Privacy Information Notice issued by A.Menarini Pharmaceuticals Ireland Ltd., pursuant to art. 13, Regulation (EU) 2016/679 (“GDPR”)

How we process the personal data collected by our call centre 00353 1 284111 and company switchboard 00353 1 2846744

***

Introduction
The present information notice, issued by A.Menarini Pharmaceuticals Ireland Ltd., (hereinafter the “Company”, the “Controller”, or “we”) is addressed to all individuals who contact the Company at the above-indicated numbers, or submit their data via email or postal mail.

Contact Data and DPO
The data Controller is A.Menarini Pharmaceuticals Ireland Ltd., with registered offices at Castlecourt, Monkstown Farm, Monkstown, Co. Dublin, A96 T924, Ireland.
The Data Protection Officer (“DPO”) of the Menarini Group may be reached via email at dpo@menarini.com

What data we process
The data we process are your “ordinary” data (e.g. name, surname, phone number, etc.) and your “special categories” of data, particularly information which may reveal your health conditions. These include all the information you disclose to us in the course of telephone contacts or in other correspondence.
In case you call our call centre, we advise you that your number may automatically be detected. In addition, the recordings of the messages you leave in our voice mail can be matched with your phone number. We inform you that if you supply third-party information, you need to provide to such third parties the full information notice beforehand and –where required by the law- obtain their prior informed consent.

For what reason we process your data and how
We inform you that your Data may be processed by the Controller for the following purposes:
(i) management of your requests, which may include: requests for medical information; remarks (including complaints) about the quality of our products;
(ii) management of notifications concerning adverse events (i.e. pharmaco-vigilance).
The legal basis for the processing for such purposes is art. 9.2.(i) GDPR. (iii) performing internal statistical analysis regarding the effectiveness of our services and the quality of our products.
The legal basis of the processing for such purpose is art. 6.1.(f) of the GDPR.
Finally, your ordinary and special categories of data may be processed by the Company to establish/defend legal claims or to enforce the Code of Conduct of the Menarini Group (arts. 6.1.(f) and 9.2.(f) of the Regulation).
All your data are processed manually or electronically, on paper or with automated devices, which are at any rate suitable to ensure your data’s the security and confidentiality.

Required/Optional data
Your data are required insofar as we need them to provide the services described above – failure to give such essential data will preclude the Company to provide the services or handle your requests. Failure to provide optional data shall have no consequence on the provision of the service/request handling.

How we process your data
In line with the provisions of art. 5.1.(c) GDPR, we minimise the use of identifying personal data i.e. we process them only insofar as necessary to achieve the purposes indicated in this document. The data will be stored for as long as necessary to pursue the actual purposes for which they were collected, and in any case the criterion to determine the data retention period is based on compliance with the terms set forth by the applicable laws, as well as with the principles of data minimisation, storage limitation and rational management of archives.

How we ensure the security and quality of your personal data
The Company commits to ensuring the security of your data and to respecting the security measures set forth by the applicable laws to prevent data losses, the unauthorised or unlawful access to, or use of, your data, including but not limited to arts. 25-32 GDPR. The Company uses a number of technological security solutions and procedures designed to protect your personal data; for example, your data are stored on secure servers located in restricted and protected access places.

Who may access the data
The staff authorised to process personal data belongs to the categories of administrative staff, customer care staff (e.g., as may be the case, call centre staff or staff in charge of handling medical enquires, quality assurance complaints, pharmaco-vigilance reports), IT technicians, product managers, as well as other staff which needs to process data to perform their job duties.
Data may be communicated, also in non-EU countries (“Third Countries”) to other companies of the Menarini Group, for the same purposes and/or administrative purposes, as per art. 6.1.(f) and recital 48 GDPR.
In addition, data may be communicated, also in Third Countries, to: (i) institutions, authorities, public entities for their institutional purposes; (ii) professionals, independent consultants –working individually or in partnerships- and other third parties and providers which supply to the Company commercial, professional or technical services (e.g. IT and cloud computing service providers) including externalised call centres, for the pursuit of the above-indicated purposes, (iii) third parties in case of mergers, acquisitions, company or branch take-overs, audits or other extraordinary operations; (iv) Supervisory Company Bodies, based at the controller’s Address, to pursue their own supervisory activities and to enforce the Menarini Group Code of Conduct. Said recipients will only process the data required for their job duties and commit to use them only for the above-indicated purposes, and process them in compliance with the law. Data may in addition be communicated to the recipients identified by the applicable laws. Except as stated above, data are not shared with third parties (be they natural or legal persons), which do not provide any technical, professional or commercial service to the Controller, and will not be disseminated. Recipients process data in the capacity as data controllers, data processors or person authorised to process personal data, as the case may be, for the purposes indicated above and in compliance with the applicable laws.
As far as data transfers to Third Countries are concerned (including countries who may not afford the right to “data privacy” the same level of protection as EU law), the Controller informs that data will be transferred in compliance with one of the methods prescribed by the GDPR, including your consent, the adoption of Standard Contractual Clauses approved by the EU Commission, the selection of recipients enrolled in programmes for the free movement of data (e.g. EU-US Privacy Shield) or operating in countries considered safe by the EU Commission.

Your rights
You may at any time exercise the rights afforded to you by arts. 15-22 of the GDPR, including: the right to know whether we are processing your data or not, verify their content, origin, accuracy, location (including the Third Countries where they might be), ask a copy, ask that they are rectified and, where envisaged by the applicable, law, obtain the restriction of their processing, their erasure, or oppose to their processing, withdraw the consent you have given (without prejudice for the lawfulness of the processing carried out before withdrawal) by writing to the postal address indicated above or via email at ireland@menarini.ie Likewise, you may submit any remarks you may have on the processing of your data which you regard as inappropriate by writing an email to the DPO (dpo@menarini.it); you may also lodge a complaint with (Data Protection Authorities).