Privacy policy

The Privacy Policy herein shall take effect from 25th May, 2018.

The objective of the Privacy Policy is to lay down principles of data protection and data processing applied at HUMAN BioPlazma Kft. (further referred to as: ‘the Company’) as well as the data protection and data processing policy of the Company with regard to its actual website (https://www.kedrion.hu; further referred to as: ‘the Website’) as provided for in Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; further referred to as: ‘EU Data Protection Regulation’) and in Act CXII of 2011 on informational self-determination and freedom of information (further referred to as: ‘Information Act’), with special regard to the provisions of Article 13 of the EU Data Protection Regulation.

This Privacy Policy describes how the Company is managing personal data made available for the Company by visitors of the Website as well as by natural persons filling in and submitting the form(s) available on the Website.

Our Company is committed to the protection of your personal data and we feel to be particularly important to respect the right of informational self-determination of the visitors of the Website and of the natural persons filling in and submitting the form(s) available on the Website. Our Company keeps personal data confidential and makes all security, technical and organisational steps to guarantee data safety.

If you cannot find the answer for your question in the Privacy Policy herein, please feel free to contact us at addresses indicated below.

I. Name of controller

The controller of the personal data (further referred to as: ‘Controller’):

HUMAN BioPlazma Gyártó és Kereskedelmi Korlátolt Felelősségű Társaság

seat, postal address: 2100 Gödöllő, Táncsics Mihály út 80.; commercial registry number: 13-09-113455; tax authority number: 13971227-2-13

electronic address: [email protected]

phone number: +36 28 532 200 (we give only general information via telephone)

contact of data protection officer: Bancard Tanácsadó Korlátolt Felelősségű Társaság (seat: 1165 Budapest, Ezerjó utca 44.; commercial registry number: 01-09-902766) – contact person: Ildikó Schuch; [email protected]; + 36 70 708 0121.

II. Purposes of processing and categories of personal data

The controller shall process and use personal data electronically and on paper in accordance with purposes below:

II/1. Purpose of processing: performing scientific medical information activities for distance learning and health education via all information channels as permitted under applicable law including e-mail, web conference and other possible information channels.

Legal basis of processing: the consent of data subject [GDPR Article 6(1)(a)].

Scope of personal data:

full name;
address;
phone number;
e-mail address;
fax number;
gender;
IP address.

Period of processing: from the filling in and submitting of the form until the withdrawal of consent or until the implementation of the purpose of processing, the latest.

Personal data can be accessed exclusively by authorised employees of the controller:

Persons in charge for medical service;
Medical assistant.

For filling in and submitting the form and for further information with regard to the purpose of processing in the section herein please also read our specific privacy policy available at the following link: https://www.kedrion.hu/en/privacy-policy-medical-and-scientific-information.

 

II/2. Purpose of processing: providing information services to respond to scientific questions of healthcare and medical service providers.

Legal basis of processing: the consent of data subject [GDPR Article 6(1)(a)].

Scope of personal data:

full name;
address;
phone number;
e-mail address;
fax number;
gender;
IP address.

Period of processing: from the filling in and submitting of the form until the withdrawal of consent or until the implementation of the purpose of processing, the latest.

Personal data can be accessed exclusively by authorised employees of the controller:

Persons in charge for medical service;
Medical assistant.

For filling in and submitting the form and for further information with regard to the purpose of processing in the section herein please also read our specific privacy policy available at the following link: https://www.kedrion.hu/en/privacy-policy-medical-and-scientific-information.

 

II/3. Purpose of processing: managing adverse reactions experienced and reported in relation to the administration of marketed medicinal products as well as managing other safety information.

Legal basis of processing: the consent of data subject [GDPR Article 6(1)(a)] or compliance with a legal obligation [GDPR Article 6(1)(c)].

Based on consent:

Scope of personal data:

full name;
address;
phone number;
e-mail address;
IP address.

