform (CMP) we use to document your consent in line with § 25 TTDSG and Art. 7 GDPR and to block analytics / tracking tools until you opt in. Data: Cookiebot stores a ‘CookieConsent’ cookie containing your consent state (categories, timestamp, anonymous identifier) and a server-side consent log. Retention: up to 12 months from the moment consent is given; renewed on each new visit after expiry. Legal basis: the processing of consent itself rests on Art. 6 (1) (c) GDPR (legal obligation to document consent). Third-country transfer: primary processing in the EU; sub-processors may include service providers outside the EEA under EU Standard Contractual Clauses. Data processing agreement: concluded with Cybot A/S. More info:Cookiebot Privacy Policy.
6.1 Google Analytics 4
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA). Purpose: Tracking tool that goes beyond pure reach measurement. Google uses the collected data for the operation of GA4 and partly for its own purposes (no commissioned processing in the narrow sense for these purposes). Data: pseudonymous identifiers (client ID), IP address (shortened on EU server, see below), page views, dwell time, scroll depth, click events, device and browser information, approximate location (country / region from IP). Retention: up to 14 months for event-level data, then automatic deletion. IP shortening: The IP address is shortened on an EU server before being forwarded to the USA (‘_anonymizeIp’ equivalent in GA4 is active by default). Third-country transfer: data is processed on servers in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Adequacy Decision of 10 July 2023). Note that the supervisory authorities point out that the legal certainty gained may only be temporary; previous adequacy regimes (Safe Harbor, Privacy Shield) were invalidated by the CJEU. Data processing agreement: concluded with Google Ireland Ltd. More info:Google Privacy Policy, Browser opt-out.
6.2 Microsoft Clarity
Provider: Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (parent: Microsoft Corporation, USA). Purpose: Session recordings and heatmaps to improve usability. Note: session recordings are a particularly intensive form of processing — they can capture sensitive content even though input fields are masked by default. We have configured the strictest masking level (‘Strict’) for all form fields. Data: mouse movements, clicks, scroll behaviour, page views, device and browser information, shortened IP address, country. Retention: up to 12 months from the last recorded session. Third-country transfer: Microsoft is a US group; data may be processed on servers in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework. The reservations noted above for GA4 apply analogously. Data processing agreement: Microsoft Online Services DPA concluded. More info:Microsoft Privacy Statement.
6.3 Leadfeeder (Dealfront)
Provider: Dealfront Germany GmbH (Leadfeeder), Markgrafenstraße 36, 10117 Berlin, Germany — EU-based provider. Purpose: B2B identification of visiting companies based on commercially licensed IP-address databases (e.g. RIPE, ARIN, public corporate IP ranges). We use this to inform our sales outreach. The aim is identification of the company, not of an individual user. Important note from a data protection perspective: IP addresses can constitute personal data, particularly when combined with other data. We therefore treat Leadfeeder processing as relevant under GDPR. Data: IP address, page views, timestamp, dwell time, referrer. Data sources: Dealfront enriches IP data with publicly available company information and licensed B2B databases. Retention: up to 12 months on visit level; aggregated reports may be retained longer. Third-country transfer: Dealfront operates primarily on EU infrastructure; sub-processors may include US service providers under EU Standard Contractual Clauses. Data processing agreement: concluded with Dealfront Germany GmbH. More info:Dealfront Privacy Policy.
6.4 Google Ads
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent: Google LLC, USA). Purpose: We use Google Ads conversion tracking and (where activated) remarketing to measure the success of advertising campaigns and to address visitors with relevant ads. Data: pseudonymous click ID (gclid), conversion event, conversion timestamp, device and browser information. Cookies used include `_gcl_au` (conversion linker) and `test_cookie` (doubleclick.net technical test cookie). Retention: `_gcl_au` up to 90 days, conversion logs in the Google Ads account according to Google retention settings. Third-country transfer: data is processed on Google servers including the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Data processing agreement: concluded with Google Ireland Ltd. More info:Google Privacy Policy, Ad personalisation settings.
6.5 LinkedIn Insight Tag
Provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (parent: LinkedIn Corporation, USA). Purpose: The LinkedIn Insight Tag enables campaign measurement, audience analytics and (where activated) retargeting for LinkedIn ad campaigns. Data: IP address (truncated), timestamp, page URL, device characteristics, LinkedIn member ID where the visitor has been logged in to LinkedIn. Cookies used include `bcookie`, `lidc`, `bscookie`. Retention: up to 6 months for direct identifiers; aggregated campaign reports may be retained longer. Third-country transfer: data is processed on LinkedIn servers including the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Data processing agreement: concluded with LinkedIn Ireland Unlimited Company. More info:LinkedIn Privacy Policy, LinkedIn opt-out.
