Privacy notice

Concerning data processing in connection with pharmacovigilance and medical information service (“privacy notice”)

1. Background

Gedeon Richter Plc. (H-1103 Budapest, Gyömrői út 19-21., Hungary, Cg. 01-10-040944 ) (hereinafter referred to as ”Richter” or ”we” or ”us”) as personal data controller at the subsidiary Gedeon Richter Nordics AB (SE-11123 Stockholm, Barnhusgatan 22, Sweden, organization number 556890-1663 ) undertakes to respect your rights to data protection and confidentiality and to protect your personal data. The purpose of this privacy notice is to explain how we process and protect your personal data and when

  • you report an adverse event/side effect in connection with our product(s),
  • you request information about one or more of our products, or
  • you submit other claims or questions related to pharmacovigilance issues, adverse events/side effects or medical issues.

We will use the information that you (or another person) provide to us about yourself, or related to you when you through any channel (eg e-mail sent directly to us or contact us through one of our partners or through our website) ask us a question or notifies us of an adverse event/side effect or calls us to take necessary actions in connection with your request or notification.

This may include the processing of personal data about you as an identified or identifiable natural person (ie personal data) covered by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and on the repeal of Directive 95/46/EC (”General Data Protection Regulation” or ”GDPR”) and of applicable national law. According to the GDPR, you as the data subject have the right to submit a question or a complaint you may have to Richter (as the data controller) or a complaint against Richter to the data protection authority of the country where you are a permanent resident. In Sweden, this data protection authority is Datainspektionen (website: www.datainspektionen.se; city: Stockholm, Sweden; postal address: Drottninggatan 29, 5th floor, PO Box 8114, 104 20 Stockholm; e-mail address: [email protected]; telephone number: +46 8 657 6100). We recommend that before you ask the authority a question regarding the handling of your personal data, you first contact GR Nordics if you have questions or complaints by sending an e-mail to the e-mail address [email protected].

2. Contact details of the personal data controller and its data protection officer

2.1. Personal data controller

Name: Gedeon Richter Plc
Seat: H-1103 Budapest, 19-21 Gyömrői út, Hungary
Postal address: 1475 Budapest, P. O. Box 27, Hungary
Company registration number: Cg. 01-10-040944
Tax number: 10484878-2-44
Website: www.richter.hu
Email: [email protected]

3. Details of the data processor

3.1. Name: Gedeon Richter Nordics AB
CITY: Stockholm, Sweden
Mailing address: Barnhusgatan 22, 111 23, Stockholm, Sweden
Company registration number: 556890-1663
Website: www.gedeonrichter. se/no
CEO: Mats Jonsson
Email regarding data protection issues: [email protected]

Other data processors:

3.2. Name: ArisGlobal Limited
Seat: 16A, Lincoln Place, Dublin 2, Ireland
Website: https://www.arisglobal.com/contact-us/

3.3. Name: ProPharma Group
Website: https://www.propharmagroup.com/contact/

4. Definitions

”Adverse event” is any adverse medical event in a patient or subject who has received a drug and which event is not necessarily causally related to this treatment.

”Side effect” is a harmful and unintended reaction to a drug. A causal relationship between a drug and the reaction is suspected.

”Personal data controller” is the natural or legal person, public authority, body or other organization which, alone or together with others, decides on the purpose and methods of the processing of personal data; whereby the purposes and methods of such processing are set out in Union or Member State law, and the controller or specific criteria for the appointment of this may be set out in Union or Member State law.

”Data processor” is a natural or legal person, public authority, body or other organization that processes personal data on behalf of the data controller;

”EudraVigilance” is a centralized European database of suspected side effects on medicines that are approved or are being studied in clinical trials within the European Economic Area (EEA).

”GDPR” is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46/EC (general data protection regulation).

”Medical Information Service” is an organizational unit within Richter that provides information to customers, healthcare professionals and/or the public about products marketed by Richter.

