SAP validation in Pharma & Biotech — what's required.
An ERP system in Pharma, Biotech and MedTech is not just an IT backbone. Once SAP processes GxP-relevant data — batch numbers, material master data, release workflows — it falls under Computer System Validation. The regulatory frame is unambiguous: GAMP 5 as the methodology standard (more on GAMP 5 compliance →), Annex 11 for the EU and 21 CFR Part 11 for the FDA.
Concretely, that means: a gapless audit trail, tamper-proof electronic signatures and ALCOA+ data integrity — in standard SAP and in customer-specific customising alike.
GxP-compliant ERP validation in regulated industry goes beyond generic CSV. Three subject areas are non-negotiable: transport management with documented release and rollback paths for every transport; customising validation for every GxP-relevant Z-table and workflow; interface validation across PI/PO and the SAP Business Technology Platform (BTP).
Skip one of these, and you risk not just audit findings — you risk the validated state of the entire ERP system.
02 Risk zones
S/4HANA migration — the validation traps.
An S/4HANA migration is more than a technical release upgrade. In Pharma, Biotech and MedTech, the validation logic decides whether your go-live lands on schedule — or stalls right before cut-over. Three areas carry the highest risk for audit findings and delays.
01
High risk
Data migration
LTMC and DMC are themselves validation-mandatory: they generate GxP-relevant data and belong in scope. Add mandatory ALCOA+ checks: completeness, consistency and traceability for every migrated batch, material, workflow.
LTMCDMCALCOA+
02
Medium-high risk
Customising validation
Not every customising needs re-validation, but every one must be assessed. GxP-relevant Z-tables, workflows and authorisation objects require full re-validation. Standard customising without GxP relevance can be slimmed risk-based. The art is in the boundary.
Z-TablesWorkflowsRoles
03
High risk
Interfaces (PI/PO & BTP)
The genuine hotspots: Veeva-SAP for master data, MES-SAP (e.g. Werum PAS-X) for production orders, LIMS-SAP for analytical results. Each interface needs its own validation concept for data mapping, error handling and audit-trail continuity across system boundaries.
VeevaMES PAS-XLIMS
Deep-dive · Audit-Vorbereitung
Assess audit risk before cut-over
How critical the audit risk in your S/4HANA rollout really gets depends on the validation state before cut-over. We diagnose, prioritise and close gaps in 4–8 weeks.
Greenfield / Brownfield / Bluefield — which path needs which validation?
SAP customers in Pharma, Biotech and MedTech face the same strategic question: which migration path fits the existing landscape? The three established options differ not only technically — they differ sharply in validation scope.
Greenfield
Full new setup
Build S/4HANA from scratch. Validation-wise: full re-validation across all GxP-relevant modules. Risk assessment, OQ/IQ/PQ, interface tests, audit-trail design — all built fresh.
Validation effort
Hoch
Timeline
12–18 months
Ideal for
Tech-debt cleanup, fresh start
Most common in Pharma
Brownfield
ECC → S/4 Conversion
Convert your existing ECC into the new release. Validation-wise: delta validation. Existing OQ/IQ/PQ evidence carries forward — provided the risk analysis proves comparability. Shorter timeline, but strict requirements on documenting every change delta.
Validation effort
Mittel
Timeline
6–12 months
Ideal for
Stable ECC with manageable customising
Bluefield
Selective migration
Take selected data and configurations, but clean custom code at the root. Validation-wise a hybrid: new validation for the cleaned areas, delta validation for the carried-over components. Demands an especially crisp scope definition.
Validation effort
Mittel-Hoch
Timeline
9–15 months
Ideal for
Tech-debt + business continuity
Which path is right depends on your system context — not on a blanket recommendation.
Global multinational ERP implementation, tight deadlines, multi-country stakeholders across business units.
Daniel's role
Team lead — building and steering a multi-country project team under regulatory requirements.
A global, multinational ERP implementation with tight deadlines and many demanding stakeholders. Daniel led the team and showed he is highly skilled at turning a group into a cooperative, supportive and highly successful team.
Patryk Rutkowski
Tollgate Review Lead · Novartis
Global ERPMulti-countryTeam leadNovartis
That cross-stream integration — IT, QA, business, external partners speaking one language — is the foundation of every successful SAP validation in Pharma. At dhc it's the I-pillar of our IVE methodology — backed by 15+ years of practice in regulated industry.
