Privacy Notice for Website Visitors and Users
Last Updated: December 2, 2020
This Privacy Notice is provided by Celltrion Healthcare United Kingdom Limited. (hereinafter "Celltrion Healthcare" or "we") and its subsidiaries/branches to explain who we are, how we collect, share, and use personal data about visitors and users of our website (hereinafter "you" or "user"), as well as how they can exercise their privacy rights. If you have any questions or concerns about our use of your personal data, or would like to exercise any of your rights — including, but not limited to, objecting to the processing of your personal data in the ways that are described herein — then please contact us using the details provided at the end of this Privacy Notice.
WHO WE ARE
Celltrion Healthcare is a global pharmaceutical company whose ultimate parent company is headquartered in Incheon, Republic of Korea (South). For more information about us, please visit our website at https://www.celltrionhealthcare.co.uk. We are committed to lawful, fair and transparent processing of all personal information about the users and we will ensure that collection and use of personal information is carried out in accordance with applicable data protection laws. The main law governing data protection is the General Data Protection Regulation (Regulation (EU) 2016/679 of 27 April 2016) known as the GDPR.
Celltrion Healthcare primarily acts as the data controller for the personal information we process. We do not require registration to visit or use our websites. However, some services may require users to provide us with Personal Data, such as contact details and their preference or interests in relation to certain issues.
"Personal Data" means, for the purposes of this privacy notice, any information that identifies one as an individual or relates to an identifiable individual, such as:
• Contact details (for example, name, telephone numbers and email addresses);
• Interests (for example, health conditions, specific requests made through the website).
If you are a Healthcare Professional ("HCP"), we may request additional Personal Data related to our professional interaction with you.
* HCP refers to any member of the medical, dental, pharmacy, or nursing professions or any other person who, in the course of his or her professional activities, may prescribe, purchase, supply, or administer a medicinal product.
* For the purposes of this privacy notice, Additional Personal Data includes, but is not limited to:
• Professional biography/credentials;
• Data related to licenses, specialties, professional affiliations, publications, credentials, and other occupational achievements; or
• Data related to your use of our products, your interactions with us, and services for those whom you care for. Providing us with, or giving us permission to collect, any Personal Data relating to individuals other than yourself requires you to have valid authority to do so pursuant to the relevant data protection legislation.
HOW WE COLLECT PERSONAL DATA
We use different methods to collect Personal Data from and about you. These include Personal Data you provide when you:
• apply for our products or services;
• create an account on our website;
• subscribe to our service or publications;
• request marketing to be sent to you;
• enter a competition, promotion or survey; or
• give us feedback or contact us.
HOW WE USE PERSONAL DATA
We use Personal Data in order to maintain functionalities on our websites such as:
• Providing customer service to users;
• Responding to user inquiries and fulfilling any user requests;
• Sending administrative information to users, such as changes to our terms, conditions, and policies, as well as market information that we believe may be of interest to you.
We also use Personal Data to ensure that our business operations comply with any relevant legal obligations and match our legitimate interests For example, we could use Personal Data for the following purposes:
• Data analysis;
• Internal data audits;
• Identifying usage trends for our websites;
• Detecting, preventing, and investigating fraud in the use of our websites;
• Cyber security monitoring;
• Developing, enhancing, or modifying our products and services;
• Validating users' ability to access or utilise our products and services; or
• Understanding how our products and services impact you and those in your care.
The Personal Data that you and other website users provide may be aggregated. The Personal Data will be combined and communicated in terms of totals or summary so that it can no longer be associated with you. We may use aggregated data for other purposes (e.g., for research or statistical purposes) in which case we may use this information indefinitely without further notice to you.
HOW WE DISCLOSE PERSONAL DATA
We may share Personal Data to third parties as follows:
• Our subsidiaries and affiliates worldwide for the purposes described in this Privacy Notice.
• Service providers in order to provide services including, but not limited to: website hosting, data analysis, information technology, infrastructural provision, customer service, email delivery, and auditing.
• Other companies with whom we collaborate regarding particular products or services, including our co-promoting partners for products that we develop and market jointly.
If we use a third-party data processor to process Personal Data on our behalf, we will obtain contractual commitments to safeguard the security of the Personal Data to ensure that the third party only acts on our instructions when using that Personal Data and that the third party has in place appropriate technical and organisational security measures to safeguard the Personal Data.
We may also disclose your Personal Data as we believe to be necessary or appropriate:
• (i) To comply with applicable law, as well as our regulatory monitoring and reporting obligations (including laws outside your country of residence);
(ii) to respond to requests from both public and government authorities (including authorities outside your country of residence);
(iii) to cooperate with law enforcement; or (iv) for other legal purposes.
LEGAL BASIS FOR PROCESSING PERSONAL DATA
We will only use Personal Data when the law allows us to do so and relying on a relevant basis for lawful processing in each instance.
If you are a visitor from the European Economic Area, our legal basis for collecting and using the Personal Data as described above will depend on the Personal Data concerned and the specific context in which we collect it.
