The company Angelini Pharma S.p.A. (hereinafter “Angelini” or “Controller”), pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation, hereinafter referred to as the “GDPR”), and Legislative Decree 196/2003 (Privacy Code), provides you with the following information on the processing of your personal data, regarding contents you may have disclosed (e.g., opinions, information, digital contents, communications, requests, adverse events reports, etc. relating to Angelini or to its products or services) – normally on your own or with your consent – on “social media” such as websites, blogs, forums, social networks (especially profiles/pages managed by the Controller), etc. (hereinafter, “Social Media”).
1. Data Controller and Data Protection Officer (DPO)
The Controller is Angelini Pharma S.p.A., with registered office at Viale Amelia n. 70, 00181 – Rome, Italy, e-mail: firstname.lastname@example.org.
The Controller has appointed a Data Protection Officer (DPO), who can be contacted directly at the following addresses: Data Protection Officer – DPO c/o Angelini Pharma S.p.A., Viale Amelia n. 70, 00181 – Rome, Italy, e-mail: email@example.com.
2. Purposes of processing and legal basis
Your personal data will be processed, in compliance with the law in force, in a fair, lawful and transparent manner for the purposes set out below and according to the following conditions of lawfulness (Legal basis of the processing).
| Purposes of the processing | Legal basis of the processing |
|---|---|
| a) Understanding the audience opinion regarding Angelini, as well as its products and services, through the analysis of contents disclosed on Social Media, in order to take actions to protect its reputation, as well as the image of its products and services [Social Media Monitoring]. This activity does not imply a monitoring or profiling of Social Media users, but the collection and analysis of the contents disclosed on Social Media, which may contain users’ personal data (normally published on their own or with their consent). | Processing of your personal data for this purpose is based on legitimate interest pursued by the Controller (Art. 6.1.f, GDPR) to protect its own reputation, as well as the image of its products and services. On request, the Controller may give you information about the assessment on this legitimate interest made by the Controller. |
| b) Proper and comprehensive management of any communication or request (e.g., for information) you may send to Angelini via Social Media (especially profiles/pages managed by the Controller) [management of your requests]. | Processing of your personal data for this purpose is necessary for the performance of a contract or precontractual measures (here construed as the “legal relationship” established between yourself and the Controller, in order to take steps at your possible request) (Art. 6.1.b, GDPR). |
| c) Proper and comprehensive management of reports relating to pharmacovigilance. In particular: (i) to investigate the adverse events; (ii) to contact the reporting subject to obtain, if necessary, further information than that already given (“follow-up”); (iii) to compare information on the adverse event with information on other adverse events received by the Controller to analyse the security of the product as a whole or of its generic component or active substance; (iv) to give to competent authorities requested information, in order to allow them to analyse the security of the product as a whole or of its generic component or active substance. | The processing of your personal data for this purpose is a legal obligation (Art. 6.1.c, GDPR). |
| d) Compliance with legal obligations. In certain circumstances, legislation obliges Angelini to use your personal data (especially communications provided for by law or for administrative/accounting/fiscal reasons) [compliance with legal obligations]. | The processing of your personal data for this purpose is a legal obligation (Art. 6.1.c, GDPR). |
3. Categories of data processed
The Data Controller will process the following categories of your personal data:
- in case of Social Media monitoring (purpose pursuant to paragraph 2, letter a), your personal data included in contents disclosed on Social Media, such as personal details (e.g., name, last name, postal address, etc.), pseudonymous data (e.g., nickname, username, etc.), appearance or voice data (e.g., photographs, footage or voice messages);
- if you should submit communications or requests to Angelini, your personal data necessary to the correct management of communication or request you made via Social Media (in particular, name and surname, postal address, e-mail address and phone number) and any other personal data you may include in your message or in any content you send to the Controller (for the purpose pursuant to paragraph 2, letter b);
- if you should make any reports in relation to pharmacovigilance, the data necessary to comply with the related legal obligations assigned to the Controller (for the purpose pursuant to paragraph 2, letter c). More specifically, as “reporting party”, as a guarantee of the exactness and pertinence of data and its verifiability for the purpose of the scientific assessment of the reports: e-mail address or telephone number, to obtain, if necessary, additional information with respect to that already communicated (“follow-up”); and, in order to manage the report correctly, any classification as medical-health care professional (for example doctor, dentist, nurse, pharmacist, medical examiner) or type of non-health care professional, such as patient, attorney or person in relation to the subject to whom the report refers (for example friend, relative, assistant). As the subject to whom the report refers (the “patient”): initials of name and surname, city and country of residence, age (or age range) and/or date of birth, gender, height and weight and data relating to sex life or which reveals racial or ethnic origin, health of the subject (medical history, any current or previous pathologies, pharmacological and non-pharmacological therapies, pregnancy, breast-feeding) (“special categories of data”) concerned by pharmacovigilance obligations, in particular in respect of “Safety information” on the medicinal product, such as adverse reactions, special situations (abuse, overdose, improper use (misuse), therapeutic error, “off-label” use, occupational exposure), exposure during pregnancy or breast-feeding, with or without associated adverse reactions, lack of efficacy or suspected transmission of infectious agent through the medicinal product;
- all data necessary to comply with legal obligations (for the purpose pursuant to paragraph 2, letter d) such as, for example, your contact data for communications required by the law or the authority.
