Date: 2020.11.24
At Xellia Pharmaceuticals ApS (“Xellia”/“we”/“our”/“us”), data protection and confidentiality are a high priority. This Privacy Policy applies to our processing of personal data, sets out the guidelines for Xellia’s processing of your personal data, and provides you with the information you have the right to receive according to applicable data protection law.
1. Data controller
The data controller responsible for processing your personal data is:
Xellia Pharmaceuticals ApS
Company registration no.: 61094628
Dalslandsgade 11
2300 Copenhagen S
E-mail: dataprivacy@xellia.com
2.a Pharmacovigilance
Types of personal data, purposes and legal basis
We process the information that you, your family, legal representative or health care professionals provide directly to us in relation to reporting of adverse events/adverse drug reactions. If the adverse events/adverse drug reactions have been reported to one of our distributors or other data processors, we may also receive adverse event/adverse drug reaction reports from these parties.
Depending on your role (category of data subject), we process your personal data for different purposes and therefore with different legal bases:
- Patient subject to adverse events/adverse drug reactions:
When processing personal data of the end-user (e.g. patient subject to the adverse event/adverse drug reaction), we process the following types of data: initials, gender, age, medical history, type of medicine (i.e. our pharmaceutical product), sickness, and other relevant medical data that may be contained in the reporting. The purpose of this processing is the fulfillment of our legal obligation to file a report on adverse events/adverse drug reactions in accordance with the General Data Protection Regulation (“GDPR”) article 6(1)(c) and article 9(2)(i) cf. Danish Data Protection Act section 7(3).
- Reporter of adverse events/adverse drug reactions:
If you are the reporter of adverse events/adverse drug reactions, we may process your full name, professional information, contact data (i.e. phone number, address and/or email). The purpose of this processing is the fulfillment of our legal obligation to file a report on adverse events/adverse drug reactions, including our legitimate interest in identifying and/or contacting you as the reporter of the adverse events/adverse drug reactions, in accordance with the GDPR article 6(1)(f) and article 6(1)(c).
Transfer to data processors and disclosure to other data controllers
In order to pursue the above listed purposes, your personal data may be made available to third party data processors (service providers) providing relevant services under contract to Xellia. Such service providers will only process the personal data in accordance with our instructions, including for reports on adverse events/adverse drug reactions by receiving them, processing the content, etc., and providing IT services.
Some of your personal data will be disclosed to other companies within the Xellia Pharmaceuticals group acting as separate data controllers for administration purposes, but only if these have relevance for the processing of the adverse events/adverse drug reactions in question. Certain personal data will also be disclosed to governmental and other regulatory authorities where required by law. The legal basis for such disclosure is the GDPR article 6(1)(c) and article 9(2)(i) cf. the Danish Data Protection Act section 7(3). Furthermore, we may disclose your personal data to our external lawyer and the courts if the processing is necessary for our legitimate interest in establishing, exercising or defending legal claims in accordance with the GDPR article 6(1)(f) and the GDPR article 9(2)(f).
If your personal data is transferred to data controllers or data processors which are located in countries outside the EU/EEA, including group entities, not ensuring an adequate level of data protection, such transfer will be safeguarded by the EU Commission’s standard contractual clauses.
Retention/deletion of personal data
We will delete your personal data when we no longer need to process them in relation to one or more of the purposes set out above, hereunder if we are under a legal obligation to retain the data. However, we will not keep the data longer than 10 years after expiration of marketing authorization. Nevertheless, the data may be processed and stored for a longer period in anonymized form in order for us to improve the pharmaceutical products.
2.b Contact information of suppliers and customers
Types of personal data, purposes and legal basis
If you are the contact person of our supplier or customer, we may process your contact information, including name, job title, work email address, signature and work phone number.
We may process your personal data for the administration of our business relations, including being able to communicate with you, when sending finalized agreements, and in connection with invoicing and accounting. The processing of your personal data is based on either GDPR article 6(1)(b) (necessary for the performance of a contract between the company that you represent and Xellia), GDPR article 6(1)(c) (legal obligation that follows from bookkeeping legislation) or GDPR article 6(1)(f) (our legitimate interest in being able to run our business and to be able to manage Xellia’s business relationship, including being able to communicate with you).
