Cyanokit

CUSTOMER PRIVACY POLICY

This privacy policy (the «Policy») covers the use of personal data concerning end users («you», «your») by SERB SA, whose registered office is located at avenue Louise 480, 1050 Brussels, Belgium (hereinafter referred to as the «Company», «we», «us», «our»).

1. WHAT ARE OUR DATA PROTECTION COMMITMENTS?

1.1 The Company is committed to making data protection and privacy a key value.

1.2 The Company undertakes, when processing personal data, to use its best efforts to comply with applicable data protection legislation, including Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the «General Data Protection Regulation» or the «GDPR»), and applicable national laws and regulations on data protection (together, the «Applicable Data Protection Legislation»).

1.3 In particular, your personal data is kept by the Company for periods not exceeding those necessary for the purposes for which it is processed, taking into account the sensitive nature of the data processed, the applicable statute of limitations and the legal or regulatory obligations imposed on the Company. The retention periods are specified in Articles 3.4 and 4.4.

2. WHAT PROCESSING DO WE PERFORM?

(a) Categories of data processed

2.1 The Company processes the following personal data for the purposes described below:

  • Your personal identification data (surname, first name);
  • Your professional identification data (hospital, pharmacy, government entity, civil protection, civil defence, etc.), which will be used to identify you;
  • Your contact data (postal address, telephone, e-mail address, fax);
  • Data relating to your meeting with our medical representatives (time and location of the meeting, data relating to the cost of shared meals, data contained in the comment fields);
  • Where applicable, the personal data you have entered in the contact form on the website or in the complaints you have submitted.

(b) Purposes of processing

2.2 The Company processes your personal data for the following purposes:

  • Follow-up of medical sales representative canvassing activity;
  • Follow-up of invoicing;
  • Follow-up of emailing or postal campaigns;
  • Management of temporary authorisations for use (individual or cohort) (the «ATU»);
  • Monitoring and transparency of the benefits granted;
  • Management of calls for tenders;
  • Verification of product quality;
  • Management of requests for information.

2.3 The collection and processing of your personal data is based on the legitimate interests pursued by the Company, on the performance of the sales contract between you and the Company, if any, and on the legal obligations incumbent on the Company. When they are based on our legitimate interests, these interests do not appear to us to take precedence over your interests and fundamental rights and freedoms.

2.4 The processing of your personal data can be summarised as follows:

| Processing activity | Collected data | Legal basis | Retention period |
|---|---|---|---|
| Follow-up of medical sales representative canvassing activity | Your personal identification data; data relating to your meeting with our medical sales representatives | Legitimate business development interest of the Company | 5 years from collection |
| Follow-up of invoicing | Your personal identification data; your professional identification data; your contact details | Execution of the sales contract between the Company and the customer | 5 years from the issue of the invoice |
| Follow-up of emailing or postal mail campaigns | Your personal identification data; your professional identification data; your contact details | Legitimate business development interest of the Company | Duration of the business relationship, increased by 3 years from the last active contact with the customer |
| Management of ATU | Your personal identification data; your professional identification data; your contact details | Legal obligation | 2 years following the approval by the ANSM of the summary of the last synthesis report. Archiving on an intermediate basis during the MA and then 10 years after its expiry. |
| Monitoring and transparency of benefits granted | Your personal identification data; your professional identification data; your contact details | Legal obligation | 5 years from collection |
| Management of calls for tenders | Your personal identification data; your professional identification data; your contact details | Legitimate interest in the Company’s management of tenders | For prospects: 3 years. With regard to customers: duration of the contractual relationship increased by 5 years |
| Verification of product quality | Your personal identification data; your contact details; personal data contained in the claim form | Legal obligation | 10 years from the date of the claim |
| Information requests | Your personal identification data; your contact details; personal data contained in the contact form on the website | Legitimate interest of the applicant to receive full information on the product | 5 years from application |

3. HOW DO WE COLLECT YOUR DATA?

3.1 We collect your personal data:
– directly from you through our authorised staff, our website or our medical sales representatives, or
– indirectly through ATU forms.

4. WITH WHOM DO WE SHARE YOUR DATA?

4.1 If necessary, we may pass on your personal data to the following recipients:
• Our technical service providers for billing management, CRM, tender management, hosting and archiving;
• Our legal advisers and/or attorneys and those of potential purchasers in the context of restructuring operations, disposals, mergers and acquisitions or litigation;
• Government entities and administrations authorised to access and/or obtain your personal data;
• The courts and tribunals in the event of a dispute involving you;
• The law enforcement authorities in the event of the observation or suspicion of the occurrence of an offence involving you in accordance with or as required by the applicable law.