”Pharmakovigilance” is a compound word of pharmakon (Greek for drug) and vigilare (Latin for guarding) which aims to protect against the side effects of pharmaceutical products. Safeguarding means ensuring the safe use of medicines, assessing their effectiveness and monitoring new and known side effects. The term pharmacovigilance encompasses any activity carried out to ensure the safe use of medicines. According to the World Health Organization (WHO) definition published in 2002, pharmacovigilance is ”the research and activities related to the detection, assessment, understanding and prevention of side effects or other drug-related problems.”

”Personal data” is any information relating to an identified or identifiable natural person (”the data subject”). An identifiable natural person is a person who can be directly or indirectly identified specifically by reference to an identifier such as a name, an identification number, location data or online identifiers or one or more factors specific to the natural person’s physical, physiological, genetic, psychological, economic, cultural or social identity.

5. How should the registrant be informed of this privacy notice?

Possible sources of information are described in point 6.2 below. Consequently, we do not always receive information directly from the data subjects (persons directly affected by the side effect or product-related medical information requested).

Informing the data subjects about the data processing is a confidentiality principle. We are obliged to do this even if we do not receive the personal data directly from the data subjects themselves. Sometimes, however, we do not have sufficient information about the registrants (for example, contact details may be missing). In such cases, we cannot contact the data subjects directly to inform them since we have received information about them from the reporter.

When the source of information (ie the reporter) is not the data subject himself, we encourage the reporter to inform the data subject (the person directly affected) that the privacy notice exists and where to read it. It is desirable that the URL link to this privacy notice be forwarded, or at least that reference is made to the content and/or location of the privacy notice.

6. Pharmacovigilance

6.1. What terms apply to the processing of personal data?

We will process personal data according to the following conditions.

The purpose of our data processing

Richter handles personal data to enable Richter

  • to fulfill its obligations under statutory regulations in relation to reported adverse events / side effects;
  • to maintain the system for pharmacovigilance;
  • to fulfill its obligation to report side effects according to statutory regulations.

In order to monitor the safety profile of our products, we can

  • assess information about the reported adverse event/side effect;
  • gather more information about the adverse event/side effect and the circumstances surrounding it;
    answering reporters;
  • follow up on reports.

The legal basis for our data processing

Richter is required by pharmacovigilance legislation to record, process and store information on adverse events/side effects and personal data included in such reports, and further to submit these reports in accordance with applicable statutory regulations.

Such statutory regulations are:

  • Commission Implementing Regulation (EU) No. 520/2012 of 19 June 2012 on the pharmacovigilance of medicinal products provided for in Regulation (EC) No. 726/2004 of the European Parliament and of the Council and Directive 2001/83/EC of the European Parliament and of the Council;
  • Guideline on good pharmacovigilance practices (GVP) – Module VI – Collection, management and submission of reports of suspected adverse reactions to medicinal products;
  • The Swedish Medicines Act (SFS 2015:315) and the Swedish Medicines Ordinance (2015:458)
  • 15/2012. (VIII. 22.) Decree of the Minister of Human Resources (Hungary)

What personal data can we process?

Personal information about

The patient

  • Contact information (e.g. name, email address, phone number, address)
  • Age, sex, sex life
  • Weight, height
  • Ethnic background
  • Information about the patient’s relatives
  • Previous and current drug treatments or therapies
  • Medical status
  • Medical history

Rapporteur

  • Contact information (e.g. name, email address, phone number, address)
  • Profession
  • Relationship to the patient

How long do we save this data?

Richter archives and stores pharmacovigilance data for as long as the product is approved and for a further 10 years after the marketing authorization has expired.

However, local regulations may be stricter.

