Privacy notice
for healthcare professionals
(HCPs)

Last Update July 29, 2021

Arvelle Therapeutics UK, a UK establishment of Arvelle Therapeutics Netherlands B.V., (hereinafter — "Arvelle" or "Controller"), pursuant to the UK Data Protection Act (2018), provides You with the following information on the processing of your personal data, in your capacity as a healthcare professional (hereinafter — “HCP”).

  1. Identity and contact details of the Controller and Data Protection Officer (DPO)
    The Controller is Arvelle, with registered office at Oxford Circus, 33 Cavendish Square, W1G 0PW London, United Kingdom, email: dataprivacy@arvelletx.com.
    The Controller has appointed a Data Protection Officer (DPO), who can be contacted directly at dataprivacy@arvelletx.com.
  2. Purposes and legal basis of the processing
    Your personal data will be processed, in compliance with the law in force, in a fair, lawful and transparent manner for the purposes set out below and according to the following prerequisites of lawfulness (legal bases of the processing).
Purpose of the processing Legal basis of the processing
a) Carrying out and managing the personalized medical-scientific information visits to clinics, doctor's offices and hospital facilities where You carry out your professional activity, according to your activity, interests, needs, preferences and your interaction with us [personalized medical-scientific information visits]. The processing of your personal data for this purpose is based on the legitimate interest of the Controller (art. 6.1.f, UK GDPR) in personalized medical-scientific information visits.
Upon your request, the Controller may provide You with information on the evaluation of this legitimate interest carried out by the Controller.
You may exercise your right to object to this activity at any time by notifying the Controller.
b)Remote marketing communications (email, SMS and non-automated telephone calls) concerning medical-scientific and non-medical-scientific information including invitations to take part, as learner, in congresses, conventions or medical-scientific meetings, personalized according to your activities, interests, needs, preferences, and interaction with us [personalized remote marketing communications]. The processing of your personal data for this purpose requires your consent (art. 6.1.a, UK GDPR).
You may withdraw your consent at any time by using the appropriate link at the foot of each email and SMS communication or by contacting the Controller.
c) Carrying out of market research and surveys about products, services and activities of the Controller (communicated or carried out face to face, by email) [market research and surveys]. The processing of your personal data for this purpose requires your consent (art. 6.1.a, UK GDPR).
You may withdraw your consent at any time by contacting the Controller.
d) Proper and comprehensive management of your request (for example, a request for information or assistance, an unsolicited request for medical-scientific information or a request to receive free samples of pharmaceutical products) [management of your requests]. The processing of your personal data for this purpose is necessary for the execution of a contract or the execution of pre-contractual measures (herein intended as a "legal relationship" established between You and the Controller following a possible request from you) (art. 6.1.b, UK GDPR).
e) Proper and comprehensive management of your possible participation in congresses, conventions or medical-scientific meetings organized by the Controller (held face to face or in remote/online) [management of congresses, conventions or medical-scientific meetings]. The processing of your personal data for this purpose is necessary for the execution of a contract or the execution of pre-contractual measures (proper and comprehensive management of your participation in congresses, conventions or medical-scientific meetings organized by the Controller) (art. 6.1.b, UK GDPR).
f) Proper and comprehensive management of pharmacovigilance reports [pharmacovigilance]. The processing of your personal data for this purpose is a legal obligation (art. 6.1.c, UK GDPR).
g) Fulfilment of legal obligations of an administrative/accounting/tax nature, including the obligation to document your acknowledgement of this notice and any consents given by you [administrative/accounting/tax obligations]. The processing of your personal data for this purpose is a legal obligation (art. 6.1.c, UK GDPR).
h) Proper and comprehensive management of your registration with the reserved area accessible on the Arvelle websites (the “Reserved Area”) and your use of the contents and services reserved to registered users [registration with the reserved area and use of the related contents and services]. The processing of your personal data for this purpose is necessary for the execution of a contract or the execution of pre-contractual measures (reference is made to the conditions of the contract regulating registration with the Reserved Area and use of the related contents and services) (art. 6.1.b, UK GDPR)
  1. Profiling
    The personalization of the medical-scientific information visits and remote marketing communications (purposes referred to in paragraph 2, letters a) and b) is carried out by us on the basis of an analysis of your data relative to interests, needs, preferences, activities and your interaction with us (this is termed “profiling”).
    We believe that profiling adds value to our relationship with you, insofar as it allows us to visit you and send you or show you communications and contents that take your profile into account and, therefore, may be of greater interest, more use or better appreciated by you.