4.2 In the event of a restructuring, disposal or merger (including reorganisation), we may transfer your personal data to a third party involved in the transaction (for example, a purchaser) in accordance with Applicable Data Protection Legislation.

5. HOW IS THE OUTSOURCING OF YOUR DATA MANAGED?

5.1 We take appropriate steps to ensure that our contractors process your personal data in accordance with Applicable Data Protection Legislation.

5.2 These measures include the signing of a data processing agreement which requires the subcontractors, among other things, to process your personal data only on our instructions, not to engage a second-tier subcontractor without our consent, to take the appropriate technical and organisational measures to guarantee the security of your personal data, to ensure that the persons authorised to access the data are subject to confidentiality obligations, to return and/or destroy your personal data at the end of their assignment or contract, to undergo audits and to provide us with assistance in following up on your requests to exercise your rights in relation to your personal data.

6. ARE YOUR DATA TRANSFERRED OUTSIDE THE EUROPEAN ECONOMIC AREA?

6.1 It is not our intention to transfer your data outside the European Economic Area, with the exception of data communications that we may make to our subcontractors located outside the European Economic Area. Where appropriate, we will implement all appropriate safeguards in accordance with Applicable Data Protection Legislation.

7. WHAT ARE YOUR RIGHTS?

7.1 In accordance with Applicable Data Protection Legislation, you have the right to access, rectify and delete your personal data, the right to object to or limit the processing of your personal data, the right to portability of personal data and the right to define directives concerning the use of your personal data after your death.

| Right | What does this mean? |
|---|---|
| The right of access | You have the right to obtain a copy of your personal data. |
| The right of rectification | You have the right to obtain the rectification of your personal data if they are inaccurate or incomplete. |
| The right to erasure (the «right to forget») | You have the right to obtain the deletion of your personal data. However, the right to erasure (or the «right to forget») is not absolute and is subject to specific conditions. We may retain your personal data to the extent permitted by applicable law, and in particular where processing is necessary to comply with a legal obligation to which the Company is subject or to establish, exercise or defend a right in court. |
| The right to limitation of processing | You have the right to obtain the limitation of the processing in certain circumstances (e.g. when the Company no longer needs your personal data but they are still necessary for the establishment, exercise or defence of a legal right). |
| The right to the portability of personal data | You have the right, in certain circumstances, to receive the personal data concerning you that you have provided to the Company in a structured, commonly used and machine-readable format and to pass it on to another controller. |
| The right to object to processing | You have the right to object to certain types of processing (e.g. when the processing is based on the legitimate interests of the Company). This right does not apply when the processing is based on our legal obligations. |
| The right to withdraw consent | If you have given your consent to the Company’s processing of your personal data, you have the right to withdraw it at any time. |
| The right to define directives concerning the use of your personal data after your death | You can define guidelines for the storage, deletion and disclosure of your personal data after your death. These guidelines may be general or specific. General guidelines are registered with a trusted third party. Special guidelines are stored with the Company. |

7.2 Please send us any request concerning your rights in relation to your personal data by email to dpo@serb.eu. We will deal with your request as soon as possible and always within the time limits provided for by the Applicable Data Protection Legislation. Please note that we may retain your personal data for certain purposes where required or permitted by law.

8. HOW DO WE GUARANTEE THE SECURITY OF YOUR DATA?

8.1 We take appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with your personal data. We follow industry best practices to ensure that personal data is not accidentally or unlawfully destroyed, lost or altered, or subject to unauthorised disclosure or unauthorised access.

9. QUESTIONS AND COMPLAINTS

9.1 To exercise any relevant rights, or for queries or complaints, please contact our Data protection office in the first instance at dpo@serb.eu.

Please note that you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or of an alleged infringement of the GDPR.

In the United Kingdom, the supervisory authority in charge of data protection matters is the Information Commissioner’s Office (ICO) that you may contact by phone (03031231113), by email https://ico.org.uk/global/contact-us/email/ or at the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.

In Belgium, the supervisory authority in charge of data protection matters is the Autorité de protection des données (APD) that you may contact by phone (+32 (0)2 274 48 00), by email https://www.autoriteprotectiondonnees.be/citoyen/agir/contact or at Autorité de protection des données, Rue de la Presse, 35 à 1000 Bruxelles.

10. MISCELLANEOUS

10.1 The Company reserves the right to update this Policy at any time. If we make changes to this Policy, we will notify you so that you are always aware of how we treat your personal data.