However, we will generally collect Personal Data from you only where we have your consent to do so, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms.
If we ask you to provide Personal Data to comply with a legal requirement or for contacting purposes, we will make this clear at the relevant time and advise you whether or not the provision of your Personal Data is mandatory (as well as of the possible consequences of not providing your Personal Data).
Similarly, if we collect and use your Personal Data in reliance on our legitimate interests (or those of any third party), we will alert you and clarify what those legitimate interests are at the relevant time unless the basis for processing such data is not specified below or otherwise in this privacy notice:-
• Basis of processing: Where we need to perform a contract we are about to enter into or have entered into with you:
(i) to provide you with information, products or services that you request from us; and
(ii) to carry out our obligations arising from any contracts entered into between you and us.
• Basis of processing: Where it is necessary for our legitimate interests (or those of a third party) and we have undertaken an assessment to determine that processing for those interests (listed below) does not outweigh your interests and fundamental rights, considering the nature and impact of the processing and any relevant safeguards we can put in place:
(i) to protect the assets of the Company, increase your safety or safety of our employees or to deter and detect crime including online crime; and
(ii) to maintain a basic amount of information about you and your transaction history, in order to provide you service tailored to your preferences.
Under certain circumstances, you have rights under data protection laws in relation to your Personal Data, as summarised below.
You have the right to:
• request access to your Personal Data (commonly known as a data subject access request). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it;
• request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us;
• request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request;
• object to processing of your Personal Data where we are relying on a legitimate interest (of our own or of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms;
• request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios:
(i) if you want us to establish the data's accuracy;
(ii) where our use of the data is unlawful but you do not want us to erase it;
(iii) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
(iv) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you; and
• withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you would like to request to review, correct, update, suppress, restrict, or delete Personal Data that you have provided us through these websites, or if you would like to request to receive an electronic copy of your Personal Data for the purpose of transmitting it to another company, you may contact us as indicated in the "CONTACT US" section. We will respond to your request promptly, in compliance with applicable laws.
In your request, please let us know what Personal Data you would like to have changed, whether you would like to have it suppressed from our database, or set certain limitations on our use of your data. We may need to verify your identity before implementing your request. We will try our best to respond to your request as soon as reasonably practicable.
When asked to provide Personal Data, you may decline. However, choosing not to provide necessary information may limit our ability to supply you with requested services.
Please note that we may need to retain certain types of Personal Data for recordkeeping purposes.
We will always take appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing (including taking reasonable steps to ensure the reliability of employees who have access to personal information).
We have put in place internal procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We will not keep Personal Data in a form which permits identification of individuals for longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to destroy, or erase from our systems, all data which is no longer required. We will comply with our data retention policy. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of Personal Data, the purposes for which we process information and whether we can achieve those purposes through other means, and the applicable legal requirements.
We will only keep Personal Data for as long as is necessary for the purpose or purposes for which that Personal Data are processed; and we will let anyone about whom we process data know how long that is or the criteria that go into deciding how long that is.
We may sometimes anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Our website may, from time to time, contain links to and from the websites of partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies or the security of these websites. Please check the relevant policy before you submit any personal information to these websites.
INTERNATIONAL DATA TRANSFERS
• Your personal information may be transferred to, and processed in countries other than the one in which you are resident. These countries may have data protection laws that are different from the laws in your country.
The servers of this website are located in the Republic of Korea (South). We may transfer your personal information with legitimate purpose to our subsidiaries/affiliates, third party service providers, and business partners located around the world provided that one of the following conditions applies:
(i) the country to which the Personal Data are transferred ensures an adequate level of protection for that individual's rights and freedoms;
(ii) an individual has given their explicit and informed consent having had the risks explained to them;
(iii) the transfer is covered by one of the derogations set out in the GDPR, including the performance of a contract between us and that individual, or to protect the vital interests of individuals;
(iv) the transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims; or
(v) the transfer is authorised by the relevant data protection authority where we have checked adequate safeguards exist with respect to the protection of the individual's privacy, their fundamental rights and freedoms, and the exercise of their rights.
We will take appropriate safeguards to ensure that your Personal Data will remain protected in accordance with this Privacy Notice. This includes implementing the European Commission's Standard Contractual Clauses for transfers of personal information between our group companies, which requires all group companies to protect personal information they process from the EEA in accordance with the European Union data protection laws.
Appropriate safeguards have also been implemented with our third party service providers and partners. Further details, along with our Standard Contractual Clauses, can be provided upon request.
USE BY MINORS
Our websites and online services are not intended to be used by anyone under the age of 18.
We reserve the right to change this policy at any time. We may update this Privacy Notice from time to time in response to changing legal, technical, or business developments. This Privacy Notice was last updated as of the "Last Updated" date shown above.
If you have any questions or concerns about our use of your personal information, please contact our data protection officer using the following details: DPO.CTHC@celltrionhc.com or DPO@chaucer.com.
You also have the right to file a complaint with your local data protection authority: (such as https://edpb.europa.eu/about-edpb/board/members_en for EEA residents).