    The information we use to do this is, in particular: professional qualification, professional order; specialization; graduation year; date of birth; any position held in hospitals and outpatient clinics; data relating to medical-scientific information visits and interest shown; information you have supplied voluntarily; answers you have provided directly to the medical-scientific representative or through filling in specific questionnaires/forms, such as area of greatest interest or main professional activity, assessment of the products of the Controller under the scope of therapeutic choices; answers you have given during market research and surveys carried out on our products, services and activities; your opinion about us and our products, services and activities; participation in our events; interaction with our communications and contents; information on the use of and how to use the contents and services present on the Arvelle websites and web platforms.
    We use different tools to collect and process this information, including analytical and profiling cookies, as well as similar tracking technologies (such as, for example, web beacons). The data collected using these technologies includes: IP address, information on the device used and data acquired by means of the browser or device used (as unique identifier of the device and operating system), information on the conduct adopted during on-line browsing or use of digital contents and services, as well as statistical data.
    For detailed information on the use of cookies and similar tracking and analytical technologies on the specific Arvelle web platforms and websites and to give consent to their use, please refer to the specific “cookie policy” given on said Arvelle websites and web platforms.
  2. Categories of data processed
    The Controller will process the following categories of personal data concerning You:
    • name and surname, profession, status (i.e. whether or not You have ceased professional activities), OneKey ID (i.e. identification code used by the database of IQVIA Commercial GmbH & Co. KG and affiliates, see paragraph 5 below);
    • data necessary for your correct identification as healthcare professional (HCP), in particular your GMC number and, if not sufficient to identify You correctly, additional verification information such as profession, specialization, entity/structure, business address and telephone number;
    • if a registered user, username and password to access the Reserved Area, as well as the data necessary or connected to the use of specific contents and services present in the Reserved Area, such as any specialization, whether or not You are a trainee specialist and the relevant specialty, personal data You have shared in the Reserved Area;
    • contact data, such as email, telephone number, postal address of the clinic, doctor's office or hospital environment where You practice your profession;
    • data related to interests, needs, preferences, activities and interaction with us (for the purposes pursuant to paragraph 2, letters a) and b) (for a detailed list of data used for “profiling”, see paragraph 3 above);
    • any personal data You may have supplied during market research and surveys (for the purpose pursuant to paragraph 2, letter c);
    • personal data You use for any request (in particular name and surname, postal address or email address) and any other personal data You may have given in your communication or as may be necessary to handle your request (for the purpose pursuant to paragraph 2, letter d);
    • identification data, such as tax code and the data contained in the identification document (number of the identification document, place and date of birth, residence address, photograph, etc.) in case of your participation in congresses, conventions or medical-scientific meetings organized by the Controller (for the purpose referred to in paragraph 2, letter e), as well as any image of your signature affixed at the bottom of this privacy notice to document the reading by You and any consents given by You (for the purpose referred to in paragraph 2, letter g);
    • any other data necessary for the fulfillment of legal obligations (purposes referred to in paragraph 2, letters f) and g) such as, in particular, VAT number.
  3. Source of data
    Your personal data will be obtained by the Controller:
    • directly from You and your interaction with us;
    • from sources accessible to the public (in particular, professional registers);
    • from private databases of third parties, in particular, of the company IQVIA Commercial GmbH & Co. KG and its affiliates (whose privacy notice can be consulted on the following web page https://www.iqvia.com/about-us/privacy/privacy-policy);
    • from official websites of your own or of the clinics and hospitals in which You carry out your profession;
    • from social networks such as Facebook, Instagram (both owned by “Facebook Ireland Ltd.”) and LinkedIn (“LinkedIn Ireland Unlimited Company”) with which You may be registered. The privacy notice of Facebook is available for consultation at https://en-gb.facebook.com/policy.php that of Instagram at https://help.instagram.com/519522125107875 and that of LinkedIn here https://www.linkedin.com/legal/privacy-policy;
    • from third parties (in particular, from your colleagues or from the clinics and hospitals in which You carry out your profession).
  4. Nature of the provision
    The provision of your personal data for personalized medical-scientific information visits (purpose referred to in paragraph 2, letter a) is merely optional: failure to provide or opposition to their processing would make it impossible for You to receive personalized medical-scientific information visits from the Controller at the clinics, doctor's offices and hospital facilities where You carry out your professional activity, based on profiling.
    The provision of your personal data for the personalized remote marketing communications (purpose referred to in paragraph 2, letter b) is merely optional: failure to provide it would make it impossible for You to receive personalized remote communications from the Controller (email, SMS, non-automated telephone calls) concerning medical-scientific and non-medical-scientific information, including invitations to take part, as learner, in congresses, conventions or medical-scientific meetings, based on profiling.
    The provision of your personal data for market research and surveys (purpose referred to paragraph 2, letter c) is optional only: failure to provide such would make it impossible for You to take part in market research and surveys about products, services and activities of the Controller and express your opinion on them.
