Data Privacy Policy - April 2023

Scope

 

This data privacy policy applies worldwide and may concern our customers, prospects, suppliers, service providers, employees, trainees and job applicants.

Two notices were written:

  • An information notice on personal data for the attention of health professionals or those practising in the field of health and research.
  • An information notice on personal data in the context of health vigilance monitoring.

 

Objective

 

The processing of personal data is governed by the provisions of the EU General Data Protection Regulation 2016/679 (GDPR) of the 27th April 2016, and by those of Law 78-17 of the 6th January 1978 and its modifications and the texts facilitating their implementation.

Pharma Blue is an “Exploitant” partner of innovative pharmaceutical companies for the commercialisation in France of their medicines benefiting from an Early Access Authorisation (AAP) / a Compassionate Access Authorisation (AAC) or a Marketing Authorisation (MA).

In the course of carrying out our activities, we may collect and process your personal data.

We are conscientious about respecting your privacy, and so have drawn up this Data Privacy Policy (hereinafter the “Data Privacy Policy”) in order to present to you in a transparent manner the use we make of your data, the description of your rights and the way in which the law protects you. 

This Data Privacy Policy, which is accessible online, is subject to change at any time. Therefore, we invite you to consult the online version on a regular basis and before any interaction with our services. The date of the last revision of this Data Privacy Policy is located at the top of this Data Privacy Policy.

 

Concepts as defined by the Commission Nationale Informatique et Libertés (hereinafter “CNIL”) and/or the European Regulation n° 2016/679 on data protection (hereinafter “GDPR”)

 

1.1      What is Personal Data?

 

Personal data is any information relating to an identified or identifiable natural person, directly or indirectly:

  • By reference to an identifier, such as a name, an identification number (e.g., customer code, social security number), an online identifier (e.g., email, web cookie, login), a telephone number, a date of birth, etc.
  • By reference to one or more elements specific to its physical identity (e.g. biometric photograph, fingerprint, handwriting).
  • By cross-checking information such as date of birth, postal address, biometric data, etc.

 

1.2      What is data processing?

 

Processing shall mean any operation, or set of operations, whether or not involving the use of automated processes, applied to data or sets of Personal Data, regardless of the process used: collection, recording, organisation, storage, adaptation, modification, retrieval, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, blocking, erasure or destruction.

 

1.3      What is a data processor in the sense of the regulations on the protection of personal data?

 

A processor is a natural or legal person, public authority, service or other body that processes Personal Data on behalf of, under the instruction of, or under the authority of the Data Controller.

 

1.4      What is a controller?

 

The “Controller” is the person who determines the purposes and means of the Processing. He implements appropriate technical and organisational measures to ensure and be able to demonstrate that the Processing is carried out in accordance with the regulations in force.

The Data Controller of the Personal Data concerning you is Pharma Blue, whose registered office is located at Les 2 Arcs, Bât A, Route des Crêtes, CS 60327, 06906 Sophia-Antipolis Cedex, France, registered with the Registre du Commerce et des Sociétés (RCS) of Grasse under the n° 813 780 863 (hereinafter “Pharma Blue”, “We”, “Our”). You can contact the Data Controller via the page GDPR Data Request Form.

 

The processing of your personal data

 

1.5      Why do we collect Personal Data?

 

Pharma Blue collects and processes your Personal Data in the course of carrying out its activities in order to provide you with a quality service in a secure environment.

Pharma Blue undertakes to collect only Personal Data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.

The collection and Processing of your Personal Data is necessary for the execution of all pre-contractual measures and for the execution of contracts or assignments between you and Pharma Blue. In addition, we collect Personal Data about you that is necessary to comply with our legal, regulatory and contractual obligations.

 

1.6      We also process your Personal Data in order to ensure the defence of our legitimate interests. These interests include the use of your Personal Data in connection with litigation or other legal matters involving Pharma Blue and/or any Pharma Blue subsidiary.

 

For the purposes of this Policy, pre-contractual measures are defined as any action taken by Pharma Blue in the presentation of our service offerings that may require the collection of Personal Data in order to be able to meet your expectations.

