Customer Register
INFORMATION NOTICE
Record of Processing Activities
EU General Data Protection Regulation (2016/679), Articles 13, 14 and 30
Date of drafting: 24 May, 2018
We may update or revise this Information Notice/ Record of Processing Activities at any time, with any notice to you as may be required under applicable law. Your right to data portability and/or restriction of processing, if applicable, will become applicable as of May 25th, 2018.
1. |
Controller / Company |
Orion Corporation (Company Identification Number: 1999212-6) |
2. |
The person in charge /contact person |
Paul Clinch |
3. |
Name of the data file |
Customer Register |
4. |
The purpose for processing the personal data / recipients (or categories of recipients) of personal data / the legal basis for processing the personal data |
The purpose for processing the personal data in this data file is to enable the controller to develop, maintain, administer and monitor client relationships and to otherwise create and develop its business, including creating a customer profile and profiling (booking, performing and registering sales promotion events of medicines; circulating information regarding medical products; registering the distribution of samples and RMP (Risk Management Plan) material). The controller is, inter alia, allowed to perform direct advertising regarding prescription medicines solely to Healthcare professionals including those that are allowed to prescribe and supply medicines and to provide information relating to adverse reactions to competent authorities. You can acquire further information on the obligations by contacting the local representative of the controller named under section 2. hereof. The controller will not disclose the collected data for commercial purposes to third parties. The controller may share your information with third parties, such as those who assist us by performing technical operations such as data storage and hosting The controller may disclose the data to service providers selected by the controller for fulfilling the purposes of the register. If ownership or control of Orion Corporation or all or any part of our products, services or assets changes, we may disclose your personal data to any new owner, successor or assignee. The legal basis for processing of the personal data is compliance with the controller’s legal obligations based on binding law (EU General Data Protection Regulation Article 6.1.c) or legitimate interests of the controller / administration and development of the client relationship (EU General Data Protection Regulation Article 6.1.f). We only process personal data based on our legitimate interests, in case we have deemed, based on the balancing of interest test, that the rights and interests of the data subject will not override our legitimate interest. |
5. |
Content of the data file |
The data file contains the following groups of data of other relevant decision makers (as defined by the IPHA code of Practice for the pharmaceutical Industry), practising healthcare professionals and students of medicine, pharmacy and nursing registered in the UK and contact persons for making appointments for sales promotion events: Information collected and maintained by the controller:
|
6. |
Source of information |
Data is added by the Orion Ireland management and sales teams Data collected by the controller: Controller’s sales personnel, sales representatives, and medical team |
7. |
Retention period of the personal data |
The data file is periodically updated to include only data which is relevant for the purpose of processing. Upon legitimate request of the data subject the processing is restricted in accordance with the request. The data is erased in accordance with the archiving obligation (distribution of medicine samples and RMP material). |
8. |
The principles how the data file is secured |
The application is used via a secure https connection and only with a personal username and password. The information is accessible only by such company employees who need the information based on their role. |
9. |
Right of access |
The data subject shall have the right of access, after having supplied sufficient search criteria, to the data on himself/herself in the personal data file, or to a notice that the file contains no such data. The controller shall at the same time provide the data subject with information of the sources of data in the file, on the uses for the data in the file and the destinations of disclosed data. The data subject who wishes to have access to the data on himself/herself, as referred to above, shall make a request to this effect to the person in charge at controller by a personally signed or otherwise comparably verified document. |
10. |
Right to object to processing |
In case the legal basis for processing the personal data is the legitimate interests of the controller, the data subject has the right to object to processing on grounds relating to his or her particular situation. In case the data subject wishes to use its above-mentioned right, he or she shall make a request to this effect to the person in charge at the data controller by a personally signed or otherwise comparably verified document in writing to the representative of the data controller named under section 2. hereinabove. |
11. |
Rectification, restriction of processing and erasure |
The data controller shall, on its own initiative or at the request of the data subject, without undue delay rectify, erase or supplement personal data contained in its personal data file if it is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing. The data controller shall also prevent the dissemination of such data, if this could compromise the protection of the privacy of the individual or his/her rights. The data subject shall have the right to obtain from the controller restriction of processing, in case the data subject has contested the accuracy of the processed personal data, if the data subject has claimed that the processing is unlawful and the data subject has opposed the erasure of the personal data and has requested the restriction of their use instead; if the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or if the data subject has objected to processing pursuant to the EU General Data Protection Regulation pending the verification whether the legitimate grounds of the controller override those of the data subject. Where processing has been restricted based on the above grounds, the data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted. If the data controller refuses the request of the data subject of the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. In this event, the individual may bring the matter to the attention of the Data Protection Ombudsman. The data controller shall notify the rectification to the recipients to whom the data have been disclosed and to the source of the erroneous personal data. However, there is no duty of notification if this is impossible or unreasonably difficult. Requests for rectification shall be made by contacting the representative of the data controller named under section 2. hereof. |