Privacy Policy

I. Introduction

The purpose of this Privacy Policy (hereinafter the "Policy") is to provide comprehensive information about the conditions for processing the personal data of customers, business partners, healthcare professionals, patients, website visitors and other persons (hereinafter the "Subject") of Dr. Max Pharma s.r.o., business ID number: 05051380, with its registered office at Na Florenci 2116/15, Nové Město, 110 00 Prague 1, entered in the Commercial Register maintained by the Municipal Court in Prague, section C, entry 257552 (hereinafter the "Controller").

The Controller determines the purpose and means of processing personal data.

When processing personal data, the Controller complies with all the relevant legal regulations, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter the "GDPR").

This Policy explains what personal data the Controller obtains directly from the Subject, generally in the context of communications with the Subject, in connection with the use of products and services provided by the Controller or in connection with other relationships. This Policy also explains what personal data the Controller obtains from other persons and sources and how it uses such data.

Personal data mean any information relating to an identified or identifiable data Subject. The Subject is deemed to be identified or identifiable if the Subject can be identified, directly or indirectly, in particular based on a number, code or one or more elements specific to his/her physical, physiological, psychological, economic, cultural or social identity; personal data include, for example, a person's first name, surname, e-mail address, mobile phone number and address; personal data may also include, in conjunction with other personal data, data on purchasing preferences (hereinafter referred to jointly as "Personal Data" or "Data").

The Subject's Personal Data are processed in accordance with this Policy and Data protection legal regulations, in particular the GDPR. The Controller takes a very careful approach to the protection of Personal Data and processes them in a completely transparent manner. Processing of Personal Data means any operation or set of operations performed on Personal Data, whether by automated or manual means, using computer technology or other means, in particular collection, storage on a storage medium, disclosure, adaptation or alteration, retrieval, use, transmission, storage, classification or combination, blocking and destruction (hereinafter "Processing").

As a matter of principle, the Controller only collects the Personal Data it actually needs for the purpose for which they are intended. The Controller continuously evaluates the Data Processing process both in terms of appropriate security, minimisation of Personal Data and transparency, fairness and lawfulness. The Controller respects the principles of accountability, integrity, confidentiality, accuracy and restricted storage.

The Controller is entitled to amend this Policy if necessary and to publish the current version on its website at any time, or to inform the affected Subjects of material changes in an appropriate manner.

In the event of any queries regarding this Policy, the affected Subject may at any time simply contact the Controller in paper form at the address of the Controller's registered office indicated above, electronically on info@drmaxpharma.com or by telephone on +420 222 811 991. The Controller has not appointed a data protection officer.

II. Purpose, Legal Grounds and Duration of Personal Data Processing

The Controller processes the Data collected depending on the nature of its relationship with the Data Subject, in particular for the following purposes, which correspond to the relevant legal grounds pursuant to the GDPR. Only Processing operations (activities) which are strictly necessary for the achievement of the purpose are always carried out as a part of the framework of the stated purpose. The Subject's Personal Data will be processed for a period of time appropriate to the purpose of the Processing and the relevant legal grounds.

A. Communication with Data Subjects and PAPIS

The Personal Data that the Subject communicates to us in connection with his/her request or enquiry sent to the Controller's contact details will be kept confidential and processed based on the Controller's legitimate interest (Article 6(1)(f) of the GDPR), for the purpose of Processing the request or enquiry, including ensuring the effective functioning of a publicly accessible professional information service (PAPIS). In such cases, Personal Data will be retained by the Controller for a maximum of five years, except where the content of the request or enquiry is assessed as a report of an adverse reaction to a medicinal product or an adverse event of a medical device.

B. Ensuring the Safety of Medicinal Products/Medical Devices (Pharmacovigilance/Vigilance)

If the Subject notifies the Controller in any way of a potential adverse reaction to a medicinal product or a suspected adverse event in connection with the use of a medical device of the Controller, the Personal Data communicated to the Controller in this context, including any Data on the Subject's health status, will be kept confidential and processed to the extent necessary to comply with legal standards governing the safety of medicinal products and medical devices, in accordance with the Controller's standard operating procedures. In this case, the Personal Data will be used for the responsible handling of suspected adverse reaction/event cases, which may require, where necessary, obtaining additional information from the Subject about a specific suspicion. In such cases, Personal Data may be disclosed to the relevant supervisory authorities, if necessary to comply with the relevant statutory duties. The legal grounds for Processing Personal Data for this purpose is the performance of a legal duty to which the Controller is subject (Article 6(1)(f) of the GDPR). In such cases, the Processing of Personal Data concerning the Subject's health is necessary for reasons of public interest in the field of public health, such as ensuring strict quality standards for medicinal products or medical devices, based on legal regulations that provide for appropriate and specific measures to safeguard the Data Subject's rights and freedoms (Article 9(2)(i) of the GDPR).

