Pharmacovigilance Privacy Notice
Pharmacovigilance DISCLOSURE ex art. 13 and 14 of EU Regulation 679/2016 and Privacy Code as modified by Legislative Decree 101/2018
Who are we and what do we do with your personal data?
As Data Controller (hereinafter referred to as the “Controller”), Kedrion S.p.a. protects the confidentiality of your personal data and guarantees its protection from any event that may put it at risk of breach.
To this end, the Controller implements policies and practices regarding the collection and use of personal data and the exercise of the rights assigned to you under applicable legislation. The Controller updates the policies and practices applied for the protection of personal data each time this becomes necessary and in any case, any time legislative or organisational changes take place, which may affect the processing of your personal data.
The Controller has appointed a Data Protection Officer (DPO), whom you may contact if you have any questions about the policies and practices adopted. The Data Protection Officer can be contacted at:
How does the Controller collect and process your data?
The Controller collects and/or receives information about you, including: first name, surname, tax code, physical and electronic address, fixed and/or mobile telephone number and information on health. This is used by the Controller to fulfil purposes preliminary, contingent and consequential to pharmacovigilance.
The term “pharmacovigilance” is used to refer to all activities aimed at continuously assessing all drug safety-related information and ensuring, for all medicines available for sale, that the benefits outweigh the risks for the population. The continuous assessment of all drug- safety related information and all activities aimed at ensuring a risk/benefit ratio for all medicines on sale that is favorable for the population are part of the pharmacovigilance. Your personal data will in no way be disseminated or disclosed to undetermined and non-identifiable subjects, even as third parties.
The legal basis of data processing is for personal identification data: legal obligation.
The legal basis for the processing of particular categories data is: public interest reasons in the public health sector.
Purposes for which personal data is collected
Your personal data will be processed to fulfil preliminary, contingent and consequential purposes related to pharmacovigilance.
Kedrion S.p.a. is obliged to comply with current pharmacovigilance regulations (including Italian Decree Law of 30 April 2015, the Official Journal General Series no. 143 of 23-6-2015 regulating, in implementation of Directive 2010/84 of the European Parliament and Council of 15 December 2010 and Directive 2012/26/EU of the European Parliament and Council of 25 October 2012, the operating procedures and technical solutions necessary to ensure effective pharmacovigilance, and Module VI of the Good Pharmacovigilance Practices (GVP), paragraphs VI.C.184.108.40.206 and VI.B.4) through the processing of your personal data.
Your personal data is also collected from third parties, such as, by way of example:
- other data controllers, e.g. companies of the group
- lists and registers held by public authorities or under their authority or similar entities according to specific national and/or international legislation;
- private and public entities operating in the sector nationally and internationally, with which the data controller has established informative relations;
The personal data processed by the Controller to this end includes:
- first name, surname, tax code, physical and electronic address, fixed and/or mobile telephone number
- personal data categories for example those related toex art. 9 of EU Regulation.
Communication and diffusion of data
Your data will not be disclosed to any third parties/addressees for their own autonomous purposes, unless:
- you should authorise this;
- this should be necessary in order to fulfil obligations arising from provisions of law governing it (e.g. to protect your rights, to report to control authorities, etc.);
- it is necessary for information archiving purposes such as data processing and IT services (es. Web hosting, data entry, management and maintenance of infrastructures and IT services etc)
- communication is made to public supervisory and control entities with regards to which the Controller is required to fulfil specific obligations deriving from the specific nature of its activities;
- family members, cohabitees or legal representatives are are delegated or are legally entitled to receive your personal data.
Both directly and through its suppliers (third parties and/or addressees), the Controller processes your personal data as strictly necessary and proportional to the appropriate security measures pursuant to art. 32 of the EU regulation 679/2018
To this end, the Controller shall envisage procedures to handle personal data breaches in compliance with the legal obligations to which it is bound.
