Data Privacy | L'Institut Servier

Data privacy policy

SERVIER preserves your privacy and strives to collect responsibly your Personal Data, pursuant to the 2016/679 Regulation on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation (hereinafter “GDPR”).

Please refer to the definitions at the end of this data privacy policy regarding the terms with a capital letter.

1. SERVIER’S COMMITMENTS ON DATA PRIVACY

SERVIER is fully committed to ensure the protection of Personal Data within its organization:

WHY?
To preserve confidentiality and security of your Personal Data as patients, job applicants, employees, customers and other business partners such as health professionals, medical sales representatives and pharmacists and any other person who’s Personal Data will be processed.
HOW?
Adopting Binding Corporate Rules (BCRs), whose objective is to ensure that the same level of protection is respected within all SERVIER entities, and to frame the transfer of Personal Data within the whole organization, notably to countries outside of the European Economic Area, in accordance with the GDPR.
Setting up data privacy governance: Appointment of global data protection officer, local data protection officers, compliance relays in charge of the coordination of all those aspects, raises awareness of its staff on the applicable rules, and also adopted numerous internal policies and procedures aiming to ease and ensure the compliance to the applicable rules within the organization.
Monitoring adherence to this privacy policy within the organization by permanent training.
Being demanding when selecting and entrusting Processors with your Personal Data (providers, supplies, partners, etc.).

2. WHY SERVIER NEEDS TO USE YOUR PERSONAL DATA?

SERVIER processes your Personal Data only for specified, explicit, and legitimate purposes and does not further process the data in a way that is incompatible with the purposes described below but not limited to:

Recruitment and Human Resources management;
Management of relationships with clients, prospects and vendors (e.g.: purchase department; marketing and communication department; CRM department, legal department etc.)
Monitoring of the scientific medical liaison with health-care professionals;
Management of medical information delivery;
Communication and relationship management and promotional activities with HCPs including interactions, profiling activities, contractual relationships management, congress and meetings management, though leaders databases, social media, E-services (e-conferencing, etc.);
Management of clinical trials;
Pharmacovigilance management;
Transparency management;
Security of visitors and premises (in case you visit SERVIER’s premises)
Premises and car park access management
CCTV management to ensure security of persons and premises.
The litigation management you may enter or have entered into with SERVIER;

SERVIER does not process Personal Data for secondary purposes without verifying that additional data privacy requirements have been implemented where required information, consent, etc.

3. WHAT IS THE Legal BASIS?

SERVIER collects and processes your Personal Data:

according to your consent;
for the performance of a contract;
for compliance with a legal obligation to which the Data Controller is subject;
for your vital interests or of another natural person;
for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
for legitimate interests pursued by SERVIER except where such interests are overridden by your interests or fundamental rights and freedoms, in particular where the person concerned is a child.

What about legal basis for Processing your Sensitive Personal Data?

Sensitive Personal Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, data concerning health, sex life or sexual orientation.

SERVIER does not process your Sensitive Personal Data unless:

You have unambiguously given your consent to such Processing (except where the applicable laws prohibit it); or
It is necessary for SERVIER in the field of employment law in so far as it is authorized by Union or national law or a collective agreement providing for adequate safeguards; or
SERVIER needs to protect your vital interests or of another person where the Data Subject is physically or legally incapable of giving his/her consent; or
It is necessary for the establishment, exercise or defense of legal claims; or
Those Sensitive Personal Data are manifestly made public by yourself; or
It is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of national law or pursuant to contract with a health professional and subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.

