Privacy and Data Protection Policy of DOCTUM S.A.

 

Date of Application: 15.5.2019

 

Thank you for visiting the Website of the Société Anonyme with the name “DOCTUM PHARMACEUTICAL SA – K GIOKARIS KE SIA SA”, with the distinctive title “DOCTUM SA”, business registry number 004225901000 and VAT number 0940703. Paianias-Markopoulou Avenue, PC 19002, Athens, Attica.

Before using our service, please read this Personal Data Protection Policy carefully.

 

Introduction

DOCTUM S.A. (hereinafter “DOCTUM”), the controller, informs you about how information about you is collected and processed.

Personal Data is any information that refers to individuals whose identities are known or can be verified.

The protection of your Personal Data is very important for DOCTUM. We process Personal Data in accordance with data protection legislation and ensure that our staff is aware of their obligations when processing Personal Data on behalf of the Company.

The aim of this policy is to ensure that the processing of Personal Data by DOCTUM complies with the requirements of data protection legislation and that its staff is aware of the rights of the subjects and the obligations of the Company when processing Personal Data.

As described in the Terms of Use and the Cookies Policy, the services provided through the website are aimed at the public, do not target minors and do not process Personal Data for minors under 16 years of age. 

The Policy applies to all members of the Company and to all Personal Data that are processed on behalf of DOCTUM by any means and in any form.

 

Definitions

“Personal Data”: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Processing”: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Restriction of Processing”: means the marking of stored Personal Data with a view to limiting their processing in the future;

“Controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; in this case DOCTUM.

“Processor”: the natural or legal person, the public authority, the service or other body that processes Personal Data on behalf of DOCTUM.

“Consent”: of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;

“Personal Data breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

“Data Protection Officer”: Computer Studio A.E., located at 223 Vouliagmenis Ave., Athens, PC 172 37, Tel: (210) 9761865, Fax: (210) 9708067, www.computerstudio.gr. The natural person who has been declared to the Greek DPA is Mr. Lioulias Dimitrios, whom you can contact via the email [email protected]

“Data Subject”: The person (natural person) to whom the data refers.

“Personal Data Protection Legislation”: includes Regulation 2016/679 on data protection (GDPR) and Law 2472/1997 on Personal Data Protection, instructions and decisions of the Personal Data Protection Authority, Law 3471/2006 on the protection of Personal Data in electronic communications and any other specific legislation in force in Greece regarding the protection of privacy and / or the processing of Personal Data. The legislation for data protection governs the way in which a data controller such as DOCTUM S.A. can process the personal data of the subjects, recording and securing their rights.

“Personal Data Protection Authority (DPA)”: is the Greek DPA, located at 1-3 Kifissias Avenue, PC 115 23, Athens, tel.: + 30-210 6475600, Fax: + 30-2106475628, www.dpa.gr. The DPA is a constitutionally established independent public authority, which has as its mission the supervision of the application of the General Data Protection Regulation (GDPR), national laws 4624/2019 and 3471/2006, as well as other regulations concerning the protection of the individual from the processing of Personal Data. The Greek DPA is concerned with protecting the rights and the privacy of the individual, aiding them in case of violation of their rights and offering support and guidance to controllers in complying with the law.

“Recipient”: means a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

“Third party”: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process Personal Data;

“Data Protection Policy”: a set of rules and procedures that everyone involved in the Company is required to follow. They balance the right and the need of a company like DOCTUM to process Personal Data with the obligation to protect the rights and respect the privacy of the Data Subject.

“Staff”: includes all employees of DOCTUM who are bound by an employment contract or a contract for the provision of services, as well as all temporary staff, contractors, consultants and third parties with whom there is cooperation and in the framework of which contracts have been concluded or confidentiality or non-disclosure clauses have been included.

“DOCTUM S.A.”: a pharmaceutical, industrial and commercial company based in the greater Athens area, which manufactures pharmaceutical preparations, Artificial Kidney solutions and various medical devices, and represents in Greece pharmaceutical products of foreign companies.

