This notice is effective as of 14th April 2023
POA Pharma GmbH and its affiliates (collectively “POA”) are committed to preserving the privacy of all individuals that share their information with POA. POA is committed to ensuring that if we handle information about any individual, we do so with full regard to the individual’s privacy and in full compliance with applicable laws on data privacy and confidentiality.
POA has put in place internal policies to ensure that our employees are fully aware of the legal requirements relating to data privacy and confidentiality.
By registering on any POA site, you consent to the collection, use and transfer of your information under the terms of this Policy.
“Personal Data” means any information or set of information that identifies or can reasonably be used to identify an individual and includes, in the context of GDPR, all information defined as “Personal Data” within GDPR, comprising any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data does not include information that is anonymous.
References to “Sensitive Personal Data” in this Policy include (in the context of GDPR) “Special Categories of Personal Data” (as such term is defined in GDPR) comprising personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, as well as information about criminal convictions and offences. References to Sensitive Personal Data in the Policy shall also include for the purposes of the Swiss-US Privacy Framework ideological views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings. POA will process information as Sensitive Personal Information as appropriate, and comply with applicable laws in respect of such processing (see Section 3 below for further details). Additionally, information will be treated as Sensitive Personal Data where it is received from a third party that treats and identifies it as sensitive.
POA, as a data controller, will collect, process, and store certain Personal Data and Sensitive Personal Data including, but not limited to, the examples listed below.
(a) Employee Data
POA will collect Personal Data and Sensitive Personal Data of POA employees, workers, contractors and applicants seeking employment with POA. As a data controller, POA determines the purpose and means of such processing. POA collects and processes all employee information of staff for human resource purposes, including payroll, tax and performance reviews and assessments. POA also collects Personal Data and information from applicants (who may be existing employees or external individuals) who apply to recruitment offers and positions (either directly or through an employment agency). This information may include contact details, professional qualifications, previous professional experience, references and relevant background checks, where applicable. External advisors and consultants’ information will be collected and processed in the same manner and in accordance with POA’s standard operating procedures.
(b) Marketing and Website Visitors
POA will collect and process Personal Data, including names and contact details, of customers, prospective customers and other business contacts in the course of our marketing activities and other legitimate business-related purposes.
When you visit or register on any POA website, you may be asked to voluntarily provide certain information about yourself, including your name and contact details. We may also collect information about you from e-mails, letters or business cards you provide to us. Where you have provided your e-mail address in connection with the sale of products or services, we may use your information to contact you for your views on our products and to notify you occasionally about important changes or developments to the site or our products, unless you have objected to this. Further, where you have consented, we might also use your information to let you know about other products which we offer which may be of interest to you and we may contact you by post, telephone or fax, as well as by e-mail. If you change your mind about being contacted in the future, please let us know, either by availing of the “unsubscribe” option in our marketing-related correspondence or by contacting us (see Section 8).
(c) Suppliers and Site Visitors and Virtual Audits
POA may be required from time to time to process information relating to consultants, contractors, suppliers and other third parties engaged by POA to provide services to it or who otherwise visit our premises (including for example, site security records and CCTV for the purposes of maintaining site security, and which are in accordance with our standard operating procedures). POA may also be required to process information of individuals on site (including employees) as part of filming for, or otherwise performing, virtual audits. There are prominent notices at the relevant locations throughout our sites where filming for virtual audits occurs and where CCTV is in operation.
(d) Health Professionals
POA will collect and process Personal Data about health professionals with whom we have dealings in connection with POA products. This information may include name, contact details, practice area and details of dealings with POA (e.g. details of medical enquiries, adverse event reporting, clinical trial involvement, meetings with our sales representatives and participation in relevant conferences, meetings, panels or speaker engagements).
(e) Regulatory and Pharmacovigilance Activities
POA may collect Personal Data (including Sensitive Personal Data) about you when you, or a third party, provide us with information about you in relation to an adverse event that affected you or someone else. We may also receive medical information queries or complaints relating to our products. In order to fulfil our pharmacovigilance obligations, we may use or share your information to investigate the adverse event, contact you for further information about the adverse event you have reported or provide reports to relevant regulatory authorities. We may also be required to share your information with our commercial partners where we have a legal or contractual obligation to do so.
Although POA will most often be considered a data controller, there may be some limited instances where POA may be required to process Personal Data (and, if applicable, Sensitive Personal Data) as a data processor on behalf of a third party (e.g. where a commercial partner subcontracts certain pharmacovigilance or regulatory responsibilities to POA). Where this is the case POA will process such Personal Data in accordance with the instructions of the applicable data controller.
Unless we specify at the point of collection that we are relying on a data subject’s consent to process their Personal Data (in which case we will comply fully with all applicable legal requirements in relation to consent, including under GDPR) POA relies on one or more of the other legal bases available for processing Personal Data, including (from a GDPR perspective):
(i) the processing is necessary for the purposes of the legitimate interests pursued by POA or by a relevant third party;
(ii) the processing is necessary for compliance with a legal obligation;
(iii) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(iv) the processing is necessary to protect the vital interests of the data subject or another individual.