4. WHAT ARE THE OTHER PRINCIPLES SERVIER IS COMPLYING WITH?

SERVIER collects and processes your Personal Data in a fair, transparent and lawful manner, to the extent necessary for its legitimate business interests, and in consideration of your rights and freedom as individuals regarding the respect of :

Data quality and proportionality of the use of your Personal Data: SERVIER limits the collection of your Personal Data to what is necessary in relation to the purposes for which they are processed (‘data minimization’) and with adequate and relevant Personal data only. SERVIER takes steps and processes to prevent excessive or irrelevant transmissions of Personal Data from the sender.
Accuracy and kept up to date your Personal Data: SERVIER takes steps to ensure that data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified.
Appropriate data retention period: SERVIER retains your Personal Data on legal and business retention requirements, in a form which permits your identification for no longer than is necessary for the purposes for which your Personal Data are processed. When the maximum retention period required by applicable law or the retention period required for the purpose of collection (whichever date occurs later) is reached, SERVIER takes reasonable steps to destroy the Personal Data.
Security and confidentiality of your Personal Data: SERVIER has put in place appropriate and commercially reasonable technical and organizational security measures to keep your Personal Data that it collects and holds confidential and to protect it against unauthorized or unlawful disclosure or access, accidental loss, destruction, alteration or damage taking into consideration the state of art of technology and the cost of implementation. SERVIER takes appropriate measures to ensure that Data Processors who are given access to your Personal Data reasonably uphold at least as stringent security measures as those applied by SERVIER.

5. IS THERE ANY AUTOMATED DECISIONS FOR THE PROCESSING OF YOUR PERSONAL DATA BY SERVIER?

SERVIER takes appropriates steps to ensure that you have the right not to be subject to a decision which produces legal effects concerning you or significantly affects you and which is based solely on automated Processing of Personal Data, including profiling intended to evaluate certain personal aspects relating to you such as your performance at work, creditworthiness, reliability, conduct, etc.

6. WHAT ARE YOUR RIGHTS?

You have the right to request and obtain from SERVIER without undue delay:

To be informed in an intelligible form at least about the purposes of the Processing, the categories of Personal Data concerned, the recipients or categories of recipients, the transfers is existing and the appropriate safeguards used.
Please go to the relevant information notice on INSTITUT SERVIER Website for complementary details.
To access to your Personal Data. Depending on your situation as a Data Subject (patient, candidate, vendors or other) and the applicable law, your Personal Data may be disclosed either to you directly or through a physician, healthcare professional or another person designated by you.
To rectify your inaccurate Personal Data,
To erase your Personal Data
Where applicable, to have a restriction of Processing;
Where applicable, to exercise your right to data portability and obtain from SERVIER the right to receive your Personal Data, which you have provided to SERVIER, in a structured, commonly used and machine-readable format;
To object, at any time of the Processing, free of charge and without having to state legitimate grounds, to the Processing of Personal Data for the purposes of direct marketing (including Profiling to the extent that it is related to such direct marketing).
To lodge a complaint with a supervisory authority regarding the use of your Personal Data

You may submit their requests to the relevant contact (detailed in the information notices) via postal mail, or via email which can be found on each SERVIER local website.

SERVIER may object to requests that are obviously excessive, in particular by their number, or their repetitive and systematic character.

7. IS THERE ANY TRANSFER OF MY PERSONAL DATA?

SERVIER is a global organization, with legal entities on the five continents, and businesses, IT systems, management structures and processes that cross borders. As such, it is sometimes necessary for SERVIER to transfer Personal Data to other SERVIER entities or to Data Processors or third parties, in the same country as or in countries other than the country in which it was initially provided, and/or store Personal Data in databases that may be hosted in or accessible from other countries.

