Information on the processing of personal data of clients and business partners
This document contains basic information about how we process your personal data. It has been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR") and Act No. 110/2019 Coll., on the processing of personal data (hereinafter referred to as "PDPA").
1. Personal data controller
a. The controller is the person who, alone or jointly with others, determines the purposes and decides how personal data will be processed.
b. The controller of your data is IBSA PHARMA s r. o., company ID: 63674297, with registered office at Senovážné náměstí 1463/5, Nové Město, 110 00 Prague 1, registered at the Municipal Court in Prague, file No. C 36851 (hereinafter referred to as the "Controller").
c. You can contact the Administrator via the following contacts:
Tel.: +420 221 111 500, e-mail: info.cz@ibsagroup.com, mailbox ID: gx7bcaq (IBSA PHARMA s r.o.)
2. The purpose for which we need the personal data and the legitimacy of their processing
a. We process your personal data:
i. for the purpose of ensuring the conclusion and subsequent performance of a contractual obligation between the controller and you (Article 6(1)(b) GDPR). Other legal obligations may arise from such a relationship and the controller may process personal data for this purpose as well (see point iii. below);
ii. on the basis of your explicit consent, e.g. for marketing purposes such as:
- sending you ongoing information (news, current offers, quotations, medical information, e.g. published articles, pharmacovigilance information) about goods supplied by the controller (also referred to as "products"),
- sending invitations to professional events and seminars,
- obtaining information about your satisfaction with services and events,
- internal analysis of training events and other events you have attended,
iii. for the purpose of complying with a legal obligation to which the controller is subject (Article 6(1)(c) GDPR), such as receiving reports of adverse effects, complying with obligations imposed by tax regulations, handling complaints, etc;
iv. the protection of its legitimate interests (Article 6(1)(f) GDPR), which may be to ensure the protection of the documents you have entrusted to us for processing, the protection of our property, etc.
3. Personal data and their processing
a. Information you provide
The Controller collects personal data that you provide through this website or when you otherwise contact the Controller to receive marketing information, when you contact the Controller's customer service, in response to questionnaires or surveys, or when you contact the Controller with a query or suggestion, when you apply for employment with the Controller, report an adverse effect, enter into a contract with the Controller, etc. This may include, in particular, the following data:
i. name and surname,
ii. contact details (e.g. postal address, telephone number or email address),
iii. registration data, such as your username and password,
iv. details of the remuneration paid for the service you have provided to the controller as a healthcare professional,
v. employment, education and other similar data if you are applying for employment with the controller,
vi. professional, clinical experience and education information if you are participating as a health care professional in a program, study or survey sponsored by the Administrator.
b. Information we may collect automatically
Whenever you use this website, we may automatically collect certain information about your facility and your use of the Administrator's services.
i. We may record the Internet Protocol (IP) address of your computer or other electronic device when you visit this website. The IP address identifies the electronic device you used to visit our site, allows us to maintain a connection with your computer while you are viewing the website, and allows us to tailor the content of the website to your needs.
ii. In addition, when you visit this website, a unique numerical code (called a cookie) is transmitted to your computer to track your interests and preferences and to recognize you on subsequent visits. More information can be found here.
iii. If you use a mobile device to access the Website, we may collect the following information specifically for access from a mobile device, in addition to the information listed above: device identification, device type, hardware type, MAC (Media Access Control) address, International Mobile Equipment Identifier (IMEI), version of your mobile operating system, platform used to access the Website, location data, and data about your device traffic and your use of the Website.
c. Data collected from other sources
We may combine the data we collect about you when you visit the Website with data collected in other ways, such as offline, or with data provided to us by third parties or with data collected from public sources.
i. information about the products and services we provide to you,
ii. information about our communications with each other - information from emails, records of meetings with the administrator's sales representative or contact forms,
iii. billing and transaction information - this includes information appearing on invoices, agreed billing terms and payments received,
iv. information obtained from public registers, such as the Trade Register.
d. Processing period - we keep information that we are required to keep based on the time limits set by law for the period of time specified in the law (this applies in particular to accounting documents).
We keep other information for a period of 5 years from the end of the contract or from the last contact with you.
Personal data processed for marketing purposes only will be processed until consent is withdrawn, but for a maximum of 10 years.
After this period, the personal data will be securely and irretrievably destroyed so that it cannot be misused.
e. Transfer of data - we must, within the limits of the law, provide personal data to public authorities, such as tax authorities, courts, law enforcement authorities, etc.
We may also transfer necessary personal data in the case of the use of contractors - transport companies, postal service providers, legal or tax advisors, etc.
The systems we use are mostly installed at our facilities. If this is not the case and the system is operated by an external supplier, we have concluded appropriate contracts with them and we make sure that they also process your personal data in accordance with the GDPR and the GDPR.
