The following personal data policy has been adopted by EQL Pharma AB, hereinafter referred to as the Company, on September 3, 2018, and shall apply from this date.
1. Background
EQL Pharma AB, org. nr. 556713–3425, (”EQL”), is a limited company. EQL Pharma specializes in developing and selling generics, i.e. medicines that are medically equivalent to reference medicines. EQL has approximately 8 employees.
Within EQL´s operations, various personal data is processed. It is of the utmost importance that all such processing is carried out in a correct manner that does not jeopardize the personal integrity of the person whose personal data is processed. EQL shall at all times ensure that personal data is processed in a lawful and correct manner, and that everyone who processes personal data on behalf of EQL has the qualifications and knowledge required to process such data.
This Privacy Policy (the ”Policy”) contains rules and guidelines for the processing of personal data by EQL as personal data controller, regardless of the type of personal data and the personal data concerned.
2. For what, why and how long we process?
2.1 Generally
EQL collects and processes personal data in the areas and functions listed below.
In several cases when we request personal data, we do so with the aim of complying with statutory or contractual requirements or requirements that are necessary to enter into an agreement with, for example, an employee, a customer or a supplier. In cases where the data subject does not provide the information we request, in some cases we may not be able to conclude an agreement or fulfill our obligations in an agreement with the data subject. Below are the areas within which EQL processes personal data. In connection with each area, the objectives and the legal basis for the treatment are also stated, which receive the information and the storage period etc.
How long is the data stored?
EQL never store data longer than necessary for the purpose of processing. EQL therefore carries out regular thinning of personal data and deletes the data that is no longer needed. When an employee leaves the company, there is no reason to save the former employee personal data. This includes the employee´s e-mail account and information about the employee on the EQL website. In such cases, thinning shall take place as soon as possible after termination of employment.
However, there are important exceptions to this. In order to fulfill its obligations in accordance with labor law, tax law and social security legislation, EQL needs to save certain information about the employee even for a period after termination of employment. For example, data must be saved in order to fulfill legal obligations regarding the employee´s preferential right to re-employment in the Act (1982: 80) on employment protection and to handle legal requirements that may be directed at EQL. Sometimes it is also required that data be retained for payment of, for example, pensions or severance pay. In these exceptional cases, data is stored for 2 years and 10 years, respectively (regarding accounting, taxation and limitation periods).
We may also process data in connection with employee surveys. Such investigations are carried out to enable EQL to identify deficiencies and then to work with and ensure a better working environment. In these cases, automated decision-making, including profiling, may occur.
Some of the personal data EQL processes as a result of the employment may constitute sensitive data. Among these can be mentioned disease state or union membership. See more about EQL´s handling of sensitive data below.
2.2 Customers
What is the legal basis for the processing?
In order to be able to enter into and manage agreements with our customers, EQL processes personal data belonging to people who represent our customers. Some personal data can also be processed because EQL has a legal obligation to do so, for example personal data on invoices as a result of accounting obligations.
What personal data is processed and who is the recipient?
We process personal data regarding representatives of companies with whom we have customer agreements. Personal information processed may include name, telephone number, e-mail, social security number and copy of ID / driving license.
We may also process personal data regarding the preference of companies that are potential customers. Personal information processed may include name, telephone number, address and e-mail.
Those who receive the information are mainly relevant to the agreement in the sales department, the finance department, QA responsible, the marketing department, managers and contract administrators. Helpdesk and technicians may also receive the information.
For what purposes is the personal data processed?
In cases where there is an existing customer agreement, EQL only process personal information that is relevant to the customer relationship and what is required for the fulfillment of the agreement. Personal information such as name, e-mail and telephone number of the representative is processed in order to be able to have a dialogue with the customer and to manage the customer agreement in general. Personal information such as social security number or driving license is processed only if necessary, to administer invoicing, credit rating or the like.
In cases where EQL processes personal data regarding representatives of potential customers, this is done in order to contact the customer in order to be able to provide the customer with offers and information by telephone, e-mail or to manage scheduled meetings. As stated in section 4.3, the representative always has the right to object to treatment for direct marketing.
How long the personal data is stored?
EQL never stores data longer than necessary for the purpose of processing. EQL therefore carries out regular thinning among stored personal data and removes the information that is no longer needed after the customer relationship has ended.
However, EQL may need to store personal data after the customer relationship has ended, including to administer any guarantees and claims deadlines or to handle legal requirements that may be directed at EQL. Exceptionally, therefore, personal data is saved for a certain period after the end of the customer relationship or until the person objects to direct marketing.
Personal data concerning representatives of potential customers is deleted when the dialogue with the customer has ceased, provided that no customer relationship has been initiated, or directly if the person objects to direct marketing.
More generally, personal data may need to be stored to ensure compliance with legal obligations, such as accounting. If such an obligation exists, personal data can be stored for up to 10 years.
2.3 Suppliers
What is the legal basis for the processing?
In order to be able to enter into and manage agreements with suppliers, EQL process personal data of persons who represent suppliers. Some personal data can also be processed because EQL has a legal obligation to do so, for example personal data on invoices as a result of accounting obligation.
What personal data is processed and who is the recipient?
We process personal data regarding representatives of supplier companies with whom we have or intend to enter into agreements. Personal data processed may include name, telephone number, e-mail, address and professional title.