Transfers to SERVIER entities: Transfer of your Personal Data from one SERVIER entity to another SERVIER entity shall be allowed only if the transfer is based on a specific and legitimate business purpose, and the receiving entity ensures compliance with this Policy and with the BCRs and with any stricter local laws applicable to the transfer and to any subsequent processing (including onward transfer).
Transfers to entities outside of the SERVIER Group:
Data Processors: SERVIER has entered or will enter into appropriate written agreements with Data Processors to ensure that they process your Personal Data in accordance with SERVIER’s instructions, and set up and maintain appropriate security and confidentiality measures to ensure an appropriate level of protection. SERVIER does not transfer your Personal Data to Processors outside of the EU unless those Data Processors have adopted appropriate privacy and security controls to protect Personal Data in accordance with the relevant EU privacy requirements (for instance by ensuring that the EU Standard Contractual Clauses approved by the EU Commission) are signed with the Data Processor if the latter is located in a country which does not provide an adequate level of protection of Personal Data, it being specified that such clauses will be signed between SERVIER and the Data Processor located outside the EU).
Third parties: SERVIER entities may be required to disclose certain Personal Data to third parties. In particular, such disclosure may be required to comply with applicable laws (e.g., disclosure of salary data to tax authorities) or when the health or security of a Data Subject is endangered (e.g., in case of an accident). SERVIER may also disclose your Personal Data to protect its legal rights (e.g., in a litigation).

CLAIMS HANDLING AND ENFORCEMENT MECHANISMS

SERVIER entities will take appropriate remedial action, which may include disciplinary sanctions, in accordance with applicable law, if your Personal Data is accessed, processed, or used in any way that is inconsistent with this Policy or BCRs.

If reasonably and in good faith you believe that there has been a violation of the BCRs or of this Policy that your Personal Data are processed in a way that is incompatible with the BCRs or this Policy, you may lodge a complaint to the following stakeholders whose independence is guaranteed during the performance of their functions.

SERVIER has a procedure in place to describe the roles and responsibilities for handling privacy complaints received from Data Subjects and for receiving, documenting, investigating and responding to privacy complaints.

When a complaint is registered, it must be acknowledged and handled within a reasonable period of time (one month renewable on legitimate grounds and subject to the level of complexity of the case).

If you are not satisfied by the replies provided at local or global level, it has the right to lodge a complaint before the relevant supervisory authority and/or the competent jurisdiction where the relevant SERVIER entity is established. Prior to referring a case to the relevant supervisory authority or competent jurisdiction, each party should make its best efforts to solve a claim through the internal complaint mechanism described above.

SERVIER POINT OF CONTACT

For any questions on this Policy, or any complaints, or requests (such as access, objections or rectification requests), we encourage you to the relevant contact for you detailed in the information notice.

AMENDMENTS

This Policy may be amended from time to time. The newest version of the Policy will be posted on the intranet and extranet website and may also be distributed (in hard copy or electronic version) as appropriate to employees.

DEFINITIONS

“SERVIER” shall mean SERVIER SAS, and any other company controlled by SERVIER SAS, with a company being considered as controlling another: (a) when it holds directly or indirectly a portion of the capital which provides the majority of the voting rights in general meetings of shareholders of this company; (b) when it holds solely the majority of the voting rights in this company by virtue of an agreement concluded with other partners or shareholders and which is not contrary to the interest of the company; (c) when it determines de facto, by voting rights which it holds, the decisions in the general meetings of shareholders of this company; (d) when it is a partner or shareholder of this company and holds the power to nominate or to revoke the majority of members of the administrative, management or supervisory bodies or (e) in any event, when it holds, directly or indirectly, a portion of voting rights greater than 40% and when no other partner or shareholder holds directly or indirectly a portion which is greater than its own.

« Personal Data »: means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

« Data subject »: an identified or identifiable natural person to whom Personal Data relates.

« Data Controller » or « Controller »: the entity, i.e. SERVIER, which determines the purposes and means of the Processing of Personal Data; except where expressly designated by legal provisions applicable to the Processing.

« Data Processor » or « Processor »: the natural or legal person, which processes Personal Data on behalf of the Controller.

« Processing » : means any operation performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Information notices

You consent to participate to a research study.

As a data controller, SERVIER processes your personal data on the basis of legitimate interest of Servier as a sponsor of the research study and also in order to comply with its legal and regulatory obligations (in particular those related to pharmacovigilance).

Your personal data may be collected and processed by SERVIER for one or more following purposes:

Management of research studies activities;
Management of pharmacovigilance activities;
Management of medical information delivery.

Your personal data processed by SERVIER will only be accessible by a limited list of recipients on a need to know basis or where required by law.

