(v3 May 2020)
The purpose of this policy is to provide any person (or ‘data subject’) in relation to whom IMVO holds personal data, with details of the information that we collect, how we process it and who we share it with. It also explains your rights under data protection law in relation to our processing of your data.
Certain key terms are used in this policy such as ‘personal data’, ‘processing’, ‘data protection law’ and these are defined in the Definitions section included at Annex 1.
This policy applies to IMVO’s employees, contractors and officers.
Who controls the use of your personal data?
The Irish Medicines Verification Organisation, a company limited by guarantee exempt from the requirement to use ‘CLG’ in its name (with the registered business name ‘IMVO’), whose registered address is c/o IPHA Office, Wilton Park House, Wilton Place, Dublin 2, is the company that controls and is responsible for personal data that is covered by this policy. IMVO is therefore a ‘data controller’.
Compliance with principles of data protection law
IMVO adheres to the principles of the data protection law and as a result, your personal data will be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary;
- Accurate and up-to-date;
- Kept for no longer than is necessary for the specified purpose or purposes; and
- Processed in a manner that maintains the integrity and confidentiality of your data.
What personal data is collected?
The type of information that IMVO holds (in both paper or electronic format), where appropriate and permitted by law, includes personal details relating to you, such as your name, professional contacts, bank account details (if required for payments in performance of a contract) and related information. Additional personal information is held about employees and parties such as directors so that IMVO can comply with relevant contractual and/or statutory obligations.
Special categories of data collected by IMVO include:
- Gender of employees;
- Data regarding the health of an employee connected with sick leave or attendance at medical appointments;
- Data regarding the health of individuals visiting the IMVO office or participation in IMVO events, where such information is required to facilitate their visit/participation (e.g. information on disability or special dietary requirements).
Where do we collect your personal data?
Most of your personal data that we collect will be provided by you through your interactions with us. Certain personal information (name, job title, business email address, business address and/or mobile phone number) may be provided to IMVO by third parties (such as your employer) on your behalf for the purpose of contacting you about legitimate IMVO business. IMVO may also source personal data from publicly-available sources such as a company website, commercially published directory, etc.
Legal basis for processing your information
We process your personal data in order to provide you with our services and to assist us in the operation of our business. Under data protection law we are required to ensure that there is an appropriate basis for the processing of your personal data, and we are required to let you know what that basis is.
There are various options under data protection law, but the primary bases on which we process your personal data are:
- Performance of a contract or agreement with you – we collect and use your information primarily for the purpose of managing our working relationship with you, for example, in order to provide services, to arrange payment for the provision of your services or to collect payment for our services, to communicate with you, and otherwise to fulfil any contractual obligations owed to you
- Where required by applicable law – IMVO may be required under local laws to maintain records that can include personal information, such as mandatory reporting, tax and accounting requirements. In particular, IMVO processes personal data relating to pharmaceutical manufacturers, marketing authorisation holders, wholesalers and persons authorised or entitled to supply medicines to the public, and other relevant parties, in order to fulfil its obligations under Commission Delegated Regulation (EU) 2016/161 of 2 October 2015 supplementing Directive 2001/83/EC of the European Parliament and of the Council by laying down detailed rules for the safety features appearing on the packaging of medicinal products for human use (and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in Ireland).
- To fulfil our legitimate business interests – IMVO also may process your personal data to pursue our legitimate business interests, which shall include planning for, conducting and monitoring the activities of IMVO, providing service information, etc.
- Where you have consented – for certain types of information, IMVO may rely on your consent to the use of such information. Our policy is to keep to the minimum necessary, any data where the basis for processing is your consent. In that event, you will have been asked for your explicit and specific consent, and you will be entitled to withdraw your consent at any time by contacting us using the contact details at the bottom of this policy. Please note that if you withdraw your consent we may not be able to continue providing you with the service to which the consent related.
IMVO will only use your information for the purposes for which it was collected, unless we reasonably consider that we need it for another purpose that is compatible with the original purpose. If we need to use your information for an unrelated but compatible purpose, we will notify you in advance of our use of your information and explain the legal basis for this. Note that we may process your information without your knowledge or consent where this is required or permitted by applicable law.
IMVO will not use your personal data for any marketing or promotional purposes.
IMVO does not carry out automated decision-making processes with personal data.
Who do we share your personal data with?
You should be aware that in certain circumstances, IMVO may need to transfer or disclose your personal information to third parties, including service providers who render administration, technical and other support services to IMVO, but will only do so where it is consistent with the purposes outlined above.
