(Last updated: 18 February 2021)

Gedeon Richter Plc. (seat: 1103 Budapest Gyömrői út 19-21.; Company Registration Number: 01-10-040944; hereinafter “we”, “us” or “Company”) is committed to protecting the privacy of individuals. This Privacy Notice informs you about the processing of the personal data collected by us from the users, subscribers, visitors (hereinafter collectively “Data Subjects”) of our website’s (hereinafter “Website”) services (hereinafter “Services”). Data Subjects below the age 16 (hereinafter “Minors”) are not eligible to use our services and we ask that minors do not submit any personal data to the Company.

Please read this Privacy Notice in conjunction with our general Terms of Use and Cookie Notice.

We may revise the Privacy Notice at any time by updating this posting and we will obtain your consent to the changes when necessary. You can determine when the Privacy Notice was last revised by referring to the “Last updated” legend at the top of this Privacy Notice.

WHO WILL BE THE DATA CONTROLLER?

The data controller is the Company. Your data will be processed by the Company in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”), and the national laws applicable to this Website.

WHAT IS THE PURPOSE OF DATA PROCESSING?

We handle personal data in order to provide you with our Services per your request. The personal data collected from you as Data Subject will be handled by our employees, kept confidential and used by us for lawful and relevant purposes for providing our services to you.

Purposes of personal data processing and such use of your personal data may be

1. connected to our Services such as
   • carrying out your requests submitted through our Website, respond to your inquiries or requests;
   • providing a communication channel for the notification of adverse reactions to us for pharmacovigilance purposes.

We may also process your personal data for purposes previously communicated to you from time to time, as long as such other purposes are directly relating to and compatible with the purposes indicated in this Privacy Notice and Cookie Notice.

WHAT IS THE LEGAL BASIS OF DATA PROCESSING?

Unless otherwise indicated to you in this Privacy Notice, processing of your personal data is voluntary and based on your freely given consent. You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Failure to provide the requested personal data may result in us being unable to provide to you our Services. If any of our communications constitute direct marketing (including newsletters) we will separately seek your consent to such communications.

In relation to adverse effect notifications, the legal basis of data processing is our legal requirement to comply with European and national pharmacovigilance laws.

If you enter into a contract with us or subscribe to our Services, we will process your personal data pursuant to Article 6 (1) and (b) of the GDPR to the extent processing is necessary in order to administer the Services you request or in order to take steps at your request prior to entering into a contract with us.

Personal data will also be processed to the extent this is required to pursue our legitimate interests as a data controller (e.g. to protect against and to prevent fraud, to manage our professional relations, to provide information about our products, to handle complaints and enforce our terms and conditions).

WHAT PERSONAL DATA MAY WE COLLECT?

In the course of our activities and for the purposes indicated above, we may process (collect) the following personal data of Data Subjects.

• Name (family name and surname, user name). This information allows us to identify you. If you consent to newsletter communications, we must keep record of your name and email address.
• Language preferences. This information allows us sending communications to you in languages you understand.
• Email address. We use your email when providing you with customer support. This information allows us to identify you and sending communications to you, in case you contact us via the Website.
• Adverse reactions information. This information is necessary for us to process, investigate and notify the adverse reactions to the regulator. Your notification must include the name of the reporting person, your phone and email address; your profession; patient information; patient’s initials; date of birth of the patient; age of the patient; sex of the patient; adverse event description, including the symptoms experienced; description of the side effects, adverse conditions, the patient’s medical history, other diseases with free text; adverse events observed, such as death; immediate threat to life; necessary treatment; persistent or significant deterioration of health, or loss of function; developmental or birth defects occurred; medicines information; start and end date of medication; medicines/drugs taken. Please, find more information on personal data processing regarding adverse event reporting in “Privacy Notice for Data Processing Connected To Pharmacovigilance and Medical Information Service” placed on our Website.
• Message information. We will keep records of our communications with you, including any complaints you submit including any read receipt information in order to provide you with customer support and the handling of complaints.
• General usage information. Information that informs us on how you use our Services when you use our Website, including search behaviour and preferences, a record of the searches that you make on our Website and browsing activity (including: IP address, time of visit, visited pages, on-page interactions, limited detail location information, device and software of the user, first-time or repeated visits, traffic source information). We use this information to improve our Services to you, as well as to identify improvement areas of the quality of our Services.

Our Services are not aimed at collecting sensitive personal data from Data Subjects, other than adverse reactions information (health data) for pharmacovigilance purposes.

DO WE USE COOKIES?

Our Website may use cookies to distinguish you from other users of our Website. This helps us to provide you with a good experience when you are browsing our Website and also allows us to improve our Website.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.

For more information regarding the use of cookies on our Website, please read our separate Cookie Notice here.

WHERE IS THE INFORMATION STORED AND WHO WILL SEE THE INFORMATION?

