Group Data Protection Compliance Policy

  1. SCOPE

    Each Huvepharma Entity is responsible and accountable for complying with this Policy, as well as with any additional requirements mandated by the applicable Data Protection Law. This Policy applies to all Huvepharma Entities worldwide. Each Huvepharma Entity must: (i) adopt this Policy, and (ii) supplement or amend this Policy with its own data protection policies and practices to account for any variations in the local Data Protection Law.

    In addition, Huvepharma Entities need to comply with the EU/EEA Personal Data Protection standard (Section 6 of this Policy) in the following cases:

    1. Huvepharma Entities based in the EU/EEA

      The EU/EEA Personal Data Protection standard applies to all Huvepharma Entities established in the EU/EEA processing Personal Data in the context of their activities, regardless of whether the processing takes place in the EU/EEA or not, and regardless of whether the processing is performed by the Huvepharma Entity or by an external provider on its instructions.

    2. Huvepharma Entities based outside the EU/EEA

      The GDPR will also apply to the processing of Personal Data by any Huvepharma Entity established outside the EU/EEA if the entity:

      a) offers goods or services (whether free or paid for) to Data Subjects located within the EU/EEA; or

      b) monitors the behavior of Data Subjects in the EEA (as far as that behavior occurs in the EU/EEA).

  2. BACKGROUND TO DATA PROTECTION

    1. DATA PROTECTION LAW

      Data Protection law gives individuals the right to control how their "Personal data" is used. Personal data is interpreted very broadly in many countries. Personal data is any information that relates to someone, such as their name, contact details, financial information, personal preferences, browsing behaviour, transaction history, etc. Data Protection law also places obligations on organisations, like Huvepharma, that use personal data. Data Protection Law is usually enforced by local data protection regulators and courts.

    2. PERSONAL DATA

      Huvepharma Group may process, inter alia, one or more types of the following personal data:

      • job applicants and Huvepharma Group personnel, relating to their (potential) role within Huvepharma including contact details, résumé, professional development, personnel file, benefits, compensation, etc.;
      • Huvepharma Group employees' family members and dependents, relating to employee benefits and services;
      • trade customers and potential trade customers;
      • consumers/members of the public, some of whom also become direct customers, relating to the products and services we provide to them or that they ask us about;
      • business associates and personnel of Huvepharma Group's suppliers and other agents for the management of the business relationship;
      • the personal data of complainants, persons who entered into written correspondence with a Huvepharma Entity or deposited with this Entity documents containing their and / or foreign personal data, and of other persons who, in any case, have contacted a Huvepharma Entity in its capacity as a data controller;
      • images captured via CCTV cameras while the Data Subject is within the Huvepharma Entity's premises; and
      • other information collected on paper or electronically for visitors in the Huvepharma Entity's premises.

      Information about personal details of representatives of clients or customers.

    3. CONSEQUENCES FROM NON-COMPLIANCE WITH DATA PROTECTION LAW

      It is important that all Huvepharma Group personnel comply with this Policy, as we are all responsible for data privacy compliance. Failure to comply could lead to complaints from individuals, compensation claims, fines from regulators and bad publicity. Any deliberate cover-up or attempts to mislead us about a breach may result in disciplinary proceedings. Additionally, you should note that knowingly or recklessly obtaining or disclosing personal data for personal use may be a criminal offence in some countries, and could also result in damages or compensation claims against you.

  3. PRINCIPLES OF PROCESSING

    Each Huvepharma Entity shall process Personal Data in full observance of the following principles:

    Lawfulness, fairness and transparency: Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.

    Purpose limitation: Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

    Data minimization: Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

    Accuracy: Personal Data shall be accurate and, where necessary, kept up to date.

    Storage limitation: Personal Data shall be kept in a form, which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.

    Integrity and confidentiality: Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

    Accountability: Each Huvepharma Entity, as Data Controller, shall be responsible for, and be able to demonstrate, compliance with the applicable Data Protection Law.

  4. EU/EEA PERSONAL DATA PROTECTION STANDARD

    1. RECORDS OF PROCESSING

      Each Huvepharma Entity shall maintain an overview of all Processing activities within the organisation, e.g. what kind of data categories are being processed, by whom (which departments or business units) and for which underlying purposes of processing ("Records of Processing").

      The Records of Processing shall explicitly state the Lawful Basis and Purpose(s) of Processing.

    2. PRIVACY NOTICE

      Upon request, each Huvepharma Entity should be able to explain thoroughly what business activity the Processing relates to, what type of Personal Data is requested from the Data Subject, and that appropriate organizational and technical measures are in place to ensure that Personal Data is kept safe and confidential ("Privacy Notice").

    3. LAWFUL BASIS

      Huvepharma Entity must only collect and process Personal Data where one or more of the following lawful grounds for processing is/are met:

      CONSENT: The Data Subject has given explicit consent to the Processing of his or her Personal Data for one or more specific purposes.

      LEGITIMATE INTEREST: Processing is necessary for the purposes of the legitimate interests pursued by Huvepharma Entity or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, which require protection of personal data, in particular where the Data Subject is a child.

      PERFORMANCE OF A CONTRACT: Processing is necessary:
      a. For the performance of a contract to which the Data Subject is party; or
      b. In order to take steps at the request of the Data Subject prior to entering into a contract.

      COMPLIANCE WITH LEGAL OBLIGATION: Processing is necessary for compliance with a legal obligation to which Huvepharma Entity is subject.

