Privacy notice for medical information, safety vigilance and product quality complaints
Scope of this notice
At Santen SA (Santen SA, La Voie-Creuse 14, 1202, Geneva, Switzerland, www.santen.eu) (hereafter “Santen”, “we”, “our” or “us”), we respect your privacy and we take all reasonable efforts to collect and process your personal data in accordance with applicable data protection and privacy laws and regulations, at the community or national level. This privacy notice is intended to explain how Santen and its affiliates within and outside the European Economic Area (EEA) (each acting as a Data Controller) will collect and process your personal data for the purposes of management of medical information enquiries, pharmacovigilance and product vigilance reports (also known as safety vigilance) and product quality complaints related to Santen medicinal products or medical devices.
Purpose & legal basis for processing
Any personal data provided by you will be processed exclusively for the management of medical information enquiries, safety vigilance reports and product complaints and compatible purposes. If we need to process and retain your information for additional purposes we will inform you accordingly and we will request your consent (where relevant).
a) Medical information enquiries
Any personal data provided by you to Santen which relates to a medical enquiry may be used to process your enquiry appropriately, follow up with you to request additional information and to respond to your enquiry. After handling your enquiry, we will also further maintain a record of your enquiry and related personal information, for as long as necessary, in a medical information database for future historic reference, record keeping, auditing and compliance purposes as well as for the establishment, exercise or defence of legal claims. Where required by applicable law (such as for safety vigilance and product quality and safety purposes), we will also share your enquiry with the relevant internal function within Santen and we may also be required to report the relevant safety and quality data to regulatory authorities in and outside of the EEA. Your data will not be used for any other purposes. If you do not wish to provide your personal details to us, we will not be able to contact you or further deal with your request.
We collect and process your data to respond to your inquiries and to comply with our legal obligations and industry codes to provide a medical information service for our medicinal products and medical devices. We will also rely on our legitimate interests to further store and maintain medical information related data, to the extent required, in a medical information database for future historic reference, record keeping, auditing and compliance purposes as well as for the establishment, exercise or defence of legal claims.
If your medical information enquiry consists of or requires the further reporting of an adverse event, your data (including special categories of personal data) will be processed to comply with our legal safety vigilance obligations imposed on Santen by European and local health vigilance laws and regulations. If your medical enquiry consists of a product complaint, your data may be processed to comply with our legal obligations in the context of drug & product safety.
b) Safety vigilance reports
Any personal data provided by you, as a patient, or as a reporter in general, to Santen, which relates to the reporting of adverse events or other safety vigilance related activities will be collected and used solely for such safety vigilance management purposes. In particular, we will collect and use such data to investigate the adverse event, to follow up with the patient, the patient’s doctor or the reporter in general, to collect additional information about the adverse event and/or to provide healthcare where necessary, to analyse the safety of the product by combining and collating the information from one adverse event with information about other adverse events and to provide relevant safety vigilance reports to the competent regulatory authorities in and outside of the EEA and to maintain any safety vigilance related information in a safety vigilance database for as long as necessary for future historic reference, record keeping, auditing and compliance purposes, as well as for the establishment, exercise or defence of legal claims.
We will collect and process your data (including special categories of personal data) to comply with legal pharmacovigilance obligations imposed on Santen by European and local safety vigilance laws and regulations. The collection of any health-related information is necessary for reasons of public interest in the area of public health and aims at the detection, assessment and understanding of adverse events and any other medicine-related problem as well as to ensure compliance with high standards of quality and safety of health care and medicinal products, devices or products in accordance with applicable data protection laws.
c) Product (quality) complaints
Any personal data provided by you to Santen which relates to a product (quality) complaint will be used solely for the purposes of managing such product complaints. We will collect and process your data in order to comply with our legal obligations in the context of drug quality and safety.
This information is very important for reasons of public health and will be used for the evaluation, classification and assessment of the product complaint, to follow up on such requests for healthcare purposes, to request additional information and/or to respond to you. We will also use such information to analyse the quality and safety of our product by combining and collating the information from one product complaint with information about other product complaints and to provide relevant product quality reports to the competent regulatory authorities in and outside of the EEA; we will also store and maintain any product complaint related information, except personal data of reporters that are not healthcare professionals, in a product quality management database for as long as necessary for future historic reference, record keeping, auditing and compliance purposes, as well as for the establishment, exercise or defence of legal claims. We may also be required to report the data to competent regulatory authorities in and outside the EEA.
Categories of personal data processed
The type of information that we collect from you will depend on the type of the processing activity and the data subject concerned:
a) Medical information enquiries
For managing medical information enquiries we may collect the name and surname of the requestor, their contact details (such as phone numbers and email addresses) and the affiliation or profession of the individual making the enquiry (if it is a customer or a healthcare professional).
b) Safety Vigilance reports
Personal data relating to the Patient:
- Patient’s name and contact details (address, e-mail address, phone number or fax number) needed, if patient is also the reporter, for effective follow-up activities;
- Date of birth/age/age group, sex, weight, height;
- Information about health, racial or ethnic origin and sexual life; and
- Medical history and status, which may for example include administered treatments, test results, nature of the adverse effect(s), personal or family history, associated diseases or events, risk factors, information on how medicinal products are prescribed and used and on the therapeutic conduct of the prescriber or of the health professionals involved in the management of the disease or adverse health event.