C. Career and Recruitment

By confirming his/her interest in participating in a selection procedure for a position, the Subject, as an applicant, acknowledges that for the purposes of such selection procedure the Controller will process all Personal Data provided by him/her. The Controller may also process Data collected about the applicant from public sources or social networks (e.g. LinkedIn), if the applicant makes his/her Personal Data available on these sites. In such case, the Data are processed for the conclusion of a contract to which the Data Subject is a party, if selected, and for the implementation of measures taken prior to the conclusion of a contract at the Data Subject's request (Article 6(1)(b) of the GDPR). At the same time, the Processing is also necessary to protect the Controller's legitimate interests for the purpose of demonstrating compliance during inspections by supervisory authorities and for the defence and exercise of the Controller's rights (Article 6(1)(f) of the GDPR). The provision of Personal Data is therefore mandatory and in the event of failure to provide the required Data, an applicant will not be included in the selection procedure for a position. The applicant's Personal Data are processed by the Controller for the above purpose for a maximum period of 6 months from the end of the selection procedure for the position for which the applicant applied. If the Subject gives his/her consent, the Controller will also process the Personal Data obtained in the context of the selection procedure for the purposes and under the conditions specified here.

D. Communication and Relationship Management with Healthcare Professionals

The Controller processes the basic Personal Data of healthcare professionals for the purpose of managing relationships with such professionals and providing professional information about its products and services, in strict compliance with all relevant legal regulations governing this activity. The Controller obtains the Personal Data of healthcare professionals relating exclusively to their professional activities directly from the affected Subjects or from reliable publicly available sources, such as the websites of the Subjects themselves or their employers, the National Register of Healthcare Service Providers (NRHSP) and public records of the relevant professional chambers, etc. The legal grounds for the Processing of Personal Data of healthcare professionals for this purpose is the Controller's legitimate interest (Article 6(1)(f) of the GDPR).

In cases where, in particular for the promotion and direct marketing of the Controller's products, services, training events, etc., it is necessary to obtain the prior consent of the affected person, the Controller processes the Personal Data of healthcare professionals only after obtaining their voluntary consent. Such consent may be withdrawn by a healthcare professional at any time, without prejudice to the lawfulness of the Processing carried out prior to its withdrawal. The legal grounds for Processing Personal Data in such cases is the consent of each individual healthcare professional (Article 6(1)(a) of the GDPR).

Healthcare professionals who choose to enter into a contractual relationship with the Controller acknowledge that their Personal Data will also be processed for the purpose of concluding the relevant contract and for the implementation of measures taken prior to the conclusion of such contract (Article 6(1)(b) of the GDPR).

If, when providing professional information about products and services, the Controller is required to comply with a specific legal duty set out in specific regulations (in particular in the area of the safety of medicinal products and pharmacovigilance) and compliance with it requires the Processing of Data Subjects' Personal Data, the Controller will process such Data to the extent and in the manner set out in such specific regulations.

III. Processing Method, Processors and Recipients

Personal Data will be processed in an automated or manual manner by the Controller's own employees or by persons acting as processors who have been authorised by the Controller to process Personal Data and with whom the Controller has concluded the relevant contracts for the Processing of Personal Data (such person is hereinafter referred to as the "Processor"). Processing will also be carried out by computer.

The Subject acknowledges that to achieve the purpose the Controller uses Processors who have access to the necessary extent of the Subject's Personal Data for the performance of their task. The Subject's Personal Data may also be provided to other recipients involved in the Controller's activities to the extent necessary to fulfil the relevant purpose of the Processing.

Processors and recipients are, in particular, the following:

  • persons performing accounting, auditing and legal services;
  • persons providing IT services;
  • persons involved in marketing;
  • persons involved in the preparation of printed materials;
  • persons involved in the development, sale and service of pharmacy systems;
  • persons involved in the development and implementation of enterprise systems;
  • persons involved in the development of web and mobile applications;
  • persons involved in online communication, including on social networks;
  • persons involved in ascertaining customer satisfaction.

The Controller will provide further details of the involvement of any Processors and other recipients of the Controller to the Subject upon request.

The Controller does not intend to transfer Personal Data outside the EU/EEA to third countries within the meaning of the GDPR, except where necessary for the achievement of one of the aforementioned purposes, and only on condition that an adequate level of Personal Data protection is ensured.

IV. Rights of Data Subjects

If the Processing is based on informed and voluntary consent, the Subject is not obliged to provide Personal Data and give consent. However, if the Subject does not give consent, the Processing in question will not be possible. Where the Processing is based on the Controller's legitimate interest, the Subject is entitled to object to the Processing in order to establish whether the Controller's legitimate interests outweigh the Subject's legitimate reasons. In such case, Personal Data Processing will be limited to storage or to the establishment, exercise or defence of the Controller's legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest.

In connection with Personal Data Processing in accordance with this Policy, the Subject has the following rights, which are further regulated by Articles 15 to 22 of the GDPR. The Subject may exercise these rights at any time by simply contacting the Controller using the contact details provided in this Policy. In the same way, the Subject may contact the Controller with any further questions or comments on the conditions for Processing Personal Data. Each Subject also has the right to address a complaint to the competent supervisory authority, which in the Czech Republic is the Office for Personal Data Protection (https://uoou.gov.cz/).