Thus, the main categories of recipients will be SERVIER’s authorized employees and departments acting within their scope of activities including but not limited to:

Clinical Operations Department;
Medical Affairs Department;
Pharmacovigilance Department;
Research and Biopharmacy Department;
Methodology and Valorisation of Data Department;
Information Technology Department where necessary.

SERVIER also uses third party providers and partners (e.g. hosting providers, contractual research organizations, travel agencies, hotels, air carriers etc.) who may also access to your personal data in order to provide their services. Finally, SERVIER shall communicate some of your personal data to the competent authorities such as health authorities.

Your personal data may be transferred to other SERVIER entities, and to third-parties providers and health authority which may be located inside or outside the EEA, including in the countries which do not have the same level of protection of personal data as in the EEA, in particular for hosting and IT support purposes. In such cases, SERVIER ensures that such transfers are carried out in compliance with the applicable data protection laws and regulation. Data transfers to other SERVIER entities are covered by the Group’s Binding Corporate Rules submitted to the CNIL, French Data Protection Authority, for approval in December 2017 whereas transfers to third-party providers outside the EEA are secured through appropriate contractual guarantees such as the EU Commission’s Standard Contractual Clauses or an adherence to the Privacy Shield for transfers to the USA where applicable. You may request and receive copy of such documents.

Your personal data collected by SERVIER are kept in a form which permits your identification for no longer than is necessary for the purposes for which the personal data are processed. More specifically:

Personal data collected for research studies activities are kept in the information systems of the data controller, participating centre or healthcare professional taking part in the research until the study product is marketed or until the final research report or until 2 years following the publication of the research results. They are then archived in paper or electronic form for a period in accordance with applicable laws and regulations;
Personal data collected for pharmacovigilance activities are kept for 10 years after the relevant marketing authorisation has ceased to exist, then data are deleted or archived in an anonymised form, unless otherwise provided by mandatory local regulations;
Personal data collected for medical information management are kept for 3 years after your request.

As a data subject, you have the right at any time to request from SERVIER as far as permitted by applicable laws and regulations, access to and rectification of your personal data. On legitimate grounds, you are also entitled to request a restriction of the processing of your personal data or to object to such processing.

Finally, you are entitled to lodge a complaint with the Data Protection Authority, related to SERVIER’s compliance with the applicable data protection laws and regulation.

Data protection contacts

	ROLE	NAME	CONTACT DETAILS
Data Protection Contact	to ask questions and exercise your rights	Your research doctor if you participate to a research study SERVIER Local DPO: protectiondesdonnees@servier.com, if you request medical information	Name, address, e-mail address as mentioned on the documentation provided by SERVIER (ICF, information notice...)
Data Controller	responsible of the use of your personal data	L'Institut Servier
Local/National Data Protection Authority	to lodge a complaint	CNIL

When you are collaborating with SERVIER as representative of a patient association, patient advocate, expert, your personal data may be also processed for the performance of your agreement. In such cases, your personal data may be also processed in relation to security management when visiting SERVIER’s premises.

Your personal data may be collected and processed by SERVIER for one or more following purposes:

Relationship management with you as patient expert/advocate/representative including interactions, contractual relationships management;
Security of visitors and premises (in case you visit SERVIER’s premises) including access management of premises and car park as well as video surveillance system management.

Your personal data processed by SERVIER will only be accessible by a limited list of recipients on a need to know basis or where required by law. Thus, the main categories of recipients will be SERVIER’s authorized employees and departments acting within their scope of activities including but not limited to:

Medical Affairs Department;
Security service and the General Services Department for issues related to the use and the security of the premises (premises and car park access management);
The Safety service for video surveillance system management;
Information Technology Department where necessary.

SERVIER also uses third party providers and partners (e.g. hosting providers, travel agencies, hotels, air carriers etc.) who may also access to your personal data in order to provide their services. Finally, SERVIER may communicate some of your personal data to the competent relevant authorities.

