Data Privacy Information for Specific Processing Activities

List of specific processing activities of Personal Data:

 

1. Processing of your Personal Data when you visit and use our websites

See the company's privacy statement for the Icepharma website.

2. Processing Personal Data of our contracted partners

Nature:
In connection with the diverse operational activities of the company, the employees communicate with a wide group of customers, suppliers, and other contracted partners. We process contact information (like name, email address, telephone number, position, and role in the company) of employees of our customers, suppliers, or contracted partners or of individuals who directly act as our customers, suppliers, or contracted partners. We also might process individuals' payment data (like bank account information), if applicable.

Purpose:
We use this information to manage our business relationship with our customers, suppliers, and other contracted partners, e.g., to process your orders and deliver service to you, to manage your purchase history, or to pay any due invoices.

Legal basis:
The legal basis for the processing of Personal Data for the aforementioned purposes lies in the legitimate interest of the company (Art. 6(1)(f) GDPR). As far as it is necessary to process the data to fulfill a contract with you, the legal basis is Art. 6(1)(b) GDPR.

Data retention:
We retain this kind of Personal Data for as long as it is necessary to continuously manage our relationship or to fulfill our contract with the relevant customer, supplier, or contracted partner. Legal archiving requirements may exceed this retention period, for example, to meet tax legislative requirements for archiving. We delete this Personal Data as soon as it is no longer needed.

3. Processing Personal Data in relation to marketing and promotion activities

Nature:
We perform various actions in connection with the marketing and promotion of the company's products and services. All marketing and promotional activities are conducted in line with local laws and regulations. We may collect and process Personal Data about the person to whom the marketing activities are directed, and this primarily refers to an individual's contact information, such as name, telephone number, and e-mail address. We also might process individual's payment data (like bank account information), if applicable.

Purpose:
We only direct marketing material and marketing and promotional activities to those who have a legitimate interest in receiving such material or those who have specifically registered on a mailing list and agreed to receive certain marketing material or promotional activities from the company. We have a strong obligation to inform healthcare professionals and patients to ensure the correct use of medicinal products and medical devices and to promote innovations in connection with treatments of patients, products, and services. In connection with such activities, the company's representatives communicate with healthcare professions, individual healthcare professionals, patients, clients, relatives, and others. In connection with other general marketing and promotional work, an individual may be asked to provide Personal Data to the company. The delivery of Personal Data for the general purpose of marketing is always optional for individuals and never a condition for the service provided. 

Legal basis:
Processing Personal Data for marketing purposes is either based on the consent of the person to whom the marketing and promotional activities are directed or that the company has legitimate interests in approaching the person in question for the benefit of the company's marketing and promotional activities and to maintain a good relationship with healthcare professionals, customers, and others as well as due to the legitimate interest of the receiver in obtaining information about:

• innovations in connection with the treatment of patients/clients.
• innovations in connection with the range of products and services.
• presentations, educational courses, meetings, and conferences.

If an individual wishes to refuse contact from our representatives in the form of receiving marketing and commercial material a request to that effect can be sent to the email: personuvernd@icepharma.is. Your request will be respected and you will no further be contacted for the purpose of marketing or promotion activities. However, we would like to draw your attention to the fact that it may be necessary for our representatives to approach you for other purposes, e.g. to comply with our statutory disclosure obligations, e.g. to distribute educational material to healthcare professionals and patients.

Data Retention:
We will only store your Personal Data for as long as necessary to stay in contact with you.

4. Processing of Personal Data due to general inquiries and complaints

Nature:
We may receive a variety of inquiries and/or complaints related to our products and/or service offerings. In cases where it is not possible to respond to such inquiries and/or complaints as soon as they are received, the person making the inquiry and/or complaint may be asked to provide contact information (like name, email address, telephone number) so that contact can be made with the person again in connection with the processing and follow-up of the inquiry/complaint.

Purpose:
The purpose of processing your Personal Data is to manage your report, analyze the inquiry or complaint, ensure the quality of our service, and, if necessary, deliver a respective response to your inquiry or complaint.

Legal basis:
The processing of Personal Data in connection with general inquiries and/or complaints is considered necessary for the legitimate interests of the company to analyze inquiries and/or complaints that may concern the quality and safety of products or services offered by us and may require action or security measures based on laws and regulations.

Data retention:
When all handling of a general inquiry or complaint is completed and no further action or follow-up is required, the personal information is deleted or made anonymized if in line with local data privacy requirements.

5. Processing of Personal Data for safety reasons 

Nature:
Pharmacovigilance means activities that aim at reporting, registration and processing adverse drug reactions with pharmaceutical products including prescription medicines and over-the-counter medicines. Medical Device Reporting means activities that aim at reporting, registration, and processing suspected device-associated deaths, serious injuries, and malfunctions. We encourage healthcare professionals and others who wish to submit Pharmacovigilance Data or Medical Devices to report directly to the Icelandic Medicines Agency, Lyfjastofnun. If you nevertheless report to us, we will be legally bound by Icelandic laws and regulations and contractual obligations toward the Legal Manufacturer/Marketing authorization holder to deal with your communication and may have to contact you for clarification purposes. In that context we may need to collect information that allows us to identify a person directly or indirectly and, in this case, are Personal Data which are protected by data privacy laws.