A. Right to Access

The Subject has the right to obtain confirmation from the Controller as to whether his/her Personal Data are being processed and, if so, the right to request information on the purpose, categories, sources, recipients, duration of Processing, existence of the rights to rectification, erasure, restriction, to object and to lodge a complaint with a supervisory authority.

The Controller has measures in place to provide each Subject with all information and statements about Processing. The Controller will provide the information electronically or in paper form.

The Controller will not refuse to comply with a request by the Subject during the exercise of the Subject's rights unless it cannot reliably identify the Data Subject to whom the Data relate.

All information, communications and actions are provided free of charge. If requests made by the Subject are assessed as manifestly unfounded or unreasonable, and in particular if they are repetitive, the Controller may either: (i) impose a reasonable fee taking into account the administrative costs of providing the requested information or statement, or taking the requested actions; or (ii) refuse to comply with the request.

If the Controller has reasonable doubt as to the identity of the natural person making a request, the Controller may request additional information necessary to confirm the Subject's identity.

B. Right to Rectification

The Subject has the right to have inaccurate Personal Data relating to the Subject rectified by the Controller without undue delay.

Taking into account the purposes of the Processing, the Subject also has the right to have incomplete Personal Data supplemented, including by providing an additional declaration.

C. Right to Erasure ("Right to Be Forgotten")

The Data Subject has the right to have the Controller erase Personal Data concerning the Data Subject without undue delay and the Controller is obliged to erase Personal Data without undue delay if one of the following grounds applies:

  • the Personal Data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • the Subject withdraws the consent based on which the Data were processed and there are no other legal grounds for the Processing;
  • the Subject objects to the Processing (in accordance with the "Right to Object" below) and there are no overriding legitimate grounds for the Processing;
  • the Personal Data were unlawfully processed;
  • the Personal Data must be erased to comply with a legal duty under the law of the European Union or a Member State to which the Controller is subject;
  • the Personal Data were collected in connection with the offer of information society services in the case of a person under 16 years of age, for whom the person exercising parental responsibility must give consent to Processing under the applicable legislation.

The above does not apply if the Processing is necessary:

  • for the exercise of the right to freedom of expression and information;
  • for compliance with a legal duty requiring Processing pursuant to legal regulations or for the performance of an action carried out in the public interest or in the exercise of official authority vested in the Controller;
  • for reasons of public interest in the field of public health;
  • for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, where the aforementioned right is likely to prevent or seriously jeopardise the fulfilment of the purposes of Processing;
  • for the establishment, exercise or defence of legal claims.

D. Right to Restrict Processing

The Data Subject has the right to have the Controller restrict Processing in any of the following cases:

  • if the Subject contests the accuracy of the Personal Data, for the period necessary to allow the Controller to verify the accuracy of the Personal Data;
  • if the Processing is unlawful and the Subject refuses the erasure of the Personal Data and instead requests the restriction of their use;
  • if the Controller no longer needs the Personal Data for the purposes of Processing, but the Data Subject requires them for the establishment, exercise or defence of legal claims;
  • if the Subject has objected to Processing, until it is verified that the Controller's legitimate grounds outweigh the Subject's legitimate grounds.

If Processing was restricted in accordance with the aforementioned "Right to Restrict Processing", with the exception of their storage, the Personal Data may only be processed with the Subject's consent, or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State.

E. Right to Data Portability

The Subject has the right to obtain Personal Data concerning him/her which he/she disclosed to the Controller in a structured, commonly used and machine-readable format and to transmit such Data to another Controller, without hindrance from the Controller to whom the Personal Data were disclosed, where:

  • the Processing is based on the legal grounds of consent or performance of a contract; or
  • Processing is carried out automatically.

Data obtained by the Controller's activities are not subject to the "Right to Data Portability".

When exercising his/her right to Data portability, the Data Subject has the right to have the Personal Data transmitted directly by the Controller to another controller, if technically feasible.

The exercise of the aforementioned "Right to Data Portability" is without prejudice to the aforementioned "Right to Erasure".

The aforementioned "Right to Data Portability" must not adversely affect the rights and freedoms of other persons.

F. Right to Object

For reasons relating to the Subject's particular situation, the Subject has the right to object at any time to the Processing of Personal Data concerning him/her which are processed based on a legitimate interest of the Controller.

If Personal Data are processed for the purposes of defending against claims of the Subject, recovering the Controller's receivables or proving compliance during an inspection by a supervisory authority, the Subject has the right to object at any time. The Controller reviews the Processing based on such objection and no longer processes the Personal Data, unless there are compelling legitimate grounds for the Processing which outweigh the Data Subject's interests or rights and freedoms, or for the establishment, exercise or defence of legal claims.

G. Automated Individual Decision-making, Including Profiling

The Subject has the right not to be subject to any decision based solely on automated Processing, including profiling, which produces legal effects affecting the Subject or has a similarly significant effect on the Subject.

The Controller does not base any of its decisions solely on automated Processing and profiling that would have legal effects on the Subject or significantly affect him/her.