 

1.7      The provision of Personal Data is essential for the conclusion and performance of contracts. If you do not provide us with your Personal Data, we will not be able to respond favourably to your requests, nor to provide you with the products and services to which you have subscribed.

 

How and when do we collect Personal Data?

 

The processing of the Personal Data listed above is necessary to carry out the pre-contractual measures, to create an estimate and to execute the Contract.

In addition, for purposes other than those set out in the Contract, we may collect Personal Data about you based on your free, specific, informed and unambiguous consent. This consent is manifested by a positive statement or act (e.g. ticking a box on a form).

When we collect Personal Data about you through third parties (e.g. healthcare professionals, third parties with whom we have contractual relations etc.), we ensure that you are informed of our commitments and your rights.

 

The categories of recipients of your data

 

Your Personal Data may be communicated to the following recipients, when this communication is necessary for the fulfilment of the purpose of the Processing of your Personal Data:

  • Internal recipients within Pharma Blue and Pharmalex Group: our customer services, finance, legal, HR, marketing and sales departments, all staff, management and internal control functions.
  • Third Party Recipients: Pharmaceutical companies holding marketing authorisations (MA) or early access authorisations (AAP) or compassionate access authorisations (AAC) operated by Pharma Blue and their service providers;
    • Event, communication, advertising and marketing agencies, affiliate platforms, etc.;
    • business introducers;
    • Third-party application maintenance, software service and hosting providers
    • IT and telephone service providers
    • Social organisations
    • Persons authorised as authorised third parties (e.g. supervisory authorities, auditors, etc.).
    • in the event of litigation: investigators, legal advisers, debt collection agencies, bailiffs, lawyers, notaries and parties to the litigation.

We do not sell your Personal Information to third parties.

 

The transfer of your Personal Data outside the EEA

 

We may transfer your Personal Data outside the European Economic Area (“EEA”) to our service providers and customer services. In this case, these transfers are governed either by the standard contractual clauses of the European Commission, or by the establishment of internal company rules or by any other mechanism guaranteeing an adequate level of protection.

 

Retention Periods of Personal Data

 

Pharma Blue keeps your Personal Data for the time necessary to fulfill the purposes for which it was collected. We retain your Personal Information for three (3) years after we have terminated our relationship with you. However, in some cases, your Personal Information may be retained longer, for example in the event of litigation, or to comply with our accounting, legal or regulatory obligations. In any case, this data is destroyed or anonymised once the said purposes have been fulfilled. Anonymisation is a protection mechanism that aims to irreversibly transform Personal Data so that they can no longer identify the person concerned.

 

Our commitment to the protection of Personal Data

 

Pharma Blue is committed to ensuring the protection of your Personal Data from the design of our products, services, sites and applications. We use technical and organisational measures appropriate to the sensitivity of your Personal Information. We protect them against any malicious intrusion, loss, alteration or disclosure to third parties or unauthorised persons. Your data transfers are encrypted using the Secure Socket Layer (SSL) protocol.

However, despite our best efforts to ensure that your Personal Data is kept in a secure environment, we cannot fully protect against the risk of hacking or illegal disclosure of your data.

We take steps to limit intrusive and malicious actions. In the event of a data breach involving your Personal Data, we will notify the CNIL of the breach as soon as possible, and if possible, no later than 72 hours after becoming aware of it. When such a breach is likely to create a high risk to your rights and freedoms, we will inform you of the data breach as soon as possible. Our employees are aware of the processing of Personal Data made available to them in the context of their duties and are required to comply with the internal rules developed by Pharma Blue in accordance with applicable European and national regulations.

We deal exclusively with third parties who respect privacy and limit their access to only the Personal Data necessary to carry out their assignments. The exchange of information is carried out through secure protocols. In order to ensure a high level of security of your Personal Data, our subcontractors are subject to control and audit measures.

We protect the IT developments carried out on our tools by limiting transfers outside our infrastructures. Our information system is accessible only to authorised persons.

