Data privacy policy
SERVIER preserves your privacy and strives to collect your Personal Data responsibly, pursuant to Regulation 2016/679 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation, hereinafter “GDPR”).
Please refer to the definitions at the end of this data privacy policy regarding the terms with a capital letter.
1. SERVIER’S COMMITMENTS ON DATA PRIVACY
SERVIER is fully committed to ensuring the protection of Personal Data within its organization:
WHY?
To preserve the confidentiality and security of your Personal Data as patients, job applicants, employees, customers and other business partners such as health professionals, medical sales representatives and pharmacists, and any other person whose Personal Data will be processed.
HOW?
- Adopting Binding Corporate Rules (BCRs), whose objective is to ensure that the same level of protection is respected within all SERVIER entities, and to frame the transfer of Personal Data within the whole organization, notably to countries outside of the European Economic Area, in accordance with the GDPR.
- Setting up data privacy governance: SERVIER has appointed a global data protection officer, local data protection officers and compliance relays in charge of the coordination of all those aspects, raises awareness among its staff of the applicable rules, and has adopted numerous internal policies and procedures aiming to ease and ensure compliance with the applicable rules within the organization.
- Monitoring adherence to this privacy policy within the organization by permanent training.
- Being demanding when selecting and entrusting Processors with your Personal Data (providers, suppliers, partners, etc.).
2. WHY DOES SERVIER NEED TO USE YOUR PERSONAL DATA?
SERVIER processes your Personal Data only for specified, explicit, and legitimate purposes and does not further process the data in a way that is incompatible with those purposes, which include but are not limited to:
- Recruitment and Human Resources management;
- Management of relationships with clients, prospects and vendors (e.g. purchase department, marketing and communication department, CRM department, legal department, etc.);
- Monitoring of the scientific medical liaison with health-care professionals;
- Management of medical information delivery;
- Communication and relationship management and promotional activities with HCPs including interactions, profiling activities, contractual relationships management, congress and meetings management, thought leaders databases, social media, E-services (e-conferencing, etc.);
- Management of clinical trials;
- Pharmacovigilance management;
- Transparency management;
- Security of visitors and premises (in case you visit SERVIER’s premises);
- Premises and car park access management;
- CCTV management to ensure security of persons and premises;
- Management of any litigation you may enter or have entered into with SERVIER.
SERVIER does not process Personal Data for secondary purposes without verifying that additional data privacy requirements have been implemented where required (information, consent, etc.).
3. WHAT IS THE LEGAL BASIS?
SERVIER collects and processes your Personal Data:
- according to your consent;
- for the performance of a contract;
- for compliance with a legal obligation to which the Data Controller is subject;
- for your vital interests or those of another natural person;
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
- for legitimate interests pursued by SERVIER except where such interests are overridden by your interests or fundamental rights and freedoms, in particular where the person concerned is a child.
What about legal basis for Processing your Sensitive Personal Data?
Sensitive Personal Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data concerning health, sex life or sexual orientation.
SERVIER does not process your Sensitive Personal Data unless:
- You have unambiguously given your consent to such Processing (except where the applicable laws prohibit it); or
- It is necessary for SERVIER in the field of employment law in so far as it is authorized by Union or national law or a collective agreement providing for adequate safeguards; or
- SERVIER needs to protect your vital interests or those of another person where the Data Subject is physically or legally incapable of giving his/her consent; or
- It is necessary for the establishment, exercise or defense of legal claims; or
- Those Sensitive Personal Data are manifestly made public by yourself; or
- It is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of national law or pursuant to contract with a health professional and subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
4. WHAT ARE THE OTHER PRINCIPLES SERVIER IS COMPLYING WITH?
SERVIER collects and processes your Personal Data in a fair, transparent and lawful manner, to the extent necessary for its legitimate business interests, and in consideration of your rights and freedom as individuals regarding the respect of:
- Data quality and proportionality of the use of your Personal Data: SERVIER limits the collection of your Personal Data to what is necessary in relation to the purposes for which they are processed (‘data minimization’) and with adequate and relevant Personal Data only. SERVIER takes steps and processes to prevent excessive or irrelevant transmissions of Personal Data from the sender.
- Accuracy and keeping your Personal Data up to date: SERVIER takes steps to ensure that data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified.
- Appropriate data retention period: SERVIER retains your Personal Data based on legal and business retention requirements, in a form which permits your identification for no longer than is necessary for the purposes for which your Personal Data are processed. When the maximum retention period required by applicable law or the retention period required for the purpose of collection (whichever date occurs later) is reached, SERVIER takes reasonable steps to destroy the Personal Data.
- Security and confidentiality of your Personal Data: SERVIER has put in place appropriate and commercially reasonable technical and organizational security measures to keep your Personal Data that it collects and holds confidential and to protect it against unauthorized or unlawful disclosure or access, accidental loss, destruction, alteration or damage, taking into consideration the state of the art of technology and the cost of implementation. SERVIER takes appropriate measures to ensure that Data Processors who are given access to your Personal Data reasonably uphold at least as stringent security measures as those applied by SERVIER.
5. ARE THERE ANY AUTOMATED DECISIONS FOR THE PROCESSING OF YOUR PERSONAL DATA BY SERVIER?
SERVIER takes appropriate steps to ensure that you have the right not to be subject to a decision which produces legal effects concerning you or significantly affects you and which is based solely on automated Processing of Personal Data, including profiling intended to evaluate certain personal aspects relating to you such as your performance at work, creditworthiness, reliability, conduct, etc.
6. WHAT ARE YOUR RIGHTS?
You have the right to request and obtain from SERVIER without undue delay:
- To be informed in an intelligible form at least about the purposes of the Processing, the categories of Personal Data concerned, the recipients or categories of recipients, the transfers, if existing, and the appropriate safeguards used. Please go to the relevant information notice on INSTITUT SERVIER Website for complementary details.