Where Sensitive Personal Data is processed, GDPR requires us to have (as well as one of the legal grounds described above), an additional legal ground to justify using this sensitive information. The appropriate additional legal ground will depend on the circumstances and includes (a) processing that is necessary for carrying out obligations and exercising specific rights in the field of employment or social security, (b) processing in connection with the establishment, exercise or defence of legal claims, (c) processing that is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices, and (d) explicit consent of the data subject – where we choose to rely on consent to process Sensitive Personal Data we always obtain the explicit consent of the individual data subjects concerned.
POA will also conduct Data Protection Impact Assessments (“DPIA”) as and when required, and in accordance with applicable law, taking into account, inter alia the nature, scope, context and purposes of the processing. Such DPIAs include a description of the processing operations and purposes of processing, the necessity and proportionality of the processing operations in relation to the purposes, the risks to the rights of data subjects and controls to mitigate the risks.
The information you provide to us may be held on our computer systems in the UK (or in respect of information provided to our affiliates outside the UK, in the jurisdictions where those affiliates are established). This information may be accessed by, or given to our staff or other third parties (including third party service providers) working either within or outside the UK, for the purposes set out in this policy or for other purposes approved by you. At times, personal information will be shared by POA with companies working as agents of POA and third parties strictly on a “need to know” basis and to satisfy business requirements. POA does not trade or sell any personal information. Under certain circumstances, POA may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Finally, if our business enters into a joint venture with or is sold to or merged with another business entity, your information may be disclosed to our new business partners or owners.
POA has implemented both organizational and technological measures to protect Personal Data and Sensitive Personal Data against accidental or unlawful destruction, loss, alteration, disclosure or access including, but not limited to, documented policies, procedures, and instructions, documented training, physical and logical secure access, role based access to minimum level required for job functionality, and data encryption. Your information will only be retained for as long as necessary for the purposes of the processing.
POA has put in place measures to ensure that adequate protection is provided to Personal Data where legally mandated. Countries outside the European Union do not always have strong data protection laws. However, we will always take steps as a data controller to ensure that your information is used by third parties in accordance with this Policy.
Your information will only be used for the purpose for which it was originally collected. You have the right to know what Personal Data/Sensitive Personal Data is held by POA as data controller and to ensure that such data is accurate and relevant for the purposes for which POA collected it. Upon reasonable request and as required by applicable law (including GDPR), POA allows you to access your Personal Data/Sensitive Personal Data held by POA as data controller, in order to request the correction, amendment or deletion of such data that you demonstrate to be incorrect or incomplete at any time, or where such data is being processed in violation of applicable law (including GDPR), or where such data is no longer necessary in relation to the purposes for which it was collected, or to request a limiting of the use and disclosure of your personal data. Such requests can be made by contacting POA by email or otherwise in writing (using the contact details set out in Section 8). Requests from POA employees may also be made to our HR Department. POA will respond in a timely manner to all reasonable requests to access, amend or delete any such Personal Data/Sensitive Personal Data, and in accordance with applicable law, and reserves the right to charge up to the maximum fee payable (as permitted by applicable law) for such requests in order to cover administration costs.
Please contact us at the address below if you have any comments, queries, requests or complaints relating to our use of your information.
Data Protection Officer
20 Seagoe Industrial Estate
Email address: firstname.lastname@example.org
POA has put in place mechanisms to verify our ongoing adherence to these privacy principles. We encourage individuals covered by this policy to raise any concerns that they have about the way that we process their Personal Data/Sensitive Personal Data by contacting us at the contact address above in the first instance, and we will endeavour to resolve them promptly. Please contact POA’s Data Protection Officer with any concerns about the use of your Personal Data/Sensitive Personal Data. POA will respond in a timely manner to such complaints, and in accordance with applicable law.
Any changes to our Policy in the future will be posted to our website.
POA may from time to time collect information from you by using “cookies”. At POA, we are strongly committed to protecting your privacy and as such we want to ensure that you are always aware of how we are using cookies on our websites and how this may affect you.
WHAT ARE COOKIES?
A cookie is a text file that is placed on your computer, mobile phone or tablet by the websites. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you.
Measuring how many people are using the different areas of the websites so that popular sections can be improved.
Analysing anonymous data to help us understand how visitors interact with the websites so we can improve the services offered.
Enabling a service to recognise your computer so you don’t have to give the same information several times during one task.
Cookies may be used on our customer-facing applications, and although we are not actively storing any information pertaining to the user in the form of a cookie, some of the application servers which POA uses may write temporary files to enable them to perform as part of their normal usage. This data is not recorded by POA.
Cookies do not usually contain personally identifiable information, and if at times POA requires you to register your information, the cookie which is associated with your registration information is used in a limited manner to allow POA to offer increased functionality of our websites. We do not share any of our data with any third parties. The personal or system information is not stored in the cookie.
POA also uses an industry-standard web analytics service, Google Analytics, to track web visits. The information generated by the cookie about your use of our websites (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our websites, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may opt out of web analytics by installing these tools on your computer: https://tools.google.com/dlpage/gaoptout.