4. Data sources
Your personal data will be obtained by the Controller:
- directly from you and your interaction with the Controller;
- from Social Media on which your personal data are disclosed (if they are publicly accessible).
5. Nature of data conferral
The conferral of your personal data for the Social Media monitoring (purpose pursuant to paragraph 2, letter a) is completely optional: the Controller will process exclusively your personal data included in contents disclosed on Social Media.
The conferral of your personal data in order to manage your requests (purpose pursuant to paragraph 2, letter b) is necessary to allow the Controller to process your communication: failure to provide such would make it impossible for you to receive a reply to your communication (in particular, to receive a response to a request you make for information or assistance).
Conferral of your personal data for pharmacovigilance (purpose pursuant to paragraph 2, letter c) and to comply with legal obligations (purpose pursuant to paragraph 2, letter d) is mandatory insofar as it derives from provisions of the law.
6. Processing methods
Data processing is carried out using both automated and non-automated tools, with logic strictly related to the purposes of the processing and, in any case, with methods and procedures able to ensure the security and confidentiality of the data.
7. Categories of personal data recipients
For the purposes indicated above (paragraph 2), your personal data may be communicated:
- to persons authorized by the Controller to carry out personal data processing operations (employees or collaborators of the Controller);
- to the data processors appointed by the Controller (for all purposes: providers of computer, technological and telematic services, including data storage and management, technical security measures and technological infrastructure; for Social Media monitoring: providers of the monitoring service of the contents disclosed online; for the management of your requests: providers of the Social Media management service; providers of the consumer service; for pharmacovigilance: providers of the pharmacovigilance report management service);
- to autonomous controllers (for the management of your requests: providers of the web-based/online telecom and communication services, couriers and dispatch companies; for pharmacovigilance: national and European medicine and drug agencies, other pharmaceutical companies, including companies of the Angelini Pharma Group, bound to the Controller by license contracts and distribution agreements for pharmaceutical products or in the case of transfer of marketing authorizations for the pharmaceutical product; to comply with legal obligations: public authorities).
Your data may also be transmitted in accordance with the law to police, judicial and administrative authorities, for the detection and prosecution of crimes, prevention and safeguard from threats to public security, to allow the Controller to establish, exercise or defend a right in court, as well as for other reasons related to the protection of the rights and freedoms of others.
8. Data retention period
We store your personal data for a limited period depending on the purpose of processing. After the expiry of this period, your data will be permanently deleted or in any case irreversibly anonymised.
Your personal data will be stored in accordance with the terms and criteria specified below:
- for the Social Media monitoring (purpose pursuant to paragraph 2, letter a), for a maximum period of 90 (ninety) days from their collection;
- for the management of your requests (purpose pursuant to paragraph 2, letter b) for a maximum period of 6 (six) months from the proper and comprehensive management of your request;
- for pharmacovigilance (purpose pursuant to paragraph 2, letter c) as long as the medical product is authorised and for at least 10 (ten) years after the marketing authorisation has expired;
- to comply with legal obligations (purpose pursuant to paragraph 2, letter d) for a maximum period of 10 (ten) years from when the calendar year ends during which the Controller has complied with the legal obligation, in order to document and be able to show correct compliance with the law.
For technical reasons, the termination of the processing and the consequent deletion of your personal data, or its anonymization, will take place within 30 (thirty) days from the terms indicated above.
