FIDIA Privacy Notice – Pharmacovigilance/Vigilance System

pursuant to Article. 13 and 14 of 2016/679 European Regulation (hereinafter "GDPR" or "Regulation")

Controller of personal data

FIDIA FARMACEUTICI S.P.A., having its registered office at Via Ponte della Fabbrica, No. 3/A, 35031 Abano Terme (Padua), Italy (in the following: FIDIA).

Should you request any additional information or for exercising your rights under the personal data protection legislation, contact our DPO (Data Protection Officer). Send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. or a letter to this address: FIDIA FARMACEUTICI S.P.A., having its registered office at Via Ponte della Fabbrica, No. 3/A, 35031 Abano Terme (Padua), Italy - to the attention of the DPO.

Essential Definitions for helping in reading this Privacy Notice

Pharmacovigilance: it has been defined by the World Health Organization (WHO) as the science and activities relating to the detection, assessment, understanding and prevention of adverse effects or any other medicine-related problem.

Vigilance: activities aim to improve the protection of health and safety of patients, healthcare professionals, and other users by reducing the likelihood of reoccurrence of adverse event related to the use of a product (European Commission definition).

Products: medicinal products (for which FIDIA is Marketing Authorization), medical devices (for which Fidia is Manufacturer), food supplements and cosmetics (for which FIDIA is responsible for placing the product in the market).

Adverse event/undesirable effects: unwanted, unintended or harmful event in relation to the use of a FIDIA product.

Personal Data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Health Data: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Enquirer: person disclosing to FIDIA information about his/her health care professionals, relatives, personal data related to the physical or mental health).

Scope of this Privacy Notice

Ensuring patient safety is extremely important to FIDIA and we take the safe use of all our products seriously. We need to be able to get in touch with people who contact us about our products in order to follow-up and obtain further information, give answers to requests or to send requested material.

This Privacy Notice describes how we collect and use Personal Data and Health Data whether received, to help us fulfil our duty to monitor the safety of all medicinal products (also known as our Pharmacovigilance obligations).

The notice is also applicable to medical devices, food supplements and cosmetics since the relevant regulations on such products require essentially same safety and quality monitoring (Vigilance obligations).

This Privacy Notice applies to information we collect from or about you online, by phone, fax, e-mail or post, or as part of the adverse event or quality reporting regulations applicable to us. We may also collect this information about you through specific forms submitted by you on a site web that is owned or controlled by us. If you are a patient we may also be provided with information about you by a third party reporting an adverse event that affected you or a request of information about our product with regards to its use made or to be made by you such as for example: health care professionals, relatives or other members of the public.

Information we collect and related purpose and legal basis

We are under a legal obligation in order to comply with relevant EU/national binding regulations regarding safety of health related products (EU regulation 2016/679 Article 6(1)(c)) for the reasons of public interest in the area of public health (EU regulation 2016/679 Articles 9.2(g) and (i)).

Data Retention period

In accordance with the law, as Market Authorisation Holders of products, we retain all product-related documents for at least the time period of the Market Authorisation, plus 10 years following its expiry, however the data retention period could be extended, on a case by case basis, for the establishment, exercise or defence of legal claims.

This retention policy is applicable also for medical devices, food supplements and cosmetics.

The personal data that we may collect about you

You as patient/consumer

To the maximum extent we may collect the following information about you:

• name or initials;
• age and date of birth;
• gender;
• weight and height;
• details of the product causing the reaction or the request of information, including the dosage you have been taking or were prescribed, the reason you have been taking or were prescribed the product and any subsequent change to your usual regimen;
• details of other medicines or remedies or medical devices you are taking or were taking at the time of the reaction or request of information, including the dosage you have been taking or were prescribed, the period of time you were taking that medicine, the reason you have been taking that products and any subsequent change to your regimen;
• details of the adverse reaction you suffered, the treatment you received for that reaction, and any long-term effects the reaction has caused to your health;
• other medical history considered relevant by the Enquirer, including documents such as lab reports, medication histories and patient histories. Some of this information could include, about you: health data ethnicity; religion; sexual life. Such information shall only be processed where relevant and necessary to document your reaction/provide answers properly and for the purpose of meeting our Pharmacovigilance/Vigilance, safety, as well as any other applicable legal requirement.

You as Enquirer other than the patient/subject of the request

We collect information about you when you provide us with information in relation to an adverse event/ request of information you report. Pharmacovigilance/Vigilance laws require us to ensure that such events are traceable and available for follow-up. As a result, we must keep sufficient information about Enquirers to allow us to contact you once we have received the request/report.

The personal data that we may collect about you:

• name and contact details (which may include your address, e-mail address, phone number or fax number);
• relationship with the subject of the request/report.

How we use and share information

In order to meet our legal obligations, we may use and share the information received to:

• investigate the adverse event;
• contact the Enquirer or you for further information about the request/case report;
• collate the information about your case report with information about other requests received/ other adverse events received in order to analyse the matters for the purpose of Pharmacovigilance/Vigilance;
• provide mandatory reports to national and/or regional and/or international competent authorities such as the European Medicines Agency.

We may also share Personal Data with other pharmaceutical companies who are our co-marketing, co-distribution, or other license partners, where Pharmacovigilance/Vigilance obligations for a product require such exchange of safety information.

Furthermore, we can involve service providers in processing data for the purpose of this Privacy Notice, properly selected and working under binding contractual data protection clauses.

Security Measures

We take adequate measures to secure the data processed from accidental loss and from unauthorised access, use, alteration or disclosure. Additionally, we take further information security measures including access controls, stringent physical security and robust information collection, storage and processing practices.

International transfers

In case the data need to be transferred to entities established in extra EU countries, it shall be adopted, case by case, the relevant instruments to lawfully transfer the data.

EU adequacy decision or standard contractual clauses issued by the European Commission (GDPR Articles: 45, 46) or applicable derogations on a case by case basis (GDPR Articles 49).

Your privacy rights

With regards to the processing described above, at any time as data subject you can exercise the rights provided for by the Regulation. In general, the data subjects will be able to exercise the right to:

• access their personal data, obtain evidence of the purposes pursued by the Controller, the categories of data processed, the recipients to whom they may be communicated, their retention period, the existence of automated decision-making processes, including profiling and in such cases information on the logics used, and the possible consequences for the data subjects;
• obtain without delay the correction of inaccurate personal data concerning them;
• obtain, in the cases provided for by law, the erasure of their data;
• obtain the limitation of processing in the cases provided for by law
• object to the processing, where provided for, based on the rules applicable to the specific case;
• in the cases provided for by law, obtain the portability of the data provided to the Controller as well as receive it in a structured format, commonly used and readable by automatic devices or request the transmission of such data to another Controller where possible;
• if it is considered appropriate, submit a complaint to the Data Protection Authority in your country.

Effective date of this Notice: 29 September 2020