Data Privacy Notice HCP

Grünenthal UK Data Privacy Statement for Health Care Professionals and Site Staff

As a science-based pharmaceutical company, we may process your personal data if you are a Healthcare Professional or a member of the site staff. Protecting your data and privacy is of the utmost importance to us. With this privacy statement, we (Grünenthal GmbH and Grünenthal Pharma GmbH & Co. KG, together also referred to as "Grünenthal", "we", "us", "our") would like to inform you about how we process your personal data and for what purposes.

The collection and processing of personal data is carried out in accordance with applicable data privacy laws, including the EU General Data Protection Regulation (GDPR).

 

Who is responsible for the processing of your personal data?

The data controller responsible for the processing of your personal data is Grünenthal GmbH, Zieglerstraße 6, 52099 Aachen, Germany and the UK Affiliate Grünenthal Limited, TOR, Saint-Cloud Way, Maidenhead, SL6 8BN.

In addition, other Grünenthal entities worldwide might also be responsible for the processing of your personal data, for example if you provide your consent or if your professional address is in a country where Grünenthal has an affiliate. You can find more information about how that entity processes your personal data in the privacy statement available on its corresponding website.

You can reach Grünenthal's Data Protection Team at the following contact email address:

dataprivacy.de@grunenthal.com or ukdataprotectionofficer@grunenthal.com

You may also directly contact Grünenthal's external Data Protection Officer by using the following email address:

datenschutz.grunenthal@two-towers.eu

What types of personal data do we process about you, for what purposes and based on what legal basis, and what are the applicable retention periods?

The types of personal data and the purposes why we process your data differ depending on the specific data processing activities. In the table below you can find a detailed description of each of these activities:

Types of personal data processed | Processing activity purposes and legal basis | Data retention periods

Professional data, such as:

  • Full name
  • Professional address
  • Contact details
  • Medical specialty
  • Name of your practice or workplace
  • Medical Identification Number
  • Name and job title of clinic and nursing staff
  • Any other data that you choose to provide to us

 

We use your professional data for the following purposes:

  • Planning our interactions with you, according to our legitimate interests to promote our business interests and inform you about our products (Art. 6 (1) (f) GDPR)
  • If necessary, sending information material by post in accordance with these interests (Art. 6 (1) (f) GDPR)
  • Sending drug safety-relevant information (e.g. Dear Doctor Letter) in order to comply with applicable regulations (Art. 6 (1) (c) GDPR)
  • If you wish to access restricted content for Healthcare Professionals, in order to ensure that you are authorized to access such content in line with applicable regulations (Art. 6 (1) (c) GDPR)

 

 

In general, we will process your professional data only for as long as you practise as an active healthcare professional and your medical specialty is of relevance for us, unless there is a legal obligation to process these data beyond that period or if we claim a legitimate interest. Under certain circumstances, you also have the right to object to the processing of your data.

 

Interaction information and professional interests, such as:

  • Full name
  • Contact details
  • Medical specialty
  • Name of your practice or workplace
  • Date of the interaction
  • Name of the products and indications that have been discussed
  • General information about the patient population
  • Information about giving a sample (if applicable)
  • Scientific/medical/professional fields of interest
  • Membership in medical associations
  • Publications (including postings and announcements in social media channels)
  • Your interest in a contractual collaboration (lectures, events, medical education, consultancy)
  • Information about your product/information interests or about the prescription of our products in your practice
  • Documentation of the consent ("opt-in") allowing us to reach out to you by digital means
  • Your activities on our websites and online presences (e.g. viewed pages, visits on our social media profiles, received newsletters, clicks on our online advertisements, emails opened, etc)
  • Technical information about your device when you visit our websites, social media or similar digital channels, such as your IP address, device type, device and advertising identifiers, browser type and version, and other standard server log information
  • Your interaction channels of preference
  • Any other voluntary information you provide

We use interaction information and information about your professional interests for the following purposes:

