Information from The Danish Medicines Verification Organisation ApS to Stakeholders in connection with the EU General Data Protection Regulation
V. 1.0. September 2018
Background
In May 2018 a new EU regulation regarding the protection of personal data came into effect, known as the General Data Protection Regulation (GDPR). At the Danish Medicines Verification Organisation ApS (DMVO) we have of course acquainted ourselves thoroughly with the legislation and the requirements of the law for us.
Among other things, this means that DMVO must meet the enhanced requirements in the GDPR with regard to informing data subjects about the collection, storage, and use of data.
Credibility and professionalism are core values at DMVO. Therefore, the purpose of this privacy policy is to supply all mandatory information about our use of data about stakeholders in connection with our operation and administration of DMVO. This privacy policy elaborates in detail how we process data in relation to our newsletters and general communication with stakeholders. Personal data may also be covered by other privacy policies in DMVO. Click on the links to see the privacy policies for MAHs and end-users.
What types of data does DMVO process
DMVO stores and processes the data necessary to live up to our purpose: to establish, administer and operate a national data storage system in accordance with the requirements of EU legislation. This concerns data about DMVO's stakeholders.
The processing covered in this privacy policy concerns personal data including name, title, work-related contact information, company and content of communication with DMVO.
What is the purpose of DMVO's data processing
The purpose of DMVO is to establish, administer and operate a national data storage system in accordance with the requirements of EU legislation. We store and process data for this statutory purpose. In connection with this, we process data amongst other things to communicate with stakeholders and send out newsletters.
Besides this purpose, we must store and process data in compliance with applicable legislation (e.g. the EU General Data Protection Regulation). For instance, we must be able to document that we have supplied this privacy policy. We must also be able to document that we have responded to certain types of inquiries within certain time limits.
We are obliged to implement and maintain security precautions that can protect data, i.e. prevent unauthorized access to IT systems (hacking), prevent the receipt or distribution of malware, block denial-of-service attacks, etc. Should a security breach happen despite this, we can be obliged to report it to the authorities and the affected data subjects.
Data must also be stored in order for us to provide the authorities and other official inspection bodies with the necessary information if they wish to carry out inspections or inquiries.
We must also store and process data to ensure availability should a dispute with data subjects or third parties arise.
The legal basis for collection, processing and disclosure of data in DMVO
Our collection, processing and disclosure of data must be consistent with the GDPR. Therefore, DMVO has had a legal analysis done to ensure that we have a legal basis for the use of data.
Our legal basis for the processing covered by this privacy policy is that the processing is necessary for the purpose of legitimate interests pursued by DMVO. To ensure a balance of interests, we apply the principles that:
- Data is limited to what is strictly necessary to communicate with stakeholders.
- DMVO is a non-profit organization that processes data with the purpose of establishing, administering, and operating a national data storage system in accordance with the requirements of EU legislation.
- The data relates to the professional work of the data subject and not the data subject as a private individual.
- Stakeholders have an interest in the processing of their data for the purpose of communicating and sending out newsletters to stay up to date with relevant information about the work of DMVO in which they are involved.
- Furthermore, we place emphasis on our legitimate interest in securing data with all the necessary security measures and being able to communicate and cooperate with the data subject and the relevant public authorities.
- Finally, we have placed emphasis on our legitimate interest in determining and defending legal rights and invoking them in relation to any disputes that might arise.
What are DMVO's data sources
Personal data is collected from stakeholders and may be supplemented with data from the organization of the stakeholder in question.
Who can process data
DMVO can make use of one or more data processors. Typically, these are companies that process data on behalf of DMVO. DMVO uses Danish Pharmaceutical Information A/S (Dansk Lægemiddel Information, DLI) and their subcontractors as data processors with regard to IT operation and security. Furthermore, DMVO uses a supplier of a system to send out newsletters, as well as selected consultants and their subcontractors who can assist us with the operation of DMVO.
Transfers to third countries
Our data processor who supplies a system to send out newsletters transfers data to third countries for hosting purposes. The legal basis for transferring personal data included in this privacy policy is that our supplier and their subcontractors have self-certified under the EU-US Privacy Shield. To read more, see: https://www.privacyshield.gov/welcome. If you wish further information about who we transfer data to, you are welcome to contact us.
How long is data stored
DMVO retains the stated personal data as long as needed to fulfil the stated purposes mentioned above and attend to the relationship with the stakeholders. In addition, we retain personal data in relation to expiry of statutory limitations on criminal liability and liability for damages (absolute time limits), if relevant.
What are your rights with regard to your personal data
As the data subject you have certain rights within statutory limitations. E.g., you have the right to access personal data stored about you as a stakeholder, and you have the right to rectification of inaccurate data. You have the right to data erasure, inter alia if data is processed against regulations or is no longer necessary for the stated purposes. You have the right to object to processing of your personal data. Finally, you have the right to complain to a competent supervisory authority, including the Danish Data Protection Agency. However, you should be aware that according to the GDPR we are only bound to meet such requests under certain conditions.
If you have any questions concerning the processing of your personal data or exercising your rights, you are welcome to contact us:
Contact:
Tina Hou Marer
DMVO
Phone: +45 39 15 09 51
E-mail: thm@dmvo.dk
Who is the Data Controller
The Danish Medicines Verification Organisation ApS, Lersø Park Allé 101, 2100 København Ø