6.5a Meta Pixel (Facebook Pixel)
Provider: Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland (parent: Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA). Purpose: The Meta Pixel (also ‘Facebook Pixel’) enables reach measurement, conversion tracking and (where activated) retargeting for advertising campaigns on Facebook and Instagram. It lets us measure the effectiveness of our ads and show relevant advertising to visitors. Data: pseudonymous identifiers, IP address, device and browser information, referrer URL, triggered events (e.g. page view). Cookies used include `_fbp` (first-party cookie used to recognise the browser) and `_fbc` (click identifier derived from the `fbclid` URL parameter). If the visitor was logged in to Facebook / Instagram at the time of the visit, Meta can attribute the visit to the respective account. Joint controllership: for the collection and transmission of the data to Meta there is joint controllership within the meaning of Art. 26 GDPR between us and Meta; we have concluded Meta’s controller addendum for this. Meta is solely responsible for any subsequent processing of the data for its own purposes. Retention: `_fbp` up to 90 days; on the event level according to the retention settings in the Meta Events Manager. Third-country transfer: data is processed on Meta servers including the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Adequacy Decision of 10 July 2023). The reservations noted above for GA4 apply analogously. Legal basis: your consent pursuant to § 25 (1) TTDSG and Art. 6 (1) (a) GDPR. The pixel is only loaded after you have given consent via our Cookiebot banner. More info:Meta Privacy Policy, Meta ad settings.
6.6 Google Tag Manager
Provider: Google Ireland Limited (see 6.1). Purpose: Google Tag Manager (GTM) is a tag-management system that loads other tracking tags (e.g. Google Analytics, Google Ads, LinkedIn Insight Tag) on this website. GTM itself does not set any cookies and does not collect personal data per se; it only orchestrates the tags loaded after consent. Data: technical request data (IP address, timestamp, user agent) is briefly seen by Google’s GTM-loader server. No persistent identifier is set by GTM itself. Third-country transfer: the GTM loader is hosted on Google infrastructure including the USA. Safeguards as in 6.1. Note: we have configured GTM so that no measurement tag fires before you have given consent via our Cookiebot banner. More info:Google Privacy Policy.
6.7 Cloudflare (CDN & bot management)
Provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA, with EU representative Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich. Purpose: Cloudflare is used by our hosting provider as a Content Delivery Network (CDN) and security layer. The ‘__cf_bm’ cookie is set by Cloudflare’s bot-management to distinguish humans from automated traffic and to mitigate DDoS attacks and content scraping in real time. Why we consider this technically necessary: Without bot-mitigation our website would be vulnerable to credential-stuffing, scraping and DDoS attacks that compromise availability, integrity and the security of the personal data we process (e.g. lead-magnet form submissions, newsletter signups). Bot-mitigation is therefore a technical security measure within the meaning of Art. 32 GDPR (security of processing). Cloudflare itself classifies ‘__cf_bm’ as ‘strictly necessary’ (Cloudflare cookie documentation). Replacing Cloudflare bot-management would weaken the security of personal data on this site. Data: IP address, request headers, technical fingerprint of the request. No persistent identifier across sites. Retention: ‘__cf_bm’ cookie expires after at most 30 minutes of inactivity. Aggregated security logs at Cloudflare are retained briefly under Cloudflare’s standard retention. Legal basis: § 25 (2) Nr. 2 TTDSG (technically required to operate the requested service) and Art. 6 (1) (f) GDPR (overriding legitimate interest in a secure, available website). Third-country transfer: Cloudflare is a US group; data may be processed on servers in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Adequacy Decision of 10 July 2023). Please note that the legal certainty of the framework may be limited; the General Court of the EU has annulment proceedings pending (case T-553/23). Data processing agreement: concluded as part of the hosting contract. More info:Cloudflare Privacy Policy.
6.8 Google Search Console
Provider: Google Ireland Limited (see 6.1). Purpose: Google Search Console (GSC) lets us monitor how the site performs in Google’s search results — indexing status, search queries that lead to the site, click-through rates, technical crawl errors. Cookies / tracking on visitors: GSC itself sets no cookies on visitors of this website and runs no client-side script. The site ownership is verified by a static HTML meta tag and / or a DNS TXT record. Data: aggregated search analytics from Google’s side (search queries, impressions, clicks); these are not directly linked to individual visitors. The data is made available to us only in aggregated form. Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in monitoring the site’s search visibility. Third-country transfer: the aggregated reporting is generated on Google infrastructure including the USA. Safeguards as in 6.1. More info:Google Privacy Policy.