We do not disclose any Personal Data about you to business partners without first obtaining your consent and informing you of the possibility of exercising your right to object.

 

Your rights concerning your Personal Data

 

What are your rights?

 

With regard to the processing of Personal Data, you have a number of rights in accordance with the applicable regulations. You can exercise the following rights via the GDPR Data Request Form page:

  • Access to your Personal Data;
  • The rectification of your existing Personal Data;
  • The deletion of your Personal Data, if such deletion does not contravene other regulatory or contractual requirements;
  • The portability of your Personal Data (the right to portability offers you the possibility to recover part of your data in a structured, commonly used and machine-readable format);
  • The opposition to the processing of your Personal Data;
  • The limitation of the processing of your Personal Data in order to verify their accuracy, to oppose their deletion or to exercise or defend your rights in court;
  • The withdrawal of your consent, if you have consented to the processing of your Personal Data;
  • The right to give instructions on the processing of Personal Data concerning you after your death;
  • Lodging a complaint with the Commission Nationale de l’Informatique et des Libertés.

 

What’s a cookie?

 

The Commission nationale de l’informatique et des libertés (hereinafter the “CNIL”) defines a cookie as “(…) a small computer file, a tracer, deposited and read, for example, when consulting a website, reading an e-mail, installing or using a software or mobile application, regardless of the type of terminal used (computer, smartphone, digital reader, video game console connected to the Internet, etc.).”

The term “cookie” includes for example:

  • HTTP cookies;
  • Flash cookies;
  • The result of the fingerprint calculation in the case of “fingerprinting” (calculation of a unique identifier of the machine based on elements of its configuration for tracing purposes);
  • Web bugs;
  • Any other identifier generated by a software or operating system, for example.

 

1.8      What Cookies do we use?

 

1.9      Important Consent Information

 

The deposit or reading of certain Cookies does not require your prior consent, either because they do not process any Personal Data concerning you, or because they are strictly necessary for the provision of the service you request. The deposit or reading of Cookies other than those mentioned above is not possible without your prior consent. You can at any time prevent us from storing or reading the Cookies we use, either by deleting them from your devices or by changing your browser settings.

 

1.10   How to set up your browser, smartphone and software components?

 

Any settings you choose are likely to affect your browsing on our websites as well as your conditions of access to certain services requiring the use of Cookies.

You can allow or disallow cookies to be stored on your device and change your device settings at any time. 

If you have enabled your browser software to accept cookies, they are stored in a dedicated area on your device. 

If you refuse to accept Cookies on your device or if you delete Cookies stored on your device, you will no longer be able to benefit from a certain number of functionalities that are necessary to navigate in certain areas of our websites. Where applicable, we decline all responsibility for the consequences linked to the impaired functioning of our websites resulting from the impossibility for us to record or consult the Cookies necessary for their functioning and that you have deleted or refused. 

More generally, we invite you to consult the “Your traces” section of the CNIL website: http://www.cnil.fr/vos-libertes/vos-traces/les-cookies/. 

 

  1. How to set up your browser?

 

Most browsers accept Cookies by default. However, you can choose to block these Cookies or have your browser notify you when a site tries to install a Cookie on your device.

Please refer to your browser’s help menu to set Cookies to your preferences. Below are links to the cookie setting instructions for all major browsers:

 

  1. How do you configure your privacy settings in your smartphone?

 

You may decide to reset your Ad ID and change your smartphone’s privacy settings.

To configure your privacy settings:

  • Android system:

https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DAndroid&hl=fr

  • Apple system:

https://support.apple.com/fr-fr/HT201265

 

  1. How do you set your analytical cookies?

 

You can set your browser to reject third-party Cookies by default. You can also choose to block only certain suppliers: 

  • Google Adwords: plug-ins are available to systematically block cookies
  • YouronlineChoices offers to control cookies on a company-by-company basis: http://www.youronlinechoices.com/fr/controler-ses-cookies/
  • XITI: you can refuse Cookies by default by logging on to http://www.xiti.com/fr/optout.aspx

 

1.11   How to make a request to Pharma Blue?

 

Any request for information, correction or declaration of events related to personal data processing should be addressed on the page: GDPR data request form 

 

Information notice on personal data for the attention of health professionals or those practising in the field of health and research

 

This information notice (“Information Notice”) on personal data for healthcare professionals or those engaged in health or research (hereinafter “Healthcare Professionals” or “you”) describes the various processes of personal data that Pharma Blue undertakes in its interactions with Healthcare Professionals, how we use this data and the rights they may exercise with regard to their personal data.

