Privacy Statement

 

VIAN S.A. Privacy Policy

Updated: February 2019

VIAN S.A. (henceforth ‘the company’ or ‘we’) values communication with you and the information it provides you.

Contents

The present Privacy Statement includes the following:  

1. Who is the Data Controller handling your personal data
2. Which personal data we collect and which are the purposes of the processing for which the personal data are intended
3. How we use your personal data
4. Which is the legal basis for the processing of your personal data
5. Period for which your personal data will be stored or the criteria used to determine that period
6. With whom we might share your personal data
7. When automated decision-making and profiling are used
8. How we protect your personal data
9. What your rights are in relation to your personal data
10. What happens if you refuse to provide your personal data
11. Contact Details
12. Right to lodge a complaint with the Data Protection Authority (DPA) 

1. Who is the Data Controller handling your personal data

The company under the name ‘VIAN S.A., PUBLIC LIMITED COMPANY, INDUSTRIAL-COMMERCIAL COMPANY, DISTRIBUTOR OF PHARMACEUTICAL, PARAPHARMACEUTICAL, CHEMICAL, AND COSMETIC PRODUCTS’, trade name ‘VIAN S.A.’, headquartered in Kifissia, Attica, 15 Ermou Str., 14^th km Athens-Lamia National Road, is the Data Controller handling your personal data within the framework of the present Privacy Statement, according to current legal provisions.

2. Which personal data we collect and which are the purposes of the processing for which the personal data are intended

Personal data are defined as data that may be used to determine the identity of an individual or to establish communication with them, as well as other data associated with said individual that may help identify them.

The company collects personal data that relates to website visitors/users only when they provide them voluntarily in order to have access to services provided online. It also collects and processes personal data from other sources, which are acquired legally and the company is allowed to collect and process.

The company may collect and process personal data that relates to:

• Healthcare Professionals, such as:
• - Full name, social security number, occupation, specialisation, employment institution, and number of participations and documentation proving participation in scientific events and hospitality at scientific events, pursuant to circulars by E.O.F. (National Organisation for Medicines) and other national regulatory bodies.
• - Full name, address, specialisation, e-mail, and mobile phone number in order to provide promotional information (newsletters), following informed consent.
• - Full name and mobile phone number in order to provide medical information about products, handle complaints, and provide information about adverse reactions (Pharmacovigilance), pursuant to current legal provisions, following informed consent.
• - Full name, TIN, address, e-mail, and mobile phone number in order to handle orders and invoices (for pharmacists), in compliance with existing contracts and tax obligations.
• - Full name, occupation, specialisation, and institution (from publicly accessible sources, such as decisions by the Ministry of Health or E.O.F. regarding the appointment of members in Committees for Medicinal Products for Human Use) for documentation purposes, pursuant to legal provisions on anti-corruption.
• - Full name, telephone number, occupation, specialisation, institution, address, and number of visits by sales representatives of the company and by representatives of personal database management companies in order to develop marketing strategies for products and optimise medical information services, following informed consent (if necessary).
• - Bank account No (IBAN) for the purchase of goods and services.
• - Full name, occupation, specialisation, institution, and address of database management companies in order to update data that relates to Healthcare Professionals and ensure the accuracy of said data, when the company is assessed regarding its compliance with legal obligations, and to demonstrate its legitimate interest in anti-corruption, when the company is assessed by third parties.
• Consumers, such as:

- Full name, telephone number, and description of complaint in order to handle complaints.

- Full name, occupation, and telephone number in order to provide medical information, following informed consent.

- Full name, telephone number, name of medicinal product/description of adverse reaction, age, gender, weight, height, and date of birth in order to provide information about adverse reactions (Pharmacovigilance), pursuant to current legal provisions, following informed consent.

- Full name, telephone number, e-mail, and address (where the consumer wishes for a gift to be sent) in order to establish participation in promotional competitions for consumer and other OTC products via social media.

• Website visitors, such as:

- IP address and webpages visited prior to and after visiting a webpage of the company, information the visitor searches across websites, when and for how long a user visited a website, how much time a visitor spent on each webpage, the website that redirected the user to the website of the company, and information about the user’s device, such as the device’s identification number, the device model, the operating system and the version of the operating system of the device, and the mobile network operator, for statistical purposes.

- Full name, e-mail, and other personal information the visitor provides via the contact form on the website of the company.

- Full name, address, date of birth, telephone number, and ID card information, for visitors to be able to exercise their rights.

- Information included in the resumes of potential employees, only if they wish to provide said information.

- Information provided when contacting the Helpline for issues pertaining to Corporate Compliance & Ethics in order to place a complaint (such as first name, surname, e-mail, telephone number, and other information the Data Subject may provide).