6.9 Cookie storage durations
Session cookies are deleted when the browser is closed. Permanent cookies have the following maximum lifetimes: Google Analytics 4 — up to 14 months (data retention shortened to 14 months in GA4 settings); Microsoft Clarity — up to 12 months; Google Ads (`_gcl_au`) — up to 90 days; Meta Pixel (`_fbp`) — up to 90 days; LinkedIn (`bcookie`) — up to 6 months; Cloudflare (`__cf_bm`) — at most 30 minutes of inactivity; Leadfeeder — typically session-based, not stored on the device; CookieConsent (Cookiebot) — up to 12 months from the moment consent is given.
6.10 Withdrawal of consent
You can withdraw your consent at any time with effect for the future — withdrawal is as easy as granting consent:
1. Open cookie settings: click the ‘Cookie settings’ link in the footer to re-open the banner and adjust your choice (this controls all of GA4, Clarity, Google Ads, LinkedIn, Meta Pixel and Leadfeeder). 2. By email: send a short message to info@daniel-herrmann.io — we will block the relevant tools for you. 3. Per tool: for Google Analytics the official browser opt-out is available; for Google Ads under Ad personalisation settings; for LinkedIn under LinkedIn opt-out; for the Meta Pixel under Meta ad settings. Microsoft Clarity and Leadfeeder are controlled exclusively via our cookie banner.
The lawfulness of processing carried out on the basis of consent prior to withdrawal remains unaffected (Art. 7 (3) GDPR).
7. Web fonts
This website loads Google Fonts. Connection data (in particular the IP address) is transmitted to Google. Provider: Google Ireland Limited (see section 6.1). Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in a consistent typographic presentation. As an alternative, fonts are also held in a local fallback so that font loading can fail safely without breaking the layout.
8. Technical and organisational measures (TOM)
To protect your data we implement appropriate technical and organisational measures pursuant to Art. 32 GDPR — among them: TLS encryption (HTTPS) for the entire site, encrypted database connections, server hosting in the EU (Kinsta / GCP Frankfurt), restricted admin access via individual accounts with strong passwords and 2FA, regular automatic backups, role-based access controls, a documented record of processing activities pursuant to Art. 30 GDPR, and data minimisation at the application level. We continuously review and update these measures.
9. Your rights
Under the GDPR you have the following rights:
Right of access (Art. 15 GDPR) — information about which of your personal data we process.
Right to rectification (Art. 16 GDPR) — correction of inaccurate data.
Right to erasure (Art. 17 GDPR) — deletion of your data where the legal conditions are met.
Right to restriction of processing (Art. 18 GDPR).
Right to data portability (Art. 20 GDPR) — receipt of your data in a structured, common, machine-readable format.
Right to object (Art. 21 GDPR) — to processing based on legitimate interest, including for direct marketing. See highlighted box below.
Right to withdraw consent (Art. 7 (3) GDPR) — at any time with effect for the future, see section 6.10.
Right to lodge a complaint (Art. 77 GDPR) — with a supervisory authority, in particular in the EU member state of your residence, your workplace or the location of the alleged infringement. Competent supervisory authority for our office location: Independent Data Protection Centre Saarland (Unabhängiges Datenschutzzentrum Saarland), Fritz-Dobisch-Straße 12, 66111 Saarbrücken.
Requests regarding these rights are to be directed to: info@daniel-herrmann.io. We will respond within the statutory period (usually one month).
10. Currency of this Privacy Policy
Last updated: 29 June 2026. We reserve the right to adapt this policy so that it always meets current legal requirements. The current version is always retrievable from this website.
Callback
When should we call you back?
Tell us when fits you and what it's about — we'll call back within the next business day.
Got it. We'll call you back.
You'll receive a confirmation email shortly. Daniel calls back within one business day.
Free material by email
Your material is on the way.
Enter your name and email — we send the material directly to your inbox, with a short personal note from Daniel.
Thanks — check your inbox.
We just sent the material to your email. If it doesn't arrive within a few minutes, please check your spam folder.
Once a month · CSV practice
CSV insights from real Pharma projects.
What you get next: the GAMP 5 2nd Edition impact, what the FDA CSA Final Guidance means for your validation strategy, and the 8-week CSV sprint we deliver in 60+ projects. Unsubscribe anytime in one click.
Almost done.
Confirm your email via the link we just sent to your inbox. After confirmation we'll send the latest newsletter issue right away.
We use your data exclusively for the newsletter. No sharing with third parties. Privacy policy.