 

Personal data about yourself used by Pharma Blue

 

“Personal Data” is information that identifies you personally, directly or indirectly, and that we collect during interactions with you, such as our meetings, your participation in our training or information programs, events, inquiries and communications with us.

We may also use Personal Information that you provide to us or that results from your browsing on our websites or online services and those of our partners. We may collect Personal Data from companies that provide information in the healthcare sector, from publicly available information sources and from partner companies. Depending on the purpose of the data processing, the Personal Data collected may be:

  • Marital status, surname, first name,
  • Contact details (postal address, telephone numbers, email address, fax number)
  • Data relating to your professional activity, including data relating to your education and training, speciality, curriculum vitae, RPPS, official function that you may have in authorities or bodies
  • Data related to your interactions with us and the use of our services that we offer you
  • Preferences regarding your communication methods with Pharma Blue, specialty, or area of interest
  • Browsing data on our websites or online services or those of our partners, IP address, cookie
  • Financial and banking information that you give us for the payment of your fees or the reimbursement of your travel expenses
  • National identity number, passport number, tax identification number.

When Pharma Blue asks you to provide your Personal Data, you have the right to refuse. However, if you refuse to provide data that is necessary for us either to provide you with a requested service or to meet contractual obligations, we will not be able to provide that service or enter into a contract with you; or to meet a legal obligation, in which case we will inform you.

 

How does Pharma Blue use your personal data?

 

Your Personal Data may be used for:

Set up, monitor and evaluate our activities, based on our legitimate interests:

  • To conduct training or information campaigns on the correct use of our products;
  • Respond to your questions and requests for information;
  • Conduct market research and satisfaction surveys or monitor interest in the information provided;
  • To set up scientific collaborations or research actions;
  • Manage databases that allow us to personalise and monitor our interactions with you, contact you with information about our products, services and care pathway approach through our employees, send you information electronically tailored to your needs or interests;
  • Invite you to congresses, professional meetings and scientific, medical or training meetings;
  • Analyse and predict your preferences or profile in order to be able to organise our commercial activities, to personalise the contents of our communications and training and information proposals, to provide information more relevant to your specialties and interests and to improve the use of our sites, platforms and services (processing including profiling);
  • To meet the consolidation and financial management control needs of Pharma Blue and all the companies that are part of the Group.

 

Satisfy our legal obligations:

  • Vigilance: monitoring and reporting, including those related to adverse events, product claims and product safety;
  • Transparency of links, anti-corruption and detection to identify and prevent business relationships with third parties that may be present on unauthorised third party lists;
  • Verification of your eligibility to access certain products, services and data that can be provided only to healthcare professionals (for example, access to a mobile application intended solely for healthcare professionals).

 

Satisfy our contractual obligations with you or your establishment:

  • Setting up an expertise contract, remuneration for services rendered or reimbursement of expenses inherent to these services;
  • Implementation of projects within the establishment (such as projects to optimise patient care or to monitor the patient’s progress) including the creation of questionnaires, analysis of responses and monitoring of the measures taken in the context of such projects;
  • Management of your travels;
  • Management of your participation in medical and scientific research.

 

In some cases, send you personalised communications and newsletters, based on your consent.

