Privacy Notification for reporting of Adverse Events to Lundbeck

Privacy Notification for reporting of Adverse Events to Lundbeck

In connection with the reporting of adverse events, Lundbeck’s headquarter in Denmark, H. Lundbeck A/S, will (as data controller and Global Safety Database Holder) receive, process, use and disclose personal data about you as described in more details in this Privacy Notification.  

This Privacy Notification also applies to processing performed by other Lundbeck companies, when involved in the handling of your request, as further described below. In such case, the local Lundbeck company will act as an independent data controller. Please find a list of Lundbeck companies here. H. Lundbeck A/S and each of the local Lundbeck companies are separately referred to as “Lundbeck” or “we”.

 

Lundbeck will process your personal data according to applicable legislation, including the EU General Data Protection Regulation (“GDPR”).

 

If you report personal data on behalf of the data subject, please ensure that the data subject receives this Privacy Notification.


 

What categories of personal data are we processing and for what purposes? 

 

We collect and process personal data about you as received when adverse events related to the use of Lundbeck’s products are reported to us. Depending on whether you are the patient, an individual reporting on behalf of the patient, or a healthcare professional, the following types of personal data may be processed:

 

Patient:

 

  • Contact information (name / initials, address, country of residence, e-mail address);
  • Information on date of birth, age / age group, gender; 
  • Information on health and medication; 
  • Ethnicity / Racial origin;
  • Sex life / Sexual orientation (only if reported and relevant*); *This category of data is not specifically requested and collected, but only captured and processed if reported in connection with an adverse event and if relevant for the medical and scientific assessment and evaluation of the case.
  • Criminal convictions / Criminal offences (only if reported and relevant*); *This category of data is not specificallyrequested and collected, but only captured and processed if reported in connection with an adverse event related to a legal case or an insurance case or where the data is relevant for the medical and scientific assessment and evaluation of the case.
  • Other information (only if relevant and voluntarily included in the report).

 

Healthcare Professionals (HCP) and other individuals reporting on behalf of a patient:

 

  • Contact information (name / initials, address, country of residence, e-mail address);
  • HCP organization / profession / title (only HCPs);
  • Other information (only if relevant and voluntarily included in the report).

 

We process your personal data for the purposes of handling the adverse event in accordance with applicable legislation. Lundbeck is obliged to register, monitor and analyse all adverse events that are reported to Lundbeck and to perform a medical and scientific assessment and evaluation of such adverse events if related to a Lundbeck product. 

 

This is done to ensure high standards of quality and safety of medicinal products, to enhance patient care and patient safety and to assess the risk-benefit profile of medicines.

 

How did we obtain your personal data?

 

The personal data is collected:

  • Directly from you in your capacity as a patient;
  • From a relative or other individual reporting an adverse event on behalf of a patient;
  • From a Healthcare Professional (e.g. a general practitioner, a nurse, a pharmacy);
  • From publicly available sources belonging to third parties (e.g. websites, social media*). *In general, publicly available sources belonging to third parties are not monitored. However, due to applicable legislation, Lundbeck employees that incidentally identify adverse events via publicly available sources are obliged to ensure proper reporting and handling of such adverse events. 

 

When we collect personal data directly from you in your capacity as a patient, you provide the personal data on a voluntary basis. You are not obliged to provide any information to Lundbeck, although we strongly encourage you to report any and all adverse events for the safety of yourself and other patients.

 

What is the legal basis for our processing of your personal data? 

 

The legal bases for our collection and processing of your personal data as set out above are (depending on the circumstances):

  • Legal obligations set out in Directive 2010/84/EU of the European Parliament and of the Council (dated 15 December 2010) amending, as regards pharmacovigilance, Directive 2001/83/EC on the Community code relating to medicinal products – mainly Article 104 (as implemented through national legislation), cf. GDPR Article 6 (1) (c);
  • The processing is necessary for reasons in the area of public health (ensuring high standards of quality and safety of health care and of medicinal products, cf. GDPR Article 9 (2) (i);
  • Data on criminal convictions / criminal offences will only be processed if the processing is in line with GDPR Article 10 and if the processing in Lundbeck’s assessment is necessary (and relevant) for the medical and scientific assessment and evaluation and to ensure high standards of quality and safety of health care and of medicinal products. 

 

Will we disclose your personal data to third parties? 

 

To continuously ensure the high standards of quality and the safety of Lundbeck’s products, we disclose and share your personal data with the following recipients:

  • Relevant local health authorities (globally);
  • Business partners;
  • Other entities in the Lundbeck group (only if relevant; mainly H. Lundbeck A/S)

 

The legal bases for the disclosure follow the above-mentioned legal requirements, i.e. mainly GDPR Articles 6 (1) (c) and 9 (2) (i).

 

Will we disclose your personal data to data processors?

 

All Lundbeck entities processing your request may transfer your personal data to consultants, business partners and IT service providers, which will process your personal data solely on our behalf and on our instructions, provided that such data processors have provided sufficient guarantees to implement appropriate technical and organisational measures to
ensure the protection of your rights as a data subject. 

 

During the initial processing of the personal data, full names and contact details will be redacted to ensure that direct identification of the data subject is not possible.

 

Will we transfer your personal data to recipients in countries outside the EU/EEA?

 

In order to comply with applicable pharmacovigilance legislation, we transfer your personal data to relevant health authorities outside the EU/EEA. The legal basis for such transfer is GDPR Article 49 (1) (d), as the transfer is deemed necessary for important reasons of public interest (public health).

 

Furthermore, if relevant in order to handle your request, your personal data may be transferred to a private recipient in a country outside of EU/EEA not providing the same level of protection as within the EU/EEA. Lundbeck will in this case ensure that such transfer(s) will be carried out in accordance with the applicable data protection legislation, including the GDPR. Such transfer may only take place if we can ensure an adequate level of data protection by ensuring that the recipient enters into the EU Standard Contractual Clauses with Lundbeck. The Standard Contractual Clauses are available in several languages here.

 

If your personal data gets transferred to other Lundbeck affiliates, the transfer will be based on the Lundbeck Intra-Group Data Protection Agreement or the Lundbeck Binding Corporate Rules (once approved and implemented). More information regarding this can be obtained by contacting your local Lundbeck company or Lundbeck’s Group Data
Protection Officer via (dataprivacy@lundbeck.com). 

 

How long will we store your personal data? 

 

According to applicable legislation relating to pharmacovigilance, Lundbeck is required to store your personal data for the lifetime of the Lundbeck product in question plus additional 10 years (as a minimum). However, the retention period may be longer where required by union law or national law. 

 

Your rights

 

Subject to certain exceptions and restrictions set out in applicable legislation, you enjoy the right to request access to your personal data, to have your personal data rectified, to have your personal data deleted, and to have the processing thereof restricted. 

 

If you are not satisfied with Lundbeck’s handing of your request, you have the right to lodge a complaint with the competent supervisory authority, e.g. the Danish Data Protection Agency or the national supervisory authority in your country. A list of all supervisory authorities is available here.

 

Contact details of Lundbeck and Lundbeck’s Group Data Protection Officer

 

Should you have any questions in regard to the protection of your personal data or if you wish to exercise your legal rights, please contact H. Lundbeck A/S, your local Lundbeck company or Lundbeck’s Group Data Protection Officer (DPO) by using the below contact details:

 

 

 

H. Lundbeck A/S

Ottiliavej 9

2500 Valby

Denmark

Phone no.: +45 3630 1311

 

Lundbeck’s Group Data Protection Officer (DPO): 

E-mail: dataprivacy@lundbeck.com