What data do we process?
The Company processes the following personal data for the purposes described below:
- Personal identification data (gender, surname and first name or only initials of surname (first 3 letters) and first name (first 2 letters) for patients;
- Professional identification data (surname, first name, title, position, organization) for healthcare professionals;
- Health data related to patient follow-up (information about the procedure to be performed on the patient, other health data: medical and family history, concomitant medications);
- Contact data (telephone number, postal address, e-mail address) for patients and healthcare professionals.
- Personal data contained in the contact form on the website for patients and healthcare professionals.
How do we process your data?
The Company processes your personal data for the following purposes:
- Pharmacovigilance and materiovigilance monitoring (collection of adverse events, risks of incidents and/or incidents, patient monitoring (such as registers, database), writing reports of adverse reactions that may be related to the use of medicines), monitoring of the "off-label";
- Processing of medical information requests.
(b) Legal basis
- The collection and processing of your personal data is based on the legal obligations binding the Company, as well as on the legitimate interest of the Company in managing and processing requests for information. When they are based on our legitimate interests, these interests do not appear to us to take precedence over your interests and fundamental rights and freedoms.
- In addition, when processing health data, the Company complies with the data protection and privacy legalization. In particular, the processing of health data carried out is necessary for the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of health services implemented by a health professional.
(c) How long do we keep your data?
Your personal data are kept by the Company for periods not exceeding those necessary for the purposes for which they are processed, taking into account the sensitive nature of the data processed, the applicable statute of limitations and the legal or regulatory obligations imposed on the Company. The retention periods are specified in point 3.5.
The processing of your personal data can be summarized as follows:
Management of the early and compassionate access
Patient's personal identifying data
Health data related to patient follow-up
2 years after approval by the National Pharmaceuticals Agency of the
summary of the last synthesis report.
Archiving on an intermediate basis
during the MA and 10 years after its expiry.
Patient personal identifying data (gender, initials) and reporter (gender, last name, first name).
Health data related to patient follow-up.
Notifier contact Information.
Duration of the marketing authorisation
and 10 years after the
marketing ceases to exist.
Processing of medical information requests
Applicant's personal identifying data
Contact details of the applicant
Personal data contained in the contact form on the website
Legitimate interest of the Company in charge of management and processing of medical information requests
5 years from the request
How do we collect your data?
We collect your personal data:
- directly from you through our authorised staff by telephone, post, website, or other means at the initiative of the patient or declarant (symposium, trade fairs, etc.), or
- indirectly through the early and compassionate access authorizations forms
Who do we share your data with?
If necessary, we may forward your personal data to the following recipients:
- Our affiliates;
- Our data processors, our technical service providers for hosting, archiving and telephone permanence;
- Our legal advisers and/or lawyers and those of potential purchasers in the context of restructuring operations, divestments, mergers, and acquisitions or litigation;
- Government entities and administrations authorised to access and/or obtain your personal data, and in particular the regional pharmacovigilance centers and the European database of adverse reaction reports that may be related to the use of medicinal products.
- The courts and tribunals of the judicial order in case of litigation involving you;
- Law enforcement authorities in the event of the observation or suspicion of the occurrence of an offence involving you in accordance with or as required by applicable law.
In the event of a restructuring, divestments, or merger (including reorganization), we may transfer your personal data to a third party involved in the transaction (for example, a purchaser) in accordance with applicable data protection legislation.
How is the outsourcing of your data managed?
- We take appropriate steps to ensure that our contractors process your personal data in accordance with applicable data protection legislation.
- These measures include the signing of a data processing agreement which requires processors, among other things, to process your personal data only on our instructions, not to engage a second-tier processor without our consent, to take appropriate technical and organizational measures to ensure the security of your personal data, to ensure that the persons authorised to access the data are subject to confidentiality obligations, to return and/or destroy your personal data at the end of their assignment or contract, to undergo audits and to provide us with assistance in following up on your requests to exercise your rights in relation to your personal data.
Are your data transfered outside the European Econoly Area?
Your data may be transferred outside the European Union to authorized subcontractors. We have controlled this transfer by implementing various legal and technical tools through standard contractual clauses ensuring a sufficient and appropriate level of protection of your data. We have also entered into appropriate contractual arrangements in accordance with applicable data protection legislation.
You have the right to access your data, to rectify it, to limit its processing, the right to data portability and in certain cases the right to object to its processing and to delete it, as well as the right to define directives concerning the use of your data after your death. You can perform your rights at any time by sending an email to our Data Protection Officer (DPO) at firstname.lastname@example.org.
What are your rights?
In accordance with applicable data protection legislation, you have the right to access, rectify and delete your personal data, the right to object to or limit the processing of your personal data, the right to the portability of personal data and the right to define directives concerning the use of your personal data after your death.
What does that mean?
The right of access
You have the right to obtain a copy of your personal data.
|The right of rectification
|You have the right to obtain the rectification of your personal data if they are inaccurate or incomplete.
|The right to erasure (the "right to be forgotten")
|You have the right to obtain the deletion of your personal data. However, the right to erasure (or the "right to be forgotten") is not absolute and is subject to specific conditions. We may retain your personal data to the extent permitted by applicable law, and in particular when their processing remains necessary to comply with a legal obligation to which the Company is subject or to establish, exercise or defend a right in court.
|The right to limitation of processing
|You have the right to obtain the limitation of the processing in certain circumstances (for example when the Company no longer needs your personal data, but they are still necessary for the establishment, exercise, or defense of a legal right).
|The right to portability of personal data
|You have the right, under certain circumstances, to receive the personal data concerning you that you have provided to the Company in a structured, commonly used, and machine-readable format and to pass it on to another data controller. This right does not apply when the processing is based on our legal obligations or legitimate interests.
|The right to object to processing
|You have the right to object to certain types of processing (for example, where the processing is based on the Company's legitimate interests). This right does not apply when the processing is based on our legal obligations.
|The right to withdraw consent
|If you have given your consent to the Company's processing of your personal data, you have the right to withdraw it at any time.
|The right to set guidelines on the fate of your data after your death
You can set guidelines for the storage, deletion, and disclosure of your personal data after your death. These guidelines may be general or specific. General guidelines are registered with a trusted third party.
Special directives are registered with the Company.
Please send us any request concerning your rights in relation to your personal data by email to email@example.com. We will respond to your request as soon as possible and always within the time limits set out in the applicable data protection legislation. Please note that we may retain your personal data for certain purposes where required or permitted by law.
How we guarantee the security of your data?
We take appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with your personal data. We follow industry best practices to ensure that personal data is not accidentally or unlawfully destroyed, lost, altered, unauthorized disclosure or access.
Questions and Complaints
If you have any questions or complaints concerning the processing of your personal data by the Company, please contact our data protection officer by email at firstname.lastname@example.org.
You have the right to submit a complaint before the competent supervisory authority.
The Company reserves the right to update this Policy at any time. If we make changes to this Policy, we will notify you so that you are always aware of how we treat your personal data.