Data protection statement of Grünenthal regarding the storage of personal data of health care professionals
A. Data collection, types of data, purpose, legal basis
Personal information we may process are:
I. Occupational personal data
II. Visit documentation
III. Information about your product interests
IV. Information about our contractual relationships with you
I. Occupational personal dataOccupational personal data are for example:
- Address of the doctor's office
- name and specialty of the doctor / the doctors in the practice / clinic / name of the pharmacist
- phone numbers, fax numbers and e-mail address (es)
- logistic data (for example about practice relocation, practice handovers)
- if necessary for hospital doctors, additionally: company / organization, function
- General Medical Council (GMC) identifier
- Name and job title of clinic and nursing staff
We gather occupational personal data from public registers, from private providers (e.g. the company IQVIA Commercial GmbH & Co. KG, formerly IMS GmbH) and from our sales force.
Occupational personal data can be stored and processed by us for different purposes:
- Sending drug safety-relevant information (e.g. Dear Doctor Letter)
- Contacting in case of queries about reported adverse reactions
- Contacting to answer your scientific questions
- Planning for sales force visit
- Sending newsletters or fax, if you have given us a consent for this purpose
- If necessary, sending information material by post
- Documentation and correspondence on contract-related topics
- Complaint management
The legal basis for the storage of these occupational personal data may be: a consent for processing for specific purposes pursuant to Art. 6 (1) a) GDPR granted by you, our legitimate interest under Art. 6 (1) f) GDPR and / or in accordance with Art. 6 (1) (c) GDPR, fulfilment of a legal obligation to which the responsible is subject, for the information exchange relevant for drug safety (e.g. pharmacovigilance).
II. Visit documentation
Our sales force document their visits to your practice in our system. The visit documentation can for example, include the following data:
- date of visit
- Name of the conversation partner
- if applicable, information about giving a sample
- Name of the products that have been discussed
- Indications that have been discussed
- Your voluntary information on product and information interests
- Your voluntary information about the prescription of our products in practice
We use the data collected in the visit documentation.
- to coordinate the visits of our field staff
- for legally required sample documentation
- to plan the submission of informational materials to you
- Anonymised, to identify the interests on our products in the market
The legal basis for the collection and processing of this data may be: a consent granted by you for processing for specific purposes pursuant to Art. 6 (1) a) GDPR, a legitimate interest under Art. 6 (1) f) GDPR and the fulfilment of a legal obligation according to Art. 6 (1) c) GDPR for the purpose of documenting giving away a sample.
III. Information about your product interests and other professional interests
Furthermore, in our system for example the following information about your product interests will be stored:
- product or indication related questions
- product or indication related areas of interests and focus
- scientific / medical and / or occupational fields of interest
- general information about the patient population
- membership in medical associations
- Documentation of the consent ("opt-in") for sending our newsletter
- your interest in a contractual collaboration (lectures, events)
This information is usually collected by our sales force, but may also be collected, when you give your consent, through written requests (such as at congresses).
Information about your product interests and other professional interests will be used for the following purposes:
- Coordination of sales force visits
- Planning the distribution of scientific and other information materials
- Relaying individually tailored information
- Sending newsletters
- Offers for contractual cooperation
- invitations to events
The basis for the collection / storage of data is a consent granted by you pursuant to Art. 6 (1) a GDPR or our legitimate interest under Art. 6 (1) f) GDPR.
IV. Information about our contractual relationship with you
We collect and process data to plan and fulfil our contractual relationships with you. These may include:
- Contract documentation
- Invoices, payment documentation, travel expense reports
- Employer authorizations obtained for hospital doctors
- Documentation of the services provided
- invitations to events
- Covered event costs, travel expenses
- Documentation of participation in events
The data will be collected and stored with us while setting up the contract, insofar as this is necessary for the execution, fulfilment and documentation of the collaboration. The processing serves the following purposes:
- Execution of the contract
- pre-contractual measures
- fulfilment of the legal obligations to establish transparency, fulfilment of documentation requirements ("compliance")
- to disclose payments under local Transparency Codes, if you have consented to
- planning and execution of events
The legal basis for the collection and processing of this data may be a consent granted by you for processing for specific purposes pursuant to Art. 6 (1) a) GDPR (e.g. disclosing payment information in accordance with the Transparency Code), for fulfilling a contract or precontractual measures pursuant to Art. 6 (1 b) GDPR, for fulfilment of a legal obligation under Art. 6 (1) c) GDPR (for the purposes of meeting the requirements of compliance regulations) or a legitimate interest pursuant to Art. 6 (1) f) GDPR.
B. Data security and data transfer
I. IT security
We ensure the safety of the information we collect and process by taking technical and organizational measures to ensure this protection. Access to our systems is strictly personal and purpose based on a graduated authorization concept, that is, only those of our employees may access the data who require access for the particular processing purposes outlined above.
II. Use of service providers
For the collection and processing of your data, we sometimes use service providers. Our service providers are carefully selected and regularly monitored by us. They process personal data on our behalf and strictly in accordance with our instructions on the basis of corresponding contracts for the fulfilment of the tasks according to Art. 28 GDPR.
III. Processing of data outside the EU / EEA
Your data will in principle not be processed in countries outside the European Union ("EU") or the European Economic Area ("EEA"), which generally could have lower levels of data protection than in Europe. Should future processing take place in such countries, we will ensure that a sufficient data protection level is provided e.g. through contractual arrangements with our contractors. A copy of such an agreement could then be obtained on request from our data protection officer, or we ask for your express consent.
C. Affected rights
The following rights are available to you based on applicable privacy laws:
- Right to information about personal data on you stored by us
- Right to deletion or restriction of processing, unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or in the event that the processing serves the enforcement, exercise or defence of legal claims
- Right to correct your personal data
- Right to object to processing that serves our legitimate interest, a public interest or profiling, unless we can establish compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or, in case, that the processing serves the enforcement, exercise or defence of legal claims
- Right to data transferability
- Right to complain to a supervisory authority
- You may withdraw your consent to the collection, processing and use of your personal data at any time from that point in time onwards.
If you want to exercise your rights, please address your request to the contact person mentioned below (D).
D. Responsibility in terms of data protection
In case of any questions regarding our data privacy you can get in touch with our company data protection team at the following address: firstname.lastname@example.org