Based on legal obligation (Article 18 of Act XCV of 2005 on medicinal products for human use and amending other acts regulating the pharmaceutical market):

Scope of personal data:

whether the reporter is a health professional;
relationship to the patient;
date of birth;
age;
gender;
start of experiencing adverse reaction;
end of experiencing adverse reaction;
detailed description of the adverse reaction (including the results of examination important from the aspect of adverse reaction and the description of the treatment of the adverse reaction);
classification of the adverse reaction according to severity;
data of the medicinal product believed to cause the adverse reaction (name and pharmaceutical form of the medicinal product or active substance, serial number, dosage and the method of administration, start and end of treatment, indication);
data of the medicinal products administered in parallel (name and pharmaceutical form of the medicinal product or active substance, serial number, dosage and the method of administration, start and end of treatment, indication);
medical history
IP address.

Period of processing: 30 (thirty) years (Act XCV of 2005) or throughout the authorised marketing of the medicinal product, as well as 10 (ten) years after the date of withdrawal from the market.

Personal data can be accessed exclusively by employees of the pharmacovigilance team.

For filling in and submitting the form and for further information with regard to the purpose of processing in the section herein please also read our specific privacy policy available at the following link: https://www.kedrion.hu/en/privacy-policy-pharmacovigilance.

 

II/4. Purpose of processing: recording data and professional profile of candidates applying for job openings via the electronic contacts listed at the Website ([email protected]) to enable evaluation during selection procedure.

Legal basis of processing: the consent of data subject [GDPR Article 6(1)(a)].

Scope of personal data: personal data provided by the applicants.

Period of processing: until the withdrawal of consent or until the last day of the 6th month after submitting the application, at the latest.

Personal data can be accessed exclusively by authorised employees of the controller: HR Department.

When recording personal data, this fact is clearly stated. The Controller shall document the consent of the data subject electronically for reasons of accountability and ensuring traceability.

If the data subject does not give his or her consent with regard to some of the processing purposes, it means that he or she cannot benefit from or cannot benefit fully from the service(s) related to the given purpose(s).

III. Accessibility of personal data by third parties

Third parties can access the personal data provided by the visitors of the Website and by natural persons filling in and submitting the form(s) available on the Website exclusively subject to the existence of some of the legal bases specified by the EU Data Protection Regulation (except for the employees of the Controller listed in the relevant column of the table in Section II).

Before fulfilling certain request for data from authorities or court, the controller shall examine for each and every of the personal data if there is a valid legal basis for data transfer.

In order to check the lawfulness of data transfer and to inform the data subject, controller shall maintain records of transfer as part of its own data protection records specifying the date of the transfer of personal data, the legal basis and recipient of transfer, the defined scope of personal data transferred as well as other data specified by the legislation regulating processing.

IV. Data security measures

Our Company has taken appropriate technical and organisational measures to protect personal data in accordance with the provisions of EU Data Protection Regulation and the Information Act.

Appropriate technical and organisational measures include fields as follows:

unauthorized access and disclosure;
unauthorised alteration;
deletion or accidental or unauthorised destruction;
damage or eventual loss.
Our Company stores personal data on its Website servers protected by 24-hour personal security guarding and connected to the Hungarian Internet backbone network.

V. Data processor(s)

Our Company does not employ processors for information sent by the Website.

VI. Data transfer to other countries

Personal data collected in line with the Privacy Policy herein are transferred beyond national borders and to the territory of other EU Member States (primarily to Italy to Kedrion S.p.A.) subject to restrictions under applicable law. Such data transfer shall be performed only for the above purposes and to the extent appropriate with regard to any activities of the Kedrion Group (where the Company is member of).

VII. Rights of data subjects

Data subjects may request for information about the processing of their personal data and they may also request the rectification or withdrawal of personal data – without prejudice to obligatory data processing – as well as they may exercise their right to data portability and the right to object at contacts above.

Rights of information
Our Company takes appropriate steps to provide data subjects with all information specified in Articles 13 and 14 of EU Data Protection Regulation on the processing of personal data as well as with all information under Articles 15-22 and 34 in a concise, transparent, easily accessible and easy to understand form, in clear and plain language within the frames of the Privacy Policy herein or of other additional independent privacy policy documents.

