Personal data protection policy

TILMAN S.A

Personal data protection policy

(Last update : October 09,2018)

 

1. Who are we?

This document is the personal data protection policy of TILMAN S.A. a company incorporated under Belgian law, having its registered office in Zone d’activités Sud, Bail. 15, 5377 Somme-Leuze, registered with the company register (BCE) under number 0458.493.759, and having the following e-mail address: privacy@tilman.be (hereinafter referred to as “Tilman” or “us“).

Contact details of the Data Protection Officer of the controller: dpo@tilman.be

In the course of our activities, we collect, store, process and sometimes share personal data.

 

2. Objective of this policy

2.1. Information

Concerned about respecting your privacy, and aware of the importance of complying with our legal obligations in this regard, we do everything in our power to protect your personal data.

The purpose of this policy is to inform you (as “data subject”) about how we (as “controller”) process your personal data, in accordance with all applicable data protection and privacy laws and regulations (hereinafter referred to as “Data Protection Laws”), and, more particularly and among others, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (or “GDPR”).

This policy is also intended to inform you of your rights regarding the processing of your personal data.

 

2.2. Informed consent

In some cases (specified below), the legal basis for our data processing is your informed consent. In such cases, the other purpose of this policy is to provide you with the information necessary to obtain valid consent from you.

Where our processing of personal data is based on your consent, you have the right to withdraw your consent at any time, but this withdrawal may not affect the lawfulness of the processing carried out prior to this withdrawal. To withdraw your consent, you are invited to use the easy unsubscribe procedures provided to you by our communications tools or by sending us an e-mail (to the address indicated in the “Who to contact about your personal data” section).

When our processing of personal data is based on your consent, it is our duty to be able to demonstrate that you have consented to the processing of your personal data. To do so, we retain data relating to your consent as long as we need to demonstrate our full and complete compliance with Data Protection Laws.

If you are under 16 years of age, it is our duty to make reasonable efforts to verify, in such cases, that consent is given or authorized by the person having parental authority, taking into account the available technology. This explains why, if necessary, we may ask for more information about this holder of parental authority.

3. Information on the different processing of personal data

In this section 3, for each treatment we perform, we provide you with information on:

  • The purposes of the processing (why we process your data);
  • The legal basis of the processing (what justifies the processing); where this legal basis is a legitimate interest, we mention the nature of such interest;
  • The categories of personal data concerned (what types of data are processed);
  • If applicable, the categories of recipients of personal data (with whom we share data);
  • Where appropriate, the transfer of personal data to recipients in countries outside the EU or to international organizations and the safeguards allowing such transfer;
  • The retention period during which personal data are kept, or if it is not possible to specify, the criterion used to determine such period of time;

In order to be as transparent and clear as possible, this information is presented in the tables below, and is provided by category of data subjects and purpose.

3.1. Customers

PurposeCustomer service (requests for information, complaints, after-sales services)
Categories of dataidentification1, electronic identification2, content of communications, commercial information, description of the complaint
Sourcesdata subject
Recipientsnone5
Retention periodduration of the interaction (the duration is longer if the data are used for other processing operations mentioned in this section)
Legal basesGDPR, art.6, §1 a) (consent)
GDPR, art.6, §1 c) (performance of legal and regulatory obligations)
Transfer outside the EUno
PurposeCustomer management (order tracking and fulfillment, sales information, invoicing)
Categories of dataidentification1, electronic identification2, administrative data3, sectoral data4, customer code, function, category / home group, language, currency, financial characteristics, representative, transport, content of communications, commercial information.
Categories of datadata subjects, official databases, commercial (public) databases
Recipientssales representatives, distributors and sales intermediaries, public administrations
Retention period10 years after the end of the treatment (usually the end of the contract)
Legal basesGDPR, art.6, §1 b) (performance of contractual or pre-contractual measures)
GDPR, art.6, §1 c) (performance of legal and regulatory obligations)
Transfer outside the EUno
PurposeSatisfaction surveys
Categories of dataidentification1, electronic identification2
Categories of datadata subject
Recipientsnone5
Retention periodanonymization after completion of processing of responses and sending of the reward if applicable
Legal basesGDPR, art.6, §1 b) (performance of contractual or pre-contractual measures)
GDPR, art.6, §1, f) (legitimate interest: quality controls, process improvement)
Transfer outside the EUno
PurposeMarket analysis (statistical monitoring of purchases by central buying services)
Categories of dataidentification1, electronic identification2
Categories of datacentral purchasing offices
Recipientsnone5
Legal basesGDPR, art.6, §1 b) (performance of contractual or pre-contractual measures)
GDPR, art.6, §1, f) (legitimate interest: process improvement, internal management, market analysis)
Transfer outside the EUno
PurposeInformation campaigns(mailings)
Categories of dataidentification1, electronic identification2
Categories of datadata subjects, data providers
Recipientsnone5
Retention periodduration of consent
Legal basesGDPR, art.6, §1 a) (consent)
GDPR, art.6, §1, f) (legitimate interest: “soft opt-in” for persons who are already TILMAN’s customers)
Transfer outside the EUno