05 IVE applied to SAP
Three pillars carry one roof: your S/4HANA go-live.
The dhc methodology IVE — Integrated Validation Execution — maps directly onto SAP validation in Pharma, Biotech and MedTech.
I
Integrated
Cross-stream integration
Risk-based classification of your SAP modules — from MM through PP to QM. The GAMP 5-compliant assessment drives the validation strategy, aligned across IT, QA and business. One language, clear ownership.
V
Validation
Quality assurance
OQ/IQ/PQ for GxP-relevant SAP functions, documented interface tests to Veeva Vault, LIMS and MES, plus a gapless audit trail across all Z-tables and workflows. Documentation that holds under any FDA or EMA inspection.
E
Execution
Delivery & project management
Cut-over coordination, on-schedule go-live, then structured change-control plus hypercare. We stay with the system until it runs stably in production — then hand over an audit-secure SAP for your own operation.
ScopeDo we need to re-validate SAP completely for the S/4HANA switch?
Not necessarily. With the Brownfield approach a delta validation usually suffices — provided the risk analysis proves comparability between ECC and S/4HANA for the GxP modules. Greenfield migrations require full re-validation. Which path applies is decided by the risk assessment, not the migration method alone.
TimelineHow long does an SAP validation take?
An isolated module validation typically runs four to eight weeks. Complete S/4HANA migrations with multiple GxP modules and interfaces to Veeva Vault, LIMS or MES we plan in six to twelve months. Under acute timeline pressure we work in parallel tracks and deliver first reliable results from week 1.
CloudDo you also validate SAP Cloud (RISE / BTP)?
Yes. SAP RISE and the SAP Business Technology Platform (BTP) are part of our standard scope. We clarify the shared responsibility between SAP as cloud provider and your company as the regulated operator — including the release strategy for SAP updates and multi-tenant specifics.
We work project-based or by day rate, depending on the engagement. We estimate the exact effort after a free initial analysis of your SAP validation status. Fixed prices are possible once scope is defined.
VAT identification number pursuant to § 27a German VAT Act (UStG): DE328451232
Consumer dispute resolution (VSBG)
In accordance with § 36 VSBG: we are neither willing nor obliged to participate in dispute resolution proceedings before a consumer arbitration board.
Liability for content
We are responsible for our own content on these pages under the general laws. Under Articles 4 to 8 of Regulation (EU) 2022/2065 (Digital Services Act, DSA), as a service provider we are not obliged to monitor transmitted or stored third-party information or to investigate circumstances that indicate unlawful activity.
Note: The §§ 7–10 of the previous Telemedia Act (TMG) on the liability for digital services have not been transferred to the German Digital Services Act (DDG). Liability for digital services is now primarily regulated by Regulation (EU) 2022/2065 (DSA), in particular Articles 4–8 — referenced above. The §§ 7–10 DDG cover other subjects (limited responsibility under DSA Articles 4–8 + Wi-Fi access, blocking claims under copyright law, lists of audiovisual-media-service and video-sharing-platform providers, and information-request rights of the competent authorities under state law).
Copyright
The content and works on these pages created by the site operator are subject to German copyright law. Reproduction, processing, distribution and any kind of exploitation outside the limits of copyright require the written consent of the respective author.
Privacy Policy
1. At a glance
The following information gives a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally.
2. Controller
The controller responsible for data processing on this website pursuant to Art. 4 (7) GDPR is:
Daniel Herrmann Consulting Daniel Herrmann (sole proprietor) Enzweilerweg 3a · 66709 Weiskirchen · Germany Phone: +49 170 7878065 Email: info@daniel-herrmann.io
A data protection officer has not been appointed; the controller is your point of contact for all data protection matters.
3. Server logs
When you visit this website, the hosting provider automatically collects technical information in server log files: IP address (anonymised after 7 days), date and time of access, page accessed, referrer, user agent. Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in technically reliable operation. Retention: 7 days, then automatic deletion. No merger with other data sources.
