Direct Marketing

 1.

 Controller / Company

Orion Corporation (Company Identification Number: 1999212-6)
Orionintie 1
FI-02200 Espoo
Finland
Tel. +358-10 4261

2.

The person in charge /contact person

Paul Clinch
Orion Pharma (Ireland) Ltd.
C/o Allphar Services Ltd.
4045 Kingswood Road
Citywest Business Park
Dublin 24.
Tel:  + 353 1 468 7500
e-mail: Paul.clinch@orionpharma.com
Email: ireland.privacy@orionpharma.com

Data Protection Officer: Heidi Arala
e-mail: privacy@orion.fi

 3.

Name of the data file

 Customer register for direct marketing

 4.

The purpose for processing the personal data / recipients (or categories of recipients) of personal data / the legal basis for processing the personal data

The purpose for processing the personal data is direct marketing based on customer relationship including creating a customer profile and profiling (information and direct mailings regarding medicinal products).

Company will not disclose the collected data for commercial purposes to third parties. The controller may disclose your information to selected partners in order to enable direct marketing operations. We may share your information with third parties, such as those who assist us by performing technical operations such as data storage and hosting. The controller may disclose the data to service providers selected by the controller for fulfilling the purposes of the register. Company uses an internet browser-based customer relationship management platform, technically maintained by a service provider called Interactive Medica for which purposes personal data is disclosed to Interactive Medica.

If ownership or control of Orion Corporation or all or any part of our products, services or assets changes, we may disclose your personal data to any new owner, successor or assignee.

The legal basis for processing of the personal data is consent of the data subject or legitimate interests of the controller / direct marketing purposes (EU General Data Protection Regulation Article 6.1.a or 6.1.f and recital 47). We only process personal data based on our legitimate interests, in case we have deemed, based on the balancing of interest test, that the rights and interests of the data subject will not override our legitimate interest.

 5.

Content of the data file

The data file contains the following groups of data of other relevant decision makers (as defined by the IPHA code of Practice for the pharmaceutical Industry), practising healthcare professionals and students of medicine, pharmacy and nursing registered in Ireland and contact persons for making appointments for sales promotion events.

Information collected and maintained by the controller:

• Meeting history
• Products introduced
• Meeting notes
• Target groups based on doctor’s therapy area and job description for purpose of correct allocation of sales promotion meetings
• Accessibility for sales promotion meetings (times/year)
• Distribution of RMP-material (Risk management plan)
• Possible other material distributed
• Contact information of the persons making sales promotion meetings: name, work telephone numbers and e-mail addresses
• Contact information of hcps, students of medicine, pharmacy and nursing and other relevant decision makers

 6.

Source of information

Data is added by the Orion management and sales teams

Data collected by the controller: Controller’s sales personnel, sales representatives.

 7.

Retention period of the personal data

The data file is periodically updated to include only data which is relevant for the purpose of processing. Upon legitimate request of the data subject the processing is restricted in accordance with the request. The data is erased in accordance with the archiving obligation (distribution of medicine samples and RMP material).    

 8.

The principles how the data file is secured

The data file is located on a server in a private hosting environment. The application is used via a secure https connection and only with a personal username and password.  The information is accessible only by such company employees who need the information based on their role. Only an authorized user of the data file can create new users and maintain user information.  Technical maintenance of the data file is provided by Interactive Medica.

Only Interactive Medica authorized employees can access the server via a VPN connection for maintenance of the system.

 9.

Right of access and right to data portability

The data subject shall have the right of access, after having supplied sufficient search criteria, to the data on himself/herself in the personal data file, or to a notice that the file contains no such data. The data controller shall at the same time provide the data subject with information of the sources of data in the file, on the uses for the data in the file and the destinations of disclosed data.

The data subject has the right to data portability (EU General Data Protection Regulation Art 20), i.e. the right to receive his or her personal data, which the data subject has provided to the controller and that is being processed by automated means, in a structured and machine-readable format and the right to transmit those data to another controller, where the basis for processing is consent or the fulfilment of a contract between the controller and the data subject.

The data subject who wishes to have access to the data on himself/herself, as referred to above, shall make a request to this effect to the local representative of controller by a personally signed or otherwise comparably verified document.

10.

Right to withdraw consent / Right to object to processing for direct marketing purpose

In case the legal basis for processing the personal data is the consent of the data subject, the data subject has the right to withdraw the consent.

In case the legal basis for processing the personal data is the legitimate interests of the controller, the data subject has the right to object to processing for direct marketing purposes.

In case the withdrawal of consent or the objection to processing for direct marketing purposes only concerns direct marketing performed by the data controller, he or she shall make a request to this effect to the person in charge at the data controller by a personally signed or otherwise comparably verified document in writing to the local representative of the data controller named under section 2. hereinabove.

Withdrawal of consent does not render the processing of personal data performed prior to such withdrawal unlawful.

 11.

Rectification, restriction of processing and erasure

The data controller shall, on its own initiative or at the request of the data subject, without undue delay rectify, erase or supplement personal data contained in its personal data file if it is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing. The data controller shall also prevent the dissemination of such data, if this could compromise the protection of the privacy of the individual or his/her rights.

In certain situations, the data subject shall have the right to obtain from the controller restriction of processing.

If the data controller refuses to act on the request of the data subject a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. In this event, the individual may bring the matter to the attention of the Data Protection Ombudsman.

The data controller shall notify the rectification to the recipients to whom the data have been disclosed and to the source of the erroneous personal data. However, there is no duty of notification if this is impossible or unreasonably difficult.

Requests for rectification shall be made by contacting the local representative of the data controller named under section 2. hereof.