Those who receive the data are mainly EQL’s purchasing department, responsible manager, CEO, finance department, QA manager and IT department.
For what purposes is the personal data processed?
EQL processes the personal data in order to generally be able to administer purchasing agreements, handle invoices and to be able to ask questions to the supplier EQL may have regarding the goods or services we buy.
How long is the personal data stored?
EQL never stores data longer than necessary for the purpose of processing. EQL therefore carries out regular thinning among stored personal data and removes the information that is no longer needed after the contractual relationship has ended.
However, EQL may need to store personal data after the contractual relationship has ended, including to administer any guarantees and claims deadlines or to handle legal requirements that may be directed at EQL. Exceptionally, therefore, personal data is stored for 2 years from the termination of the contractual relationship.
More generally, personal data may need to be stored to ensure compliance with legal obligations, such as accounting. If such an obligation exists, personal data can be stored for up to 10 years
2.4 On sensitive data
Sensitive information in the Policy refers to personal data that discloses racial or ethnic origin, personal opinions, religious or philosophical beliefs or membership in a trade union and the processing of genetic data, biometric data to uniquely identify a physical person, health information or information about a physical person, a person’s sex life or sexual orientation.
EQL never processes sensitive data without the consent of the data subject or without the support provided by Article 9 of the Data Protection Regulation, for example to fulfill obligations or exercise specific rights in labor law, social security and social protection or when the processing is necessary to protect it. If the data is already published by the data subject, if it is necessary for the sake of an important public interest, if the data is already disclosed by the data subject, for reasons related to, among other things, the assessment of workers’ working capacity or the provision of health care or, if necessary, for statistical purposes.
EQL always takes appropriate security measures to protect the data at processing of sensitive data. Personal data is never available to more people than is necessary.
3. How we process personal data?
3.1 Generally
When EQL collects, processes and stores personal data, this should in any case be done in a legal, correct, transparent and appropriate manner and only to the extent that EQL deems it necessary. EQL shall continuously process personal data in a way that avoids violating the data subject’s personal privacy. In all cases of personal data processing, EQL is very careful that the personal data is protected by appropriate security measures.
In several cases when we request personal information, we do so, as mentioned above, for the purpose of complying with statutory or contractual requirements or requirements that are necessary to enter into an agreement with an employee. In cases where the data subject does not provide the information we request, we may not be able to conclude an agreement or fulfill our obligations in an agreement with the data subject. If the data subject feels hesitant or anxious about submitting a certain personal data, he or she can contact EQL (see below under Contact details) so we can give the data subject additional information.
3.2 EQL shares data with an external part
EQL may, from time to time, need to provide information to relevant third parties (including, but not limited to, situations where we have a legal obligation to do so). In each case, to ensure that personal data is processed in a safe and secure manner, EQL has as a routine for the establishment of agreements (assistance agreements or similar) with each external party that processes personal data on behalf of EQL. Such agreements always specify the subject matter of the processing, the duration of the processing, the nature and the purpose, the type of personal data and categories of data subjects, as well as our obligations and rights as personal data controller. Furthermore, EQL always provides documented instructions to the personal data assistant that the personal data assistant is obliged to follow.
4. What rights has the data subject?
4.1 Right of access
The data subject has the right to apply to EQL, as personal data controller, for access to the personal data that EQL process and is also informed of, among other things, the purpose of the processing and those who receive the personal data.
EQL shall, as personal data controller, provide the data subject with a free copy of the personal data processed.
4.2 Right to rectification, deletion or restriction
The data subject has the right to have his or her personal data corrected without undue delay or, under certain conditions, restricted or deleted. If the data subject considers that EQL process personal data about him or her that is incorrect or incomplete, the data subject may require that these be corrected or supplemented.
The data subject also has the right to have his data deleted, among other things, in case they are no longer necessary.
4.3 Right to object
The data subject has the right at any time to object to the processing of his personal data. The legal basis for the objection processing is a balance of interests in accordance with Article 6.1 (f) of the Data Protection Regulation.
The data subject also has the right at any time to object to the processing of his personal data if these are processed for direct marketing.
4.4 Right to data portability
The data subject has the right to obtain the personal data which he has provided to the data controller and has the right to transfer this data to another data controller. However, this only applies provided that it is technically feasible and the legal basis for the treatment is consent or that the treatment is necessary for the performance of an agreement.
4.5 Right to revoke consent
If the processing of personal data is based on the data subject’s consent, he or she has the right to revoke this consent at any time. Such a revocation does not affect the legality of the personal data processing before the consent was revoked.
4.6 Right to complain to the data inspection
The data subject has the right to make complaints to the Data Inspection.
Contact details
Phone number: 08-657 61 00
E-mail: datainspektionen@datainspektionen.se
5. Contact details
If you have any questions about the Policy or other personal data requests, please contact EQL’s personal data representative.
Contact details
Name: Christer Fåhraeus
Phone number: 0755-55 12 95
E-mail: christer.fahraeus@eqlpharma.com
6. Changes to the policy
EQL reserves the right to change and update the Policy. In the event of material changes to the Policy or whether existing information is to be treated in a different way than stated in the Policy, EQL will inform about this in an appropriate manner.