4. Contact
If you contact us via form, email or phone, we store the information you provide (name, email, company, message content) to process the enquiry and for follow-up questions. Legal basis: Art. 6 (1) (b) GDPR (pre-contractual measures) and Art. 6 (1) (f) GDPR (legitimate interest in answering enquiries). Retention: deletion as soon as the enquiry has been finally processed, at the latest after 12 months, unless statutory retention obligations apply. Data is not shared with third parties.
5. Lead magnets (PDF downloads)
To request our practical guides (e.g. Strategy Guide, Compliance-Gap Analysis, Execution Playbook) we ask for your email address and, optionally, your name and company. The data is stored solely to provide the requested material and for documentation of consent. Legal basis: Art. 6 (1) (a) GDPR (consent). Retention: until your withdrawal, at most 24 months. The newsletter subscription is offered as a separate, opt-in checkbox on the lead-magnet form (no coupling — you can request the material without subscribing). No marketing emails are sent without separate consent.
5a. Newsletter (Double-Opt-In)
If you sign up for our newsletter, we use the double-opt-in procedure: after entering your email and name you receive a confirmation email with a verification link. Only after you click the link do we activate the subscription and document your consent. Data: email, name, consent timestamp, confirmation IP. Purpose: sending the monthly dhc newsletter with practice insights, plus documentation of the consent process (Art. 7 (1) GDPR). Legal basis: Art. 6 (1) (a) GDPR (consent), § 7 (2) Nr. 3 UWG. Retention: for as long as your subscription is active; consent logs retained for 3 years after the end of the subscription as evidence in the event of complaints. Withdrawal: every newsletter contains a one-click unsubscribe link in the footer. Alternatively a short email to info@daniel-herrmann.io is sufficient. Processor: the newsletter is sent via our hosting provider's SMTP infrastructure; we currently do not use a third-party email-marketing tool. As soon as we transition to a dedicated newsletter-tool (e.g. Brevo), we will update this section and conclude an additional data-processing agreement.
5c. Link-click tracking in our emails
To understand which content in our lead-magnet emails and newsletter issues is actually useful, we route outbound links through an internal redirect endpoint (`/t/`). Each link in each send gets an aggregate click counter — but we do NOT store an identifier of the individual recipient, NO IP address and NO user agent. The data we keep is comparable to anonymous server logs (e.g.: ‘link X in send Y was clicked 42 times in total’). It does not allow us to infer who clicked. Therefore no separate consent or cookie banner is required (recital 26 GDPR — anonymous data, no personal-data processing per Art. 4 (1) GDPR). Legal basis for the redirect itself: Art. 6 (1) (f) GDPR (legitimate interest in measuring content effectiveness for our own communications). Legal pages (Impressum, Datenschutz) and the unsubscribe link are NEVER routed through the redirect, so the click behaviour on legally relevant links is never measured.
5b. Retention overview & justifications
A consolidated view of all retention periods with the rationale behind each one — the principle: minimal storage, clear purpose, documented basis.
Data categoryRetentionJustification
Server logs7 daysSufficient for technical fault analysis & security forensics — Art. 6 (1) (f) GDPR. IP anonymisation kicks in immediately on log close.
Contact enquiries12 monthsB2B sales cycle in pharma typically runs 6–9 months. 12 months covers follow-ups without unnecessary stockpiling. Statutory retention (e.g. § 257 HGB) only applies once a contract is concluded.
Lead magnetsup to 24 monthsUntil withdrawal of consent; 24-month cap covers documentation of consent (Art. 7 GDPR) and re-engagement cycle. Withdrawal at any time, deletion within 7 days of request.
Newsletter subscriptionactive subscription + 3 yrs consent logEmail + name only as long as the subscription is active. Consent log (timestamp + IP) retained 3 years to cover statutory limitation period (§ 195 BGB) for complaints under § 7 UWG.
Cookies (incl. analytics)30 min – 14 monthsPer-tool detailed in 6.9. GA4 capped at 14 months (the GA4 minimum, shorter possible only via property reset); all other tools below or equal to industry standard.
Cookiebot consent12 monthsMaximum window the EDPB considers reasonable for repeat-consent requests. After 12 months a fresh banner appears.