Your personal data may be transferred to other SERVIER entities and to third-parties providers which may be located inside or outside the EEA, including in the countries which do not have the same level of protection of personal data as in the EEA, in particular for hosting and IT support purposes. In such cases, SERVIER ensures that such transfers are carried out in compliance with the applicable data protection laws and regulation. Data transfers to other SERVIER entities are covered by the Group’s Binding Corporate Rules submitted to the CNIL, French Data Protection Authority, for approval in December 2017 whereas transfers to third-party providers outside the EEA are secured through appropriate contractual guarantees such as the EU Commission’s Standard Contractual Clauses or an adherence to the Privacy Shield for transfers to the USA where applicable. You may request and receive copy of such documents.

the images of the video surveillance system are kept for 30 days;
the data related to security of visitors and premises are kept no longer than 3 months.

Finally, you are entitled to lodge a complaint with the Data Protection Authority, related to SERVIER’s compliance with the applicable data protection laws and regulation.

Data protection contacts

	ROLE	NAME	CONTACT DETAILS
Data Protection Contact	to ask questions and exercise your rights	SERVIER Local DPO: protectiondesdonnees@servier.com	Name, address, e-mail address as mentioned on the documentation provided by SERVIER (ICF, information notice...)
Data Controller	responsible of the use of your personal data	L'Institut Servier
Local/National Data Protection Authority	to lodge a complaint	CNIL

As a data controller, SERVIER processes your personal data mainly on the basis of its legitimate interest to promote its products along with relevant medical information or on the basis of your prior consent when applicable but also in order to comply with its legal obligations related to pharmacovigilance and transparency. In certain cases (e.g. when you visit SERVIER’s premises), your personal data may be also processed in relation to security management, whereas, in case you act as an investigator in the field of clinical research your personal data will also be processed for the execution of your contract with SERVIER.

Data protection contacts

	ROLE	NAME	CONTACT DETAILS
Data Protection Contact	to ask questions and exercise your rights	SERVIER Local DPO: protectiondesdonnees@servier.com	Name, address, e-mail address as mentioned on the documentation provided by SERVIER (ICF, information notice...)
Data Controller	responsible of the use of your personal data	L'Institut Servier
Local/National Data Protection Authority	to lodge a complaint	CNIL

Your personal data are collected and processed by SERVIER for the following purposes:

Monitoring of the scientific medical liaison with healthcare professionals (HCP);

Management of medical information delivery;

Communication and relationship management and promotional activities (contacts with HCP) including interactions, contractual relationships management, congress and meetings management, therapeutic area experts databases, social media, E-services (e-conferencing, etc.);

Relationship management activities with HCP in connection with clinical trials and pharmacovigilance activities;

Transparency management (disclosure of transfers of value from SERVIER to health stakeholders);

Security of visitors and premises (in case you visit SERVIER’s premises);

Premises and car park access management video surveillance system management to ensure security of persons and premises.

Your personal data processed by SERVIER will only be accessible by a limited list of recipients on a need to know basis or where required by law.

Thus, the main categories of recipients will be SERVIER’s authorized employees and departments acting within their scope of activities including but not limited to:

Clinical Operations Department of the coordination

Promotional Department;

Medical Affairs Department;

Pharmacovigilance Department;

Information Technology Department where necessary.

Other services and individuals may need to have access to your personal data in relation to specific purposes of data processing, such as:

The Security service and the General Services department for issues related to the use and the security of the premises (premises and car park access management);

The Safety service for video surveillance system management.

SERVIER also uses third party providers (e.g. hosting providers) and business partners (e.g. contractual research organizations, travel and conferences agencies, agencies, hotels, air carriers etc.) who may also access to your personal data in order to provide their services. Finally, SERVIER shall communicate some of your personal data to the competent authorities such as health authorities.

