English Version

Spontaneous reporting – Privacy Notice pursuant to Article 13 of the European Regulation no. 2016/679 concerning the protection of natural persons with regard to the processing of personal data (GDPR)

Pursuant to Article 13 of Regulation (EU) 2016/679 on the Protection of Personal Data, Alfasigma S.p.A. (hereinafter referred to as “Alfasigma” or “Company”) informs you about the processing of personal data provided by you through a spontaneous report within the scope of the pharmacovigilance system.

Data Controller & Data Protection Officer

The Data Controller is Alfasigma Portugal, Lda., with headquarters at José Malhoa Avenue nº 2, Building Malhoa Plaza, 2nd floor - Esc. 2.2, in Lisbon, registered at the Commercial Registry Office under the single registration and tax identification number 502.857.722, with an e-mail address for this purpose: [email protected].

Alfasigma Portugal, Lda. ensures the confidentiality of data processing in compliance with current privacy regulations; specific security measures are implemented in order to prevent the loss of data, illegal or improper data use and unauthorised access.

The Company has identified the Data Protection Officer in accordance with Article 37 of the Regulation; the DPO can be contacted for questions concerning the processing of your data, through the following contact details: Privacy Tel. +39-06-91393955, email [email protected].

Purpose, Nature and Legal Basis of Data Processing

Personal data spontaneously provided by you shall be collected and processed for pharmacovigilance purposes.

The Company must carry out Pharmacovigilance activities for compliance with a legal obligation to which the controller is subject.

Providing the data is optional, but failure to provide personal data could result in incorrect management of the spontaneous report.

Data shall be collected and processed for pharmacovigilance purposes such as, for example: (i) identification of any unknown adverse reactions; (ii) improvement and enhancement of the information on known suspected adverse reactions; (iii) assessment of the causal link between administration of the medicine and the adverse reaction observed; (iv) notification to the competent authority of this information to ensure that the medicines used present a favourable benefit/risk ratio for the population.

Lawfulness of processing is based on the data subject’s consent to the processing of his or her personal data for the purposes described in this privacy notice.

Data Processing Modalities & Data Retention Period

Personal data will be processed by both electronic and manual tools, suitable to ensure data security and confidentiality.

Data collected shall be stored in compliance with the applicable legislation for a period no longer than necessary for the purpose of data processing and thereafter for a period of ten years.

At the end of the storage period, data shall be deleted or anonymised.

Data Recipients or Categories of recipients of personal data

Data collected are processed by Alfasigma’s personnel under the authority of the controller according to instructions provided by the Controller pursuant to Art. 29 of the Regulation.

Data provided shall be anonymously made available for the purposes indicated above to third parties that access the National Pharmacovigilance Network as well as parties subject to pharmacovigilance obligations (Italian Medicines Agency, holders of Marketing Authorisation of medicines, Italian Regions, Local Healthcare Units, Pharmacovigilance Office of hospitals or Scientific Research and Healthcare Institutes).

Personal data provided may also be communicated, for the purposes described in this Privacy Notice, to the following categories of subjects: (i) persons, companies, associations that provide services or activities of assistance and consultancy to Alfasigma Companies; (ii) subjects whose right to access the personal data is recognised by law and/or secondary regulations or orders of public authorities.

These subjects shall use the data as independent controllers or appointed as Data Processor, pursuant to Article 28 of the Regulation.

The complete list of the subjects to which your personal data have been or may be communicated is available on demand at the address [email protected].

Transfer of personal data

The management and retention of the personal data shall take place on servers, located within the European Union, of the Data Processor and/or third-party companies duly appointed as Data Managers.

Data are not currently subject to transfer outside the European Union; only anonymised data could be transferred outside the EU. In any event, it remains understood that the Data Controller, should it be necessary, shall have the right to change the location of the servers within the European Union and/or to countries outside the EU.

In this case, the Data Controller guarantees henceforth that the transfer of the data outside the EU shall take place in compliance with Articles 44 et seq. of the Regulation and the applicable legal measures, stipulating, where necessary, agreements that ensure an adequate level of protection.

Data Subject Rights

We inform you that at any time in relation to your data, you can exercise the rights under articles 15 to 22 of the GDPR.

In detail:

(a) You have the right to obtain from the Company confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information:

  • The purposes of the processing;
  • The categories of personal data concerned;
  • The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • The period for which the personal data will be stored;
  • Where the personal data are not collected from the data subject, any available information as to their source;
  • The existence of automated decision-making, and, at least in those cases, meaningful information about the logic;
  • The appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer;

(b) Moreover, you have the right to:

  • Obtain access to, updating, rectification, integration or erasure of personal data, or restriction of processing of personal data concerning you, or object to such processing;
  • Obtain data portability;
  • Withdraw consent to the processing of personal data, if applicable;
  • Lodge a complaint with a supervisory authority.

In order to exercise your rights, please contact the Data Controller with a written request sent to the following address: [email protected].

The Data Controller will provide you with information on action taken on a request under Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Data Controller will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.