General policy for the protection of personal data
What is the purpose of this General Policy?
The purpose of this General Policy is to provide you with general and understandable information regarding the categories of Personal Data collected, how we use the data as part of our activities and your rights in this regard.
Where appropriate and when necessary, you will be provided with specific information regarding any specific processing of your Personal Data. That detailed information will describe precisely how your Personal Data are processed and will name the LFB Group subsidiary acting as the Data Controller.
By way of example, specific information will be provided to:
– patients participating in medical research sponsored by an LFB Group entity, via the investigating doctor.
– healthcare professionals participating in a symposium organised by the LFB Group.
Who is this General Policy for?
This General Policy concerns people with whom the LFB Group is in contact and in particular:
– Patients participating in medical research,
– Healthcare professionals,
– Representatives of our contractors or our prospects,
– Representatives of our institutional partners,
– Candidates for job offers,
– Internet users browsing LFB Group websites,
– Any person who contacts us, including by phone.
How are your Personal Data used (what are the purposes)?
The LFB Group may collect and use your Personal Data for the following purposes:
– To carry out medical research with participants, and in particular to manage the participation of patients and the recruitment of health professionals and subcontractors.
– To comply with our legal obligations in terms of pharmacovigilance, haemovigilance, medical device vigilance, medical information, complaints related to the quality of our products.
– To manage relations between healthcare professionals and the LFB Group, in particular for invitations to events (symposiums, conferences, congresses), communications regarding our activities via email campaigns or replies to their requests and questions.
– To maintain commercial and/or contractual relationships with our customers, suppliers and prospects.
– To manage and monitor information provided via canvassing or prospecting for the promotion of our medicines in compliance with the Charter and Certification Framework for promotional activities as established by the French National Authority for Health (HAS).
– To comply with our legal obligations regarding transparency in interactions and the French Anti-Gift law.
– To manage job offers.
– To analyse the audience that visits our websites and improve their interactivity.
– To manage our professional alert systems.
– To assess the integrity of third parties, in application of the French Sapin II law.
– To communicate with you and reply to your requests, including those made by telephone.
What types of data are processed?
In order to comply with the principle of data minimisation, the LFB Group only processes Personal Data that are appropriate, relevant and necessary for the purposes for which they are processed.
Details of the Personal Data processed will be provided in the specific information notices.
In general and depending on the specific purpose, the LFB Group may process the following data:
– Your identification (civil status, identity, etc.)
– Data relating to your professional life (CV, diploma, job, title, etc.)
– Your contact information (postal address, email address, telephone number, etc.)
– Data relating to your interactions with the LFB Group and in particular job interview reports, email exchanges, etc.
– In strictly limited and legally framed cases:
  – Health data of patients who use our medicines (for example in the context of a pharmacovigilance alert) or participants in medical studies when the LFB Group is the sponsor of the research.
  – Data required in the context of our professional alert systems.
  – Data required to assess the integrity of a third party that interacts with a company of the LFB Group.
Where does the Personal Data we process come from?
We may collect your Personal Data by various means:
– Directly from you, including through your interactions with employees of the LFB Group, during events that we organise or when you fill out a form.
– Indirectly:
  – From public sources.
  – From third parties provided that they are able.
  – From cookies or tracers present on our websites.
What are the legal bases for our processing of your Personal Data?
We can only process your Personal Data in the context of lawful processing.
Processing is only lawful if it is based on one of the legal bases included in applicable laws (GDPR and, where applicable, local laws).
The processing of Personal Data carried out by the LFB Group is mainly based on one of the following legal bases:
– The performance of a contract. This is the case, for example, in the context of relations with our contracting partners. We are obliged to process the Personal Data of the representative of our contracting partner as well as of certain employees in order to perform the contract.
– Compliance with a legal obligation. This is particularly the case for the advantages that we grant to healthcare professionals. We are required to process their Personal Data in order to comply with our legal obligations regarding transparency in interactions and the provisions of the French Anti-Gift law.
– The legitimate interests pursued by the LFB Group, provided that they are in balance with your rights. This is the case, for example, with the processing of your Personal Data in the context of medical research sponsored by the LFB Group. In such cases, the legitimate interests pursued by the LFB Group are weighed against your interests, freedoms and fundamental rights which require protection of personal data.
Given its activity, the LFB Group is called upon to process special categories of Personal Data or sensitive data including health data. The LFB Group only processes these data if this is permitted by the GDPR or applicable local laws. For example, in the context of medical research, we process health data of patients participating in the research, because this processing is necessary for scientific research purposes and it complies with what is authorised by the GDPR (Article 9(2)(j)).
