Information on the Processing of Personal Data – Pharmacovigilance

pursuant to Regulation (EU) 2016/679 and Legislative Decree 196/2003 and subsequent amendments

The following information is provided in compliance with the provisions of European legislation (EU Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, hereinafter referred to as “GDPR”) and the applicable national legislation in force.

Data Controller

The Data Controller is G.N. Pharmaceutical Srl, with registered office in Modugno (BA), Via Dei Gigli 17 (Email: info@gnpharmaceutical.com, Certified Email: giusininivaggi@legalmail.it, Tel.: +39 0808890375).

Purposes of Processing

Correct and complete management of pharmacovigilance reports.

In particular, for the purposes of:

  • investigating the adverse event;
  • contacting the reporter to obtain, where necessary, further information in addition to that already provided;
  • comparing information on the adverse event with information on other adverse events received by the Data Controller in order to analyse the safety of the product, a generic component, or an active substance as a whole;
  • providing the competent authorities with the information required by law, so that they may analyse the safety of the product as a whole, or of a generic component or active substance.

Legal Basis for Processing

The processing of personal data for this purpose constitutes a legal obligation (Art. 6.1.c, GDPR). With regard to the processing of “special categories of data”, it is necessary for reasons of public interest in the field of public health, such as ensuring high standards of quality and safety of medicinal products and medical devices (Art. 9.2.i, GDPR).

Data Retention

With reference to the purpose indicated in the preceding paragraph, personal data will be retained in accordance with the following terms and criteria:

  • for pharmacovigilance purposes, for as long as the pharmaceutical product is authorised for marketing and for a further period of 10 (ten) years from the expiry of the marketing authorisation.

For technical reasons, the cessation of processing and the consequent deletion or anonymisation of personal data will take place within 30 (thirty) days of the above-mentioned deadlines.

This is without prejudice to cases in which retention for a further period is required for any litigation, requests from competent authorities, or pursuant to applicable legislation.

The processing of your personal data will take place at the registered office located in Modugno (BA), Via Dei Gigli 17, and will be carried out in both automated and manual form, using methods and tools designed to ensure maximum security and confidentiality, by expressly authorised individuals for the time strictly necessary to achieve the purposes for which the data were collected. The data provided will be used with paper-based, IT and electronic tools. Specific security measures are in place to prevent data loss, unlawful or incorrect use, and unauthorised access. Upon expiry of the retention periods indicated above, the data will be destroyed or rendered anonymous, in accordance with the technical deletion and backup procedures.

Nature of Data Provision and Refusal

The provision of personal data is mandatory for the conclusion and performance of the contract, as well as for the fulfilment of legal obligations. Therefore, any refusal — even partial — or inaccurate indication of such data will make it impossible for the Data Controller to correctly perform the contract and/or all related obligations.

Recipients of the Data

The following parties are recipients of the collected data and will therefore process such data on behalf of the Data Controller, pursuant to Art. 28 of the Regulation, as Data Processors:

  • persons authorised by the Data Controller to carry out personal data processing operations (employees or collaborators of the Data Controller);
  • Data Processors appointed by the Data Controller (providers of IT, technological and electronic services; providers of pharmacovigilance report management services);
  • independent data controllers (national and European medicines and pharmaceutical agencies; other pharmaceutical companies linked to the Data Controller by licensing and distribution agreements for pharmaceutical products, or in the event of transfer of the marketing authorisation for the pharmaceutical product).

To find out at any time the parties to whom your data will be communicated, you may request an updated list by writing to the Data Controller at the contact details indicated above. Furthermore, your data may be communicated to external parties such as, by way of example and without limitation, supervisory and control authorities and, in general, public or private entities legally entitled to request such data (e.g. the Italian Revenue Agency, the Financial Police).

Authorised Individuals

The collected personal data will also be processed by internal authorised individuals acting on the basis of specific instructions provided regarding the purposes and methods of the processing itself.

Rights of Data Subjects – Complaint to the Supervisory Authority

In relation to the data subject to the processing described in this document, you have the right:

  • at any time, to request from the Data Controller access to your personal data and related information (Art. 15 GDPR); rectification of inaccurate data or completion of incomplete data (Art. 16 GDPR); erasure of personal data concerning you (upon the occurrence of one of the conditions set out in Art. 17, para. 1 of the GDPR and subject to the exceptions provided for in para. 3 of the same article); restriction of the processing of your personal data (upon the occurrence of one of the cases set out in Art. 18, para. 1 of the GDPR);
  • at any time, to request and obtain from the Data Controller — where the legal basis for processing is a contract or consent, and the processing is carried out by automated means — your personal data in a structured, machine-readable format, including for the purpose of transmitting such data to another data controller (so-called right to data portability, Art. 20 GDPR);
  • at any time, to object to the processing of your personal data where particular circumstances concerning you arise (Art. 21 GDPR).

The relevant request may be submitted by contacting the Data Controller at the contact details indicated above. If you believe that the processing of your data is in breach of the provisions of the Regulation, you may lodge a complaint with a supervisory authority (Italian Data Protection Authority – www.garanteprivacy.it), as provided for in Art. 77 of the GDPR, or seek judicial remedy (Art. 79 of the GDPR).