 

DOCTUM S.A. complies with GDPR

DOCTUM respects and observes the principles governing the processing of Personal Data, namely:

(a) Personal Data are processed lawfully and in a transparent manner in relation to the data subject (“legality, objectivity and transparency”). This means DOCTUM S.A. will use Personal Data fairly and determine a legal basis for processing. When subjects provide Personal Data to DOCTUM for the first time, or if the purpose of the processing changes, they have the right to request to know the way, the purpose, the period for which their Personal Data will be stored, the recipients or the categories of recipients, the contact information of the controller and the DPO, their rights with regard to data, including data access and transfer rights, correction and deletion, the right to object to the processing, the consequences of not providing the Personal Data required by law or for contractual purposes, and the existence and rights associated with automated decision-making, including profiling.

(b) Personal Data are collected for specified, express and lawful purposes and are not further processed in a manner incompatible with those purposes (“limitation of purpose”). DOCTUM processes Personal Data for processing purposes only and will not use them for other purposes that are not compatible with the original purposes. Subject to appropriate safeguards, further processing for archiving purposes of general interest, scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes.

(c) Personal Data are appropriate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimization”). DOCTUM ensures that only the absolutely necessary Personal Data are processed, for the purpose for which they were collected and will not be collected or retained because they may be useful in the future.

(d) Personal Data are accurate and, where necessary, updated; all reasonable steps will be taken to promptly delete or correct Personal Data which are inaccurate in relation to the purposes of the processing (“accuracy”). Data are inaccurate when they are incorrect or misleading as to the facts to which they refer. DOCTUM has created procedures, and will periodically check whether it needs to develop others, to maintain the quality of data collection, whether the data are collected or received by the Company or not, as well as for their exact modification, update or correction.

(e) Personal Data are kept in a form which allows the identification of data subjects only for the period required for the purposes of the processing of Personal Data (“limitation of the storage period”), and which in no case exceeds the period necessary for the purposes for which the Personal Data are processed. Each Directorate, Department or Office of the Company is responsible for identifying and complying with the appropriate retention periods, as well as for ensuring the safe destruction of the data when the time elapses or the purpose of processing ceases and there is no legal requirement or legitimate interest or right to continue their retention. They may be stored for a longer period of time, provided that Personal Data are processed solely for the purposes of archiving in the public interest, scientific and historical research or for statistical purposes, subject to the application of appropriate technical and organisational measures.

(f) Personal Data shall be processed in such a way as to guarantee the appropriate security of Personal Data, including their protection against unauthorized or unlawful processing and accidental loss, destruction or deterioration, using appropriate technical or organisational measures (“integrity and confidentiality”). For this reason, any Personal Data Processing on behalf of DOCTUM, or of Personal Data collected by the Company, takes place in compliance with strict contractual clauses. The Data Protection Officer of DOCTUM participates, learns and presents to the management its point of view in the initial stages of each project or in the proposed change of a process that has significant implications for the processing of Personal Data. The processing of Personal Data by any Directorate, Department, Office or employee complies with the Security Policy of DOCTUM. The staff of DOCTUM has been informed that it must report any fact or suspicion that has resulted or may result in loss, theft, unauthorized disclosure, accidental destruction or disclosure of Personal Data, in accordance with the prescribed data breach response procedures.

DOCTUM respects and complies with European and Greek legislation, investing equally in the trust of the public and users of its infrastructure. It follows the recommendations of the Greek DPA, the European Data Protection Council and the European Commissioner. It implements good practices and adopts appropriate codes of conduct and policies for the internal Company and management of Personal Data.

It is at the disposal of the Supervisory Authorities and the subjects in order to prove its compliance with the relevant provisions, providing the following information: a) the name and contact details of the data protection officer; b) the purposes of the processing and the legal basis; c) a description of the categories of underlying data and Personal Data; d) any recipients of Personal Data that may exist; e) if and in which countries the Personal Data is transmitted; f) organisational security measures of Personal Data.

