Policy last updated: 24 May 2018
As a pharmaceutical company, we are obligated to:
- perform post-marketing pharmacovigilance;
- provide medical information to unsolicited requests; and
- respond to quality complaints.
Those obligations require us to process certain personally identifiable information (“Personal Data”) to ensure the safety of patients and to ensure that we can respond to questions from the public and healthcare professionals. We are also required to process such Personal Data to follow up and gather information on any complaints or concerns about the quality of our products, and to comply with strict obligations to report suspected adverse reactions or events, however the company receives them, to relevant regulatory authorities. We will also process such Personal Data to establish whether any reports or information we receive are unique, or whether they are duplicates of previous reports. All of these tasks are referred to in this document as the “Purposes”.
This policy is designed to provide a summary of how we process Personal Data for the Purposes, in line with our obligations under the EU General Data Protection Regulation ((EU) 2016/679) (“GDPR”).
For the purposes of the GDPR, Bayer is the “data controller” in respect of the Personal Data processed for the Purposes. If you have any questions about this policy or about how we use your Personal Data, please contact us via our contact details at the end of this policy.
We will only process your Personal Data for the Purposes where necessary for compliance with our legal and/or regulatory pharmacovigilance obligations.
1. Personal Data we process for the Purposes
We may need to process the following Personal Data about a patient in order to comply with our legal obligations, for example to respond to a request or information received from a healthcare professional or patient, or to make an effective safety data analysis and to comply with the Purposes:
- Patient name and / or initials;
- Unique identification number (e.g. National Insurance or NHS number);
- Date of birth / age group;
- Medical history;
- Medical status;
- Email address / online identifier;
- Residential address;
- Telephone and / or mobile number;
- Voice recordings (e.g. taped telephone conversations);
- Photos / videos (if you provide these to us);
- Religious or philosophical beliefs;
- Sex life / sexual orientation;
- Genetic / biometric data; and
- Personal data relating to children.
Please note that we collect and process the minimum Personal Data necessary in order to comply with our legal obligations in respect of the Purposes.
We also process Personal Data related to the reporter of the suspected adverse reaction or other information received, who may be a healthcare professional or provider, family member or the patient. This Personal Data includes name and contact details (including job title, clinic / institution name and address, email address, telephone number, fax number). We require this information in order to follow up with the reporter, as necessary, to ensure complete and accurate data are collected, and to establish whether any reports or information we receive are unique, or whether they are duplicates of previous reports.
2. Use of your Personal Data for the Purposes
We will only use your Personal Data where the law allows us to and in order to comply with the Purposes.
3. Sharing/disclosure of your Personal Data for the Purposes
We do not disclose or share any Personal Data for the Purposes except as permitted by law or as set out below.
We will disclose Personal Data in respect of a suspected adverse event or reaction or a complaint or concern about the quality of our products to relevant regulatory authorities as required to fulfil our legal and regulatory obligations.
We will share your Personal Data within the Bayer group as necessary for the Purposes.
We will also share Personal Data processed for the Purposes as necessary with our third party service providers who provide services or functions on our behalf. These third party service providers may include database providers, call centre operators, and in the event that you disclose your Personal Data to our market researchers, that particular market research provider. Please note that we have appropriate data protection safeguards in place with our third party service providers with whom we share Personal Data and who are providing services or functions on our behalf.
4. Keeping your Personal Data secure
We have implemented appropriate technical and organisational measures to safeguard Personal Data processed for the Purposes, including safeguards and procedures designed to restrict access to Personal Data to those employees who need it to perform their job responsibilities.
We maintain physical, electronic and procedural safeguards that comply with applicable law, including the GDPR, to safeguard Personal Data from accidental loss, destruction or damage and unauthorised access, use and disclosure.
5. Retention periods for use of your Personal Data
We will delete permanently or anonymise any Personal Data which is no longer necessary.
6. Access to and control over your Personal Data
You have legal rights under applicable law in relation to your Personal Data. You can ask the following questions, or take the following actions, at any time by contacting us via email:
- see what Personal Data we hold about you (if any), including why we are holding it and who it could be disclosed to;
- ask us to change / correct your Personal Data;
- ask us to delete permanently your Personal Data;
- object to the processing of your Personal Data;
- ask us to restrict the processing of your Personal Data;
- withdraw any consents you have given us to the processing of your Personal Data; and
- express any concerns you have about our or third parties’ use of your Personal Data to your national data protection regulator.
Please note that some of these rights may be limited in certain circumstances, for example where we are required by law to collect and retain minimum information relating to persons who have suffered a suspected adverse reaction or event to the company’s medicinal products in order to monitor quality or safety.
7. Transfers of your Personal Data for the Purposes
We may need to transfer your Personal Data within the Bayer group for the Purposes. We may also need to share your Personal Data with our third party service providers and regulatory bodies, as described above, which may be based outside the European Economic Area (“EEA”).
Unless a legal derogation applies under applicable law, whenever we need to transfer your Personal Data out of the EEA for the Purposes, we ensure a similar degree of protection is afforded to it by ensuring that we have a data transfer agreement incorporating specific protective clauses approved by the European Commission in place with the recipient of the data, or we otherwise insert protective clauses into our agreements with third parties, or some other similar applicable international transfer protection mechanism is in place as permitted under the GDPR, to endeavour to ensure that the Personal Data transferred is processed in accordance with applicable law.