    The provision of your personal data for the management of your requests (purpose referred to in paragraph 2, letter d) is a necessary requirement for the Controller to be able to respond to your request: failure to provide it would make it impossible for You to see your request fulfilled (in particular, to receive a response to a request You make for information or assistance, an unsolicited request for medical-scientific information or a request for free samples of pharmaceutical products).
    The provision of your personal data for the management of congresses, conventions or medical-scientific meetings (purpose referred to in paragraph 2, letter e) is a contractual obligation: failure to provide it would make it impossible for You to participate in congresses, conventions or medical-scientific meetings organized by the Controller (held face to face or in remote/online).
    The provision of your personal data for pharmacovigilance (purpose referred to in paragraph 2, letter f) and for the fulfilment of administrative/accounting/tax obligations (purpose referred to in paragraph 2, letter g) is compulsory as it derives from legal provisions.
    The provision of your personal data in order to register with the reserved area and use the related contents and services (purpose pursuant to paragraph 2, letter h) is a contractual obligation: failure to provide such would make it impossible for You to register with the reserved area and use the contents and services reserved to registered users.
  5. Categories of recipients of personal data
    For the purposes indicated above (paragraph 2), your personal data may be communicated:
    • to persons authorized by the Controller to carry out personal data processing operations (employees or collaborators of the Controller);
    • to the Processors appointed by the Controller (for all purposes: providers of computer, technological and telematic services, including data storage and management, technical security measures and technological infrastructure; for administrative/accounting/tax obligations: providers of services for the management and storage of tax and accounting documentation; for personalized medical-scientific information visits, for personalized remote marketing communications, and for market research and surveys: companies carrying out market research and marketing activities; companies specialized in data analysis; for the management of medical-scientific congresses, conferences or meetings: event organization companies);
    • to other data controllers (for pharmacovigilance: national and European medical and pharmaceutical agencies, other pharmaceutical companies, including companies of the Arvelle Pharma Group, tied to the Controller by license contracts and distribution agreements for pharmaceutical products or in the case of transfer of marketing authorizations for the pharmaceutical product; for the management of your requests: couriers and dispatch companies; for the management of medical-scientific congresses, conferences or meetings: travel agencies, transport companies such as airlines, railways, etc., hotels; conference and convention centers, banking operators; for administrative/accounting/tax obligations: registered and expert accountants; for remote communications: suppliers of telecommunication).
    Your data may also be transmitted in accordance with the law to tax authorities, police forces and judicial and administrative authorities, for the assessment and prosecution of crimes, prevention and protection from threats to public security, to allow the Controller to ascertain, exercise or defend a right in court, as well as for other reasons related to the protection of the rights and freedoms of others.
  6. Data retention period
    We store your personal data for a limited period of time, different depending on the purpose of processing. After this period, your data will be permanently deleted or in any case made anonymous in an irreversible way.
    Your personal data will be stored in compliance with the terms and criteria specified below:
    • for personalized medical-scientific information visits (purposes referred to in paragraph 2, letter a), until the exercise of your right to object, which can be done at any time by contacting the Controller and, in any case, for a maximum period of 5 (five) years from the last medical-scientific information visit or until we know that You no longer practice the medical-healthcare profession;
    • for personalized remote marketing communications (purpose referred to in paragraph 2, letter b), until the withdrawal of your consent or the exercise of your right to object, which can be done at any time by using the appropriate link at the foot of each email and SMS communication or by contacting the Controller and, in any case, for a maximum period of 5 (five) years from the time You have given your consent or until we known that You no longer practice the medical-healthcare profession;
    • for market research and surveys (purpose referred to in paragraph 2, letter c) until the withdraw of your consent or the exercise of your right to object, which can take place by contacting the Controller and, in any case, for a maximum period of 5 (five) years from the time You have given your consent;
    • for the management of your requests (purpose referred to in paragraph 2, letter d) for a period of 7 (seven) years from the proper and comprehensive handling of your request;
    • for the management of congresses, conventions or medical-scientific meetings (purpose referred to in paragraph 2, letter e) for a period of 10 (ten) years from the conclusion of the congress, convention or medical-scientific meeting organized by the Controller, in which You attended;
    • for pharmacovigilance (purpose referred to in paragraph 2, letter f) as long as the medical product is authorised and for at least 10 (ten) years after the marketing authorisation has expired;
    • for the fulfilment of administrative/accounting/tax obligations (purpose referred to in paragraph 2, letter g) for a maximum period of 7 (seven) years from the end of the calendar year in which the administrative/accounting/tax document was drawn up;
    • to register with the reserved area and use the related contents and services (purpose referred to in paragraph 2, letter h), if a registered user, until (i) deletion of your account, which You may request at any time by contacting the Controller or until (ii) loss, by yourself, of the subjective requirements needed to use the service (Reserved Area) and, in any case, until (iii) cessation of the service (Reserved Area) by the Controller. During registration, verification of your qualification as healthcare professional will last for up to 30 (thirty) days. Failure to complete the verification during this period of time will mean that your personal data is deleted from our databases and your request for registration is deemed unsuccessful.
