4. Building Data Protection in Business Activities
In order to demonstrate compliance with the principles of data protection, Pharm-Olam has built data protection into its business activities.
4.1 Privacy Notices to Data Subjects
When individuals are first asked to provide personal data to Pharm-Olam, or as soon as practicable thereafter and in any event before Pharm-Olam uses or discloses the information for a purpose other than for which it was originally collected, Pharm-Olam properly informs Data Subjects of the following: the types of personal data collected, the purposes of the processing, processing methods, the data subjects’ rights with respect to their personal data, the retention period, potential international data transfers, if data will be shared with third parties and the Company’s security measures to protect personal data. This information is provided through a Privacy Notice in clear and understandable language.
Since Pharm-Olam has multiple data processing activities, it has developed different privacy notices depending on the processing activity, the Data Subject and the categories of personal data collected. Pharm-Olam's Data Protection Officer is responsible for creating and maintaining the Register of Privacy Notices. Where special categories of personal data are being collected, the Privacy Notice explicitly states the purpose for which this data is being collected.
Where Pharm-Olam, as a Processor, receives personal data from its subsidiaries, affiliates or other entities in the EU, Switzerland and any other country, it shall use such data in accordance with all applicable laws and regulations, including the GDPR. Where Pharm-Olam, as a Controller, receives personal data from third parties, it shall provide the subjects with an appropriate Privacy Notice within a reasonable period after obtaining the personal data, at the time of the first communication or first disclosure to another recipient.
4.2 Data Subject's Choice and Consent
Whenever personal data processing is based on the Data Subject's consent, Pharm-Olam retains a record of such consent. Pharm-Olam provides Data Subjects with options to provide the consent, and informs them and ensures that their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time. When requests to correct, amend or destroy personal data records are received, Pharm-Olam ensures that these requests are handled without undue delay and in any event within one month of receipt of the request. Pharm-Olam's Data Protection Officer also records the requests and keeps a log of these.
Personal data is only processed for the purpose for which it was originally collected. If Pharm-Olam wants to process collected personal data for another purpose, it seeks the consent of its Data Subjects in clear and concise writing.
Pharm-Olam will obtain consent from all customers, employees, healthcare professionals, medical research subjects, clinical investigators, business partners, contractors, subcontractors, consultants and investors, where required, for processing, use and/or distribution of any personal and/or special categories of personal data prior to the processing, use or distribution of such data.
4.3 Use, Retention and Disposal
The purposes, methods, storage limitation and retention period of personal data are consistent with the information contained in the Privacy Notice. Pharm-Olam maintains the accuracy, integrity, confidentiality and relevance of personal data based on the processing purpose. Adequate security mechanisms designed to protect personal data are used to prevent personal data from being stolen, misused, or abused and prevent personal data breaches.
4.4 Disclosure to Third Parties
Pharm-Olam may share an individual's personal data with agents, contractors, partners or vendors of Pharm-Olam in connection with services that these individuals or entities perform for, or with, Pharm-Olam. Whenever Pharm-Olam uses a third-party vendor to process personal data on its behalf, Pharm-Olam ensures that this vendor can provide security measures to safeguard personal data that are appropriate to the associated risks. Pharm-Olam always remains liable in cases of onward transfers of personal data to third parties.
Pharm-Olam contractually requires the vendor to provide the same level of data protection. The vendor must only process personal data to carry out its contractual obligations towards Pharm-Olam or upon the instructions of Pharm-Olam and not for any other purposes. Pharm-Olam explicitly specifies the respective responsibilities of the third party in the relevant contract or any other legally binding document, such as the Data Processing Agreement.
Pharm-Olam may also have a requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
4.5 Cross-border Transfer of Personal Data
Pharm-Olam intends that all transfers of personal data comply with all applicable international laws and regulations, including the GDPR.
When transferring personal data out of the European Economic Area (EEA), adequate safeguards will be used, such as including standard contractual clauses issued by the European Commission in contracts with third parties. Specifically, for example, for transfers of personal data from Switzerland and the EU to the US, Pharm-Olam follows and complies with the EU-US Privacy Shield and the Swiss-U.S. Privacy Shield Principles published by the U.S. Department of Commerce. Pharm-Olam certifies that it adheres to the Privacy Principles of notice, choice, onward transfer, security, data integrity, access and enforcement. To learn more about the Privacy Shield please visit https://www.privacyshield.gov/list. Transfers of personal data outside of the European Union, other than to the U.S., shall be made in accordance with the data protection principles prescribed by the international law and regulations applicable in the relevant countries.
4.6 Privacy Shield Enforcement
The Federal Trade Commission has jurisdiction over Pharm-Olam’s compliance with the Privacy Shield.
In compliance with the Privacy Shield Principles, Pharm-Olam commits to resolve complaints about our collection or use of personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Pharm-Olam at: DPO@pharm-olam.com.
Pharm-Olam has further committed to refer unresolved Privacy Shield complaints regarding transferring personal data from the EU to the US to the EU Data Protection Authorities (DPAs). For unresolved Privacy Shield complaints regarding transferring personal data from Switzerland to the US, Pharm-Olam has committed to refer to the Judicial Arbitration and Mediation Services, Inc. (JAMS), an alternative dispute resolution provider located in the United States.
If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, you could invoke binding arbitration by contacting or visiting EU DPAs at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080 or JAMS at: https://www.jamsadr.com/eu-us-privacy-shield. The services of EU DPAs or JAMS are provided at no cost to you.
Pharm-Olam commits to cooperate with EU Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.
4.6 Subject Rights
Rights of Access by Data Subjects
When acting as a Controller, Pharm-Olam provides data subjects with a mechanism to enable them to access their personal data and allows them to update, rectify, erase, or transmit their personal data, if appropriate or required by law. The access mechanism is further detailed in Pharm-Olam's Data Subject Access Request Procedure, as well as in the Privacy Notices.
Data Subjects have the right to receive, upon request, a copy of the data they provided to Pharm-Olam in a structured format and to transmit those data to another Controller, for free. Pharm-Olam's Data Protection Officer is responsible for ensuring that such requests are processed within one month, are not excessive and do not affect the rights to personal data of other individuals.
Right to be Forgotten
Upon request, Data Subjects have the right to obtain from the Company the erasure of their personal data, if applicable. When the Company is acting as a Controller, Pharm-Olam will take necessary actions to inform the third parties who use or process that data to comply with the request.