1. How We Use Your Personal Data
We will only use your personal data when applicable law allows us to do so. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract that we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
- Where it is necessary for scientific research purposes.
We may also use your personal data in the following situations, which are likely to be rare:
- Where we need to protect your interests (or someone else’s interests).
- Where it is needed in the public interest or for official purposes.
Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to clinical studies in some countries in Europe.
| Purpose / Activity | Category of Personal Data | Lawful Basis |
|---|---|---|
| To register you as a new client, contractor or employee | Identity; Contact | Performance of a contract with you |
| To process and deliver your service or order, including managing payments and recovering money owed | Identity; Contact; Financial; Transaction; Marketing & Communications | Performance of a contract; legitimate interests (recover debts) |
| To manage our relationship with you (notifying of policy changes, surveys, employee administration) | Identity; Contact; Profile; Usage; Financial | Performance of a contract; legal obligation; legitimate interests |
| To enable you to complete a survey | Identity; Contact; Profile; Usage | Performance of a contract; legitimate interests |
| To administer and protect our business and website | Identity; Contact; Profile; Technical; Usage | Legitimate interests; legal obligation |
| To deliver relevant website content and advertising | Identity; Contact; Profile; Usage; Technical | Legitimate interests (marketing strategy) |
| To use data analytics to improve our website and services | Technical; Usage | Legitimate interests |
| To conduct a research programme | Identity; Contact; Financial; Special Categories (Health Data) | Consent (mainland Europe); legitimate interests / scientific research (UK) |
2. Clinical Trial Data
We undertake clinical studies within the EEA/UK and we will use information from subjects’ medical records and other health data in order to improve healthcare. As a pharmaceutical organisation, we have a legitimate interest in using information relating to your health for research studies, when you agree to take part in a research study.
Article 9(1) GDPR contains a general provision not to process special categories of data. Depending on the country of study, the exception we rely on is either your explicit consent or that processing is necessary for scientific research purposes in accordance with Article 89(1) GDPR.
Your rights to access, change or move your information are limited, as we need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum personally-identifiable information possible.
3. Change of Purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis.
4. International Transfers of Personal Data
The processing of your personal data may involve a transfer of data outside the UK/EEA. Whenever we transfer your personal data out of the UK/EEA, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Regarding transfers to the US, we incorporate the model clauses in agreements for transfer provided by the European Commission in order to provide similar protection to personal data shared within Europe.
5. How Long We Retain Your Personal Data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
In some circumstances we may anonymise your personal data for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
6. Your Data Protection Rights
Under certain circumstances, visitors from the UK and within the EEA have the following data protection rights:
- Access to your personal data
- Correction of your personal data
- Erasure of your personal data
- Objection to processing of your personal data
- Restriction of processing your personal data
- Transfer of your personal data
- Withdrawal of consent previously given
If you wish to exercise any of the rights set out above, please contact our DPO at sar@thedpo.co.uk. You can also contact the Supervisory Authority in the country of your residence within the UK/EU for advice or to make a complaint.
We try to respond to all legitimate requests within one month. We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.