Personal data collected for scientific medical liaison with health-care are kept for 5 years after your last interaction with SERVIER, then data are archived for 5 years and deleted;

Personal data collected for clinical trials management activities with HCP are kept until the study product is marketed or until the final research report or until the publication of the research results. They are then archived in paper or electronic form for a period in accordance with applicable laws and regulations;

Personal data collected for medical information management are kept for 3 years after your request, then data are deleted;

Personal data collected for communication and relationship management and promotional activities (contacts with HCP) are kept for 5 years after your last interaction with SERVIER, then data are archived for 5 years and deleted;

Personal data collected for pharmacovigilance activities are kept for 10 years after the relevant marketing authorisation has ceased to exist, then data are deleted or archived in an anonymised form, unless otherwise provided by mandatory local regulations;

Personal data related to transparency management are kept, archived and deleted in accordance with applicable laws and regulations;

The images of the video surveillance system are kept for 30 days;

Data related to security of visitors and premises are kept no longer than 3 months.

As a data subject, you have the right at any time to request from SERVIER as far as permitted by applicable laws and regulations, access to and rectification or erasure of your personal data. On legitimate grounds, you are also entitled to request a restriction of the processing of your personal data or to object to such processing. When a data processing is based on a contractual relationship with SERVIER, you may also have the right to receive the personal data concerning only you which and which you alone have provided to SERVIER in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another Data Controller (data portability).

Finally, you are entitled to lodge a complaint with the Data Protection Authority, related to SERVIER’s compliance with the applicable data protection laws and regulation.

As a data controller, SERVIER processes your personal data in the context of the performance of your contract as well as for various legitimate interests such the security of SERVIER premises or the protection of its products from counterfeiting.

Your personal data are collected and processed by SERVIER mainly for the following purposes:

Contract management;
Anti-counterfeiting management.

When accessing to our premises/sites, your personal data are also collected for security purposes (such as premises and car park access management, video surveillance management to ensure security of persons and premises).Your personal data processed by SERVIER will only be accessible by a limited list of recipients on a need to know basis or where required by law, including but not limited to:

SERVIER’s employees and providers in their scope of activities for the management of relationships with clients, prospects and vendors
SERVIER’s trademark department, security department, and, where requested, local authorities for anti-counterfeiting purposes.
The Security service and the General Services department for issues related to the use and the security of the premises (premises and car park access management)
The Safety service for video surveillance management.

Your personal data may be transferred to other SERVIER entities and to third-parties (providers and public authorities) which may be located inside or outside the EEA, including in the countries which do not have the same level of protection of personal data as in the EEA, in particular for IT support purposes. In such cases, SERVIER ensures that such transfers are carried out in compliance with the applicable data protection laws and regulation. Data transfers to other SERVIER entities are covered by the Group’s Binding Corporate Rules submitted to the CNIL, French Data Protection Authority, for approval in December 2017 whereas transfers to third-party providers outside the EEA are secured through appropriate contractual guarantees such as the EU Commission’s Standard Contractual Clauses or an adherence to the Privacy Shield for transfers to the USA where applicable. You may request and receive copy of such documents.

Personal data collected for contract management are kept for the whole duration of the commercial relationship and then are archived for 5 years
The images of the video surveillance system are kept for 30 days;
Data related to security of visitors and premises, are kept for 90 days;
Personal Data collected in the context of anti-counterfeiting management are
- Archived during 3 years in the absence of any action;
- Archived during 5 years if the suspicion triggers an internal action;
- Kept until the end of the legal proceedings and then archived during 5 years.

Finally, you are entitled to lodge a complaint with the Data Protection Authority, related to SERVIER’s compliance with the applicable data protection laws and regulation.

Data protection contacts

	ROLE	NAME	CONTACT DETAILS
Data Protection Contact	to ask questions and exercise your rights	SERVIER Local DPO: protectiondesdonnees@servier.com	Name, address, e-mail address as mentioned on the documentation provided by SERVIER (ICF, information notice...)
Data Controller	responsible of the use of your personal data	L'Institut Servier
Local/National Data Protection Authority	to lodge a complaint	CNIL