6. Cookies, analytics & tracking
This website uses analytics and tracking tools that go beyond pure reach measurement and create usage profiles. Personal data may be processed (in particular IP address, device and browser information, behaviour data) and transferred to third countries (including the USA). Legal basis is your consent pursuant to § 25 (1) TTDSG and Art. 6 (1) (a) GDPR. The consent is granted on first visit via our cookie banner and can be withdrawn at any time with effect for the future — see section 6.10 below. Withdrawal is as simple as granting consent (Art. 7 (3) GDPR); the lawfulness of processing carried out on the basis of consent prior to withdrawal remains unaffected.
6.0 Consent management (Cookiebot)
Provider: Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (a Usercentrics company) — EU-based. Purpose: Cookiebot is the consent management platform (CMP) we use to document your consent in line with § 25 TTDSG and Art. 7 GDPR and to block analytics / tracking tools until you opt in. Data: Cookiebot stores a ‘CookieConsent’ cookie containing your consent state (categories, timestamp, anonymous identifier) and a server-side consent log. Retention: up to 12 months from the moment consent is given; renewed on each new visit after expiry. Legal basis: the processing of consent itself rests on Art. 6 (1) (c) GDPR (legal obligation to document consent). Third-country transfer: primary processing in the EU; sub-processors may include service providers outside the EEA under EU Standard Contractual Clauses. Data processing agreement: concluded with Cybot A/S. More info:Cookiebot Privacy Policy.
6.1 Google Analytics 4
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA). Purpose: Tracking tool that goes beyond pure reach measurement. Google uses the collected data for the operation of GA4 and partly for its own purposes (no commissioned processing in the narrow sense for these purposes). Data: pseudonymous identifiers (client ID), IP address (shortened on EU server, see below), page views, dwell time, scroll depth, click events, device and browser information, approximate location (country / region from IP). Retention: up to 14 months for event-level data, then automatic deletion. IP shortening: The IP address is shortened on an EU server before being forwarded to the USA (‘_anonymizeIp’ equivalent in GA4 is active by default). Third-country transfer: data is processed on servers in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Adequacy Decision of 10 July 2023). Note that the supervisory authorities point out that the legal certainty gained may only be temporary; previous adequacy regimes (Safe Harbor, Privacy Shield) were invalidated by the CJEU. Data processing agreement: concluded with Google Ireland Ltd. More info:Google Privacy Policy, Browser opt-out.
6.2 Microsoft Clarity
Provider: Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (parent: Microsoft Corporation, USA). Purpose: Session recordings and heatmaps to improve usability. Note: session recordings are a particularly intensive form of processing — they can capture sensitive content even though input fields are masked by default. We have configured the strictest masking level (‘Strict’) for all form fields. Data: mouse movements, clicks, scroll behaviour, page views, device and browser information, shortened IP address, country. Retention: up to 12 months from the last recorded session. Third-country transfer: Microsoft is a US group; data may be processed on servers in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework. The reservations noted above for GA4 apply analogously. Data processing agreement: Microsoft Online Services DPA concluded. More info:Microsoft Privacy Statement.
6.3 Leadfeeder (Dealfront)
Provider: Dealfront Germany GmbH (Leadfeeder), Markgrafenstraße 36, 10117 Berlin, Germany — EU-based provider. Purpose: B2B identification of visiting companies based on commercially licensed IP-address databases (e.g. RIPE, ARIN, public corporate IP ranges). We use this to inform our sales outreach. The aim is identification of the company, not of an individual user. Important note from a data protection perspective: IP addresses can constitute personal data, particularly when combined with other data. We therefore treat Leadfeeder processing as relevant under GDPR. Data: IP address, page views, timestamp, dwell time, referrer. Data sources: Dealfront enriches IP data with publicly available company information and licensed B2B databases. Retention: up to 12 months on visit level; aggregated reports may be retained longer. Third-country transfer: Dealfront operates primarily on EU infrastructure; sub-processors may include US service providers under EU Standard Contractual Clauses. Data processing agreement: concluded with Dealfront Germany GmbH. More info:Dealfront Privacy Policy.
6.4 Google Ads
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent: Google LLC, USA). Purpose: We use Google Ads conversion tracking and (where activated) remarketing to measure the success of advertising campaigns and to address visitors with relevant ads. Data: pseudonymous click ID (gclid), conversion event, conversion timestamp, device and browser information. Cookies used include `_gcl_au` (conversion linker) and `test_cookie` (doubleclick.net technical test cookie). Retention: `_gcl_au` up to 90 days, conversion logs in the Google Ads account according to Google retention settings. Third-country transfer: data is processed on Google servers including the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Data processing agreement: concluded with Google Ireland Ltd. More info:Google Privacy Policy, Ad personalisation settings.