Rights of data subjects to access and reproduce data
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed;
the envisaged period for which the personal data will be stored;
rights to rectification, to erasure, to restriction of processing and to object;
the right to lodge a complaint with a supervisory authority;
available information as to the source of data;
the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Our Company provides information not later than one month from the submission of the request via the same channel used for enquiry.

Right to rectification
The data subject shall have the right to obtain from the Company the rectification of inaccurate personal data concerning him or her and to have incomplete personal data completed.

Right to erasure
The data subject shall have the right to obtain from the Company the erasure of personal data concerning him or her without undue delay for any of the reasons below:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
the personal data have been collected in relation to the offer of information society services.
The erasure of data shall not apply to the extent that processing is necessary:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
for the establishment, exercise or defence of legal claims.
e)    Right to restriction of processing

At the data subject’s request, the Company shall restrict processing where one of the following applies:

the accuracy of the personal data is contested by the data subject, for a period enabling the verification of the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The data subject shall be informed by the Company before the restriction of processing is lifted.

Right to data portability
Pursuant to Article 20 of EU Data Protection Regulation, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to our Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from our Company.

Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is carried out for reasons of public interest or required by the implementation the exercise of official authority vested in the controller or required for reasons of legitimate interests of the controller or third parties, including profiling based on those provisions. In case of objection, the controller shall no longer process the personal data unless justified by compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

This right shall not apply if the processing

is necessary for entering into, or performance of, a contract between the data subject and a data controller;
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
is based on the data subject’s explicit consent.
Right to withdrawal
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Procedural rules
Controller shall inform the data subject without undue delay and in any event within one month of receipt of the request on actions taken following the data subject’s request to grant rights referred to in Article 15-22 of the EU Data Protection Regulation, as described in sections a)-i) above. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided in electronic form, unless otherwise requested by the data subject.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Our Company provides the requested information free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request.

The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in electronic form.

Right to be forgotten
This right can be exercised in accordance with the rules set out in the EU Data Protection Regulation.

VIII. Legal remedies

Initiating dispute resolution at the controller
It is advisable that the data subject contacts the controller primarily and directly (at contacts described above) in the context of a complaint about processing, before seeking judicial remedy or initiating administrative procedure from the Hungarian National Authority for Data Protection and Freedom of Information (primarily by contacting the data protection officer). Our Company shall co-operate with regard to proceedings on actual requests.

Right of access to a court; Compensation and grievance fees
In the event of violation of his or her rights in relation to data protection, the data subject may bring a legal action against the controller. The court shall give priority to such case.

Any person who has suffered material or non-material damage as a result of an infringement of legislation on data protection shall have the right to receive compensation from the controller or processor for the damage suffered. A processor shall be liable for the damage caused by processing only where it has not complied with obligations laid down by law specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage.

A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Administrative procedure of the data protection authority
The data subject may appeal to the Hungarian National Authority for Data Protection and Freedom of Information if considers that the processing of personal data relating to him or her infringes the applicable law.

Name: Hungarian National Authority for Data Protection and Freedom of Information

Seat: 1055 Budapest, Falk Miksa u. 9-11.; Postal address: 1363 Budapest, Pf.: 9.; Phone number: 06/1-391-1400; Fax: 06/1-391-1410; E-mail: [email protected]; Honlap: http://www.naih.hu

IX. Visiting the Website of HUMAN BioPlazma Kft. (https://www.kedrion.hu)

SERVER LOGGING

Like it is the case with other websites, information on Internet related activity will automatically be recorded when entering the Website herein, to be stored in so called ‘server log files’. The web server automatically records information as follows: IP address, date and time of entering the web page, pages viewed, source server, browser type (e.g. Internet Explorer), operating system (e.g. Windows 7), name and address of domain provider (e.g. Tin.it). Where the Website uses cookies (see below), the web server records related information as well. In order to accurately assess the usage of our Website and to provide highest quality services, we have to regularly examine server logs to estimate the frequency of visits. This ‘web statistics’ enables us to maintain and continuously develop our services. In addition to that, this information allows to explore sources of abuse in co-operation with the Internet service provider of the user and/or with local authorities in the event of abuse reported.

