Alfred Gera & Sons Limited: Privacy Notice
Welcome to Alfred Gera & Sons Limited’s dedicated privacy notice for customer and patient complaints / reports.
Ensuring customer satisfaction and patient safety is of paramount importance for us and our business.
As an authorised distributor of medicinal products, Alfred Gera & Sons Limited (C 120) of 10, Triq il-Masgar, Qormi, Malta (“AGS”; “we”; “us”; “our”) carries out safety monitoring and pharmacovigilance reporting activities. In that regard, we are legally and contractually obligated to report any adverse events communicated to us to the competent public authorities and public agencies (e.g. the European Medicines Agency (the “EMA”) and/or the Maltese Medicines Authority (the “MA”)) as well as to the product manufacturer. We also maintain records of the complaints, adverse events and other (adverse) incidents or reactions which are reported to us by customers, patients, healthcare professionals (“HCPs”) and other individuals in connection with the products that we distribute (our “Activities”).
Accordingly, this privacy notice (the “Notice”) sets out and explains the way in which we may collect and process your personal data in connection with our Activities. It provides you with information on the particular items of personal data which we may collect about you and how we will handle it and additionally, tells you about (i) our obligations to process your personal data responsibly, (ii) your data protection and privacy rights as a data subject and (iii) how the law protects you
We operate and control the following website: http://www.alfredgera.com/ (the “Website” or the “Site”)
Please refer to Section 2 to understand the meaning of some of the terms used in this Notice.
1 Important information and who we are
Purpose of this Notice
Your trust and privacy is very important to us, and we are wholly committed to protecting your personal data.
We process your personal data in an appropriate and lawful manner, in accordance with the Data Protection Act (Chapter 586 of the Laws of Malta) (the “Act”), as may be amended from time to time, and the General Data Protection Regulation (Regulation (EU) 2016/679) (the “Regulation” or the “GDPR”).
This Notice aims to give you information on how we (AGS) collect and process your personal data in connection with our Activities. This Notice applies to all individuals (be it customers, patients or HCPs acting on behalf of a patient) who make or submit a complaint, enquiry or report to us, regardless of the mains of communication (i.e. whether by phone, e-mail, fax or telephone or even through the online form which may be electronically submitted to us through our Website). It extends to the information that we process in connection with any such report, whether that report concerns the reporter’s own experiences or those of another person (for example, a report submitted to us by a HCP on behalf of his/her patient reporting an adverse event to a product which we have distributed).
This Notice supplements our other notices and privacy policies and is not intended to override them.
AGS, as defined above, is the controller and responsible for your personal data.
We have appointed a data protection contact point (DPCP) who is responsible for overseeing questions in relation to this Notice and for handling requests made by data subjects.
If you have any questions about this Notice, including any requests to exercise your legal rights (see below at Section 9), please contact the DPCP using the details set out below.
Please use the words ‘Data Protection Matter’ in the subject line. Our full details are as follows.
Full name of legal entity: Alfred Gera & Sons Limited (C 120)
Email address: firstname.lastname@example.org
Postal address: 10, Triq il-Masgar, Qormi QRM3217, Malta.
Telephone number: + 356 21446205
Changes to the Notice and your duty to inform us of changes
We keep our privacy notice under regular review.
2 Some key definitions
Set out below are definitions of certain key terms which appear in this Notice.
- “adverse event” means a noxious and unintended or unwanted response to the use of a medicinal product which has been distributed by AGS.
- “consent form” refers to separate documents which we might from time to time provide you where we ask for your explicit consent for any processing which is not for purposes set out in this Notice.
- “data subjects” means living individuals (i.e. natural persons) about whom we collect and process personal data.
- “data controller” or “controller” means any entity or individual who determines the purposes for which, and the manner in which, any personal data is processed.
- “data processor” or “processor” means any entity or individual that processes data on our behalf and on our instructions (we being the data controller).
- “personal data” means data relating to a living individual (i.e. natural person) who can be identified from the data (information) we hold or possess. This includes, but is not limited to, your name and surname, address, date of birth, nationality, gender, civil status, tax status, identity card number & passport number, contact details (including mobile and home phone number and personal email address), photographic image, bank account details, emergency contact information as well as online identifiers. The term “personal information”, where and when used in this Notice, shall be taken have the same meaning as personal data.
- “process” means any activity that involves use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including, organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties. The terms “processing” and “processed” shall be construed accordingly.
- “sensitive personal data”, “sensitive data” or “special categories of personal data” includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition or sexual life, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings. This type of sensitive data can only be processed under strict conditions.
Note that personal data does not include information relating to a legal person (for example, a company or its registered address). Accordingly, the collection and use of information which relates to a legal person does not give rise to ‘data controller obligations’ at law. We will still naturally treat any and all such information in a confidential manner, in accordance with our standard practices.
