At Xellia Pharmaceuticals (or "we" / “our”) data protection and confidentiality is a high priority. This Privacy Notice explains how information about you is collected, processed and disclosed when you file a report with us on an adverse event/ adverse drug reaction regarding one of our pharmaceutical products marketed within the EU/EEA.
We may amend this Privacy Notice from time to time. If we make changes, we will notify you by revising the date at the top of the Notice and, depending on the specific amendments; we may provide you with additional notice. We encourage you to review the Privacy Notice whenever you file a report with us on adverse event/adverse drug reaction to stay informed about our information practices and the ways you can help protect your privacy.
1. Data controller
The data controller is the marketing authorization holder of the pharmaceutical product in question. Thus, within EU/EEA, Xellia Pharmaceuticals ApS, Reg. 61094628, Dalslandsgade 11, 2300 Copenhagen S, Denmark is the data controller.
2. Processing of personal data
We process the information you, your family, legal representative or health care professionals provide directly to us in relation to reporting of adverse events/adverse drug reaction. If the adverse events/adverse drug reaction have been reported to one of our distributors or other data processors, we may also receive adverse event/adverse drug reaction reporting’s from these parties.
Depending on your role (category of data subject), we process your data for different purposes and therefore with different legal bases.
Patient subject to adverse events/adverse drug reactions:
When processing personal data of the end-user (e.g. patient subject to the adverse event/adverse drug reaction), we process the following types of data: initials, gender, age, medical history, type of medicine (i.e. our pharmaceutical product), sickness, and other relevant medical data that may be contained in the reporting. The purpose of this processing is the fulfillment of our legal obligation to file a report on adverse events/adverse drug reactions in accordance with the General Data Protection Regulation (“GDPR”) article 6(1)(c) and article 9(2)(i).
Reporter of adverse events/adverse drug reactions:
If you are the reporter of adverse events/adverse drug reactions, we may process your full name, professional information, contact data (i.e. phone number, address and/or email). The purpose of this processing is the fulfillment of our legal obligation to file a reporting on adverse events/adverse drug reaction, hereunder our legitimate interest in identifying and/or contacting you as the reporter of the adverse events/adverse drug reactions, in accordance with the GDPR article 6(1)(f).
3. With whom will your personal data be shared?
In order to pursue the above listed purposes your personal data may be made available to third party data processors (service providers) providing relevant services under contract to Xellia Pharmaceuticals. Such service providers will only process the personal data in accordance with our instructions, hereunder for reporting’s on adverse events/adverse drug reactions by receiving them, processing the content, etc.
Some of your personal data will be disclosed to other companies within the Xellia Pharmaceuticals group for administration purposes, but only if these have relevance for the processing of the adverse events/adverse drug reactions in question.
Certain personal data will also be reported to governmental and other regulatory authorities where required by law. The legal basis for such disclosure is the GDPR article 6(1)(c) and article 9(2)(i).
Should Xellia Pharmaceuticals need legal assistance we may disclose your personal data to our external lawyer if the processing is necessary for the establishment, exercise or defence of legal claims in accordance with the GDPR article 6(1)(f) and the GDPR article 9(2)(f).
4. Transfer to third countries
If your personal data is transferred to data controllers or data processors which are located in countries outside the EU/EEA, including group entities, not ensuring an adequate level of data protection, such transfer will be safeguarded by the EU Commission’s standard contractual clauses.
5. Retention/deletion of personal data
We will delete your personal data when we no longer need to process them in relation to one or more of the purposes set out above, hereunder if we are under a legal obligation to retain the data. However, we will not keep the data longer than 10 years after expiration of marketing authorization. However, the data may be processed and stored for a longer period in anonymised form in order for us to improve the pharmaceutical products.
We have implemented security measures to ensure that our internal procedures meet our security standards. Accordingly, we strive to protect the quality and integrity of your personal data. This includes encryption of data and use of pseudonymisation, whenever applicable.
Further, all service providers will be subject to strict security requirements.
7. Your rights
You are at any time entitled to be informed of the personal data about you that we process, but with certain legislative exceptions. You also have the right to object to the collection and further processing of your personal data including profiling/automated decision-making. Furthermore, you have the right to have your personal data rectified, erased or blocked.
Moreover, you have the right to receive information about you that you have provided to us, and the right to have this information transmitted to another data controller (data portability).
8. Amendment of data, etc.
If you want us to update, amend or delete the personal data that we have recorded about you, wish to get access to the data being processed about you, or if you have any questions concerning the above guidelines, you may contact us at.
9. Contact and complaints
If you want to exercise any of your rights, if you have any questions regarding this privacy notice or the processing of your personal data, you may contact the Contingency Team (hence, the data privacy team) on email@example.com.
If you wish to appeal against the processing of your personal data, please contact us as indicated above. You may also contact your local Data Protection Agency – contact details can be found here: https://edpb.europa.eu/about-edpb/board/members_en.
As the Xellia Pharmaceuticals headquarters are in Denmark, the lead authority will be the Danish Data Protection Agency (Datatilsynet), e-mail: firstname.lastname@example.org. However, you may also contact your local data protection agency, which can be found here: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.