 

Recipients of your personal data

 

Depending on the purpose of the collection of personal data, your personal data may be transmitted:

  • To authorised personnel or their representatives acting on behalf of Pharma Blue (including Pharma Blue delegates);
  • Pharma Blue Group companies in France, its parent company Pharmalex Group;
  • Ordinary and/or professional bodies within the framework of regulatory provisions or group procedures relating to the transparency of links with the pharmaceutical industry;
  • To regulatory authorities and personal protection committees or other third parties to satisfy a regulatory requirement, lawsuit, court order, government request or legal process involving us;
  • To third parties who process your personal data on Pharma Blue’s instructions, as subcontractors (e.g. a database manager).
  • To third parties who provide services in the health sector;
  • To other healthcare professionals in the context of projects within your institution or between several institutions (such as projects to optimise patient care or patient pathways);
  • To companies in the context of development, distribution or marketing agreements, including in the context of mergers, acquisitions, sales or disposals of a business, and in particular to assignees or purchasers in the context of the transfer of certain activities.

 

How long will your personal data be stored?

 

Pharma Blue stores your personal data for the time necessary to fulfil the purposes described in this personal information notice in accordance with the provisions of applicable laws and regulations. We retain your Personal Data for up to three (3) years after the end of our relationship with you. However, in certain cases, your Personal Data may be retained longer, for example in the event of litigation, or to comply with our accounting, legal or regulatory obligations. In any case, this data is destroyed or anonymised once these purposes have been fulfilled. Anonymisation is a protection mechanism that aims to irreversibly transform Personal Data so that they can no longer identify the person concerned.

 

Transfer outside the European Union

 

We may transfer your Personal Data outside the European Economic Area (“EEA”) to our service providers and customer services. In this case, these transfers are governed either by the standard contractual clauses of the European Commission, or by the establishment of internal company rules or by any other mechanism guaranteeing an adequate level of protection.

 

Rights you have regarding your personal data

 

With regard to the processing of Personal Data, you have a number of rights in accordance with the applicable regulations. You can thus request the following via the GDPR data request form:

  • Access to your Personal Data;
  • The rectification of existing Personal Data concerning yourself;
  • The deletion of your Personal Data, if such deletion does not contravene other regulatory or contractual requirements;
  • The portability of your Personal Data (the right to portability gives you the possibility to retrieve part of your data in a structured, commonly used, machine-readable format).
  • The opposition to the processing of your Personal Data;
  • The limitation of the processing of your Personal Data in order to check their accuracy, to oppose their deletion or to exercise or defend your rights in court;
  • The withdrawal of your consent, if you have effectively consented to the processing of your Personal Data;
  • The right to give instructions on the processing of your Personal Data after your death;
  • The submission of a complaint to the National Commission for Data Processing and Liberties.

 

1.12   How to make a request to Pharma Blue?

 

Any request for information, correction or declaration of an event related to personal data processed should be addressed on the GDPR data request form.

 

Information notice on personal data in the context of health vigilance monitoring

 

This information notice (“Information Notice”) on personal data is intended for persons whose data will be processed by Pharma Blue in the context of health vigilance management (including pharmacovigilance). These persons (hereinafter the “Data subjects” or “you”) may be those who:

  • Notify Pharma Blue of an adverse health event concerning a person who is a victim of this event (hereinafter the “Notifier” – examples: a healthcare professional making a notification concerning a patient; a member of an approved patient association, a member of a health authority, the person who is a victim of the adverse health event, etc.); and
  • Are the subject of the adverse event report: the person who is the victim of the adverse health event (hereinafter the “Exposed Person”).

The purpose of this notice is to describe the various personal data processing operations that Pharma Blue puts in place in the context of health vigilance management, the manner in which we use the data thus transmitted on this occasion and the rights that the Persons concerned may exercise over their personal data.

 

Personal data about yourself used by Pharma Blue

 

Personal Data is data that personally identifies you, directly or indirectly, and that has been collected directly when the Exposed Person is also the Notifier, or indirectly when the notification is made by a person other than the Exposed Person. This data is collected as part of the notification but also during interactions with the Notifier or any person from whom we may collect data necessary to assess the adverse health event (e.g. another health professional).

