SUBSTIPHARM

Substipharm personal data processing rules applicable to requests for medical information

At Substipharm, we collect your personal data when you request medical information about our products so that we can respond to you and analyse your requests.

We need to collect and process your personal data in order to manage medical information requests.

The legal basis for this, required under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter also referred to as “GDPR“), is the legal of Substipharm to process requests for medical information in accordance with the French Public Health Code (Articles R5124-2 and L5122-1) and the Charter and Certification Standards for Promotional Information (criterion E6 in particular).

We also have a second legal basis under the GDPR, which is that of legitimate interest. This means that we may collect and process your personal data in order to improve our products.

Under no circumstances may the information collected be used for any purpose other than that provided for herein.

I) Data Collected and Purpose of Processing

In accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and the Act of 6 January 1978 as amended, certain personal information is collected by Substipharm when requests for medical information are made.

The purpose of the data processing is to manage and analyse your requests for medical information, as detailed below (hereinafter referred to as the “Purpose“).

At Substipharm, we only collect and store data that is relevant and meets the Purpose of the processing. The data that may be collected by Substipharm and the details of its Purpose are as follows:

II) Who do we share your personal data with?

A. Within the European Economic Area

Within the Substipharm company or Group, we may share your personal data with the following recipients:

• Substipharm’s Medical Information department;
• other Substipharm departments involved in processing the data;
• other Substipharm Group entities within the European Economic Area.

We may also share your data with service providers and subcontractors acting on behalf of Substipharm for the Purpose of processing. The latter will be considered “processors“ under the GDPR.

All these recipients have access to personal data only insofar as they need it for the Purpose of the aforementioned processing.

The data is disclosed or transmitted in accordance with the security requirements of the GDPR.

B. Transfers outside the European Economic Area

The data collected by Substipharm is processed, stored and archived in the European Economic Area. However, by way of exception, data may be transferred outside the European Economic Area if this is necessary to process medical information that is linked to a Pharmacovigilance case.

In this case, the data is only transferred to countries recognised by the European Union as providing an adequate level of protection, or by implementing measures to control the transfer and guarantee the level of protection required by the GDPR.

III) How long personal data is kept ?

The length of time data is kept is determined by the Purpose of collecting the data and processing the requests for medical information.

The personal data collected and processed and the history of requests for medical information are kept for up to 30 years from the date of receipt of the request for medical information.

IV) Your rights

When you make a request for medical information and we process your personal data, you have the following rights:

• Right of access: i.e. the right to access the data about you that Substipharm processes;
• Right of rectification: i.e. the right to rectify any data about you that is inaccurate or incomplete;
• Right to limitation: i.e. the temporary freezing of your data for the time needed to carry out checks, should you dispute the accuracy of the data;
• Right to erasure and deletion of your personal data under the conditions defined by the applicable regulations and legislation (right to be forgotten);
• Right to object to the processing of all or part of your personal data when it has been collected and processed on the basis of Substipharm’s legitimate interests (subject to you providing justification for your particular situation);
• Right to limit the processing of your personal data;
• Right to give instructions relating to the storage, deletion and disclosure of your Personal Data after your death.

Your right to object to the processing of your data and your right to have it deleted may be limited in certain situations, in particular if the processing of your data is required by law.

V) Contacting us

If you want to contact Substipharm about your Personal Data, you can write:

By post to:

Substipharm

24 rue Erlanger

75016 Paris, France

By e-mail to: dataprivacy@substipharm.com

Substipharm will send you a reply within one month of receipt of your request in accordance with Article 12 of the GDPR. If Substipharm has complex requests to deal with or a very large number of requests, the period within which it sends you a reply may be extended by a further two months. If this is the case, you will be informed within one month of receipt of your request.

You may also lodge a complaint with the supervisory authority in your Member State (CNIL in France) at any time.

The Commission Nationale de l’Informatique et des Libertés (3 place de Fontenoy – TSA 80715 -75334 Paris Cedex 07, Tel. +33 (0)1 53 73 22 22 / www.cnil.fr).