- To access your Personal Data. Depending on your situation as a Data Subject (patient, candidate, vendors or other) and the applicable law, your Personal Data may be disclosed either to you directly or through a physician, healthcare professional or another person designated by you.
- To rectify your inaccurate Personal Data;
- To erase your Personal Data;
- Where applicable, to have a restriction of Processing;
- Where applicable, to exercise your right to data portability and obtain from SERVIER the right to receive your Personal Data, which you have provided to SERVIER, in a structured, commonly used and machine-readable format;
- To object, at any time of the Processing, free of charge and without having to state legitimate grounds, to the Processing of Personal Data for the purposes of direct marketing (including Profiling to the extent that it is related to such direct marketing).
- To lodge a complaint with a supervisory authority regarding the use of your Personal Data.
You may submit your requests to the relevant contact (detailed in the information notices) via postal mail, or via email which can be found on each SERVIER local website.
SERVIER may object to requests that are obviously excessive, in particular by their number, or their repetitive and systematic character.
7. IS THERE ANY TRANSFER OF MY PERSONAL DATA?
SERVIER is a global organization, with legal entities on the five continents, and businesses, IT systems, management structures and processes that cross borders. As such, it is sometimes necessary for SERVIER to transfer Personal Data to other SERVIER entities or to Data Processors or third parties, in the same country as or in countries other than the country in which it was initially provided, and/or store Personal Data in databases that may be hosted in or accessible from other countries.
- Transfers to SERVIER entities: Transfer of your Personal Data from one SERVIER entity to another SERVIER entity shall be allowed only if the transfer is based on a specific and legitimate business purpose, and the receiving entity ensures compliance with this Policy and with the BCRs and with any stricter local laws applicable to the transfer and to any subsequent processing (including onward transfer).
- Transfers to entities outside of the SERVIER Group:
  - Data Processors: SERVIER has entered or will enter into appropriate written agreements with Data Processors to ensure that they process your Personal Data in accordance with SERVIER’s instructions, and set up and maintain appropriate security and confidentiality measures to ensure an appropriate level of protection. SERVIER does not transfer your Personal Data to Processors outside of the EU unless those Data Processors have adopted appropriate privacy and security controls to protect Personal Data in accordance with the relevant EU privacy requirements (for instance by ensuring that the EU Standard Contractual Clauses approved by the EU Commission are signed with the Data Processor if the latter is located in a country which does not provide an adequate level of protection of Personal Data, it being specified that such clauses will be signed between SERVIER and the Data Processor located outside the EU).
  - Third parties: SERVIER entities may be required to disclose certain Personal Data to third parties. In particular, such disclosure may be required to comply with applicable laws (e.g., disclosure of salary data to tax authorities) or when the health or security of a Data Subject is endangered (e.g., in case of an accident). SERVIER may also disclose your Personal Data to protect its legal rights (e.g., in a litigation).
CLAIMS HANDLING AND ENFORCEMENT MECHANISMS
SERVIER entities will take appropriate remedial action, which may include disciplinary sanctions, in accordance with applicable law, if your Personal Data is accessed, processed, or used in any way that is inconsistent with this Policy or BCRs.
If you reasonably and in good faith believe that there has been a violation of the BCRs or of this Policy, or that your Personal Data are processed in a way that is incompatible with the BCRs or this Policy, you may lodge a complaint with the following stakeholders whose independence is guaranteed during the performance of their functions.
SERVIER has a procedure in place to describe the roles and responsibilities for handling privacy complaints received from Data Subjects and for receiving, documenting, investigating and responding to privacy complaints.
When a complaint is registered, it must be acknowledged and handled within a reasonable period of time (one month renewable on legitimate grounds and subject to the level of complexity of the case).
If you are not satisfied by the replies provided at local or global level, you have the right to lodge a complaint before the relevant supervisory authority and/or the competent jurisdiction where the relevant SERVIER entity is established. Prior to referring a case to the relevant supervisory authority or competent jurisdiction, each party should make its best efforts to solve a claim through the internal complaint mechanism described above.
SERVIER POINT OF CONTACT
For any questions on this Policy, or any complaints, or requests (such as access, objections or rectification requests), we encourage you to contact the relevant contact detailed in the information notice.
AMENDMENTS
This Policy may be amended from time to time. The newest version of the Policy will be posted on the intranet and extranet website and may also be distributed (in hard copy or electronic version) as appropriate to employees.
DEFINITIONS
“SERVIER” shall mean SERVIER SAS, and any other company controlled by SERVIER SAS, with a company being considered as controlling another: (a) when it holds directly or indirectly a portion of the capital which provides the majority of the voting rights in general meetings of shareholders of this company; (b) when it holds solely the majority of the voting rights in this company by virtue of an agreement concluded with other partners or shareholders and which is not contrary to the interest of the company; (c) when it determines de facto, by voting rights which it holds, the decisions in the general meetings of shareholders of this company; (d) when it is a partner or shareholder of this company and holds the power to nominate or to revoke the majority of members of the administrative, management or supervisory bodies or (e) in any event, when it holds, directly or indirectly, a portion of voting rights greater than 40% and when no other partner or shareholder holds directly or indirectly a portion which is greater than its own.
“Personal Data”: means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Data Subject”: an identified or identifiable natural person to whom Personal Data relates.
“Data Controller” or “Controller”: the entity, i.e. SERVIER, which determines the purposes and means of the Processing of Personal Data; except where expressly designated by legal provisions applicable to the Processing.
“Data Processor” or “Processor”: the natural or legal person, which processes Personal Data on behalf of the Controller.
“Processing”: means any operation performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.