We also use external suppliers for sending out commercial offers by letter, e-mail and SMS, to whom we only pass on the absolutely necessary data for sending the shipment (name, title, delivery address, e-mail, telephone number).
For all processors, we make sure that they also process your personal data securely and in full compliance with the GDPR and the GDPR.
We may transfer personal data to countries outside the European Union or the European Economic Area. In connection with the possible transfer of data to third countries outside the European Union, including countries that may not provide the same level of protection envisaged by the relevant regulations, we inform you that the transferability of data abroad is subject to safeguards relating to the protection of personal data through the adoption of standard contractual clauses.
4. Your rights
In connection with the processing of your personal data, you are guaranteed the rights described in this article. You can exercise them by contacting the controller at the above-mentioned contacts, either by sending an e-mail to the addresses indicated or in writing to the address of the controller's registered office. All communications and statements concerning the rights you have exercised are provided by the controller free of charge.
However, if the request is manifestly unfounded or excessive, in particular because it is repetitive, the controller is entitled to charge a reasonable fee taking into account the administrative costs involved in providing the information requested. In the event of a repeated request for copies of the personal data processed, the controller reserves the right to charge a reasonable fee for administrative costs for this reason.
The controller will provide you with a statement and, where appropriate, information on the measures taken as soon as possible and at the latest within one month. The controller is entitled to extend the time limit by two months if necessary and in view of the complexity and number of requests. The administrator will inform you of the extension, including the reasons for it.
a. Right to information about the processing of your personal data - you are entitled to request information from the controller as to whether or not personal data are processed. If personal data are processed, you have the right to request information from the controller, in particular, about the identity and contact details of the controller, its representative and, where applicable, the data protection officer, the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, the authorised controllers, a list of your rights, the possibility of contacting the Data Protection Authority, the source of the personal data processed and automated decision-making and profiling. If the controller intends to further process your personal data for a purpose other than that for which it was collected, it will provide you with information about that other purpose and other relevant information prior to that further processing. The information provided to you in exercising this right is already contained in this document, but this does not prevent you from requesting it again.
b. Right of access to personal data - you have the right to access information about the purposes of processing, categories of personal data concerned, recipients or categories of recipients, the period of storage of personal data, information about your rights (rights to request from the controller correction or erasure, restriction of processing, object to such processing), the right to lodge a complaint with the Data Protection Authority, information on the source of the personal data, information on whether automated decision-making and profiling is taking place and information concerning the procedure used as well as the significance and foreseeable consequences of such processing for you, information and safeguards in the event of transfer of personal data to a third country or an international organisation. You have the right to be provided with copies of the personal data processed. However, the right to obtain this copy must not adversely affect the rights and freedoms of other persons.
c. Right to rectification - you generally have the right to have your personal data rectified under the circumstances.
d. Right to erasure - in specified cases, you have the right to request that the controller erase your personal data. Such cases include, for example, that the data processed is no longer necessary for the purposes mentioned above. The controller deletes the personal data automatically after the period of necessity has expired, but you can contact the controller at any time with your request. Your request will then be subject to an individual assessment (despite your right to erasure, the controller may have an obligation or legitimate interest to retain your personal data) and you will be informed in detail about the processing.
e. Right to restriction of processing - the controller will only process your personal data to the extent necessary. However, if you feel that the controller is, for example, going beyond the purposes for which it processes personal data as set out above, you can make a request that your personal data be processed solely for the strictly necessary lawful purposes or that the personal data be blocked. Your request will then be subject to an individual assessment and you will be informed in detail about the processing.
f. Right to data portability - upon your request, the controller may provide your personal data to another controller or another company, the controller will transfer your personal data in the appropriate format to the entity designated by you, provided that no legal or other significant obstacles prevent it from doing so.
g. Right to object and automated individual decision-making - if you believe that the controller is processing your personal data in breach of the protection of your private and personal life or in breach of the law (provided that the personal data is processed by the controller on the basis of public or legitimate interest, or is processed for direct marketing purposes, including profiling, or for statistical purposes, or for purposes of scientific or historical interest), you may contact the controller and ask it to explain or rectify the deficiency. You can also object directly to automated decision-making and profiling.
h. The right to lodge a complaint with the Office for Personal Data Protection - at any time, you can address your complaint or complaint regarding the processing of personal data to the supervisory authority, namely the Office for Personal Data Protection, located at Pplk. Sochor 27, 170 00 Prague 7, website https://www.uoou.cz/.
i. Right to withdraw consent - You have the right to withdraw your consent to the processing of your personal data at any time, without prejudice to the lawfulness of the processing based on the consent given before its withdrawal. You may do so by sending a revocation to the email or registered office address of the controller or by using the link in the email communication.
5. Validity
This document is valid from 1 March 2021 and may be updated at any time. The current version will always be published on the Company's website www.ibsa-pharma.cz.