/Based on GVP module VI. C.2.2.

and

Article 12, paragraph 2, of Commission Implementing Regulation (EU) No. 520/2012 of 19 June 2012 on the pharmacovigilance of medicinal products provided for in Regulation (EC) No. 726/2004 of the European Parliament and of the Council and Directive 2001/83/EC of the European Parliament and of the Council

6.2. What/who is the source of information about the adverse event / adverse effect?

Richter may receive information about adverse events/side effects from the following sources:

  • the patient;
  • healthcare professionals (eg doctors, pharmacists, nurses, veterinarians, dentists, opticians, podiatrists, midwives, laboratory managers, biomedical analysts, physiotherapists, and nutritionists);
  • third party (e.g. patient’s family member, lawyer, colleague);
  • public source (eg scientific articles);
  • other sources.

In most cases, however, we receive personal data from the above-mentioned sources through direct transmission of information. We do not initially require people to send reports of an adverse event/side effect, but if we receive information about an adverse event/side effect that may be related to one of our products, we are required by law to collect information about the case and process it in accordance with the established procedure for pharmacovigilance. This means that we are obliged by law to process personal data when we have become aware of such data.

Please note that healthcare professionals are required by law to report adverse reactions they receive information about.

Please also note that we are always obliged to administer and register the contact details (name and other contact details) of the person who reports an adverse event/side effect.

6.3. Forms for receiving information

Richter can receive information about adverse events/side effects addressed directly to Richter in the following forms through the channels listed below:

Electronic – written / by mail – written / in person – oral

  • e-mail message;
  • personally delivered message;
  • message by telephone;
  • Richter’s website, social media;
  • mail;
  • fax.

6.4. What do we do with the information about adverse events / side effects?

The procedure for pharmacovigilance reporting is strictly regulated by European Union and national laws. During the processing of reports, we may take the following actions:

  • Receive information about adverse events/side effects via e-mail, websites, telephone calls, letters, and personally transmitted information, via searches of public sources.
  • Register and process the adverse event/side effect in our own, national and international databases.
  • Assess the adverse event / adverse event (ie, perform a medical evaluation of the adverse event report).
  • Follow up on the adverse event. (ie asking questions about the adverse event if the initially available information is not sufficient for a complex evaluation of the case.)
  • Transfer and convey data about the adverse event/side effect to recipients listed in the points6.5 below.

6.5. Do we forward or transfer your personal information?

According to the legislation on the safety monitoring of medicines, Richter can pass on personal data in connection with pharmacovigilance information

  • to units (subsidiaries and representative offices) within the Richter Group;
  • to supervisory authorities, and national health authorities, including submitting the case to the EudraVigilance system (transfer of personal data to the EudraVigilance system is however very rare as anonymous data is sufficient);
  • to Richter’s service providers who are part of Richter’s pharmacovigilance systems and processes;
  • to commercial partners (with whom we commercialize the same pharmaceutical products in different countries based on commercial agreements).

7. Medical information service

7.1. What terms apply to the processing of personal data?

We will process personal data according to the following terms unless the question/request relates to pharmacovigilance-related matters, in which case section 6 applies.

The purpose of our data processing

To answer your questions and follow up on your request.

The legal basis for our data processing

The consent you previously provided.

What personal data can we process?

Your contact information and the information you provided in your request.

(eg: name, email address, phone number, health-related information, and other information that you provide to us in your message.)

How long do we save this data?

Until your question/request has been answered, the data will be saved for a maximum of five years.

7.2. What/who is the source of medical information requests/questions?

Richter may obtain medical information and medical inquiries from the sources below.

  • the patient;
  • healthcare professionals (eg doctors, pharmacists, nurses, veterinarians, dentists, opticians, podiatrists, midwives, laboratory managers, biomedical analysts, physiotherapists, and nutritionists);
  • third party (e.g. patient’s family member, lawyer, colleague).

7.3. Forms for receiving requests/questions about medical information

Richter can receive requests/questions made directly to Richter in the following forms through the channels listed below:

Electronic – written / by mail – written / in person – oral

  • e-mail message;
  • personally delivered message;
  • message by telephone;
  • Richter’s website, social media;
  • mail.

