We take the security and privacy of your personal data seriously. We need to gather and use information or ‘data’ about you as part of our business and to manage our relationship with you. We intend to comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security. We have a duty to notify you of the information contained in this policy.
We have separate policies and privacy notices in place in respect of employees and consultants working with Aguettant.
This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data and keep it safe.
Aguettant Ltd will hold data in accordance with our Data Retention Policy. We will only hold data for as long as necessary for the purposes for which we collected it.
We have measures in place to protect the security of your data in accordance with our IT Security Policy.
We are a ‘data controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data.
This policy explains how we will hold and process your information. It explains your rights as a ‘data subject’.
Data Protection Principles
Personal data must be processed in accordance with six ‘Data Protection Principles’; it must:
• Be processed fairly, lawfully and transparently;
• Be collected and processed only for specified, explicit and legitimate purposes;
• Be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
• Be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
• Not be kept for longer than is necessary for the purposes for which it is processed; and
• Be processed securely.
We are accountable for these principles and must be able to show that we are compliant.
How we define personal data
‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data.
When we collect personal data
• Personal data will be provided or created during our business relationship with you. For example, when you create an account with us.
• Personal data might be provided to us by you when you visit our website or when you enquire about or purchase our products.
• When you contact us by any means with queries, complaints, pharmacovigilance etc.
What personal data we collect:
• Your contact details; including name, job title, place of work and contact email address.
• Details of your interactions with us through email, phone, or online.
How we define processing
‘Processing’ means any operation which is performed on personal data such as:
• Collection, recording, organisation, structuring or storage;
• Adaptation or alteration;
• Retrieval, consultation or use;
• Disclosure by transmission, dissemination or otherwise making available;
• Restriction, destruction or erasure.
This includes processing personal data which forms part of a filing system and any automated processing.
How and why we process your personal data?
We will process your personal data in accordance with our obligations under the 2018 Act.
• To respond to your complaints and to fulfil our obligations in regard to the Human Medicines Regulations (HMR) 2012. For example, in accordance with the Guideline on Good Pharmacovigilance Practice (GPvP), we would process your personal data in order to report an undesirable effect that you notify to us.
• To send you communications required by law or which are necessary to inform you about a product, for example product recall notices and legally required information relating to our products. These messages will not include any promotional content and do not require prior consent when sent by email or post message. If we do not use your personal data for these purposes, we would be unable to comply with our legal obligations.
• To comply with our contractual or legal obligations to share data with law enforcement.
• To process any orders that you place with us.
• To respond to your queries about our products and services within the framework of the Prescription Medicines Code of Practice Authority (PMCPA) code.
• As part of our business relationship with you and based on our legitimate business interest, we may contact you to inform you about other relevant products, services and events.
• With your consent and within the framework of the Prescription Medicines Code of Practice Authority (PMCPA) code, to send you relevant, personalised marketing communications in relation to services and products. You are free to opt out of hearing from us at any time.
Sharing Your Personal Data
We do not sell, rent or share your personal information with outside third parties. In order to provide our services, we sometimes share your personal data within the Aguettant Group and/or to other trusted companies who work on our behalf.
The policy we apply to those organisations to keep your data safe and protect your privacy:
• We provide only the information they need to perform their specific services.
• They may only use your data for the exact purposes we specify in our contract with them.
• We work closely with them to ensure that your privacy is respected and protected at all times.
• If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
Examples of the kind of companies we work with are:
• IT companies who support our website and other business systems.
• Operational companies such as our delivery partners.
• Pharmacovigilance and regulatory service providers.
We do not send your personal data outside the European Economic Area.
How long we keep your personal data
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.
At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
How we deal with data breaches
We have robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur (whether in respect of you or someone else) then we must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals, then we must also notify the Information Commissioner’s Office within 72 hours.
In most situations we will not rely on your consent as a lawful ground to process your data. If we do however request your consent to the processing of your personal data for a specific purpose, you have the right not to consent or to withdraw your consent later. To withdraw your consent, please contact us or click the ‘unsubscribe’ link in the email communication that we send you.
Making a Complaint
You have the right to complain to the Information Commissioner. You can do this by contacting the Information Commissioner’s Office directly. Full contact details, including a helpline number, can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on your rights and our obligations.
Your rights over your personal data
You have the right to request:
• Access to the personal data we hold about you, free of charge in most cases.
• The correction of your personal data when incorrect, out of date or incomplete.
You can contact us to request to exercise these rights at any time.
If we choose not to action your request, we will explain to you the reasons for our refusal.
You have the right to request that we erase your personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected.
Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent. We must always comply with your request and would:
• stop using your personal data for marketing purposes (either through specific channels, or all channels).
• stop any consent-based processing of your personal data after you withdraw that consent.
Where we rely on our legitimate interest
In cases where we are processing your personal data based on our legitimate interest, you can ask us to stop for reasons connected to your individual situation.
We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.