Personal data relating to the Reporter:
- Reporter’s Name;
- Contact details (address, e-mail address, phone number or fax number) needed to perform effective follow-up to ensure complete and accurate data are collected;
- Profession; and
- Relationship with the subject of the report.
c) Product quality complaints
We may collect the name, contact details and affiliation/profession of the individual reporting the complaint. We may collect some additional personal data related to health and medical history of the individual affected by the product complaint if such information is relevant to evaluate, classify and assess the product complaint.
Recipients of your personal data
Santen may share your data among its affiliates worldwide, business partners and service providers, where required to operate a Santen global or regional Medical Information database, a Santen global or regional safety vigilance database, a Santen global or regional product complaint database and fulfill its obligations deriving from relevant medical information, safety vigilance legislation and/or legislation regarding drug quality and safety.
Where our processing activities are outsourced to third party service providers, these entities will be acting for and on our behalf as data processors; in such cases we ensure that binding data processing agreements are in place and that such entities and their representatives and sub-contractors operate strictly under our instructions and only to the extent they are authorised to do so or are required to do so by applicable laws and company policies. All third parties acting on behalf of Santen are required to be appropriately trained and aware of their data protection obligations and to implement appropriate technical and organisational security measures.
Santen is also obliged to report certain pharmacovigilance and product relevant information to Health Authorities worldwide, National or foreign public bodies in charge of vigilance in the exercise of their tasks as defined by law, foreign national health authorities or agencies and international health authorities or agencies (e.g. European Medicines Agency), including those with a different level of data protection compared to the EU. These reports will contain details about the incident but will only contain limited (non-identifying) personal data and in particular:
- Patients: Information as provided, including date of birth/age/age group and gender (note that patient name will never be provided)
- Reporting Individuals: Information as provided to allow the regulatory authority to follow up with the reporting individual, including name, profession, initials (to identify any duplications), address, email, phone number.
In the exchange of data within Santen, business partners and service providers, your personal data may be transferred to third countries (countries outside the EU/EEA) that do not provide the same level of data protection as the country of your residence or place of work. Where data relating to medical information, safety vigilance or product quality will be transferred to countries outside the EEA, Santen will ensure the adequacy of the recipient country and the security of the processing of personal data being transferred.
Within Santen we have implemented appropriate technical and organisational security measures, that are appropriate to the risk and the nature of the processing, in accordance with applicable laws and regulations, including any generally approved industry standards, as well as any guidance or standards issued by any competent data protection authority, to safeguard personal data (incl. special categories of personal data) being collected and processed in relation to the management of medical information enquiries, safety vigilance reports and product quality complaints, including safeguards and procedures designed to restrict access to personal data to those employees who are authorised to do so and on a need to know basis in accordance with their roles and responsibilities.
Moreover, we maintain physical, electronic and procedural measures with due regard to the risks presented by the processing in question, to safeguard the security of the processing of the personal data and in particular, at the time of collection, during their transmission as well as during storage, to prevent them from being distorted, damaged or accessed by unauthorised third parties.
Your personal data will be kept for the time strictly necessary for the above-mentioned purposes and in accordance with applicable legal and regulatory requirements governing storage and reporting of related information.
Safety vigilance: As information related to pharmacovigilance (reports about adverse events) is important for public health reasons, in the absence of a legally imposed retention period, the relevant safety data will not be stored for more than 70 years from the date on which the medicinal product, device or product is withdrawn from the market. At the end of these periods the data will be deleted or archived in an anonymised form.
Medical information: Personal data retained as part of a medical information inquiry are kept for a minimum of 10 and maximum of 15 years after receipt and closure of the enquiry.
Product complaints: As information related to product complaints and drug safety is important for public health reasons, complaint records, including personal data contained, are kept for a minimum of 5 years.
The above retention periods may be extended if required by law or for other compelling legitimate grounds of Santen, which override the interests, rights and freedoms of the data subjects concerned, or for the establishment, exercise or defence of legal claims.
Information about your rights
You have the right to request from Santen information on the types of personal data we store and the purposes for which we process them. You can also request access to and rectification of your personal data, as well as the restriction of their processing.
The exercise of your rights is subject to the specific conditions set forth in the General Data Protection Regulation (GDPR) and other applicable data protection and privacy laws.
To the extent the processing is based on Santen’s compliance with a legal obligation, your rights to object, to erase data or to data portability will be restricted.
To the extent the processing is based on consent, kindly note that you have the right to withdraw your consent at any time; however, this will not affect the lawfulness of the processing carried out prior to and up to such withdrawal.
If we do not handle your request in a timely manner, or if you are not satisfied with our response to the exercise of these rights, you are entitled to submit a complaint with the competent supervisory authority of your country of residence or place of work.
Further information and contact details of the European competent supervisory authorities can be found here: https://edpb.europa.eu/about-edpb/board/members_en.
All inquiries and requests with respect to the processing of your personal data by Santen or by third parties on Santen’s behalf should be directed to the Santen Privacy EMEA Office by email at: firstname.lastname@example.org.
Last updated: March 19th, 2020