3 Reporting in relation to a third party
When making a report to us about another individual (particularly, an ‘adverse event report’), you warrant and confirm that you have obtained that individual’s prior permission and authorisation to make that report and to provide us with his or her personal data, including any special categories of personal data (or ‘sensitive personal data’). You must also ensure that this Notice, together with our other relevant privacy notices, are brought to that individual’s attention so that he/she can review how his/her personal data may be collected and processed by AGS.
4 Data which we collect
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We collect personal data about you when you, or a third party on your behalf (such as an HCP):
- submit an enquiry;
- make a complaint to us; and/or
- provide us with information (via a report) about an adverse event that you have experienced with regards to a product that was distributed or otherwise sold by us.
This may also include special categories of personal data about you.
We generally collect the following in connection with adverse event reporting.
- Reports made on another’s behalf.
- Name, surname, contact number and e-mail address of the reporter;
- Reporter’s profession;
- Details about the adverse event;
- Relationship with the subject of the report.
- Subject of an adverse event report.
The information which we then collect about the subject of a report is as follows:
- Name, surname and contact details;
- Age and date of birth;
- Weight and height;
- Details of the product causing the event, including the dosage taken or prescribed;
- Details of the reported adverse event; and
- Any annexed documents, such as lab reports.
Prior to and following any onward reporting, we (AGS) make every effort to remove the subject’s identifiers from the report, in accordance with our policy and practice of only retaining anonymised records of these adverse event reports. Despite our efforts though, it is possible that the documents which we receive in connection with an adverse event report (e.g. a lab report) may contain details which allow for the identification of the subject. We fully recognise this, and hold and retain all such documents in strict confidentiality at all times and under appropriate security measures.
Upon removing the subject’s identifiers (as described above), we provide and report the remaining information held in connection with the adverse event report to:
- the competent medicines authorities, including to the EMA and the MA, in accordance with our pharmacovigilance reporting obligations at law; and
- the product manufacturer, in order to ensure that the manufacturer is in a position to:
- investigate and respond to the adverse event and to take the appropriate action; and
- manage the adverse event and make efforts to prevent similar events from happening in the future.
We generally collect the following in connection with enquiries and complaints:
- The individual’s name, surname, contact number, e-mail address and organisation (where applicable);
- Details about:
- the nature of the enquiry or complaint;
- any information, materials or products that have been requested;
- our response to the enquiry or complaint and any follow-up actions;
- whether the enquiry or complaint was resolved and, if so, the manner in which it was resolved.
5 The purposes for our processing and the lawful grounds
The Activities are primarily driven by the need to monitor, detect, be made aware of and report safety information and any risks associated with products which we have placed on the marked, for reasons of substantial public interest and public benefit. We are also bound by legal and regulatory obligations to undertake safety monitoring and pharmacovigilance reporting, and to report to public agencies (including competent medicinal authorities).
We will process the personal data which we receive in connection with an adverse event report to:
- Report the adverse event to the product manufacturer;
- Provide mandatory reports to public and healthcare agencies, both national and regional (e.g. European Medicines Agency), in accordance with our legal obligations and in the public interest; and
- Process in accordance with the public interest and any legal and regulatory obligations under European Union Member State laws and guidance, including Directive 2001/83/EC as amended, Commission Implementing Regulation (EU) No 520/2012 and the adopted good pharmacovigilance practices (GVP) Modules.
We will generally rely on ‘compliance with a legal obligation’, ‘protection of your vital interests’, ‘legitimate interests’ or a combination of either of them as the lawful basis for these processing activities described above: Article 6(1)(c), GDPR; Article 6(1)(d), GDPR and Article 6(1)(f), GDPR.
In the context of special categories of personal data, we will additionally rely on the following:
- the processing is necessary for reasons of substantial public interest, on the basis of an EU or Maltese law that is proportionate to the aim pursued and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (Article 9(2)(g), GDPR);
- the processing is necessary for the purposes of preventive or occupational medicine (Article 9(2)(h), GDPR);
- the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices (Article 9(2)(i), GDPR).
Note that pharmacovigilance laws require us to take records of every adverse event reported us in order to allow that event to be assessed and evaluated with other adverse events recorded about the particular product. As mentioned however, we make every effort to remove the subject’s identifiers and anonymise these records.
Furthermore, in connection with enquiries and complaints, we will process that individual’s personal data in order to:
- respond to and deal with your enquiry or complaint;
- provide you with the information, materials or customer support which you have requested from us;
- request feedback from you with regards to the manner in which your enquiry or complaint was handled by us; and
- manage disputes or issues with you.
