Data Privacy Notice HCP
Grünenthal UK Data Privacy Statement for Health Care Professionals and Site Staff
As a science-based pharmaceutical company, we may process your personal data if you are a Healthcare Professional or a member of the site staff. Protecting your data and privacy is of the utmost importance to us. With this privacy statement, we (Grünenthal GmbH and Grünenthal Pharma GmbH & Co. KG, also referred together to us "Grünenthal", "we", "us", “our”) would like to inform you about how we process your personal data and for what purposes.
The collection and processing of personal data is carried out in accordance with applicable data privacy laws, including the EU General Data Protection Regulation (GDPR).
Who is responsible for the processing of your personal data?
The data controller responsible for the processing of your personal data is Grünenthal GmbH, Zieglerstraße 6, 52099 Aachen, Germany and the UK Affiliate Grünenthal Limited, TOR, Saint-Cloud Way, Maidenhead, SL6 8BN
In addition, other Grünenthal entities worldwide might also be responsible for the processing of your personal data, for example if you provide your consent or if your professional address is in a country where Grünenthal has an affiliate. You can find more information about how that entity processes your personal data in the privacy statement available in its corresponding website.
You can reach Grünenthal´s Data Protection Data Protection Team at the following contact email address:
dataprivacy.de@grunenthal.com or ukdataprotectionofficer@grunenthal.com
You may also directly contact Grünenthal´s external Data Protection Officer by using the following email address:
datenschutz.grunenthal@two-towers.eu
What types of personal data do we process about you, for what purposes and based on what legal basis, and what are the applicable retention periods?
The types of personal data and the purposes why we process your data differ depending on the specific data processing activities. In the table below you can find a detailed description of each of these activities:
Types of personal data processed | Processing activity purposes and legal basis | Data retention periods |
---|---|---|
Professional data, such as:
|
We use your professional data for the following purposes:
|
In general, we will process your professional data only for as long as you practise as an active healthcare professional and your medical specialty is of relevance for us, unless there is a legal obligation to process these data beyond that period or if we claim a legitimate interest. Under certain circumstances, you also have the right to object to the processing of your data. |
Interaction information and professional interests, such as:
|
We use interaction information and information about your professional interests for the following purposes:
|
In general, we will process the information about our interactions with you and professional interests only for as long as you practise as an active healthcare professional and your medical specialty is of relevance for us, unless there is a legal obligation to process these data beyond that period or if we claim a legitimate interest. If the processing of your personal data is based on your freely-given consent, we will process your personal data for as long as your consent remains valid (e. g. we will stop processing your personal data if you withdraw your consent). Under certain circumstances you also have the right to object to the processing of your data. |
Information related to adverse events, medical information enquiries and product quality complaints, such as:
|
Information about adverse events, medical information enquiries and product quality complaints is processed for the following purposes:
|
In general, information about adverse events is stored in our systems at least 10 years after the respective product has been withdrawn from the market. Information in relation to medical enquiries or product quality complaints will be kept for 3 years, unless we are legally obliged to keep the data for a longer period or for as long as we can claim a legitimate interest |
Information about contractual relationships, such as:
|
Information about contractual relationships is processed for the following purposes:
|
In general, the information that is strictly necessary for the execution of the contract will be processed for as long as we are required to keep it according to tax law requirements (i.e. 10 years). Any other information will be kept for as long as our business relationship lasts, we can claim a legitimate interest, we are legally obliged to, we can claim a legitimate interest or as long as your consent remains valid (e. g. we will stop processing your personal data if you withdraw your consent).
|
Where is your data stored?
Grünenthal uses different IT systems and applications to store and process your data. You can be identifiable in these systems based on the use of direct identifiers, such as your name or e-mail address, or indirect identifiers, such as your registration ID or IP address.
Grünenthal uses a central Customer Relationship Management system (“CRM”) in which we combine, update and rectify your personal data which you have provided to us or which was collected by us as outlined above in a central customer profile. This is necessary to pursue our legitimate interests to manage your personal data in the most effective way (for example, centralising your personal data helps us to easily keep it up-to-date), efficiently manage our relationship with you and enhance your customer experience as well as to facilitate our direct marketing efforts in the most efficient manner. You have the right to object to this kind of processing at any time. In such case Grünenthal will carefully evaluate your request and only continue to process your personal data to the extent that it is legally required or in accordance with your explicit consent.