In particular, IMVO may need to transfer or disclose your personal data to pharmaceutical manufacturers, marketing authorisation holders, wholesalers and persons authorised or entitled to supply medicines to the public, and other relevant parties, in order to fulfil its obligations under Commission Delegated Regulation (EU) 2016/161 of 2 October 2015 supplementing Directive 2001/83/EC of the European Parliament and of the Council by laying down detailed rules for the safety features appearing on the packaging of medicinal products for human use (and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in Ireland).
IMVO will also disclose your personal information in response to a valid, legally compliant request by a competent authority or in response to a court order or otherwise in compliance with any applicable law, regulation, legal process or enforceable governmental request or other statutory requirement; to detect, prevent or otherwise address fraud, security or technical issues; or to protect against imminent harm to the rights, property or safety of IMVO, its employees, its members or the public, as required or permitted by law.
IMVO will ensure through contracts and data processing agreements that third parties with whom your personal data is shared, apply appropriate security measures to protect your data from loss, misuse and unauthorised access or disclosure.
Transfers outside of the European Economic Area (EEA)
IMVO does not transfer personal data outside the European Economic Area.
Retention of personal data
IMVO will retain your personal data in accordance with our record retention policy. This policy operates on the principle that we keep personal data for no longer than is necessary for the purpose for which we collected it. It is also kept in accordance with any legal requirements that are imposed on us. This means that the retention period for your personal data will vary depending on the type of personal data. For further information about the criteria that we apply to determine retention periods, please see below:
- Statutory and regulatory obligations – we have certain statutory obligations to retain personal data for set periods of time.
- Business requirements – As we only collect personal data for defined purposes, we assess how long we need to keep personal data in order to meet our reasonable business purposes.
IMVO will permanently delete your personal data when the relevant retention period has expired.
All breaches of personal data held by IMVO will be reported to the Data Protection Authority within 72 hours, unless the data was anonymised or encrypted.
Breaches of this policy by employees will be dealt with under IMVO’s Grievance and Disciplinary Policy and may lead to a disciplinary sanction.
IMVO takes the security of your data very seriously and has implemented an information security policy which describes the technical, procedural and physical measures in place to protect your data from loss, misuse and unauthorised access or disclosure. IMVO also maintains reasonable procedures to help ensure that such data is reliable for its intended use and is accurate, complete and current.
Employees who handle personal data covered by this policy are trained on the information security policy and how to correctly collect, process, store and delete data in accordance with this policy.
You have various rights under data protection law, subject to certain exemptions, in connection with our processing of your personal data:
- Right to access the data – You have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
- Right to rectification – You have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information, you may request that we update the information such that it is complete.
- Right to erasure – You have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the ‘right to be forgotten’.
- Right to restriction of processing or to object to processing – You have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
- Right to data portability – You have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine readable format.
- Right to complain – You have the right to lodge a complaint with the Data Protection Authority if you are unhappy with our processing of your personal data.
- Right to withdraw your consent – When we process your personal data on the basis of your consent, you are free to withdraw that consent at any time by contacting us using the contact details below. Please note that if you withdraw your consent we may not be able to continue providing you with the service to which the consent related.
In order to exercise any of these rights, please get in touch using the contact details set out below.
Changes to this policy
The provisions of this policy may be altered by IMVO from time to time. Any alteration or addition will be posted on our website at www.imvo.ie.
Queries and complaints
IMVO has not appointed a data protection officer, however, if you have any queries or complaints in connection with our processing of your personal data, you can get in touch with us using the following contact details:
7 Clanwilliam Terrace
+353 1 5715320
Complaints may also be submitted to the Data Protection Commission which is the Data Protection Authority for Ireland (see www.dataprotection.ie):
Data Protection Commission
21 Fitzwilliam Square South
Annex 1 – Key Definitions:
“Data Protection Authority” means the Irish Data Protection Commission which is IMVO’s supervisory authority in the European Union.
“data protection law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in Ireland and any successor legislation to the GDPR or the Data Protection Acts 1988-2003.
“consent” of the data subject means any freely given, specific, informed an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her – such as a written/electronic statement or an oral statement.
“data controller” means the legal person or company who determines the purposes and means of the processing of personal data, e.g. IMVO.
“data processor” means a person or company who processes personal data on behalf of the data controller, e.g. IMVO’s payroll provider.
“data subject” means an identifiable natural person who is the subject of the personal data, e.g. an employee, an employee of an IMVO member organisation;
“personal data” means any information relating to an identified or identifiable natural person (data subject).
“processing” means any operation which is performed on personal data, where automated or not, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction.
“special categories of data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data and data concerning health or a person’s sex life or sexual orientation.