Information from The Danish Medicines Verification Organisation ApS to Suppliers in connection with the EU General Data Protection Regulation
V. 1.0. October 2018
Background
In May 2018 a new EU-regulation regarding the protection of personal data came into effect, known as the General Data Protection Regulation (GDPR). At the Danish Medicines Verification Organisation ApS (DMVO) we have of course acquainted ourselves thoroughly with the legislation and the requirements of the law for us.
Among other things, this means that DMVO must meet the enhanced requirements in the GDPR in regards to informing data subjects about the collection, storage, and use of data. This applies, even though it only concerns data related to the professional work of the data subjects.
Credibility and professionalism are core values at DMVO. Therefore, the purpose of this privacy policy is to supply all mandatory information about our use of data about suppliers in connection with our operation and administration of DMVO. This privacy policy elaborates in detail how we process data in relation to our purpose: to establish, administer, and operate a national data storage system in accordance with the requirements of EU legislation [1].
What types of data does DMVO process
DMVO stores and processes the data necessary to fulfil our purpose: to establish, administer and operate a national data storage system in accordance with the requirements of EU legislation. This concerns, among other things, data about contact persons at suppliers. This processing may include name, title, work-related contact information, login information related to our contract management system, as well as data related to invoicing.
What is the purpose of DMVO’s data processing
The purpose of DMVO is to establish, administer and operate a national data storage system in accordance with the requirements of EU legislation. We store and process data for this statutory purpose. In connection with this, we process data amongst other things to enter into contracts with suppliers, assign secure access to our contract management system, administer this system, and handle communication with data subjects. Furthermore, we can process data as part of our duty to enable the competent authority to keep control etc.
Besides this purpose, we must store and process data in compliance with applicable legislation (e.g. the EU General Data Protection Regulation). For instance, we must be able to document that we have supplied this privacy policy. We must also be able to document that we have responded to certain types of inquiries within certain time limits.
We are obliged to implement and maintain security precautions that can protect data, i.e. prevent unauthorized access to IT systems (hacking), prevent the receipt or distribution of malware, block denial-of-service attacks, etc. Should a security breach happen despite this, we can be obliged to report it to the authorities and the affected data subjects.
Data must also be stored in order for us to provide the authorities and other official inspection bodies with the necessary information if they wish to carry out inspections or inquiries.
We must also store and process data to ensure availability should a dispute with data subjects or third parties arise.
The legal basis for collection, processing and disclosure of data in DMVO
Our collection, processing and disclosure of data must be consistent with the GDPR. Therefore, DMVO has had a legal analysis done, to ensure that we have a legal basis for the use of data to comply with a legal obligation, as well as legitimate additional interests.
Our legal basis can be that the processing is necessary for compliance with a legal obligation to which we are subject. The legal obligation is found in the EU regulation (EU/2016/161) which lays down detailed rules for the safety features appearing on the packaging of medicinal products for human use and the establishment of the repositories system in connection with this as well as the Danish Medicines Act (cf. EU directive 2011/62/EU).
In addition to this, part of the data that DMVO processes is necessary for the purpose of legitimate interests pursued by us. To ensure a balance of interests, we apply the principles that:
- Data is limited to what is strictly necessary to carry out the purposes of DMVO.
- DMVO is a non-profit organization that processes data with the purpose of establishing, administering, and operating a national data storage system in accordance with the requirements of EU legislation.
- The data relates to the professional work of the data subject and not the data subject as a private individual.
- Suppliers have an interest in the processing of their data for the purpose of, i.a., the correct signing of an agreement and handling communication with the data subjects in this relation as part of observing the legal requirements of the EU regulation.
- Furthermore, we place emphasis on our legitimate interest in securing data with all the necessary security measures and being able to communicate and cooperate with the data subject and the relevant public authorities.
- Finally, we have placed emphasis on our legitimate interest in determining and defending legal rights and invoking them in relation to any disputes that might arise.
What are DMVO’s data sources
Personal data is collected from suppliers and may be supplemented with data from the organization of the supplier in question.
Who can process data
DMVO can make use of one or more data processors. Typically, these are companies that process data on behalf of DMVO. DMVO uses Danish Pharmaceutical Information A/S (Dansk Lægemiddel Information, DLI) and The Danish Association of the Pharmaceutical Industry (Lægemiddelindustriforeningen, Lif) in Denmark and their subcontractors as data processors with regard to IT operation and IT security as well as invoicing. Furthermore, DMVO uses an IT-system supplier and legal consultant with regard to contract formation, as well as selected consultants and their subcontractors who assist us with the operation of DMVO.
Transfers to third countries
We or our data processors do not currently transfer personal data to countries outside the EU/EEA as part of our processing activities, but reserve the option of doing so in the future. If transfers outside the EU/EEA will take place in the future, DMVO must ensure that we inform data subjects about it.
How long is data stored
DMVO retains the stated personal data as long as needed to fulfil the stated purposes mentioned above, to comply with the legal obligations to which we are subject, and to attend to the relation to the suppliers. In addition we retain personal data in relation to expiry of statutory limitations on criminal liability and liability for damages (absolute time limits), if relevant.
What are your rights in regards to your personal data
As the data subject you have certain rights within statutory limitations. E.g., you have the right to access personal data stored about you as a supplier. You have the right to rectification of inaccurate data. You have the right to data erasure, i.a. if data is processed against regulations or is no longer necessary for the stated purposes. You have the right to object to processing of your personal data. Finally, you have the right to complain to a competent supervisory authority, including the Danish Data Protection Agency. However, you should be aware that according to the GDPR we are only bound to meet such requests on certain conditions.
If you have any questions concerning the processing of your personal data or exercising your rights, you are welcome to contact us:
Contact:
Tina Hou Marer
DMVO
Phone: +45 39 15 09 51
E-mail: thm@dmvo.dk
Who is the Data Controller
The Danish Medicines Verification Organisation ApS, Lersø Park Allé 101, 2100 København Ø
[1] Delegated regulation (EU) 2016/161 of 2 October 2015.
Version: 1.0, Date: May 2018
You have the right, for reasons that concern your special situation, to object to processing of personal data where the lawful basis is a legitimate interest. The data controller may subsequently no longer process your personal data, unless the data controller proves weighty lawful reasons for processing that take precedence over your interests, fundamental rights or freedoms, or the processing is necessary to determine or defend legal rights and/or invoke them.