      VITAL INTERESTS OF THE DATA SUBJECT: Processing is necessary in order to protect the vital interests of the Data Subject or of another individual.

      PUBLIC INTEREST OR EXERCISE OF PUBLIC AUTHORITY: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.

      Where Huvepharma Entity is intending to collect and process Special Categories of Personal Data (e.g. data relating to an employee's health), such data needs to be treated with greater care than other Personal Data. The nature of the Personal Data is also a factor in deciding what security is appropriate. If you are processing Special Categories of Personal Data you must satisfy one or more of the conditions for processing which apply specifically to such data as set out in the Data Protection Law, in addition to the general lawful grounds which apply in every case.

    4. DATA MINIMIZATION

      Huvepharma Entities shall Process Personal Data only if and to the extent it is adequate, relevant and limited to what is necessary to achieve business-related purposes.

      Where possible, Personal Data should be anonymised, pseudonymised or aggregated to the fullest extent possible.

    5. PURPOSE LIMITATION

      Huvepharma Entity shall Process Personal Data for the purposes for which it was originally collected (original purpose). Personal Data may be Processed for purposes different from the original purpose (secondary purpose) only if the secondary purpose is compatible with and closely related to the original purpose, as understood by the Data Subject concerned.

    6. ACCURACY AND CONFIDENTIALITY

      All Personal Data processed by Huvepharma Entity must be kept accurate, complete and up-to-date as is necessary for the Purpose(s) of Processing. The personnel of Huvepharma Entity shall make sure that the Personal Data obtained directly from Data Subjects or indirectly is verified against relevant documentation.

      Where possible, Data Subjects (whether employees, customers or suppliers) should be provided with a means to update their own Personal Data.

      The integrity and the confidentiality of all collected Personal Data in relation to any Purpose of Processing are mandatory at all times. The personnel of the Huvepharma Entity shall make sure that Personal Data obtained directly from Data Subjects or indirectly is safely stored and accessed only on a need-to-know basis.

      Each Huvepharma Entity shall use appropriate technical and organizational measures to safeguard Personal Data, including when third parties are engaged in processing Personal Data on Huvepharma Entity's behalf.

    7. STORAGE LIMITATION

      Huvepharma Entity shall retain Personal Data in either hard-copy or electronic form (or both) only for a specific period ("Retention period"), which in any case will not be longer than:

      • the time needed to accomplish the Purpose of Processing, or
      • the period necessary to comply with any retention requirements under the applicable domestic legislation, or
      • as advisable in light of an applicable statute of limitations.

      Each Huvepharma Entity is responsible for ensuring that:

      • Personal Data is stored (internally or externally, on paper or electronically) in proper conditions, with the observance of the applicable statutory Retention periods.
      • The necessary technical means and internal controls are in place to ensure that the Personal Data processed by the Huvepharma Entity is erased as soon as the applicable Retention Period expires.

    8. TRANSFERS OF PERSONAL DATA

      In the exercise of its business activities, Huvepharma Entity may transfer data to other Huvepharma Entities or third parties only once it makes sure that data privacy and security are appropriately guaranteed.

      Transfers between Huvepharma Entities are allowed only in strict compliance with the rules and procedures established in the Data Protection Manual.

      When transferring Personal Data to a third party country outside the EU/EEA, the Huvepharma Entity shall ensure that binding rules, in an agreement or otherwise, requiring the third party to provide adequate guarantees for the protection of Personal Data are in place.

    9. PERSONAL DATA BREACH

      When a Personal Data breach is likely to result in a high risk to individual rights and freedoms of Data Subjects, the Data Controller shall communicate the Personal Data breach to the Data Subject and the competent Supervisory Authority. In such cases, notification shall be lodged without undue delay but in any case not later than whichever is shorter between the applicable statutory deadline under the Data Protection Law or 72 hours from the Personal Data Breach.

      Each Huvepharma Entity shall maintain a Register of Response to Personal data breach compliant with the requirements in the Data Protection Manual.

    10. INDIVIDUAL RIGHTS

      Under Data Protection Law, Data Subjects have the following Individual rights with respect to the processing of their personal data:

      RIGHT TO ACCESS: The right to access the Personal Data processed by Huvepharma Group or by a third party vendor on behalf of Huvepharma Group.

      RIGHT TO RECTIFICATION: The right to have inaccurate or incomplete Personal Data amended or erased.

      RIGHT TO ERASURE: The right to have Personal Data permanently removed.

      RIGHT TO RESTRICTION OF PROCESSING: The right to request that Huvepharma Group temporarily or permanently suspends Processing all or some of the Personal Data of the Data Subject.

      RIGHT TO DATA PORTABILITY: The right to receive their Personal Data, in a structured, commonly used, machine-readable and interoperable format, giving them the ability for their Personal Data to be provided to another Data Controller by themselves or the relevant Huvepharma Entity. Rule: Use appropriate technical and organizational measures to safeguard Personal Data, including when third parties are engaged in processing Personal Data on Huvepharma's behalf.

      RIGHT TO OBJECT: The right to object to the processing of their Personal Data when such processing is based on public interest or legitimate interest grounds, or is processed for the purposes of direct marketing.

      AUTOMATED DECISION MAKING: The right not to be subject to a decision based solely on automated individual decision-making, including profiling, which produces a legal effect or significantly affects them.

      Each Huvepharma Entity will provide appropriate training and information in accordance with the processes established by the Data Protection Manual so that its employees may react appropriately to any exercise of the Data Subjects' rights.