7.4. What do we do with the medical information or medical request?

During the processing of data that we have received, we may take the following actions:

  • Receive the information via e-mail, websites (including social media), phone calls, letters, via personally communicated information.
  • Register and process the medical information in our own or a contracted partner’s databases.
  • Assess the medical information.
  • Follow up on the medical request.
  • Transfer and pass on personal data to recipients listed in point 7.5 below.

7.5. Do we forward or transfer your personal information?

In order to answer your questions or follow up on your request, Richter may pass on personal data:

  • to entities (Gedeon Richter Plc. as the parent company, other subsidiaries or representative offices) within the Richter Group;
  • to Richter’s service providers who are part of Richter’s systems and processes for medical information.

8. Other requests

8.1. What terms apply to the processing of personal data?

We will process personal data according to the following terms, unless the question/request relates to pharmacovigilance-related matters, in which case section6 applies, or questions/requests for medical information, in which case Sec7 applies.

The purpose of our data processing

To answer your request.

The legal basis for our data processing

The consent you previously provided.

What personal data can we process?

Your contact information and the information you provided in your request.

(eg: name, email address, phone number, health-related information, and other information that you provide to us in your message.)

How long do we save this data?

Until your question/request has been answered, the data will be saved for a maximum of five years.

8.2. What/who is the source of the request?

Richter may receive requests from the following sources:

  • the patient;
  • healthcare professionals (eg doctors, pharmacists, nurses, veterinarians, dentists, opticians, podiatrists, midwives, laboratory managers, biomedical analysts, physiotherapists, and nutritionists);
  • third party (e.g. patient’s family member, lawyer);
  • other sources.

8.3. Forms for receipt of other requests

Richter can receive other requests made directly to Richter in the following forms via the channels listed below:

Electronic – written / by mail – written / in person – oral

  • e-mail message;
  • personally delivered message;
  • message by telephone;
  • Richter’s websites;
  • mail.

8.4. What do we do with the request?

During the processing of requests, we may take the following actions:

  • Receive requests via e-mail, via websites (including social media), via telephone calls, via letters, via personally communicated information,
  • Register and process the request in our own databases.
  • Assess the request.
  • Follow up on the request.
  • Transfer and pass on personal data to recipients listed in point 8.5 below.

8.5. Do we forward or transfer your personal information?

Richter can pass on personal data in connection with the request:

  • to entities (Gedeon Richter Plc. as the parent company, other subsidiaries or representative offices) within the Richter Group;
  • to Richter’s contracted partners (e.g. lawyers, advisors, external experts, commercial partners).

9. What security measures do we use?

When we handle (including pass on) personal data, we always ensure that the personal data is handled confidentially and apply limited access to personal data, oblige our partners and service providers to use contractual security measures, follow internal procedures to fulfil our obligations regarding data protection, take sufficient technical and organizational measures to protect personal data, and we ensure data protection principles, in particular the principle of minimizing data and time and limited purpose.

10. What rights do you have regarding your personal data

You have the right:

  • to request access to your personal data,
  • to request that your personal data be transferred to another person,
  • to limit the processing of your personal data,
  • to correct or delete incorrect or out-of-date information,
  • to delete your personal data (in respect of personal data processed on the basis of your consent),
  • to object to the processing of your personal data in specific cases (in respect of personal data processed on the basis of our legitimate interest and legal provisions).

If you object to the use of your personal data, you can also request that we restrict the processing of this data.

If we use your personal data on the basis of your consent, in most cases you can withdraw this consent.

Please note that the above rights may be limited. We are obliged by law to process data on the pharmacovigilance of medicines. In these cases, we may not delete some of your personal data.

If permitted by law, we will of course terminate data processing and delete your data for this purpose.

If you wish to exercise your rights, please send your request to one of the contacts listed above. You also have the right to lodge a complaint with the data protection authority specified in the first section of this privacy notice.

Please also note that we may need to verify your identity before complying with your request. We may therefore ask you to provide us with additional information.