3.2. Users of TILMAN products, doctors, pharmacists

PurposeCustomer service (requests for information, complaints)
See section “Customer > Customer service”.
PurposePharmacovigilance
Categories of dataidentification 1, electronic identification 2, date of birth, age, weight, height, gender, medical data: product involved (and production information), adverse reactions, medical history
Categories of datadata subjects, pharmacists, doctors
Recipientsofficial pharmacovigilance authorities
Retention period10 years after expiry of the marketing authorization
Legal basesGDPR, art.6, §1 c) (performance of legal and regulatory obligations)
GDPR, art.9, §2 i) (grounds of public interest in the field of public health)
Transfer outside the EUno

3.3. Health professionals, organizations

PurposeCustomer service(requests for information, complaints)
See section “Customer > Customer service”.
PurposeInformation campaigns (emailings)
See section “Customer > Information campaigns”.
Purposebe Transparent
Categories of dataidentification 1, electronic identification 2, administrative data 3 (business number), sectoral data 4 (INAMI number), national registration number, financial data
Categories of datapersons concerned, official databases
Recipientsbetransparent.be
Retention periodlegal period: 10 years from publication
Legal basesGDPR, art.6, §1 c) (performance of legal and regulatory obligations)
Transfer outside the EUno

3.3. Health professionals, organizations

(next)

PurposeCoupons (events and specialized press)
Categories of dataidentification 1, electronic identification 2, sectoral data 4 (INAMI number), language
Sourcesdata subject
Recipientsnone5
Retention periodFor event coupons: duration of the event
For coupons in the press: duration of the interaction
The duration is longer if the data are used for other processing operations mentioned in this section
Legal basesGDPR, art.6, §1 a) (consent)
Transfer outside the EUno

3.4. Suppliers

PurposeSupplier management(selection, order tracking, accounting and administration, quality controls)
Categories of dataidentification 1, electronic identification 2, administrative data 3, content of communications.
Categories of datadata subjects, official databases, commercial (public) databases
Recipientspublic administrations
Retention period10 years after the end of the treatment (usually the end of the contract)
Legal basesGDPR, art.6, §1 b) (performance of contractual or pre-contractual measures)
GDPR, art.6, §1 c) (performance of legal and regulatory obligations)
GDPR, art.6, §1, f) (legitimate interest: selection and management of suppliers, quality controls, process improvement, protection of TILMAN’s rights)
Transfer outside the EUno

3.5. Prospects

PurposeProspect service(request for information)
See section “Customer > Customer service”.
PurposeInformation campaigns (mailings)
See section “Customer > Information campaigns”.
PurposeGeneral prospecting
Categories of dataidentification 1, electronic identification 2, administrative data 3, sectoral data 4, customer code, function, category/group, language, currency, financial characteristics, representative, transport, content of communications, commercial information.
Categories of datadata subjects, official databases, commercial (public) databases
Recipientssales representatives, distributors and sales intermediaries
Retention periodIndefinite (normal lead management time)
Legal basesGDPR, art.6, §1, f) (legitimate interest: prospecting of professional customers, development of economic activities)
Transfer outside the EUno

