Pharmacovigilance privacy notice

Mundipharma Research Limited (“Mundipharma Research”, “we” or “us” or “our”) is responsible for monitoring and reporting safety data of certain products (defined below). This Privacy Notice describes how Mundipharma Research processes (e.g. collects, uses, stores, and shares) your personal data to help fulfil such obligations, known as pharmacovigilance obligations.

This Privacy Notice is reviewed and updated from time to time. If we update the terms, we will provide notice through our home page, or by other means, so you can to review the changes. Please check back if you wish to submit an adverse event.

This Privacy Notice supplements other privacy notices that we may provide on our website or through other means from time to time when we processing your personal data.

How do we collect personal data about you?

We may collect personal data provided by you directly to us or as part of the adverse event reporting requirements applicable to Mundipharma Research. If you are a patient, we may also be provided with information about you by another person (such as a medical professional or relative) reporting an adverse event that affected you. We will handle all such information in accordance with this Privacy Notice.

Why do we process your personal data?

An adverse event (or side effect) is any untoward medical occurrence in a patient administered a product that may or may not be caused by the treatment. Pharmacovigilance laws require us to collect specific data relating to adverse events to ensure that our products are safe to use and effective. This includes using and sharing your personal data to:
• investigate the adverse event
• contact you for further information about the adverse event you have reported
• collate the information about the adverse event with information about other adverse events received by Mundipharma Research to analyse the safety of a product and
• provide mandatory reports to national and international authorities so that they can analyse the safety of a product alongside reports from other sources

What personal data do we process about you? 

A minimum amount of information must be collected for a ‘reportable’ adverse event. The more information you provide regarding the adverse event, the more helpful this will be to meet our reporting obligations. If you do not want us to contact you to collect further information about the adverse event, you can say so when you report the adverse event.

Patients

The personal data that we may collect about you when you are the subject of an adverse event report includes your:
• name and/or initials
• contact details (which may include your address, e‐mail address, phone number or fax number)
• age and/or date of birth
• gender
• weight and height
• data concerning health, including details of the adverse reaction. We will also need to know details of the product causing the reaction and details of any other medicines or remedies you have taken, including the reasons for taking them, the dosage you have been taking or were prescribed, any subsequent change to your usual regimen, as well as other medical information considered relevant such as lab reports, medication histories and patient histories
• data revealing racial or ethnic origin
• data revealing religious or philosophical beliefs
• genetic data and/or biometric data
• data concerning sex life or sexual orientation

The data described in the last five bullets are considered special categories of data called “sensitive data”, which require a higher level of protection under data protection laws.

The information collected is only processed where relevant and necessary to document your reaction properly and for the purpose of meeting our pharmacovigilance obligations.

Reporters

The personal data that we may collect about you when you report an adverse event is your:
• name
• contact details (which may include your address, e‐mail address, phone number or fax number)
• profession (this information may determine the questions you are asked about an adverse event, depending on your assumed level of medical knowledge) and
• relationship with the subject of the report

The basis for using your information

Our processing of your personal data requires a legal basis. In general, we will only process your personal data using one or more of the following bases:
• Where you have consented
• To perform a contract to which you are, or will be, a party
• To comply with our legal or regulatory obligations
• Where processing is necessary for our legitimate interests
• Where processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
• Where processing is necessary for reasons of public interest in the area of public health, e.g. where processing is necessary for ensuring high standards of quality and safety of health care and of medicinal products or medical devices

As mentioned above, we are under a legal obligation to process your personal data relating to adverse events. The evaluation of the safety and effectiveness of the product is also in the public interest.

As a pharmaceutical company we have a legitimate interest in using information relating to your health and care to undertake pharmacovigilance-related activities, including research. When processing your personal data on the basis of our legitimate interests, we must maintain a balance between our legitimate interests and your privacy.

What will happen if I don’t provide information?

If you do not provide information requested in connection with an adverse event, we will also be less likely to identify safety and/or efficacy issues regarding our products and deal with them appropriately.

Sharing your personal data

Mundipharma Research limit access to your personal data to those of our and our Associates’ employees, agents, contractors, professional advisers (such as lawyers, bankers, auditors, accountants and insurers), service providers (such as IT system providers and regulatory service providers), and other third parties who have a business need to know, including pharmaceutical companies who are our commercial or licence partners and also are required to exchange product safety information. If they are a data processor, they must only process your personal data on our instructions and they are subject to a duty of confidentiality.

We are under a legal obligation to share adverse event information regarding our products with national and international authorities (including the European Medicines Agency’s EudraVigilance database) in accordance with pharmacovigilance laws. We are unable to control their use of your data.

Location of personal data we collect

Global Safety Database

Our pharmacovigilance obligations require us to analyse adverse event reports received from every country where we provide pharmacovigilance services to our Associates. To meet these requirements, we collate and report information provided as part of an adverse event through a Global Safety Database. We have procedures in place to remove duplicate reports from the Global Safety Database. The Global Safety Database is hosted in the United States by a company within the Mundipharma global network of independent associated companies. It is administered and supported by our pharmacovigilance team, as well as teams from Canada and the United States. We also engage service providers to support our pharmacovigilance obligations, which may be located outside of Europe.

International transfers

We may transfer your personal data worldwide as part of the Global Safety Database, including to countries where the legal protections over personal data may be less than under your country’s national law. If we transfer your personal data outside of Europe to our and our Associates’ employees, agents, contractors, professional advisers, service providers or to third parties that collaborate with us, your data will be protected with safeguards such as contracts and suitable security measures. You can request information about such transfers by contacting us using the details below.

Data retention

The study site and the Sponsor are required to keep the data relating to adverse events for a minimum number of years after marketing authorisation for the product no longer exists. Subsequently, we will retain such data for the purposes set out above where the law and applicable ethical requirements allows it.

Automated decision making

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Your rights

In general, you have the following rights with respect to your personal data:
• The right to access
• The right to correction
• The right to restrict processing
• The right to erasure
• The right to object to processing
• The right to data portability

These rights may be limited by applicable law. Please contact our Pharmacovigilance team at [email protected] or our Data Protection Officer using the details below if you wish to exercise your rights.

Mundipharrma Research has assigned a data protection officer responsible for overseeing our compliance with EU data protection law, which you may contact at [email protected]; or c/o the Data Protection Officer, Mundipharma Research Limited, Unit 194 Cambridge Science Park, Milton Road, CB4 0GW in case of any questions or concerns regarding the processing of your personal data. Please explain your relationship and/or interactions with us, as well as the specifics of your query when contacting us. We may require you to provide proper identification before we comply with any request to access or correct your data.

If you are unhappy with how we process your personal data, you have a right to complain to the UK Information Commissioner’s Office (“ICO”). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Data controller

The entity registered as the Marketing Authorisation Holder for the product, indicated in the patient information leaflet, is the data controller responsible for processing of adverse event information for marketed products. Mundipharma Research may also act as a data controller when performing its pharmacovigilance obligations.

Definitions used in this privacy notice

Associates” means any organisation within the Mundipharma global network of independent associated companies.

data controller” means the company or organisation that, alone or jointly with others, determines the purpose and means of processing personal data.

data processor” means the company or organisation that processes personal data on behalf of the data controller.

personal data” means information that relates to any living identifiable individual (e.g. you, your medical practitioner or your family member).

products” medicinal products and devices marketed through the Mundipharma global network of independent associated companies or used in research studies, for which Mundipharma Research have pharmacovigilance obligations.

 

This Privacy Notice was last updated on 01 November 2018.