SUBSTIPHARM

Rules for processing personal data applicable to job applications and commercial requests

At Substipharm, we need to collect your personal data when you apply for a job at Substipharm or when you make a commercial request.

The legal basis for this, required under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter also referred to as “GDPR“), is legitimate interest. Under no circumstances may the information collected be used for any purpose other than that provided for herein.

I) Data Collected and Purpose of Processing

In accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, certain personal information is collected by Substipharm when you apply for a job with Substipharm and/or make a commercial request.

The purpose of the data processing is to administer your application and/or commercial request (hereinafter referred to as the “Purpose“).

At Substipharm, we only collect and store data that is relevant and meets the Purpose of the processing. The data that may be collected by Substipharm and the details of its Purpose are as follows:

Data collected	Detailed Purpose
1)     Data that may be collected when you apply for a job at Substipharm Identity: –        Surname –        First name –        Address –        E-mail address –        Telephone number –        Employment history –        Educational background –        Areas of expertise –        Interests Attachments: –        CV –        Covering letter	Identify and communicate directly with the person applying for a job at Substipharm and review their application
2)     Data collected when commercial requests are made –        Company name –        Surname of the person making contact –        First name of the person making contact –        Job title of the person making contact –        E-mail address –        Address –        Telephone number –        Type of request	Respond to and assess the commercial request

II) Who do we share your personal data with?

A. Within the European Economic Area

Within the Substipharm company or Group, we may share your personal data with the following recipients:

• the Human Resources department;
• the Commercial Operations department;
• other Substipharm departments involved in data processing;
• other Substipharm Group entities within the European Economic Area.

We may also share your data with service providers and subcontractors acting on behalf of Substipharm for the Purposes of processing. The latter will be considered “processors“ under the GDPR.

All these recipients have access to personal data only insofar as they need it for the Purpose of the processing.

The data is disclosed or transmitted in accordance with the security requirements of the GDPR.

B. Transfers outside the European Economic Area :

The data collected by Substipharm is processed, stored and archived in the European Economic Area. However, by way of exception, data may be transferred outside the European Economic Area if this is necessary to process a job application or commercial request. In this case, the data is only transferred to countries recognised by the European Union as providing an adequate level of protection, or by implementing measures to control the transfer and guarantee the level of protection required by the GDPR.

III) How long personal data is kept ?

The length of time data is kept is determined by the Purpose of collecting the data and processing the applications for employment with Substipharm and the commercial requests.

Data collected	Length of time data is kept
Data collected when a job application is made	2 years from the date of the application
Data collected when a commercial request is made	2 years from the date of the request for medical information

IV) Your rights

When you make a request for medical information and we process your personal data, you have the following rights :

• Right of access : i.e. the right to access the data about you that Substipharm processes;
• Right of rectification: i.e. the right to rectify any data about you that is inaccurate or incomplete;
• Right to limitation: i.e. the temporary freezing of your data for the time needed to carry out checks, should you dispute the accuracy of the data;
• Right to erasure and deletion of your personal data under the conditions defined by the applicable regulations and legislation (right to be forgotten);
• Right to object to the processing of all or part of your personal data when it has been collected and processed on the basis of Substipharm’s legitimate interests (subject to you providing justification for your particular situation);
• Right to limit the processing of your personal data
• Right to portability and transfer of personal data to a given third party in a structured, commonly used, machine-readable format (applicable only where processing is based on your consent)
• Right to give instructions relating to the storage, deletion and disclosure of your personal data after your death.

V) Contacting us

If you want to contact Substipharm about your personal data, you can write:

By post to:

Substipharm

24 rue Erlanger

75016 Paris, France

By e-mail to: dataprivacy@substipharm.com

Substipharm will send you a reply within one month of receipt of your request in accordance with article 12 of the GDPR. If Substipharm has complex requests to deal with or a very large number of requests, the period within which it sends you a reply may be extended by a further two months. If this is the case, you will be informed within one month of receipt of your request.

You may also lodge a complaint with the supervisory authority in your Member State (CNIL in France) at any time.

The Commission Nationale de l’Informatique et des Libertés (3 place de Fontenoy – TSA 80715 -75334 Paris Cedex 07, Tel. +33 (0)1 53 73 22 22 / www.cnil.fr).