Where applicable, specific information notices will specify the applicable legal basis for each processing concerned.
How long do we keep Personal Data for?
The LFB Group limits the retention period of Personal Data. The retention period of Personal Data varies depending on the purpose of the processing concerned. This duration may, depending on the circumstances, be defined by the LFB Group or by applicable law. Thus, and by way of example, the personal data processed as part of pharmacovigilance will be kept for a maximum period of 70 years from the withdrawal of the medicine from the market. Data from job applications will be kept for 2 years from the last contact the candidate has with the LFB Group.
Once the retention period has been reached, the Personal Data are destroyed or anonymised depending on the case. In the latter case, this means that it will be impossible to identify you from such data.
How is the security of your personal data ensured?
The LFB Group implements technical and organisational measures to protect your personal data. We take reasonable steps to protect your data from loss, misuse, unauthorised access, disclosure, modification or destruction.
Are your Personal Data transferred to other recipients and can they be transmitted to recipients located outside the European Union?
The Personal Data collected may, depending on the case, be shared within different departments or subsidiaries of the LFB Group.
They may also be shared with public authorities or government agencies. By way of example and in order to comply with our legal obligations regarding transparency in interactions and the provisions of the French Anti-Gift law, certain types of Personal Data of health professionals will be transmitted to the French Ministry of Health and to professional associations (such as the French Medical Council (CNOM) or the French Chamber of Pharmacists (CNOP)).
Personal Data may also be shared with service providers acting as a Data Processor on behalf of the LFB Group (within the limit necessary for the performance of the work that we entrust to them).
In the event that Personal Data are entrusted to a Data Processor, an agreement will be concluded with the Data Processor in order to ensure and guarantee that the Personal Data are processed in accordance with our instructions and that adequate technical and organisational measures are taken to protect them.
The recipients of the Personal Data may be located outside the European Union. In this case, the LFB Group will ensure that this transmission is legally framed by ensuring that adequate guarantees are implemented.
Where applicable, specific information notices will name the recipients with access to your Personal Data and whether the data are transferred outside the European Union.
What are your rights with respect to your Personal Data?
Under the conditions and limits of the applicable regulations, you have the following rights:
– Right of access: you can ask us to access the personal data we hold about you.
– Right of rectification: you can ask us to correct data that are inaccurate or incomplete.
– Right of erasure (right to be forgotten): you have the possibility, under certain conditions, to obtain the erasure of the Personal Data that we hold about you. However, we have the possibility to refuse your request, in particular if we need your Personal Data to meet a legal obligation. This is for example the case of data collected in the context of pharmacovigilance.
– Right to restriction of processing, in particular in the event that you contest the accuracy of the Personal Data that we hold about you.
– Right of objection: you may object, for reasons relating to your particular situation and under certain conditions, to the processing of data concerning you.
– Right to data portability: you have the right to receive the Personal Data that we hold about you in a readable format so that they can be stored or transmitted.
– Right not to be subject to a decision based solely on automated processing, including profiling.
Because certain rights can only be exercised under certain conditions, we may not respond favourably to your request. In such a case, we will explain the reasons for our refusal.
To obtain more information on your rights and the conditions for exercising them, please consult the site of the CNIL (French Data Protection Authority) at the following address: https://www.cnil.fr/fr/les-droits-pour-maitriser-vos-donnees-personnelles
How to contact us?
To exercise your rights, you can contact our data protection officer at the following addresses:
– By email: privacy@lfb.fr
– By post: LFB BIOMEDICAMENTS – Direction des Affaires Juridiques [Legal Affairs Department] – DPO – 3 avenue des Tropiques, BP 40305, 91958 Courtabœuf Cedex – France
You can lodge a complaint at any time with a supervisory authority and in particular with that of the Member State in which your usual residence, place of work or the place where you consider that a breach of the regulations has been committed is located (for example, the CNIL for France: www.cnil.fr).
Modification of the General Policy:
We may modify the General Policy, in particular in the event of a regulatory or legislative change or a change in the practices implemented within the LFB Group.
Please consult the General Policy on a regular basis.
Definitions
– LFB Group or LFB or we/us: refers to LFB SA and its affiliated companies subject to the GDPR.
– Personal Data: refers to any information concerning an identified or identifiable natural person; an “identifiable natural person” is deemed to be a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
– General Policy: refers to this general policy for the protection of Personal Data.
– Data Controller: refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
– Data Processor: means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.
Version dated 26/05/2020