  • Planning our interactions with you, according to our legitimate interests to promote our business interests and inform you about our products (Art. 6 (1) (f) GDPR)
  • Sending customized marketing and other communications to you, based on the creation of a profile considering your preferences and interests as communicated to us or as a result of the tracking of your behaviour across online and offline sources, if you provide your consent (Art. 6 (1) (a) GDPR) or, when applicable, based on our legitimate interests (Art. 6 (1) (f) GDPR) to provide our customers with tailored information about our products or other educational or scientific content
  • Analysing the effectiveness of our different campaigns and assessing if they meet the predefined goals, evaluating the effectiveness and impact of our marketing material and analysing how to best optimize our resources and design the customer experience, if you provide your consent (Art. 6 (1) (a) GDPR) or, when applicable, in accordance with our legitimate interests (Art. 6 (1) (f) GDPR) to structure and organize our commercial and marketing efforts
  • To respect our legal obligations to document HCP interactions, for example, if we provide a product sample to you and we are legally required to keep this information for a certain period of time (Art. 6 (1) (c) GDPR)
  • To offer you contractual cooperation or participation in projects sponsored by us, or to invite you to events that might be of interest to you, if you have given your consent to establish communications with you by digital means when required (Art. 6 (1) (a) GDPR), or according to our legitimate interests to promote our business interests and inform you about our products (Art. 6 (1) (f) GDPR)

 

 
In general, we will process the information about our interactions with you and professional interests only for as long as you practise as an active healthcare professional and your medical specialty is of relevance for us, unless there is a legal obligation to process these data beyond that period or if we claim a legitimate interest. If the processing of your personal data is based on your freely-given consent, we will process your personal data for as long as your consent remains valid (e. g. we will stop processing your personal data if you withdraw your consent). Under certain circumstances you also have the right to object to the processing of your data. 

Information related to adverse events, medical information enquiries and product quality complaints, such as:

  • Your name, profession, contact data
  • The circumstances of the event/enquiry/complaint itself
  • Any other data that you report about individuals that experience these events (e. g. patients), such as name or initials, age, gender, details of our products that were applied as well as other information regarding the circumstances of the event 

Information about adverse events, medical information enquiries and product quality complaints is processed for the following purposes:

  • Information related to adverse events (in particular, contact data from you as a reporter) is processed in order to investigate events and follow up with you in order to gain additional information, if needed. We prepare reports (which may be translated into other languages) based on the information you provide that are shared with health authorities, our group entities and any concerned business partners worldwide in order to analyse and investigate specific events and define required actions. The processing of these data is necessary for compliance with a legal obligation to which we are subject according to Art. 6 (1) (c) GDPR, and Art. 9 (2) (i) GDPR (processing is necessary for reasons of public interest in the area of public health, on the basis of Union or Member State law). More information can be found at the following link: https://www.grunenthal.com/en/footer-links/data-protection-notice
  • Information related to medical enquiries is processed in order to answer the enquiry and keep our medical information database up to date. The legal basis for the processing of your personal data is our legitimate interest to follow up on enquiries and provide a Medical Information service in line with applicable laws (Art. 6 (1) (f) GDPR)
  • Information about product quality complaints is processed in order to evaluate, classify and assess the product complaint, to follow up on your request and to maintain this information in our database. The processing of your personal data is necessary in order to comply with a legal obligation (Art. 6 (1) (c) GDPR). If data about a patient is reported, the legal basis is Art. 9 (2) (i) GDPR.

 

 

In general, information about adverse events is stored in our systems at least 10 years after the respective product has been withdrawn from the market.

Information in relation to medical enquiries or product quality complaints will be kept for 3 years, unless we are legally obliged to keep the data for a longer period or for as long as we can claim a legitimate interest.