Only those authorized persons and departments within the Company will have access to your personal data who have an essential need to know that data for the fulfilment of their activities. We will not disclose any of your personal data to third parties, any external bodies or organizations, except as set out below, or unless you consent to data transfer or the data transfer is required or permitted by law.

We may engage third party vendors as data processors (hereinafter “Data Processor”) to provide services to us, and share your personal data with such third parties as well as with legal and other advisors, consultants that assist us. Nonetheless, in such a case, we always ensure confidentiality of your personal data, for example by concluding a confidentiality and non-disclosure agreement.

Such third party vendor Data Processors we employ are:

1.) Name of Data Processor: ALLWIN Informatika Kft. („Allwin”)

2.) Name of Data Processor: Microsoft Ireland Operations Ltd („Microsoft”)

HOW LONG WILL PERSONAL DATA BE RETAINED?

We keep personal data for no longer than is necessary for us to fulfil the purposes for which such personal data was processed (collected) unless we are specifically required to process personal data longer by applicable laws.

We will delete and erase personal data if

(i)     you withdraw consent on which the data processing is based and there is no other legal ground for the processing;

(ii)   if you object to the data processing and there are no overriding legitimate grounds for the data processing, or you object to the processing for purposes of direct marketing;

(iii) the personal data have been unlawfully processed; and

(iv) the personal data have to be erased for compliance with a legal obligation to which the Company is subject.

Deletion shall not apply to the extent that processing is necessary for compliance with a legal obligation which requires data processing by the Company or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company (if any); for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or for the establishment, exercise or defence of legal claims of the Company.

For the data processing period of your personal data provided in the course of reporting adverse events and contacting the Medical Information Service the provisions of “Privacy Notice for Data Processing Connected To Pharmacovigilance and Medical Information Service” apply.

WHAT INTERNATIONAL DATA TRANSFERS OCCUR?

Unless we inform you otherwise in this Privacy Notice or in any other communication of ours, we do not transfer your personal data to a country or territory outside the European Economic Area.

HOW DO WE ENSURE DATA INTEGRITY?

All practicable and reasonable steps will be taken to ensure that personal data held by us is accurate. Please, keep your personal data up to date, and to inform us of any changes to such personal data you provide to us.

HOW DO WE PROTECT PERSONAL DATA?

We will take all necessary steps to ensure security of the personal data and to avoid unauthorized or accidental access, collection, use, disclosure, copying, modification, disposal, erasure or other unauthorized use. Please note that electronic transmission of information cannot be entirely secure. Please note that you have the affirmative duty to keep your password information safe and not to share this data with third persons.

Any information we receive about possible adverse events related to our products, will only be accessible to a restricted number of personnel who are in the need of having access to such data in order to perform their employment duties with such data, and the data are protected by appropriate technical and organizational measures.

WHAT ARE YOUR RIGHTS AND REMEDIES?

You have the right to have incomplete, incorrect inappropriate or outdated personal data deleted or updated, marked or blocked. If you believe any of the personal data we hold about you is incomplete, incorrect or outdated, you can contact us and we will make the necessary corrections within one month of receipt of the request. All practicable and reasonable steps will be taken to ensure that personal data held by us is accurate. We will mark personal data if you dispute its correctness or up-to-date status and such claim cannot be verified beyond doubt. You may request that we delete your personal data, but we may be required by law to keep such information and not delete it (or to block or mark this information for a certain time, in which case we will comply with the deletion request only after having fulfilled such requirements).

You have the right to be informed what personal data is processed about you. We will respond to such request for access to personal data as soon as possible, but within one month from its submission at the latest. We may request the provision of additional information necessary to confirm your identity. You are also entitled to object to the processing of your personal data if processing or transfer of personal data is necessary solely for the performance of a contractual obligation, necessary for the enforcement of the legitimate interest of ours, a data recipient or any other third person (except if the data processing is compulsory); as well as if permitted by law. Such objection will be investigated by us within one month of the receipt of objection .

If you consider that your privacy and data protection rights have been infringed, you may contact the relevant data protection authority supervising the activities of the Company, namely the National Authority for Data Protection and Freedom of Information (seat: 1055 Budapest, Falk Miksa utca 9-11.; website: www.naih.hu; phone: +36 1 391 1400; fax: +36 1 391 1410]; email address: ugyfelszolgalat@naih.hu)]or to the competent data protection regulatory authority located in the European Union’s relevant Member State where your habitual residence, place of work or place of the alleged infringement is. Furthermore, you are entitled to initiate court proceedings

This Website may contain links to third party websites. These linked websites are not under our control, and are regulated by their own privacy policies. We are not responsible for the privacy practices of any such linked websites.

HOW CAN YOU CONTACT US ABOUT THIS PRIVACY NOTICE?

For more information regarding privacy and data protection inquiries and requests by Data Subjects, please contact the Company’s Legal and Global Operations Management Department (email: dataprotection-(at)-richter.hu ,  postal address: 1475 Budapest Pf.: 27.).