We consider the above processing activities to be in our legitimate interest.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
6 Disclosures of your personal data
We may also share your personal data with third parties (including, but not limited to, third parties directed by you) or those who act on our behalf as processors for any of the purposes set out above in Section 5.
We have set out below a list of the categories of recipients with whom we may share your personal data:
- healthcare authorities, regulatory bodies and other public agencies (e.g. European Medicines Authority), in accordance with pharmacovigilance laws and our legal obligations; and
- the manufacturer of the product (most relevant for cases of adverse event reports).
In such cases, those third parties would be independent controllers of your personal data and have their own separate data protection practices, policies and obligations at law.
On occasions, we may also need to share your personal data with our consultants and professional advisors, including pharmaceutical, legal and other expert advisors. Additionally, we also need to provide certain third party service providers with access to your personal data (namely, those who operate our software and IT systems). We require all of our third party service providers to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
7 International transfers
Where we need to transfer your personal data to outside the EEA for any of the purposes listed in Section 5 above (such as onward reporting to the product manufacturer), we will ensure a similar degree of protection is afforded to that personal data by ensuring at least one of the following safeguards applies or is otherwise implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- In the absence of an adequacy decision, we will use standard contractual clauses that have been approved by the European Commission.
- Where we use providers based in the U.S., we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
8 Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed (safeguard its integrity and confidentiality).
We also regularly review and, where practicable, improve upon these security measures.
In addition, we limit access to your personal data to those employees who strictly need to know that information in a professional capacity. They will only process your personal data on our instructions and are subject to a duty of confidentiality. All our employees have received appropriate training on data protection.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will use and store your Personal Data in accordance with mandatory legal requirements governing storage and reporting of Pharmacovigilance related information. Such mandatory requirements oblige us to archive PV information which may include Personal Data at least for the duration of the product life-cycle and for an additional ten years after the respective medicinal product and medical devices has been taken from the market.
11 Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
- Request access to your personal data.
- Request correction (rectification) of your personal data.
- Request erasure of your personal data.
- Object to processing of your personal data.
- Request restriction of processing your personal data.
- Request transfer of your personal data.
- Right to withdraw consent.
If you wish to exercise any of the rights set out above, please contact us at email@example.com
No fee is usually charged
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may simply refuse to comply with your request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within a period of one month from the date of receiving your request. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You have the right to:
(i) Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are processing it in a lawful manner.
You may send an email to firstname.lastname@example.org information as the personal data which we process. You shall receive one copy free of charge via email of the personal data which is undergoing processing. Any further copies of the information processed shall incur a charge of €10.00.
(ii) Right to information when collecting and processing personal data about you from publicly accessible or third party sources. When this take places, we will inform you, within a reasonable and practicable timeframe, about the third party or publicly accessible source from whom we have collected your personal data.
(iii) Request correction or rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected and/or updated, though we may need to verify the accuracy of the new data you provide to us. As mentioned, it is in your interest to keep us informed of any changes or updates to your personal data which may occur during the course of your business relationship with us.
(iv) Request erasure of your personal data. This enables you to ask us to delete or remove personal data where:
- there is no good reason for us continuing to process it;
- you have successfully exercised your right to object to processing (see below);
- we may have processed your information unlawfully; or
- we are required to erase your personal data to comply with local law.
Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. These may include instances where the retention of your personal data is necessary to:
- comply with a legal or regulatory obligation to which we are subject; or
- establish, exercise or defend a legal claim.
(v) Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal information that override your rights and freedoms.
(vi) Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- if you want us to establish the data’s accuracy;
- where our use of the data is unlawful but you do not want us to erase it;
- where you need us to hold onto the data even if we no longer require it, as you need it to establish, exercise or defend legal claims; or
- where you have objected to our use of your personal data, but we need to verify whether we have overriding legitimate grounds to use it.
(vii) Request the transfer (data portability) of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
(viii) Withdraw your consent at any time where we are relying on consent to process your personal data. This will not however affect the lawfulness of any processing which we carried out before you withdrew your consent. Any processing activities that are not based on your consent will remain unaffected.
Kindly note that none of these data subject rights are absolute, and must generally be weighed against our own legal obligations and legitimate interests. If a decision is taken to override your data subject request, you will be informed of this by our data protection team along with the reasons for our decision.
You have the right to lodge a complaint at any time to a competent supervisory authority on data protection matters, such as in particular the supervisory authority in the place of your habitual residence or your place of work. In the case of Malta, this is the Office of the Information and Data Protection Commissioner (the “IDPC”) (https://idpc.org.mt/en/Pages/Home.aspx). We would, however, appreciate the opportunity to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.
We reserve the right to make changes to this Notice in the future, which will be duly notified to you. If you have any questions regarding this Notice, or if you would like to send us your comments, please contact us today or alternatively write to our data protection team using the details indicated in this Notice.