Information notice - Consultancy register

EU General Data Protection Regulation (2016/679), Articles 13 and 14 and 30

Date of drafting: May 31st, 2018

Updated: 11.12.2019 version 1.1

We may update or revise this Information Notice/ Record of Processing Activities at any time, with any notice to you as may be required under applicable law.

1. Controller/Company

Orion Corporation (Company Identification Number: 1999212-6)

Orionintie 1

02200 Espoo


Tel. 010 4261

2.  The Person in charge/contact person

Hanna Seppänen

Orion Corporation

Orionintie 1A

02200 Espoo

Tel. 010 426 3564


Contact details of the Data Protection Officer: Mikko Kemppainen


3.  Name of the file

Consultancy Register

4. The purpose for processing the personal data / recipients (or categories of recipients) of personal data / the legal basis for processing the personal data

The purpose of this data file is to fulfil Orion’s contractual obligations with consultants and partners and to maintain their contact information for possible future need.

Enabling the above requires the collection of personal data of the consultants.

We may share your information with third parties, such as those who assist us by performing technical operations such as data storage and hosting or media and marketing companies for planning of meetings and symposiums.

If ownership or control of Orion Corporation or all or any part of our products, services or assets changes, we may disclose your personal data to any new owner, successor or assignee.

The legal basis for processing of the personal data is performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (EU General Data Protection Regulation Article 6.1.b) or the legitimate interest of the controller/ collaboration with consultants for the purpose of arranging trainings and tutorials in congresses and expert meetings (EU General Data Protection Regulation Article 6.1.f).

When we process your personal information for our legitimate interests, we make sure to consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. Our legitimate business interests do not automatically override your interests - we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

5. Content of the data file

The register contains information regarding Orion’s consultants and partners such as key opinion leaders. The following data can be collected: name, birth date, personal identity code, residential address, work address, phone number, e-mail address, bank information (bank name, address, account number, BIC), passport information.

6. Source of information

The information is collected from the consultants and key opinion leaders themselves or collected by Orion’s employees from public sources such as the internet.

7. Retention period of the personal data

The data files are periodically updated to include only data which is relevant for the purpose.

8. The principles how the data file is secured

The data file is located on a server in a private hosting environment. The application is used via a secure https connection and only with a personal username and password. The server is accessible with a personal username and password. The information is accessible only by such company employees who need the information based on their role. Part of the information is stored as paper copies in a locked cabinet.

9. Right of access and right to data portability

The data subject shall have the right of access, after having supplied sufficient search criteria, to the data on himself/herself in the personal data file, or to a notice that the file contains no such data. The controller shall at the same time provide the data subject with information on the sources of the data, on the uses for the data in the file, and the destinations of disclosed data.

The data subject shall have the right to data portability, i.e. the right to receive his or her personal data, which the data subject has provided to the controller and that is being processed by automated means, in a structured and machine readable format and the right to transmit those data to another controller, where the basis for processing is consent or the fulfilment of a contract between the controller and the data subject.

The data subject who wishes to have access to the data on himself/herself, as referred to above, shall make a request to this effect to the person in charge at the controller by a personally signed or otherwise comparably verified document and by verifying his or her identity by attaching a copy of an official identification document.

10. Right to object to processing

In case the legal basis for processing the personal data is the legitimate interests of the controller, the data subject has the right to object to processing on grounds relating to his or her particular situation.

In case the data subject wishes to use his or her above-mentioned rights, he or she shall make a request to this effect in writing, by a personally signed or otherwise comparably verified document, to the representative of the data controller named under section 2 above.

11. Rectification, restriction of processing and erasure

A controller shall, on its own initiative or at the request of the data subject, without undue delay rectify, erase or supplement personal data contained in its personal data file if it is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.

Under specific circumstances, the data subject has the right to obtain from the controller restriction of processing of his or her personal data.

If the controller refuses the data subject’s request for the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. In this event, the data subject may bring the matter to the attention of the Data Protection Ombudsman.

The controller shall undertake reasonable measures to notify the erasure to the controllers to whom the data has been disclosed and who are processing the data. However, there is no duty of notification if this is impossible or unreasonably difficult.

Requests to exercise the data subject’s rights described above shall be made by contacting the representative of the controller named under section 2 hereof.