Privacy policy pharmacovigilance

1. Data Controller and contact details

The data controller is Istituto Gentili S.r.l.
The company is based at via San Giuseppe Cottolengo n. 15, 20143, Milan, Italy, e-mail: privacy@istitutogentili.com.

2. Data Protection Officer

The Group DPO can be contacted at the email address dpo@mediolanum-farma.com

3. Type of data processed and purpose of processing

We inform you that the Data Controller will process your data exclusively for purposes strictly related to the management of Pharmacovigilance, as required by law (Directive 2010/84 of the European Parliament and of the Council of 15 December 2010), and in particular purposes related to the management of the report (investigating the adverse event, comparing the report with other reports of adverse events already received, provide the Authorities with all and more complete information). The reference legislation requires ensuring that adverse events are traceable and available for follow-up, therefore, for the complete evaluation of the report it will be useful to be able to contact the reporter again.

For the purposes described, the Data Controller may process data:

A) of the person to whom the adverse event refers personal data (initials of the name and surname; age; date of birth; year of birth and the like) and details, i.e. suitable for revealing the state of health, contact details. Your data will be pseudonymousized.

B) the signaller personal data (full name and surname), profession and/or relationship with the subject to whom the adverse event refers.

4. Nature of data processing and legal bases

The processing of your data (and their provision), as functional to the execution of the Pharmacovigilance activities to which the Data Controller is required:

  • it is necessary to comply with a legal obligation to which the Data Controller is subject (Art. 6, 1 para., letter c); 
  • it is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or the guarantee of high standards of quality and health safety and of medicinal products and medical devices (Article 9(ii)(i));

Failure to provide it prevents the Data Controller from establishing and managing the relationship with the data subject and from carrying out the consequent and necessary acts.

5. Processing methods and data retention times

Your data will be processed with automated tools and on paper, for the time strictly necessary to achieve the purposes for which they were collected and in any case for the duration of the life cycle of the product to which the adverse event refers and for a further 10 years from the withdrawal of the product from the market.

When personal data are processed by IT means, they are entered into a system of interconnected databases, accessible only by authorised representatives. This system is protected by security measures (firewalls and other protections) suitable for minimizing the risks of intrusion by third parties, deterioration of data and/or accidental destruction of the same; it is also constantly monitored by authorized managers. The security measures are constantly updated.

6. Persons authorised to process

Your data will be processed by the Data Controller through its own representatives (belonging to the Pharmacovigilance office) and may be known by the Data Controller's subsidiaries/affiliates.

Your data may be communicated, for the purposes indicated above, to external parties specifically appointed as Data Processors, including, by way of example: those who carry out maintenance and assistance to the Database of adverse reactions and related Services.

Strictly necessary personal data will be communicated, where applicable, to the following categories of independent Data Controllers who will process them exclusively for the purposes specified below, without being able to make any other use of them:

  • authorities and public administrations, for the performance of institutional functions, within the limits established by law and regulations (Regulatory Authorities, AIFA; EMEA etc...); 
  • other pharmaceutical companies holding MAs, for the performance of legal obligations, within the limits established by pharmacovigilance agreements.

7. Transfer of data to third countries

Due to the organisational solutions of the Data Processors and Sub-processors used by the Data Controller, the data will be transferred to non-EU countries, on the basis of the adequacy decision of the European Commission.

8. Rights of the data subject

At any time, you will have the right to exercise the rights referred to in Articles 15 et seq. of EU Regulation 2016/679, namely:

i. access to personal data (art. 15 GDPR); 
ii. to obtain the rectification (art. 16 GDPR) or erasure of the same (art. 17 GDPR) or the limitation of processing (art. 18 GDPR) concerning you; 
iii. to object to the processing (art. 21 GDPR); 
iv. data portability (art. 20 GDPR); 
v. to lodge a complaint with the supervisory authority (Data Protection Authority) (art. 77 GDPR).

To exercise the aforementioned rights, make a report or receive information on how personal data is processed, requests can be made by writing to Istituto Gentili S.r.l., Via San Giuseppe Cottolengo n. 15, 20143, Milan or to the following email address privacy@istitutogentili.com. Alternatively, you can contact the DPO at dpo@mediolanum-farma.com. We also remind you that you can take legal action if you believe that the data processing is in violation of the provisions of the GDPR.