Data relating to the reporter may include:

• _{Contact information such as name, address, phone or other contact information;}
• _{Profession (this allows to determine the follow-up questions you are asked depending on your assumed level of medical knowledge);}
• _{Relationship with the subject of the report.}

Data relating to the person suffering from an adverse drug reaction or adverse event may include:

• _{Information allowing to identify the case and prevent double reporting, such as name and/or initials (if provided);}
• _{Demographic data such as date of birth, age group, sex, weight, or height;}
• _{Information about health, racial or ethnic origin, religious beliefs, and sexual life.}
• _{Medical information concerning the adverse event, such as:}
  • _{Details of the product suspected to cause the adverse event, including dosage, reasons for application, or changes to the usual regimen;}
  • _{Details of concomitant medication, including dosage, application duration, reasons for application, or changes to the usual regimen;}
  • _{Details of the adverse drug reaction or adverse event, the treatment in that regard, potential long-term effects the adverse drug reaction or adverse event has caused, or any other medical information considered relevant including documents like lab reports, medication histories, and patient histories}

Purpose:
To investigate the adverse drug reaction or adverse event, we might need to contact you for further information about the event you reported and to provide mandatory reports to the Legal Manufacturer/Marketing Authorization Holder of the medicinal product or the Icelandic Medicines Agency so they can analyze the safety of the product. When documenting, reporting, and transferring information about adverse drug reactions or adverse events we follow an internal procedure to anonymize the patient data to protect the personal data and keep the identity of a person private.

Legal basis:
We process information about adverse drug reactions or adverse events relating to the product as required by applicable local Pharmacovigilance legislation and to comply with our contractual obligations towards the Legal Manufacturer/Marketing authorization holder of the product. Where such information includes Personal Data, this processing is done as it is necessary for compliance with a legal obligation of which the Marketing authorization holder (the Data Controller) is subject and for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices (Art. 6 (1) (c, e) and Art. 9 (2) (i) GDPR in conjunction with Pharmacovigilance legislation and local data privacy laws).

When Personal Data related to an adverse drug reaction or an adverse event needs to be transferred from the European Economic Area (EEA) to countries with a lower data protection level than in the EEA, e.g., for reporting to the Legal Manufacturer/Marketing Authorisation Holder of the product or Health Authorities of such countries, such transfers may be based on Art. 49 (1) (d) GDPR.

Data Retention:
We use and store Personal Data in accordance with legal requirements governing the storage and reporting of Pharmacovigilance-related information. We therefore may be required to retain such information for the duration of the product lifecycle and for an additional period, which depends on local regulations, after the respective medicinal product has been taken from the market.

6. Processing of Personal Data to answer medical inquiries

Nature:
In case you contact us with a question relating to products, we may process your Personal Data. Data relating to the person submitting the medical inquiry may include:

• Contact information such as name, address, phone or other contact information;
• Professions such as health care professionals;
• Demographic data such as data of birth, age group, sex, weight, or height;
• Information is being provided as part of the inquiry or complaint;
• Information about health, racial or ethnic origin, and sexual life.

Purpose:
To take care of your inquiry, contact you for follow-up questions and clarification purposes, analyze the inquiry, ensure the quality of our services, provide a respective response, and to provide mandatory reports to the Legal Manufacture/Marketing Authorization Holder of the product.

Legal basis:
We process your Personal Data to answer your medical inquiry. The processing is necessary for compliance with a legal obligation to which the Marketing Authorization Holder (Data Controller) is subject (Art. 6 (1) (c) GDPR). It is therefore our contractual obligation to process your Personal Data to answer your request and to comply with documentation and recording requirements including sharing the information provided with the responsible Legal Manufacturer/Marketing Authorization Holder of the product .). Where possible and legally required, we ask for your consent when being contacted (Art. 6 (1) (a) and 9 (2) (a) GDPR). Medical Inquiries that include information about adverse drug reactions and adverse events are handled according to requirements for pharmacovigilance.

Data Retention:
After having answered your inquiry, we retain information about the inquiry as long as required for local record-keeping purposes and regulatory compliance. When all handling of an inquiry is completed and no further action or follow-up is required, the personal data is deleted or made anonymized if in line with local data privacy requirements. Medical Inquiries that include information about adverse events are handled according to requirements for pharmacovigilance.

7. Processing of Personal Data to manage product complaints

Nature:
If a certain product shows defects or does not meet quality expectations your feedback helps to improve control methods and processes. To manage your feedback or requests, we may process Personal Data including:

• Contact information such as name, address, phone, or other contact information;
• Demographic data such as date of birth;
• Information is being provided as part of the inquiry or complaint;
• Information about purchase/origin of product such as pharmacy, hospital, internet;
• Information about caregivers who may have handled the product.

Purpose:
To take care of your complaint, contact you for follow-up questions and clarification purposes, analyze the product complaint, ensure the quality of our services, provide a respective response, and provide mandatory reports to the Legal Manufacture/Marketing Authorization Holder of the product.