Information about contractual relationships, such as:

  • Full name, (professional) address, country, workplace, VAT number or bank account details
  • Contract documentation
  • Fees
  • Invoices, payment documentation, travel expense reports
  • Employer authorizations obtained for hospital doctors
  • Documentation of the services provided
  • Invitations to events
  • Covered event costs, travel expenses
  • Documentation of participation in events
  • If you participate in Market Research and similar projects, the answers you provide (although, in general, we will not be able to attribute these answers to you)
  • If you are an investigator interested in participating, or who participates, in Clinical Studies where we are the sponsor, or a member of the site staff, information such as full name, telephone number, email address, professional experience including your area of specialisation and qualifications, job history, recruitment and enrolment rates, the types of trials or studies you are interested in and experienced in, your participation and general experience in past and current trials and studies, interests (including financial interests) you may have, experience of staff / team, available resources, location, lab equipment, or other specific settings required for a specific clinical trial

Information about contractual relationships is processed for the following purposes:

  • Generally, for pre-contractual measures and for the execution of the contract with us (Art. 6 (1) (b) GDPR).
  • The data might also be processed to disclose payments according to applicable laws or codes of practice of the pharmaceutical industry, based on your consent (Art. 6 (1) (a) GDPR) or in order to comply with a legal obligation (Art. 6 (1) (c) GDPR). This depends on the country where you have your professional address.
  • To document our contractual relationships with you based on our legitimate interests to demonstrate compliance with applicable anti-corruption and similar legislation and to assess any reputational, legal and financial risks that the business relationship could expose Grünenthal to (Art. 6 (1) (f) GDPR).
  • The insights you provide in relation to your participation in (Scientific) Market Research and similar projects are processed to answer the specific project questions based on your consent (Art. 6 (1) (a) GDPR)
  • Data about investigators (and members of site staff) interested in participating in Clinical Studies are processed for the purposes of assessing the potential and suitability  for participating in a trial or study according to our legitimate interests to select suitable candidates to conduct the specific trials or studies (Art. 6 (1) (f) GDPR), or with your consent (Art. 6 (1) (a) GDPR). In addition, if you effectively participate in any such studies, we are legally required to process your personal data in accordance with applicable laws (Art. 6 (1) (c) GDPR). In such case, your data might be further processed insofar as this is necessary to continue the research and development in case we cease to pursue the Study (Art. 6 (1) (f) GDPR) 

In general, the information that is strictly necessary for the execution of the contract will be processed for as long as we are required to keep it according to tax law requirements (i.e. 10 years).

Any other information will be kept for as long as our business relationship lasts, we can claim a legitimate interest, we are legally obliged to, or as long as your consent remains valid (e.g. we will stop processing your personal data if you withdraw your consent).

 

 

 

Where is your data stored?

Grünenthal uses different IT systems and applications to store and process your data. You can be identifiable in these systems based on the use of direct identifiers, such as your name or e-mail address, or indirect identifiers, such as your registration ID or IP address.

Grünenthal uses a central Customer Relationship Management system (“CRM”) in which we combine, update and rectify your personal data which you have provided to us or which was collected by us as outlined above in a central customer profile. This is necessary to pursue our legitimate interests to manage your personal data in the most effective way (for example, centralising your personal data helps us to easily keep it up-to-date), efficiently manage our relationship with you and enhance your customer experience as well as to facilitate our direct marketing efforts in the most efficient manner. You have the right to object to this kind of processing at any time. In such case Grünenthal will carefully evaluate your request and only continue to process your personal data to the extent that it is legally required or in accordance with your explicit consent.

These data might be enriched as described above taking into account your preferences and interests as communicated to us or as a result of the tracking of your behaviour across online and offline sources, if you provide your consent or, when applicable, based on our legitimate interests to provide our customers with tailored information about our products or other educational or scientific content. In addition, in order to keep you up to date and informed about our products, we collect and maintain your contact data and information regarding your professional skills with the help of OneKey, a database containing the current contact data and latest information regarding professional skills of active health professionals. OneKey is operated by IQVIA™ Commercial GmbH & Co. OHG, Albert-Einstein-Allee 3, 64625 Bensheim. All data processing is carried out in compliance with the so-called 'balance-of-interests clause' as specified in Art. 6 (1) (f) GDPR. When your data is registered in the OneKey database, IQVIA™ will then contact you in order to verify your data or update it if necessary, and then it can be accessed by other pharmaceutical companies. You have the right to object to the inclusion of your data into OneKey at any time. If you wish to raise an objection, please contact IQVIA™ or the OneKey data protection officer. In this case, please reach out to DatenschutzOneKeyDE@iqvia.com via e-mail. You will also find further information about OneKey at https://www.iqvia.com/OneKeyGermanyDE.