USE OF IP ADDRESSES

Our Website checks IP (Internet Protocol) addresses. IP address is an identification number assigned to the computer of the user by the Internet service provider. Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them. In the event of abuse, the IP address as well as the location and time of use can be used in trying to trace the person visiting the Website by establishing Internet connection.

COOKIES

Cookies are small files sent by websites visited and stored in the memory of the computer. Cookies are stored in the file folder of the computer. The next time the user visits the website, the browser reads the cookie and passes on information to the website or the developer of the cookie. If you want to know more about this technology and how it works, please visit an information website like: http://www.allaboutcookies.org.

Certain parts of Website may use cookies (temporary cookies). Cookies may have different information content, e.g. special technical information necessary for certain CMS Drupal functions (e.g. search, login, tool bar) or user id to enable monitoring of pages visited. Cookies exclusively include personal information provided by the visitors of the Website and by natural persons filling in and submitting the form(s) available on the Website. Cookies cannot read information either from the hard disk of the visitor or the natural person filling in and submitting the form(s) available on the Website or from cookies generated by other websites. If the visitor or the natural person filling in and submitting the form(s) available on the Website does not want to receive cookies while browsing the Internet, he or she can set the browser to send warnings about cookies to be able to decide if allowing or blocking cookies. The visitor or the natural person filling in and submitting the form(s) available on the Website can block all cookies already in the browser but in that case it may happen that he or she cannot use all the pages properly. Pages may explicitly ask the visitor or the natural person filling in and submitting the form(s) available on the Website to enable cookies so that certain operations can be performed. It may happen that the visitor or the natural person filling in and submitting the form(s) available on the Website does not need to enable all cookies for visiting many types of websites, however, cookies may absolutely be necessary for accessing certain special websites, registration data or special information used by CMS services.

TEMPORARY COOKIES

When the visitor or the natural person filling in and submitting the form(s) available on the Website goes from one page of the Websites to the other, it may be necessary to store related technical information. This information is used for improving navigation on the website. This type of cookie does not include identifying information and is stored exclusively for the time of the stay at the website.

TEMPORARY COOKIES ASSOCIATED WITH ENTRY

When the user enters a secure interface after prior registration, his or her computer may display a cookie to record entry data. This is meant to serve the convenience of the user because he or she does not have to re-enter his or her access details during subsequent visits.

COOKIES CREATED BY THIRD PARTIES

The Controller does not allow third parties to create cookies on the computer of the visitor or the natural person filling in and submitting the form(s) available on the Website via the Website unless explicitly asked for by us, or provided that the cookies are under our direct control and cannot be used or accessed by third parties, without prejudice to the provisions of the Privacy Policy herein.

X. Miscellaneous

LIMITATION AND EXCLUSION OF LIABILITY

Visitors of the Website of the Company take note that

visiting and using of the Website for any purpose shall exclusively be based on everyone’s own discretion and responsibility; using the information downloaded and acquired through the Website is voluntary, done by the user at his or her own discretion and exclusively at his or her own risk;
the Company as well as the developers and operators of the Website shall not be liable for any error, disadvantage or damage resulting from the visit or use of the Website;
the Company shall not be liable for any direct or indirect damage, loss or costs eventually resulting from the malfunction or breakdown of the Website as well as for the content of the Website and the data and information available on the Website or via the Website including but not limited to the accuracy, actuality, completeness, validity, suitability, reliability or reasonability of data and information thereof;
the Company shall not take liability for any potential damage caused by or resulting from the unlawful access to other data not qualifying as personal data as well as the destruction, damage, unauthorised disclosure of those data; exclusively the person with that conduct shall be liable for that act;
the Company reserves the right to alter the actual content of the Website by any method, as well as to cease or suspend some or all services thereof;
the Website may be connected to other websites (links) – although the Company continuously monitors the usability of those websites, it excludes any liability for the content of those websites or the disadvantages or damages resulting from the use of those websites; since the principles and procedures herein may not apply to those other websites, we suggest you to enquire about data protection, security and recording standards valid for those other websites at the system operator of those websites; it may happen that the information found on other websites connected to our Website does not comply with the applicable legislation and opinions stated there may not necessarily be in line with the standpoint of our Company;
any information on our Website is meant for information purposes only, is of general character and under no circumstances to be considered advice or recommendation; in addition to that, information like that should not be the basis of any decision or measure, including but not limited to medical information which may not substitute medical advice with detailed consultation;
The controller shall not take any responsibility for the content of former versions of its Websites deleted but retrieved or archived by Internet search engines. Those should be removed by the operator of the relevant search engine;
our Company is the exclusive owner of the full content as well as of any element of the Website, therefore, any unauthorised use with regard to full content or any element of the Website shall constitute an infringement of copyright and shall have legal consequences.