• Visitors to the facilities of the company, such as:
• - Video and images from CCTVs.
• - Entry/exit data for all the facilities of the company in order to ensure the protection of the facilities, individuals, and goods.
• Suppliers and partners of the company, such as:
• - Identity data and contact details (full name, address, TIN, IBAN) in order to process/fulfil orders and invoices, in compliance with existing contracts and tax obligations.
• - Data needed to assess due diligence, pursuant to national and foreign legislation regarding transparency and preventing corruption and bribery (full name of owners, partners, shareholders, administration members, executives, position title, public official post or government employee/official post).

 3. How we use your personal data

In addition to all of the above, we may also use your personal data for the following purposes:

A. To provide information and services, following informed consent, e.g.:

• Participation/enrolment within the framework of scientific events
• Medical information about the products of the company
• Information about online events
• Send promotional/informative, advertising material of the company
• Send press releases
• Announce job openings
• Contact website visitors

B. To comply with our legal obligations, e.g.:

• Comply with applicable legislation, regulations, and directives (e.g. tax legislation, E.O.F. requirements)
• Comply with requests or orders by regulatory bodies, the government, or judicial and other authorities
• Investigate potentially illegal or offending conduct on the part of users and take remedial measures

C. To improve our day-to-day operations, e.g.:

• For internal purposes, to conduct audits, data analysis, and research in order to provide and improve our digital platforms, content, and services
• To monitor and analyse trends, use, and activities associated with our products and services in order to identify which elements of our digital platforms and services attract the most interest and subsequently improve the design and content of our platforms and services
• To improve our products, services, and communication with you, as well as to optimise our medical information services
• To ensure your contact details are updated (if applicable)

The company may also process part or all of the personal data sent by visitors/users for statistical purposes and to improve the services/information provided via the website.

4. Which is the legal basis for the processing of your personal data

The company pledges to process your personal data in a transparent manner, in accordance with the principles of legality and confidentiality. Therefore, we process your personal data for one or more of the following reasons:

• For legal business purposes, in the context of our legitimate interest: We use your personal data to make our communication with you more relevant and personalised and to create an effective and efficient information and communication channel for you regarding our products and services. In addition, the data we collect help us improve our operation, minimising disruptions to the services we provide you. Also, the company may use your personal data in order to substantiate and protect its interests.
• To implement a contract to which you are a party: We may need to process your personal data in order to provide a product or service that you have already received or have requested. The purpose of personal data processing depends on specific requirements for each product or service and the contractual terms and conditions provide more details about relevant purposes.
• To comply with our legal obligations: We value compliance with national and EU laws, regulations, and circulars (e.g. legislation governing medicinal products, tax legislation).
• You have given your consent: From time to time, we may request your consent to use your personal data for one or more of the purposes described above. You have the right to withdraw consent at any time. In this case, however, any processing of personal data prior to submitting your withdrawal form will not be affected.

5. Period for which your personal data will be stored or the criteria used to determine that period

We will keep your personal data for as long as we have a business or other relation with you.

Criteria used to determine the period for which personal data will be stored:

• Nature of the data
• Purpose of processing
• Legal and regulatory requirements applicable in the field in which the company operates
• Value of the data to the company
• Potential risks to the company and the Data Subjects resulting from the data being kept
• Potential obligations for the company resulting from the data being kept

The period for which personal data will be stored also depends on: (i) applicable legal requirements (e.g. tax legislation, requirements regarding Pharmacovigilance data) and (ii) the nature of our relation with you and the requirements governing said relation.

After the required retention period has expired, data will be deleted from the company's databases unless a longer retention period is required in order to comply with relevant legal provisions or a contractual obligation of the company.

6. With whom we might share your personal data

Within the company, your personal data is handled only by employees and departments that need them in order to fulfil contractual and legal obligations and also in the context of collaborations, operational needs, etc. These persons have been authorised by the company to handle personal data.

We may share your personal data with the following third parties in order to fulfil contractual, legal, or regulatory obligations:

• Companies within the Group the company pertains to, when exercising their competences. Local or foreign partners of the company, in the context of audits, on the basis of a written agreement safeguarding your personal data, so that the company can fulfil its contractual obligations.
• In general, public entities or other entities entrusted by the Greek State with tasks performed to the benefit of the public interest (e.g. Public Finance Departments, as well as any public service and any administrative, judicial, supervisory, regulatory, or other authority) in the context of their legitimate duties and responsibilities, if the law requires that personal data be shared in order to comply with relevant legal requirements (e.g. E.O.F., judicial authorities).
• Your bank in order to complete a transaction.
• Insurance companies in case of compensation claims.
• Third parties in case of foreclosure and trustees in case of bankruptcy.
• Independent contractors and/or consultants to whom the company delegates the processing of personal data or in the framework of a collaboration (e.g. legal advisers, accountants, companies organising conferences, travel agencies, providers of IT services, such as data analysis, website development/hosting/support, providers of logistics, tech, tax, and/or legal support, cloud providers, as well as companies storing, filing, and/or managing archives), under relevant contracts regarding the processing and protection of your data.
• Auditors in order to safeguard the legitimate interest of the company and fulfil contractual obligations.