Transfer of data to non EU countries
The Controller may transfer your personal data to non-EU countries, in compliance with current provisions on personal data protection pursuant to EU Regulation 679/2016, Directive 95/46/EC, Regulation (EC) no. 45/2001 and Regulation (EC) no. 726/2004.
Obligations and Facultative provisions of your data
Data processing is optional but in the event that you do not provide your personal data, even of a particular type, relating to health, the Controller will not be able to process the request made or fulfil the legal obligations in the field of pharmacovigilance.
Data treatment modality
Data is processed p using hard copies and mainly by means of computerised procedures by internal subjects who are specifically authorised and trained to this end. They are granted access to your personal data to the extent and within the limits that this is necessary in order to perform the relevant processing.
The Controller regularly checks the tools used to process your data and the security measures envisaged for them, which it also ensures are kept constantly up-to-date; it verifies, both directly and through the authorised processors, that no personal data is collected, processed, stored or kept of which processing is not necessary; it further verifies that data is kept with a guarantee of integrity and authenticity and that it is only used for the actual processing purposes.
Archiving of Data
Data is kept in hard copy, computerised and telematic archives held within the European Economic Area.
Data relating to pharmacovigilance reports is kept for ten years after expiry of the Marketing Authorisation (MA) of the medicine subject of the report, without prejudice to any legal obligations set by the European Union or national legislation or for defensive needs of the Controller.
What are your rights?
In short, at any time and free of charge, at no cost and with no particular formalities for your request, you can exercise the rights provided by the EU Regulation 679/2016 Articles 15-22 as well as those provided by the Privacy Code as amended by Legislative Decree 101/2018:
- obtain confirmation of the processing performed by the Controller;
- access your personal data and know their origin (when the data is not obtained from you directly), the purposes and aims of the processing, the data of the subjects to which it will be disclosed, the time for which your data will be kept or the criteria useful to determining this;
- to withdraw your consent at any time, if this is required for the processing. Withdrawal of consent shall not, in any case, prejudice the lawful nature of the processing carried out on the basis of the consent given prior to said revocation;
- update or rectify your personal data so as to ensure that it is always exact and accurate;
- erase your personal data from back-up and other databases and/or archives of the Controller if, amongst other situations, it is no longer necessary for the purpose of the processing or if this is assumed to be unlawful and as long as the legal conditions are met; and in any case if processing is not justified by another equally legitimate reason;
- limit the processing of your personal data in some circumstances, for example where you have challenged its exactness, for the period necessary to the Controller to verify its accuracy. You must be informed, in time, also of when the suspension period has expired or the cause for the limitation to processing ceased applying and, therefore, said limitation has been revoked;
- obtain your personal data, if received and/or in any case processed by the Controller with your consent and/or if its processing takes place in accordance with a contract and using automated tools, in electronic format, also so as to send it to another data controller.
The Controller must proceed in this sense without delay and in any case at the latest within a month of receiving your request. The terms may be extended by two months, if necessary, considering the complexity and number of requests received by the Controller. In these cases, the Controller shall, within a month of your request, inform you and make you aware of the reasons for the extension.
For any further information and in any case to send your request, please contact the Controller at [email protected]
How and when can you object to the processing of your personal data?
For reasons relating to your specific situation, you may object at any time to the processing of your personal data if your objection is based on a legitimate interest, sending any such request to the Controller at [email protected]
You are entitled to have your personal data erased if there is no legitimate reason that prevails over the reason that gave rise to your request.
To whom should you submit a complaint?
Without prejudice to any other administrative or legal action, you may submit a complaint to the competent control authority or to the one carrying out its duties and exercising its powers in Italy where you have your normal place of residence or where you work, if different from the Member State where the violation of Regulation (EU) 2016/679 took place.
You will be informed of any update to this disclosure promptly using appropriate means. You will also be informed if the Controller should follow up on the processing of your data for purposes over and above those pursuant to this disclosure before proceeding with this and sufficiently ahead of time as to allow you to give your consent, where necessary.