This is without prejudice to cases where retention for a longer period is required for any litigation, requests by the competent authorities or under applicable law.
9. Transfer of personal data outside the EU/EEA
Your personal data may be transferred to countries outside the European Union (EU) or the European Economic Area (EEA) which, however, offer an adequate level of data protection, as established by specific resolutions issued by the European Commission (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).
The transfer of your personal data to countries that do not belong to the EU/EEA and that do not ensure adequate levels of protection will be carried out only after the Data Controller and the recipients of the data have concluded specific agreements, containing safeguard clauses and appropriate guarantees for the protection of your personal data, so-called "standard contractual clauses", also approved by the European Commission (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en), or if the transfer is necessary for the management of your requests.
10. Rights of the data subject
As data subject, you have the right to:
- have confirmation as to whether or not personal data concerning you are being processed and, if so, to obtain access to the data and related information (in particular, the purposes of the processing; categories of personal data processed; recipients or categories of recipients to whom the data have been or will be communicated; the period of data retention or the criteria for determining it; the existence of the right to rectify or erase the data or to limit or oppose the processing; the right to lodge a complaint with a supervisory authority; the origin of the data; the possible existence of an automated decision-making process, including profiling and, in such cases, significant information on the logic used and the importance and expected consequences of such processing for the data subject; the appropriate safeguards in case of transfer of personal data outside the EU/EEA), as well as a copy of such personal data, provided that this does not harm the rights and freedoms of others (right of access);
- obtain the rectification of your personal data, i.e., to obtain the correction, modification or updating of any inaccurate or no longer correct data, as well as to obtain the supplement of incomplete personal data, including by providing an additional statement (right of rectification);
- request the deletion of your personal data when these (i) are no longer necessary with respect to the purposes for which they were collected or processed, or (ii) they have been processed unlawfully, or (iii) they must be deleted in order to comply with a legal obligation, or, finally, (iv) you have objected to the processing (see below “right to object”) and there are no overriding legitimate grounds that allow the Controller to proceed with the processing in any case (right to be forgotten). Deletion may not be carried out if, in particular, the processing is necessary for the fulfilment of a legal obligation or for reasons of public interest or for the establishment, exercise or defence of legal claims;
- obtain a restriction on the processing of your personal data, i.e., that the Controller retains such data without being able to use them. This right can be exercised only when, in particular, (i) the accuracy of the personal data is contested, for the period necessary for the Controller to verify the accuracy of such data, or (ii) the processing of the data is unlawful and a restriction on the use of the data is requested, instead of their deletion, or (iii) although the Controller no longer needs them for the purposes of processing, the personal data are necessary for you to establish, exercise or defend a right in court or (iv) you have objected to the processing (see below “right to object”) pending the verification whether the legitimate grounds of the Controller override those of the data subject (right to restriction);
- obtain from the Controller your personal data, processed because of a contract, in a standard format, and that they are transferred, where technically possible, directly to a third party indicated by you (right to data portability).
In addition, as a data subject, you also have the right to object, that is:
- to object, on grounds relating to your particular situation, at any time to processing of your personal data for Social Media monitoring (based on the Controller’s legitimate interest): you can exercise this right by contacting the Controller. In this case, the Controller will refrain from further processing your personal data, unless it demonstrates the existence of mandatory legitimate grounds which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
To exercise these rights, you may contact the Controller at any time, by writing to Angelini Pharma S.p.A., physical address: Viale Amelia, n. 70, 00181, Rome, Italy or to the email address: firstname.lastname@example.org or by writing to the Data Protection Officer (DPO) c/o Angelini Pharma S.p.A, physical address: Viale Amelia, n. 70, 00181, Rome, Italy or email address: email@example.com.
If you believe that your personal data has been processed unlawfully, you have the right to lodge a complaint with the data protection authority (in Italy the Garante per la protezione dei dati personali, for more information www.garanteprivacy.it).
The complaint can also be made to a data protection authority other than that of Italy, if said data protection authority is that of the EU Member State in which you have your habitual place of residence or of the place where the alleged breach took place.
12. Changes to this notice
The constant evolution of our activities could lead to changes in the characteristics of the processing of your personal data described above. As a result, this privacy notice may be subject to changes and additions over time, which may also be necessary in relation to new legislation on the protection of personal data. In the event of significant changes to this notice, we will notify you accordingly.
Last Update 27 July 2021