MINORS

Our Website is not intended or programmed to be consulted by minors. We never record data related to minors in a way enabling clear and unambiguous tracing or identification of the minor in question, therefore, we do not process personal data with regard to minors.

AMENDING THE PRIVACY POLICY

The Privacy Policy of the Website can be updated where required. Any amendment to the Privacy Policy will be made available for the visitors of the Website.

DANGERS THREATENING PRIVACY

The use of Internet entails various dangers threatening privacy. We draw your attention to the fact that your opinion or message entered to the Website qualify as personal data and these data may reveal your sensitive data, origin or political opinions. These data may be accessed by anyone. Therefore, we suggest to use PETs (privacy enhancing technologies). You may find information in this regard at several websites.

IMPORTANT URLS:

Hungarian National Authority for Data Protection and Freedom of Information: http://www.naih.hu/
National Media and Infocommunications Authority: http://nmhh.hu/
Legislation in force: http://www.njt.hu

Privacy Policy

This Privacy Policy aims at informing you on our practices relating to the collection, use, and disclosure of the information you may send via this Kedrion Medical Information Service. Please read all this Privacy Policy before using or sending information via this service.

Your Consent

By using this Kedrion Medical Information Service, you accept the provisions of this Privacy Policy. Whenever you provide information via this service, you consent to the collection, use, and disclosure of said information in compliance with this Privacy Policy.

Except as otherwise specified in relation to the place where the information is collected, your personal information provided to this service shall be processed by other companies of the Kedrion.

Informed consent

Pursuant to art. 13 of Legislative Decree no. 196/2003 (formerly, art. 10 of Law no. 675/1996) of the aforesaid law, we provide you with the following information:

The data you actively provide shall be processed, within the limits of data protection provisions, for the following purposes: Global Medical Information Management System activities.

The data shall be processed through IT tools suitable to ensure their security and confidentiality.

Your personal data will be handled  exclusively, within Kedrion S.p.A.,  by persons entrusted   who  operate  under the direct authority of the  “ Processor  of Personal Data” and   who have received  adequate  instructions on how to handle  your personal data.

Your data could also be handled  by Kedrion Group Companies or by  third party companies, for the same purposes mentioned above,  which will  handle the personal data as  “independent holder of processing private data” as being alien to the original processing of personal data in our society and thus having full autonomy in the management of data processing.

We inform you that personal data revealing racial and ethnic origins, religious, philosophical or other beliefs, political opinions, membership in political parties, trade unions, or religious, philosophical, political or unionist associations or organisations, as well as personal data revealing one’s health status and sexual life, and health data, are sensitive information. Such data you actively provide shall not be processed without your express written consent;

The Data Controller is Kedrion S.p.A. with registered office in Italy, Loc. ai Conti Castelvecchio Pascoli (Province of Lucca), which you may contact for any question about your data.

You may exercise your rights against the data controller at any time, pursuant to art. 7 of the Data Protection Code, in particular, you may ask whether or not your data is being processed; to obtain without delay the disclosure, in readable form, of said data and its origin, their deletion, anonymisation or blocking of the data processed in breach of the law; the updating, rectification or correction of the data; for the certification that the above-mentioned operations have been notified to the entities to which the data has been disclosed, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the protected right; you may object in whole or in part, on legitimate grounds, to the processing of your personal data, even if relevant to the purposes of collection.