6.5 LinkedIn Insight Tag
Provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (parent: LinkedIn Corporation, USA). Purpose: The LinkedIn Insight Tag enables campaign measurement, audience analytics and (where activated) retargeting for LinkedIn ad campaigns. Data: IP address (truncated), timestamp, page URL, device characteristics, LinkedIn member ID where the visitor has been logged in to LinkedIn. Cookies used include `bcookie`, `lidc`, `bscookie`. Retention: up to 6 months for direct identifiers; aggregated campaign reports may be retained longer. Third-country transfer: data is processed on LinkedIn servers including the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework. Data processing agreement: concluded with LinkedIn Ireland Unlimited Company. More info:LinkedIn Privacy Policy, LinkedIn opt-out.
6.6 Google Tag Manager
Provider: Google Ireland Limited (see 6.1). Purpose: Google Tag Manager (GTM) is a tag-management system that loads other tracking tags (e.g. Google Analytics, Google Ads, LinkedIn Insight Tag) on this website. GTM itself does not set any cookies and does not collect personal data per se; it only orchestrates the tags loaded after consent. Data: technical request data (IP address, timestamp, user agent) is briefly seen by Google’s GTM-loader server. No persistent identifier is set by GTM itself. Third-country transfer: the GTM loader is hosted on Google infrastructure including the USA. Safeguards as in 6.1. Note: we have configured GTM so that no measurement tag fires before you have given consent via our Cookiebot banner. More info:Google Privacy Policy.
6.7 Cloudflare (CDN & bot management)
Provider: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA, with EU representative Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich. Purpose: Cloudflare is used by our hosting provider as a Content Delivery Network (CDN) and security layer. The ‘__cf_bm’ cookie is set by Cloudflare’s bot-management to distinguish humans from automated traffic and to mitigate DDoS attacks and content scraping in real time. Why we consider this technically necessary: Without bot-mitigation our website would be vulnerable to credential-stuffing, scraping and DDoS attacks that compromise availability, integrity and the security of the personal data we process (e.g. lead-magnet form submissions, newsletter signups). Bot-mitigation is therefore a technical security measure within the meaning of Art. 32 GDPR (security of processing). Cloudflare itself classifies ‘__cf_bm’ as ‘strictly necessary’ (Cloudflare cookie documentation). Replacing Cloudflare bot-management would weaken the security of personal data on this site. Data: IP address, request headers, technical fingerprint of the request. No persistent identifier across sites. Retention: ‘__cf_bm’ cookie expires after at most 30 minutes of inactivity. Aggregated security logs at Cloudflare are retained briefly under Cloudflare’s standard retention. Legal basis: § 25 (2) Nr. 2 TTDSG (technically required to operate the requested service) and Art. 6 (1) (f) GDPR (overriding legitimate interest in a secure, available website). Third-country transfer: Cloudflare is a US group; data may be processed on servers in the USA. Safeguards: EU Standard Contractual Clauses and the EU-US Data Privacy Framework (Adequacy Decision of 10 July 2023). Please note that the legal certainty of the framework may be limited; the General Court of the EU has annulment proceedings pending (case T-553/23). Data processing agreement: concluded as part of the hosting contract. More info:Cloudflare Privacy Policy.
6.8 Google Search Console
Provider: Google Ireland Limited (see 6.1). Purpose: Google Search Console (GSC) lets us monitor how the site performs in Google’s search results — indexing status, search queries that lead to the site, click-through rates, technical crawl errors. Cookies / tracking on visitors: GSC itself sets no cookies on visitors of this website and runs no client-side script. The site ownership is verified by a static HTML meta tag and / or a DNS TXT record. Data: aggregated search analytics from Google’s side (search queries, impressions, clicks); these are not directly linked to individual visitors. The data is made available to us only in aggregated form. Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in monitoring the site’s search visibility. Third-country transfer: the aggregated reporting is generated on Google infrastructure including the USA. Safeguards as in 6.1. More info:Google Privacy Policy.