Where do we receive your personal data from?

We receive your personal data directly from you or as a result of the tracking of your behaviour across online and offline sources as outlined above (e. g. if you enter into a contractual relationship with us or if you visit our websites), and also from data suppliers and service providers, such as IQVIA or Contract Research Organizations if you are an investigator with an interest to participate, or who actually participates, in a clinical study where we are the sponsor. 

How is your data protected?

We ensure that the personal data we process about you is adequately protected by implementing state-of-the-art technical and organizational measures. Access to our systems is strictly personal and purpose-driven, based on a graduated authorization concept: only those of our employees who require access for the particular processing purposes outlined above may access the data.

Who will your data be shared with?

Your personal data may be transferred to other Grünenthal affiliates and may be stored by contracted third parties such as software vendors and IT solution providers. We use Grünenthal proprietary and standard industry solutions to process your data in a safe environment.

We may also share categories of your personal data listed above with certain service providers or third parties such as: IT providers for the purposes of system development and technical support (for example, IQVIA, Salesforce, Veeva or DOMO); auditors and consultants to verify our compliance with external and internal requirements; statutory bodies, law enforcement agencies and litigants, as per a legal reporting requirement or claim. If you consent to participate in (scientific) market research and similar projects, we may share your personal data with contracted parties to carry out such projects.

Furthermore, if you are an investigator (or a member of the site staff) who is interested in participating, or who participates, in Clinical Studies where we are the sponsor, we may transfer your personal data to service providers (such as Contract Research Organizations that provide clinical trial management services to us), entities of the Grünenthal Group of companies, ethics committees, authorities (including via other business partners), external researchers, further third parties who may contribute to the research and development of the medicinal product tested (e.g., by funding clinical trials), or to commercial partners (i) who aim to continue the research and development in case we cease to pursue the study (e.g., for completion of the clinical trial) or (ii) in connection with the whole research and development program being licensed or sold as an asset by us to such commercial partners, in particular to enable them to comply with the statutory documentation requirements applicable to manufacturers or marketing authorization holders.

Grünenthal does not sell personal data to third parties.

 

Will your personal data be processed outside the European Union (“EU”)?

While our internal servers are located within the EU, some of the third parties referred to above are located outside the EU or the European Economic Area (“EEA”), which means that your data will partly be processed in countries that may have a lower data protection level than European countries. In such cases, Grünenthal will ensure that a sufficient level of protection is provided for your data, e.g. by concluding specific agreements with these contractual partners and implementing any supplementary measures, if necessary.

 

What are your data privacy rights?

The following rights are available to you based on applicable privacy laws:

  • Right to information about personal data on you stored by us
  • Right to deletion or restriction of processing, unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or in the event that the processing serves the enforcement, exercise or defence of legal claims
  • Right to correct your personal data
  • Right to object to processing on grounds of your own legitimate interest, public interest or our profiling, unless we can demonstrate compelling legitimate grounds which override your interests, rights and freedoms, or that such processing is for the purposes of asserting, exercising or defending legal claims
  • Right to data portability
  • Right to complain to a supervisory authority
  • You may withdraw your consent to the collection, processing and use of your personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal

If you want to exercise your rights, you can address your request to dataprivacy.de@grunenthal.com or to the corresponding Grünenthal entity.

 

This Data Privacy Statement was last updated in August 2022.

 

M-N/A-UK-05-23-0009-MAY 2023