This Policy contains the information required by art. 13 of Regulation (EU) 679/2016, concerning the protection of natural persons with regard to the processing of Personal Data (hereinafter “GDPR“), which will become applicable in all the Member States of the European Union and belonging to the European Economic Area from May 25, 2018. By filling out the contact form, you consent to the collection and use of Personal Data as described in this Notice.
We inform you that the treatment of Personal Data (name, surname, telephone, email address and any further Personal Data indicated in the message) (the “Data”) by you spontaneously provided filling out the contact form on the website http://summitpharmaeurope.com/ (the “Website”) will respect the principles of fairness, legality and transparency and protection of your privacy and your rights.
1. DATA CONTROLLER
The Data Controller of Personal Data is Summit Pharmaceuticals Europe Ltd, operating in Italy through its Italian branch established in Milan, Viale Piero e Alberto Pirelli 6, TAX code and VAT code 04573470962, in person of its legal representative pro tempore, that can be reached at the email firstname.lastname@example.org (hereinafter “SPE” or “us” or “Data Controller”).
SPE is the Data Controller pursuant to article 4, n. 7) of GDPR and, as such, is responsible for the legitimate and correct processing of your Data.
2. THE PURPOSES OF PERSONAL DATA PROCESSING
The Data provided by you by filling the contact form on the Website will be processed by us in respect of the modalities provided by the GDPR for the following purposes:
- to process your requests of information and/or contacts and to respond to such requests, also by sending communications and details relating to the above;
- with your prior express consent, to send to you, by email, newsletters having informative / advertising nature, commercial communications and invitations to events organized by SPE or by the companies of the Sumitomo Corporation Group.
3. DATA RECIPIENTS – TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS
In order to process your request for information and/or contact and only if this is deemed as necessary from the content of the same, your Data may be communicated to other entities of the Sumitomo Corporation Group if directly interested by your request. Said other companies of the Sumitomo Corporation Group will process your Data as an independent Data Controller.
In some cases, the personal data we collect from you might be processed outside the European Economic Area (“EEA”), such as the United States and the countries in which the companies of the Sumitomo Corporation Group operates. However, SPE warrants that your Data processed outside of the EEA are protected in the same ways as it would be if it were processed within the EEA. For this purpose, SPE also guarantees that an adequate level of protection is afforded by ensuring that at least one of the following safeguards is implemented:
- your Data is transferred to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
- we use the EU approved Standard Contractual Clauses as provided by Chapter V – Section 5 of GDPR; and
- where your personal Data is transferred to third party providers based in the US, data may be transferred to them if they have self-certified under the Privacy Shield framework.
The aforementioned Data shall not be disclosed to undetermined subjects. For further information regarding the countries to which your Data may be transferred, please contact us using the details below.
Your Data will also be made accessible to third parties who perform maintenance and technical assistance activity on the IT systems used for the processing and storage of Data, which will be appointed by us as Data Processors. The updated list of Data Processors will be made available upon request to the Data Controller to be sent by email to the following address email@example.com.
The Data will also be processed for the purposes referred to in point 2 above by the SPE personnel, who will have received prior appointment as Data Processor.
4. DATA PROCESSING ARRANGEMENTS – DATA RETENTION TIME.
Your Data will be processed using both paper and electronic means.
Your Personal Data will be stored by adopting technical and organizational security measures appropriate to ensure their protection, for the period of time strictly necessary to execute your request for information and / or contact, unless you have authorized us to use it for the further purpose referred to in point 2 b) above. In this case, we will store your data for a period of time equal to twenty-four months from the date of their registration in our database. In any case, once the maximum Data retention period has elapsed, they will be automatically deleted or rendered anonymous.
Your data will not be used for profiling purposes.
5. MANDATORY OR OPTIONAL NATURE OF PROVIDING OF DATA – CONSEQUENCES OF THE POSSIBLE REFUSAL.
The provision of Data for the purposes referred to in paragraph 2 a) above is mandatory as necessary to enable us to process your request for information and / or contact.
The provision of Data for the purposes referred to in paragraph 2 b) above is optional; consequently, without your explicit consent, we will not process the Data for advertising and marketing purposes indicated therein. You have the right to freely object at any time to the processing of your personal data for marketing purposes. If you change your mind about being contacted for marketing purposes in the future, please select “unsubscribe” from our messages if you do not want to receive further marketing emails.
6. DATA SUBJECT’S RIGHTS
As a data subject, You are granted the rights pursuant to GDPR (Article 15), the text of which is fully reproduced hereinafter, as follows.
EU REGULATION NO. 679/2016, ARTICLE 15 – RIGHT OF ACCESS BY THE DATA SUBJECT
- The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
- The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
- The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
You are also granted the rights referred to in Articles 16 (Right to rectification), 17 (Right to erasure), 18 (Right to restriction of processing), 19 (Notification obligation), 20 (Right to data portability) and 21 (Right to object) of the GDPR.
The exercise of such rights is not subject to any form constraint and is free of charge. For this purpose, you may contact the Data Controller by sending a registered letter to the address in point 1 above, or by e-mail using the following address: firstname.lastname@example.org.