Your personal data is not transferred to third countries (i.e. countries outside the European Economic Area) unless (i) you have given informed consent thereof, (ii) transfer is required by the law, or (iii) transfer is required for the company to fulfil contractual obligations. PDP legislation in third countries to which your personal data are transferred may not be equivalent to or may not ensure the same level of protection as the legislation applicable in Greece or the EU in general. In this case, the company makes sure that Data Controllers or Processors in these countries comply with European data protection standards and provide appropriate safeguards regarding data transfers according to Article 46 of the GDPR.

The company will not sell or otherwise transfer or disclose personally identifiable information to third parties not related to it without your consent, unless this is required in order to comply with legal provisions; in any case, said information will solely be transferred to competent authorities.

7. When automated decision-making and profiling are used

We do not use automated decision-making processes during the development and implementation of our business activities. 

We may process some of your personal data to create a profile, though without using automated means exclusively, and/or to implement automated decision-making on the basis of said profile.

In any case, we will request your informed consent prior to proceeding to automated decision-making based on profiling.

8. How we protect your personal data

The company implements all necessary technical and organisational measures in order to ensure personal data protection and security. The electronic systems of the company have been developed according to the principle of data minimisation, granting you access by providing only the minimum personal data required.

We use various security measures and technologies in order to protect your personal data from unauthorised access, use, disclosure, alteration, or destruction, in accordance with relevant legislation regarding personal data protection and privacy, such as anonymisation, pseudonymisation, data encryption, firewalls, privacy by design and by default, and also organisational measures, such as strict policies for system access, employee secrecy commitments, personnel training, regular audits, etc. Unfortunately, no data transfer or storage system is 100% secure.

When we share your personal data or transfer them to third parties, we make sure said parties keep your data confidential and implement appropriate security measures in order to safeguard your data.

Access to websites not owned or controlled by the company (links) – Services provided by third parties:

The website of the company may provide access to third-party websites (websites of natural or legal entities) through links. These links have been used solely to assist website visitors/users; the respective websites operate under their own Terms of Use.

The use of links does not imply approval or acceptance regarding the content of the respective websites on the part of the website operator; the operator does not assume any liability for the content, privacy protection measures, or accuracy of information associated with these websites. In case website visitors/users decide to visit third-party websites through links, they may do so under their own responsibility.

9. What your rights are in relation to your personal data

Users may exercise the rights stemming from the GDPR (Articles 15-22) and the applicable legal framework.

In particular, you have the following rights:

• Right to access, i.e. the right to be informed, following a respective request, whether your personal data are legally processed and request information about said processing.
• Right to request:
• - correction of any incorrect, incomplete, or inaccurate personal data we keep about you
• - completion of your personal data
• - and/or restriction of your personal data
• Right to request a copy of the personal data we keep about you in a structured, commonly used, machine-readable format to facilitate data transfer (either by you or by us) to other organisations of your choosing (right to data portability).
• Right to prohibit the processing of your personal data (right to object), including profiling.
• Right to have the processing of your personal data restricted
• Right to have your personal data deleted (right to be forgotten), provided that deletion does not contravene applicable legal requirements.
• Right to withdraw the consent you have given us regarding the processing of your personal data at any time. It should be noted that any withdrawal of consent will not affect the legitimacy of prior processing that was based on your informed consent.

In case the aforementioned rights are exercised, respective user requests may be disclosed to third parties who have received the personal data of the user, according to the above.

In case any of the aforementioned rights are exercised, the company must respond without undue delay and in any case within 30 days of receiving and identifying the request. This response time may be extended to 2 months for complex requests. In this case, the company must inform you thereof within one month of receiving the request, justifying the delay.

Requests pertaining to the aforementioned rights will be assessed according to applicable laws. In some cases, the company may not be legally required to comply with your request. All requests pertaining to the right to access, rectification, data portability, erasure, objection, and restriction of processing are dealt with free of charge. The company may charge administrative costs when dealing with requests that are manifestly unfounded or excessive, in particular because of their repetitive character, or reject requests which entail that the privacy of others is at stake.

For more information, please refer to the Data Subject Access Request (DSAR).

10. What happens if you refuse to provide your personal data

In case informed consent is required for the collection of your personal data, you may refuse to give consent. If you object to the processing of your personal data or withdraw your consent for processing, we shall respect your choice, in accordance with applicable legal requirements. In this case, we may not be able to proceed to necessary actions that will allow you to use the services we offer. It should be noted that any withdrawal of consent will not affect the legitimacy of prior processing that was based on your informed consent.

11. Contact Details

If you have any questions or requests regarding the present Privacy Policy or if you wish to exercise your rights, please contact our Data Protection Officer:

E-mail: dpo@vianex.gr             

Mailing address:  8 Varibobi Street, 146 71, Nea Erythraia 

12. Right to lodge a complaint with the Data Protection Authority (DPA)

In case your issue has not been resolved, you may lodge a complaint with the Data Protection Authority (DPA). The website of the DPA provides information on how to lodge a complaint: http://www.dpa.gr