 

The Personal Data collected may be:

 

Data relating to the Exposed Individual necessary for the assessment of the adverse health event:

 

  • Data allowing the indirect identification of the person exposed to the adverse health event (descriptive information such as age, year or date of birth, sex, weight, height) or identification number of the person (alphanumeric code, alphabetical identification code as provided for in existing forms) allowing to guarantee the respect of his/her private life, excluding the registration number in the national directory of identification of natural persons and the national health identifier;
  • Data relating to the identification of the product concerned by the report of the adverse health event: type of medicinal product, device or product used, serial number, etc.;
  • Health data, in particular: treatments administered, results of examinations, nature of the adverse reaction(s), personal or family history, diseases or associated events, risk factors, information relating to the method of prescription and use of medicines and the therapeutic conduct of the prescriber or health professionals involved in the management of the disease or adverse health event.

 

Additional data collected when necessary for the assessment of the adverse reaction

 

  • Data relating to working life;
  • Use of tobacco, alcohol, drugs;
  • Lifestyle habits and behaviours;
  • Ethnic origin (where this may affect the efficacy or safety of the drug, device or product);
  • Notifier’s data: contact details;
  • Data relating to the health professional likely to provide details: surname, first name, postal, electronic and telephone contact details, where appropriate specialty of the health care professional.

An adverse health event notified directly by the Exposed Person has the effect of lifting the secrecy of his identity.

 

Why Pharma Blue processes your personal data

 

Your Personal Data is processed by Pharma Blue for the purposes of health vigilance management and, in particular:

  • The collection, recording, analysis, monitoring, documentation, transmission and storage of data relating to all adverse health events concerning Pharma Blue products;
  • The management of contacts, by Pharma Blue, with the Notifier of the adverse health event or the healthcare professional who may be questioned in order to obtain, in compliance with medical confidentiality, details of the reported adverse health event (professional depending on the Exposed Person, etc.).

This processing:

  • Meets the legal obligations imposed on Pharma Blue in application of the provisions of the Public Health Code
  • Is necessary for reasons of public interest; in particular, its aim is to ensure compliance with high standards of quality and safety of health care and of medicines, devices or products in accordance with the provisions of Article 9 of Regulation (EU) 2016/679 of 27 April 2016 (known as the GDPR) and Article 66 of Law No. 78-17 of 6 January 1978 as amended.

 

Recipient of your personal data

 

Depending on the purpose of the collection of personal data, your personal data may be transmitted to the following recipients:

  • The person in charge of the vigilance, as well as his collaborators and agents involved in the process of managing health vigilance;
  • The staff of the audit department to verify compliance with regulatory requirements;
  • Authorised personnel in charge of managing complaints;
  • Subcontractors working on behalf of Pharma Blue under its responsibility;
  • The companies of the Pharma Blue group in France, as well as its parent company Pharmalex Group, which may be involved in the operation or marketing of the drug, device or product in question;
  • Third parties whose medicines, devices or products may be involved, with the exception of data directly identifying the Exposed Person;
  • Health care professionals involved in the follow-up of the Exposed Individual and health care professionals or other professionals who can provide additional information;
  • Notified Bodies in charge of the evaluation of a drug, device or product, with the exception of data directly identifying the Exposed Person;
  • National public bodies (e.g. regional health agencies, health agencies, etc.) or foreign public bodies in charge of vigilance in the exercise of their missions as defined by the texts, foreign national health authorities or agencies and international health authorities or agencies (e.g. European Medicines Agency), with the exception of data directly identifying the Exposed Person.

 

How long your personal data will be stored

 

Pharma Blue stores your personal data for the time necessary to fulfil the purposes described in this personal information notice in accordance with the provisions of applicable laws and regulations. Thus, your data will be kept for the legal or regulatory period applicable to the health monitoring in question. In the absence of a legal or regulatory duration, data may not be retained beyond a period of seventy years from the date of withdrawal of the drug, device or product from the market.

 

Transfer outside the European Union

 

We may transfer your Personal Data outside the European Economic Area (“EEA”) to our service providers and customer services. In this case, these transfers are governed either by the standard contractual clauses of the European Commission, or by the establishment of internal company rules or by any other mechanism guaranteeing an adequate level of protection.