6.9 Cookie storage durations
Session cookies are deleted when the browser is closed. Permanent cookies have the following maximum lifetimes: Google Analytics 4 — up to 14 months (data retention shortened to 14 months in GA4 settings); Microsoft Clarity — up to 12 months; Google Ads (`_gcl_au`) — up to 90 days; LinkedIn (`bcookie`) — up to 6 months; Cloudflare (`__cf_bm`) — at most 30 minutes of inactivity; Leadfeeder — typically session-based, not stored on the device; CookieConsent (Cookiebot) — up to 12 months from the moment consent is given.
6.10 Withdrawal of consent
You can withdraw your consent at any time with effect for the future — withdrawal is as easy as granting consent:
1. Open cookie settings: click the ‘Cookie settings’ link in the footer to re-open the banner and adjust your choice (this controls all of GA4, Clarity, Google Ads, LinkedIn and Leadfeeder). 2. By email: send a short message to info@daniel-herrmann.io — we will block the relevant tools for you. 3. Per tool: for Google Analytics the official browser opt-out is available; for Google Ads under Ad personalisation settings; for LinkedIn under LinkedIn opt-out. Microsoft Clarity and Leadfeeder are controlled exclusively via our cookie banner.
The lawfulness of processing carried out on the basis of consent prior to withdrawal remains unaffected (Art. 7 (3) GDPR).
7. Web fonts
This website loads Google Fonts. Connection data (in particular the IP address) is transmitted to Google. Provider: Google Ireland Limited (see section 6.1). Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in a consistent typographic presentation. As an alternative, fonts are also held in a local fallback so that font loading can fail safely without breaking the layout.
8. Technical and organisational measures (TOM)
To protect your data we implement appropriate technical and organisational measures pursuant to Art. 32 GDPR — among them: TLS encryption (HTTPS) for the entire site, encrypted database connections, server hosting in the EU (Kinsta / GCP Frankfurt), restricted admin access via individual accounts with strong passwords and 2FA, regular automatic backups, role-based access controls, a documented record of processing activities pursuant to Art. 30 GDPR, and data minimisation at the application level. We continuously review and update these measures.
9. Your rights
Under the GDPR you have the following rights:
Right of access (Art. 15 GDPR) — information about which of your personal data we process.
Right to rectification (Art. 16 GDPR) — correction of inaccurate data.
Right to erasure (Art. 17 GDPR) — deletion of your data where the legal conditions are met.
Right to restriction of processing (Art. 18 GDPR).
Right to data portability (Art. 20 GDPR) — receipt of your data in a structured, common, machine-readable format.
Right to object (Art. 21 GDPR) — to processing based on legitimate interest, including for direct marketing. See highlighted box below.
Right to withdraw consent (Art. 7 (3) GDPR) — at any time with effect for the future, see section 6.10.
Right to lodge a complaint (Art. 77 GDPR) — with a supervisory authority, in particular in the EU member state of your residence, your workplace or the location of the alleged infringement. Competent supervisory authority for our office location: Independent Data Protection Centre Saarland (Unabhängiges Datenschutzzentrum Saarland), Fritz-Dobisch-Straße 12, 66111 Saarbrücken.
Requests regarding these rights are to be directed to: info@daniel-herrmann.io. We will respond within the statutory period (usually one month).
10. Currency of this Privacy Policy
Last updated: 29 May 2026. We reserve the right to adapt this policy so that it always meets current legal requirements. The current version is always retrievable from this website.
Callback
When should we call you back?
Tell us when fits you and what it's about — we'll call back within the next business day.
Got it. We'll call you back.
You'll receive a confirmation email shortly. Daniel calls back within one business day.
Free material by email
Your material is on the way.
Enter your name and email — we send the material directly to your inbox, with a short personal note from Daniel.
Thanks — check your inbox.
We just sent the material to your email. If it doesn't arrive within a few minutes, please check your spam folder.
Once a month · CSV practice
CSV insights from real Pharma projects.
What you get next: the GAMP 5 2nd Edition impact, what the FDA CSA Final Guidance means for your validation strategy, and the 8-week CSV sprint we deliver in 60+ projects. Unsubscribe anytime in one click.
Almost done.
Confirm your email via the link we just sent to your inbox. After confirmation we'll send the latest newsletter issue right away.
We use your data exclusively for the newsletter. No sharing with third parties. Privacy policy.