It strives to design and develop the appropriate structures for the operation of the systems and procedures for the proper and legal processing of all Personal Data, in a way that ensures their integrity, accuracy, relevance and safety. For this reason, it adopts solutions for the protection of privacy and confidentiality by definition and specially designed for the needs of DOCTUM.

DOCTUM follows the recommendations of the Greek and European supervisory authorities, i.e. the DPA. DOCTUM categorizes Personal Data and controls, recognizes, takes action and eliminates the processing risk, in order to eliminate, as much as possible, the risk to Personal Data Protection and the privacy of the Data Subjects.

It ensures transparent processing and provides alerts and updates regarding Personal Data processing. It uses consent as the legal basis for the processing of Personal Data when this is the appropriate choice to serve the processing purposes.

It controls and ensures that Personal Data are not disclosed to those who do not have the relevant right, or to third parties, unless permitted or required by law. For this purpose, it ensures that the staff of DOCTUM who are directly involved in the processing of personal data have been trained and updated on an annual basis. DOCTUM verifies and ensures that external partners receiving Personal Data from the Company, whether they can be considered as processors or not, have taken the appropriate technical and organisational measures to ensure compliance with the data protection principles and related requirements described in the current policy. The control of employees and external collaborators is continuous. Violation of the rules and principles of the protection of Personal Data by an employee of the Company also carries disciplinary sanctions.

It thoroughly monitors and evaluates its associates who transmit data back to the Company, and asks for the appropriate assurance and affirmation that they have the right to do so and have taken the appropriate measures so as not to infringe the rights of the subjects.

DOCTUM manages the requests of subjects who object to the processing or who wish to limit it, in order to respond to them to a great extent, and it also voluntarily corrects inaccurate data or even deletes them. In any case, it respects and satisfies the requests of subjects not to use their data for commercial purposes and promotional activities.

It has established the appropriate structure and procedures for managing any incident or complaint concerning the processing of Personal Data and the Company’s compliance with this policy. Any complaint and incident will be handled by the Company as a controller with the assistance and advice of the Data Protection Officer [email protected]

 

DOCTUM as a Controller

At DOCTUM the entire staff is responsible for supporting compliance with this policy. The staff processes Personal Data only to serve the legitimate, operational purposes directly related to the performance of their duties. All staff of the Company are responsible for reporting breaches that have occurred or are in progress to the Data Protection Officer as soon as they become aware of them, and for following the procedures and actions provided by internal policy. These procedures are described in detail in the documents of the Company.

 

The Data Protection Officer (DPO)

The DPO takes into great consideration the risk associated with processing operations, while evaluating the nature, scope, context and purposes of processing, and is responsible for informing and advising DOCTUM and its employees on their obligations under European and Greek data protection legislation. The DPO monitors compliance with European and Greek legislation and with the Company’s policies regarding the protection of Personal Data, including the delegation of responsibilities, awareness and training of staff involved in processing operations, and related audits. The DPO provides advice, when requested, on impact assessment on data protection and monitors its implementation. The DPO cooperates with the supervisory authority, and acts as a point of contact for the supervisory authority and the subjects on processing-related matters. The DPO also keeps the documentation records of the procedures for the protection of Personal Data and manages, in cooperation with the Company, the process of informing the data subjects and the DPA.

 

Internal audit

DOCTUM has adopted procedures for the preventive audit of the compliance of the staff and of all the involved partners, during Personal Data Processing, with the procedures and policies that have been communicated to them by the Company. It is also responsible for investigating and assigning responsibilities to anyone who may be involved in an incident of breach of the Company’s obligations regarding the lawful Personal Data of the subjects.

 

Changes to Privacy Policy

This policy was approved by the Board of Directors of the Company on 15.5.2019 and will be subject to review whenever deemed appropriate by DOCTUM.

Please check the Implementation Date (see beginning of this Policy) to see when this Policy was last revised. Each review will take effect upon posting on the website in the appropriate section, and the previous one will be archived.

If we make substantial changes to this Policy that extend our rights to use the personal data we have already collected from you, we will notify you and provide you with the option to use this data in the future.