3.6. Candidates for employment

PurposeRecruitment
Categories of dataidentification 1, electronic identification 2, family composition, leisure, education, professional data, CV data.
Categories of datadata subject
Recipientsnone 5
Retention periodrecruitment period (the duration may be extended to one year with the consent of the person concerned)
Legal basesGDPR, art.6, §1 b) (pre-contractual measures)
GDPR, art.6, §1 a) (consent for subsequent storage)
Transfer outside the EUno

3.7. Sponsoring

PurposeCustomer management (order tracking and fulfillment, sales information, invoicing)
Categories of dataidentification 1, electronic identification 2, administrative data 3.
Categories of datadata subject
Recipientsnone5
Retention period10 years after the end of the treatment (usually the end of the contract)
Legal basesGDPR, art.6, §1 b) (performance of contractual or pre-contractual measures)
Transfer outside the EUno

3.8. Visitors to the site

PurposeSecurity (recording of entries and exits in our buildings)
Categories of dataidentification 1, name of employer, visit data (arrival and departure times)
Categories of datadata subject
Recipientsnone5
Retention period30 days
Legal basesGDPR, art.6, §1, c) (performance of legal and regulatory obligations)
GDPR, art.6, §1, f) (legitimate interest: protection of the company, its property and its staff)
Transfer outside the EUno

1Identification” data includes: first name, last name, physical address and telephone number.

2Electronic identification” data includes the email address (and possibly identifiers on the Internet or social networks)

3 Administrative data” is all data necessary for tax and accounting purposes (VAT, company registration number, JNL codes,…).

4 Sectoral data” is all data related to identification, certification, labelling or authorization as an economic actor (e.g. in the pharmaceutical production and distribution sector: IMS code, APB code, INAMI number, BIO control body code, FLOCERT identification number), logistics (e.g. EAN code, Certipost) or organisational logic (SCM, MPO).

5 The data shall at least be made accessible to TILMAN’s staff and subcontractors (access rules shall be established so that only those persons who need it in the course of their work have access to the data). “None” means that the data is not disclosed to any other person or entity.

4. Your rights as a data subject

Data Protection Laws grant you rights on certain bases and under certain conditions, including the rights of access, rectification, opposition to processing, or request for deletion of your personal data, as well as the right to request the limitation of processing. Under certain conditions, you also have a right to the portability of your data.

Please contact us as specified in the “Who to contact about your personal data” section below to make any request to exercise your rights or if you have any questions or concerns about how we handle your personal data.

Please note that some personal data may be exempted from the rights of access, rectification, objection, deletion, limitation or portability in accordance with personal Data Protection Laws or other legislations.

 

5. Safety and security

Tilman takes appropriate technical, physical, legal and organizational measures, which comply with the Personal Data Protection Laws. Unfortunately, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure. If you have reasons to believe that an interaction with us is no longer secure (for example, if you believe that the security of any personal data you may have with us has been compromised), please notify us immediately. See the section “Who to contact about your personal data” below.

When Tilman provides personal data to a service provider, the service provider is carefully selected and must use appropriate measures to protect the confidentiality and security of personal data.

 

6. Personal data of third parties

If you provide us with personal data from third parties, you agree: (a) to inform the third party about the content of this Privacy Policy; and (b) to obtain the required consent for the collection, use, disclosure and transfer (including cross-border transfer) of the third party’s personal data in accordance with this Privacy Policy, unless you can demonstrate that you can rely on a legal basis other than consent.

 

7. Complaints and complaints

If you are not satisfied with our processing of your personal data and if you think that contacting us will not solve the problem, the Data Protection Laws give you the right to file a complaint with the competent supervisory authority (more information on the latter’s website: www.autoriteprotectiondonnees.be

 

8. Who to contact about your personal data

If you have any questions about our use of your personal data you can

  • send us an e-mail to the following address : privacy@tilman.be,
  • or write to us at the following physical address :
    TILMAN S.A.
    15, Z.I. Sud
    5377 Baillonville
    BELGIUM
  • or contact our DPO at the following email address : dpo@tilman.be

 

9. Changes to this Policy

We regularly review this Policy and reserve the right to make changes at any time to reflect changes in our business or new legal requirements.

To inform you of the changes, we will post updates on our website: www.tilman.be. In some cases, we may also notify you by email.

Please check the “last updated” date at the top of this Policy to see when it was last revised.