    For technical reasons, the cessation of the processing and the consequent cancellation or anonymization of your personal data will take place within 30 (thirty) days from the terms indicated above.
    This is without prejudice to cases in which storage for a later period is required for any litigation, requests by the competent authorities or in accordance with applicable legislation.
  7. Transfer of personal data outside the UK
    Your personal data may be transferred in countries outside the UK that nevertheless offer an adequate level of data protection, as established in accordance with Art. 45 UK GDPR.
    The transfer of your personal data outside the UK that do not ensure adequate levels of protection will be performed only after conclusion between the Controller and the recipient of the data of specific agreements, containing safeguard clauses and appropriate safeguards for the protection of your personal data which are so-called "standard model clauses", also approved by the European Commission or the competent national authority, or if the transfer is necessary for the conclusion and execution of an agreement between You and the Controller or for the management of your requests.
  8. Data subject rights
    The data subject, i.e. You, may exercise, in relation to the processing of the data described herein, the rights provided for by the applicable legislation on the protection of personal data, including the right to:
    • have confirmation as to whether or not personal data concerning You are being processed and, if so, to obtain access to the data and related information (in particular, the purposes of the processing; categories of personal data processed; recipients or categories of recipients to whom the data have been or will be communicated; the period of retention of the data or the criterion for determining it; the existence of the rights to rectify or delete the data or to limit or oppose the processing; the right to lodge a complaint with a supervisory authority; the origin of the data; the possible existence of an automated decision-making process, including profiling and, in such cases, significant information on the logic used and the importance and expected consequences of such processing for the data subject; the appropriate safeguards in case of transfer of personal data outside the UK), as well as a copy of such personal data provided that this does not harm the rights and freedoms of others (right of access);
    • obtain the rectification of your personal data, i.e. to obtain the correction, modification or updating of any inaccurate or no longer correct data, and to obtain the integration of incomplete personal data, including by providing a supplementary statement (right to rectification);
    • request the deletion of your personal data when, in particular, (i) they are no longer necessary with respect to the purposes for which they were collected or processed, or (ii) they have been processed unlawfully, or (iii) they must be deleted in order to comply with a legal obligation, or, finally, (iv) you have objected to their processing (see below "right to object") and there is no prevailing legitimate reason allowing the Controller to proceed with the processing in any case (right to be forgotten). Cancellation may not be carried out if, in particular, the processing is necessary for the fulfilment of a legal obligation or for the ascertainment, exercise or defense of a right in court;
    • obtain the restriction of the processing of your personal data, i.e. that the Controller retains such data without being able to use them. This right can be exercised only when, in particular, (i) You contest the accuracy of your personal data, for the period necessary for the Controller to verify the accuracy of such data, or (ii) the processing of the data is unlawful and You request the restriction of their use, rather than their deletion, or (iii) although the Controller no longer needs them for the purposes of processing, the personal data are necessary for You to ascertain, exercise or defend a right in court or (iv) You have opposed their processing (see below "right to object"), pending verification of whether the legitimate reasons of the Controller prevail over those of the data subject (right to restriction);
    • obtain from the Controller your personal data processed on the basis of your consent or a contract, in a standard format, as well as that they are transferred, where technically possible, directly to a third party indicated by You (right to data portability);
    • withdraw your consent at any time, if previously given for the processing of your personal data, without affecting the lawfulness of processing based on consent before its withdrawal. You may revoke your consent by using the appropriate link at the foot of each email and SMS communication or by contacting the Controller (withdrawal of consent).
    In addition, You as data subject also have the right to object:
    • object at any time, for reasons related to your particular situation, to the processing of your personal data for personalized medical-scientific information visits, for personalized remote marketing communications, and for market research and surveys.
    To exercise these rights, You may contact the Controller at any time, by writing to Arvelle, physical address Oxford Circus, 33 Cavendish Square, W1G 0PW London, United Kingdom or by writing to the Data Protection Officer at dataprivacy@arvelletx.com.
  9. Complaint
    If You believe that your personal data has been processed unlawfully, You have the right to lodge a complaint with the data protection authority (the UK Information Commissioner’s Office). For more information please consult the website of the UK data protection authority: https://ico.org.uk/make-a-complaint/.
    The complaint can also be made to a data protection authority other than that of the UK, if said data protection authority is that of the state in which You have your habitual place of residence or of the place where the alleged breach took place.
  10. Changes to this policy
    The constant evolution of our activities could lead to changes in the characteristics of the processing of your personal data described above. As a result, this privacy notice may be subject to changes and additions over time, which may also be necessary in relation to new legislation on the protection of personal data.
    In the event of significant changes to this notice, we will notify You accordingly.