Transfer to data processors and disclosure to other data controllers
In order to pursue the above listed purposes, your personal data may be made available to third party data processors (service providers) providing relevant services under contract to Xellia. Such service providers will only process the personal data in accordance with our instructions, including in order to provide IT services.
Some of your personal data may be disclosed to other companies within the Xellia Pharmaceuticals group acting as separate data controllers when it is necessary in order to fulfill the contract (GDPR article 6(1)(b)). Furthermore, we may disclose your personal data to our external lawyer and the courts if the processing is necessary for our legitimate interest in establishing, exercising or defending legal claims in accordance with the GDPR article 6(1)(f).
If your personal data is transferred to data controllers or data processors which are located in countries outside the EU/EEA, including group entities, not ensuring an adequate level of data protection, such transfer will be safeguarded by the EU Commission’s standard contractual clauses.
Retention/deletion of personal data
We will store your personal data as long as it is necessary in order to fulfill the contract and up to two years after providing the products / services or after termination of a contract.
Bookkeeping material will be stored for 5 years from the closing of the current financial year.
2.c Website visitors (cookies)
When you use Xellia’s website, personal data related to your behavior and your IP address may be collected through cookies. Xellia may act as a separate data controller in this regard.
The processing of personal data in relation to necessary cookies is based on an agreement between you and Xellia to be able to use the functions of the website (GDPR article 6(1)(b)). The processing of personal data in relation to statistical and preference cookies is based on our legitimate interest in offering you the best possible products and services (GDPR article 6(1)(f)). The processing of personal data in relation to marketing cookies, also based on your preferences, is based on your prior consent (GDPR article 6(1)(a)).
In addition, Xellia will always obtain a valid cookie consent, in accordance with the EU cookie executive order, before cookies are placed on your terminal equipment.
To be able to process personal data in connection with cookies for the above purposes, we may provide access to your personal data for third parties who, on the basis of a contractual relationship with Xellia, provide relevant services, e.g. IT suppliers, analytics companies and suppliers of marketing material. Under certain circumstances Xellia will act as a joint controller with the third parties. For more information on the role of the third parties, deletion of cookies, withdrawal of consent etc., please refer to Xellia’s cookie policy and the cookie pop-up window.
3. Security
We have implemented security measures to ensure that our internal procedures meet our security standards. Accordingly, we strive to protect the quality and integrity of your personal data. This includes encryption of data and use of pseudonymization, whenever applicable. We have internal rules on information security that contain instructions and measures to protect your personal data from being destroyed, lost or altered, against unauthorized disclosure, and unauthorized access to and knowledge of them. Furthermore, all service providers will be subject to strict security requirements.
4. Your rights
You have the right to access the personal data Xellia processes about you, but with certain legislative exceptions. Furthermore, you have the right to have your personal data rectified, erased or blocked, but with certain legislative exceptions.
In certain situations, you have the right to have the data you have submitted to us handed over in a machine-readable format and to have your data transmitted to another data controller.
Moreover, you have the right to object to the collection and further processing of your data, including objection to our processing which is based on our legitimate interest (GDPR article 6(1)(f)).
5. Contact and complaints
If you want to exercise any of your rights, or if you have any questions regarding this Privacy Policy or the processing of your personal data, you may contact the Contingency Team (i.e. the data privacy team) at dataprivacy@xellia.com.
If you wish to appeal against the processing of your personal data, please contact us as indicated above. You may also contact your local Data Protection Agency – contact details can be found here: https://edpb.europa.eu/about-edpb/board/members_en.
As the Xellia Pharmaceuticals headquarters are in Denmark, the lead authority will be the Danish Data Protection Agency (Datatilsynet), e-mail: dt@datatilsynet.dk. However, you may also contact your local data protection agency, which can be found here: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.
6. Changes to this Privacy Policy
We reserve the right to make changes to this Privacy Policy from time to time. The Privacy Policy applicable at any given time will be available at www.xellia.com. In the event of significant changes, you will be notified.