These data might be enriched as described above taking into account your preferences and interests as communicated to us or as a result of the tracking of your behaviour across online and offline sources, if you provide your consent or, when applicable, based on our legitimate interests to provide our customers with tailored information about our products or other educational or scientific content. In addition, in order to keep you up to date and informed about our products, we are collecting and maintaining your contact data and information regarding your professional skills with the help of OneKey, a database containing the current contact data and latest information regarding professional skills of active health professionals. OneKey is operated by IQVIA™ Commercial GmbH & Co. OHG, Albert-Einstein-Allee 3, 64625 Bensheim. All data processing is carried out in compliance with the so called ‘balance-of-interests clause’ as specified in Art. 6 (1) f) GDPR. When your data is registered in the OneKey database, IQVIA™ will then contact you in order to verify your data or update it if necessary, and then it can be accessed by other pharmaceutical companies. You have the right to object to the inclusion of your data into OneKey at any time. If you wish to raise an objection, please contact IQVIA™ or the OneKey data protection officer. In this case, please reach out to DatenschutzOneKeyDE@iqvia.com via e-mail. You will also find further information about OneKey at https://www.iqvia.com/OneKeyGermanyDE.
Where do we receive your personal data from?
We receive your personal data directly from you or as a result of the tracking of your behaviour across online and offline sources as outlined above (e. g. if you enter into a contractual relationship with us or if you visit our websites), and also from data suppliers and service providers, such as IQVIA or Contract Research Organizations if you are an investigator with an interest to participate, or who actually participates, in a clinical study where we are the sponsor.
How is your data protected?
We ensure that the personal data we process from you is adequately protected by implementing state of the art technical and organizational measures. Access to our systems is strictly personal and purpose-driven based on a graduated authorization concept, that is, only those of our employees may access the data who require access for the particular processing purposes outlined above.
Where do we receive your personal data from?
We receive your personal data directly from you or as a result of the tracking of your behaviour across online and offline sources as outlined above (e. g. if you enter into a contractual relationship with us or if you visit our websites), and also from data suppliers and service providers, such as IQVIA or Contract Research Organizations if you are an investigator with an interest to participate, or who actually participates, in a clinical study where we are the sponsor.
How is your data protected?
We ensure that the personal data we process from you is adequately protected by implementing state of the art technical and organizational measures. Access to our systems is strictly personal and purpose-driven based on a graduated authorization concept, that is, only those of our employees may access the data who require access for the particular processing purposes outlined above.
Who will your data be shared with?
Your personal data may be transferred to other Grünenthal affiliates and may be stored by contracted third parties such as software vendors and IT solution providers. We use Grünenthal proprietary and standard industry solutions to process your data in a safe environment.
We may also share categories of your personal data listed above with certain service providers or third parties such as: IT providers for the purposes of system development and technical support (for example, IQVIA, Salesforce, Veeva or DOMO); auditors and consultants to verify our compliance with external and internal requirements; statutory bodies, law enforcement agencies and litigants, as per a legal reporting requirement or claim. If you consent to participate in (scientific) market research and similar projects, we may share your personal data with contracted parties to carry out such projects.
Furthermore, if you are an investigator (or a member of the site staff) who is interested in participating, or who participates, in Clinical Studies where we are the sponsor, we may transfer your personal data to service providers (such as Contract Research Organizations that provide clinical trial management services to us), entities of the Grünenthal Group of companies, ethics committees, authorities (including via other business partners), external researchers, further third parties who may contribute to the research and development of the medicinal product tested (e.g., by funding clinical trials), or to commercial partners (i) who aim to continue the research and development in case we cease to pursue the study (e.g., for completion of the clinical trial) or (ii) in connection with the whole research and development program being licensed or sold as an asset by us to such commercial partners, in particular to enable them to comply with the statutory documentation requirements applicable to manufacturers or marketing authorization holders.
Grünenthal does not sell personal data to third parties.
Will your personal data be processed outside the European Union (“EU”)?
While our internal servers are located within the EU, some of the third parties referred to above are located outside the EU or the European Economic Area (“EEA”), which means that your data will partly be processed in countries that may have a lower data protection level than European countries. In such cases, Grünenthal will ensure that a sufficient level of protection is provided for your data, e.g. by concluding specific agreements with these contractual partners and implementing any supplementary measures, if necessary.
What are your data privacy rights?
The following rights are available to you based on applicable privacy laws:
- Right to information about personal data on you stored by us
- Right to deletion or restriction of processing, unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or in the event that the processing serves the enforcement, exercise or defence of legal claims
- Right to correct your personal data
- Right to object to processing on grounds of your own legitimate interest, public interest or our profiling, unless we can demonstrate compelling legitimate grounds which override your interests, rights and freedoms, or that such processing is for the purposes of asserting, exercising or defending legal claims
- Right to data portability
- Right to complain to a supervisory authority
- You may withdraw your consent to the collection, processing and use of your personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal
If you want to exercise your rights, you can address your request to dataprivacy.de@grunenthal.com or to the corresponding Grünenthal entity.
This Data Privacy Statement was last updated on August 2022.
M-N/A-UK-05-23-0009-MAY 2023