Legal basis:
We process your Personal Data to answer your product complaint. The processing is necessary for compliance with a legal obligation to which the Marketing Authorization Holder (Data Controller) is subject (Art. 6 (1) (c) GDPR). It is therefore our contractual obligation to process your Personal Data to answer your complaint and to comply with documentation and recording requirements including sharing the information provided with the responsible Legal Manufacturer/Marketing Authorization Holder of the product. Where possible and legally required, we ask for your consent when being contacted (Art. 6 (1) (a) and 9 (2) (a) GDPR). Product complaints that include information about adverse events are handled according to requirements for pharmacovigilance.

Data Retention:
After having answered your complaint, we retain information about it for record-keeping purposes and regulatory compliance as long as required according to local laws. Product complaints that include information about adverse drug reactions and adverse events are handled according to requirements for pharmacovigilance.

8. Processing of Personal Data in connection with the distribution of safety material

Nature:
According to Directive 2001/83/EC of the European Parliament and of the Council on Community rules for medicinal products intended for human use, the Marketing Authorization Holder of a product may be obliged to provide healthcare professionals with educational materials and other information regarding the safety of medicinal products (hereinafter referred to as "educational material") in compliance with the risk management plan for the drug approved by the European Medicines Agency. In that context, the Marketing Authorization Holder must submit a distribution plan for the relevant educational material/safety substance to the pharmaceutical authorities, for review and approval. The Marketing Authorization Holder must keep a record to confirm that an approved distribution has taken place and it must be available to the Marketing Authorization Holder upon request during an audit or inspection.

Purpose:
In order to fulfill the above-mentioned obligations, Icepharma, as an agent of a Marketing Authorization Holder, collects the necessary Personal Data about the recipients of educational material and keeps a record of the recipients.

Legal basis:
The broadcast and distribution of educational material are necessary for compliance with a legal obligation to which the Marketing Authorization Holder (Data Controller) is subject (Art. 6 (1) (c) GDPR) and has the purpose of ensuring that important safety information is delivered to healthcare professionals and patients. The collection and processing of Personal Data about recipients of security material are therefore considered necessary to fulfill this legal obligation.

Data Retention:
The Personal Data collected is stored and preserved for the aforementioned purpose while the product that the safety material is about is on the market and longer if required by local law and regulations.

9. Processing of Personal Data of employees

The processing of the Personal Data of employees is necessary for the performance of a contract to which the employee is a party (Art. 6 (1) (b) GDPR). Detailed information on the processing of Personal Data about employees can be found in Icepharma's policy on the protection of employees´ personal data and supported instructions, both of which are available to employees on the company's intranet.

10. Processing of Personal Data of job applicants

Nature:
In connection with the recruitment of new employees, we collect and process your Personal Data when we consider your application. We collect Personal Data through your application, CV, transcripts, appendices, and searches on social media as well as other official channels and possibly through references from previous employers. As part of the recruitment process, the following general Personal Data about you is processed: name, contact information, date of birth, education, and references. If you are asked to carry out personal profile tests in connection with the recruitment, we will also process the result. As a rule, sensitive personal data about you is not processed. You should therefore only submit necessary and relevant personal data when applying for a job.

Purpose:
We process your personal data for the purpose of considering you in relation to a specific position at the company.

Legal basis:
The processing is necessary for the performance of a contract to which the job applicant is party or in order to take steps at the request of the job applicant prior to entering into a contractual relationship (Art. 6 (1) (b) GDPR). Personal profile tests and cognitive tests as well as obtaining references are, however, processed on the basis of your consent (Art. 6 (1) (a) GDPR).

Data Retention:
We retain your personal data for as long as necessary to fulfill the purposes described above. We thus store your personal data until the specific position is filled and the recruitment process is completed. If you are offered a position at the company your personal data will become part of your HR personnel portfolio. If you are denied the position, we store your personal data for up to 6 months after the end of recruitment, after which it is deleted. Personal data that is no longer necessary to fulfill the purpose described above are generally deleted on an ongoing basis.

11. Processing of Personal Data in connection with electronic monitoring

Nature:
Due to the nature of our operations, electronic monitoring with surveillance cameras is carried out on and around the company's premises. Visitors who come to our premises, e.g., for meetings or other events, may be asked to provide personal data, e.g., name.

Purpose:
The information is processed and retained for security reasons and property protection. Care is taken to provide those who are subject to security camera surveillance with appropriate information on the surveillance. We also ensure that guests and employees are clearly informed about the monitoring and responsibilities of the company, with signs or by other conspicuous means.

Legal basis:
The processing of personal data for this specified purpose is necessary due to the legitimate interests of the company (Art. 6 (f) GDPR), which include, among other things, guarding safety and property.

Data Retention:
All processing and data retention in relation to electronic monitoring is treated as confidential and in compliance with Rules nr. 50/2023 on electronic monitoring which is established pursuant to the authorization in Act no. 90/2018 on personal protection and processing of personal data (Art. 14 (5))