Last updated: 01/06/2023
Teoxane SA is committed to respecting your privacy. When an incident or risk of an incident concerning one of TEOXANE SA's products is reported, Teoxane SA will collect certain information that will allow you to be identified ("Personal Data").
Teoxane SA is "Controller" for personal data collected in connection with the declaration of an incident or risk of incident concerning one of its products. This means that Teoxane SA is responsible for decisions concerning the collection and use of personal data. It also means that Teoxane SA is responsible for answering your questions and requests in relation to the personal data that Teoxane SA holds about you.
This information note ("Information Note") explains how Teoxane SA will process your personal data in the event of an incident or risk of an incident. It also explains your rights in relation to your personal data.
2. TO WHOM DOES THIS INFORMATION APPLY?
This information concerns you if you:
- are identified in a notification as having presented an incident or risk of incident; or
- make a notification of an incident or risk of incident on behalf of someone else (and you provide Teoxane SA with your identity when making this report).
By this Information Note, Teoxane SA expressly informs you that in the event that you yourself carry out the notification of the adverse health event to which you have been exposed, the secrecy of your identity cannot be preserved by Teoxane SA. However, the lifting of secrecy will be strictly limited to what is necessary to enable Teoxane SA to meet its obligations in terms of health surveillance and for a period strictly limited to what is necessary to meet the said obligations.
3. THE CATEGORIES OF PERSONAL DATA THAT TEOXANE SA COLLECTS
When you notify an incident or risk of an incident, Teoxane SA processes your full identity (surname, first name) as well as your contact details.
For each case of health surveillance that Teoxane SA receives, Teoxane SA collects data relating to the patient or the person who presented the incident or the risk of an incident: initials or identification number (code), descriptive information (age, year or date of birth, sex, weight, height), health data such as treatments administered, results of examinations, nature of incidents or risks of incidents, personal or family history, diseases or associated events, risk factors, information relating to ancestry and descent, data relating to professional life, lifestyle habits and behaviour.
Only adequate, relevant and necessary data in relation to the analysis of the case of health surveillance are collected.
4. HOW DOES TEOXANE SA COLLECT YOUR PERSONAL DATA?
Teoxane SA collects personal data directly from you when you yourself report an incident or risk of an incident to Teoxane SA. This may also be done through incident or risk of incident reporting forms, questionnaires, interviews or observations that Teoxane SA may make about you or your state of health after an incident or risk of incident has been reported to it.
Teoxane SA may also collect personal data about you indirectly from third parties who report to Teoxane SA an incident or risk of an incident. This may include your physician or other healthcare professionals, a distributor of Teoxane SA products, another entity within the group to which Teoxane SA belongs (when they receive information about incidents or risks of incidents) or any other person (such as a family member or friend) who reports an incident or risk of incident on your behalf.
Teoxane SA is also required to collect incidents or risks of incidents published in the literature or which may be mentioned on a website or online application (blog, discussion forum, commentary on a mobile application, etc.) which are the responsibility of Teoxane SA.
5. REASONS WHY YOUR PERSONAL DATA IS USED
In the table below, Teoxane SA presents:
- the purposes for which Teoxane SA collects and uses your personal data;
- the categories of personal data that TEOXANE SA collects for these purposes; and
- the legal basis that allows Teoxane SA to collect and use your personal data.
6. HOW WILL TEOXANE SA PROTECT YOUR DATA?
Teoxane SA has implemented appropriate technical and organizational security measures to prevent your personal data from being accidentally lost or used, accessed, modified or disclosed without authorization.
In addition, Teoxane SA limits access to your personal data to its employees and service providers, and only those who have a legitimate need to know them by virtue of their work or the services provided have access to them. These persons will only process your personal data in accordance with the instructions of Teoxane SA and will be obliged to maintain their confidentiality.
Teoxane SA has put in place procedures to act in the event of alleged personal data breaches, and Teoxane SA will inform you and the relevant regulatory authorities, should such a case arise, in accordance with applicable legal requirements.
7. HOW LONG WILL TEOXANE SA KEEP YOUR DATA?
Teoxane SA keeps your personal data for as long as necessary to achieve the purpose for which it was collected, including to meet legal provisions or health surveillance reporting requirements. Thus, Teoxane SA informs you that your personal data will be kept on a dedicated database, on an active basis, for the duration of the marketing of the product concerned.
In order to assess the appropriate storage period for personal data, Teoxane SA takes into consideration the quantity, nature and sensitivity of the personal data, the potential risk of harm caused by the unauthorised use or disclosure of your personal data, the purposes for which Teoxane SA uses your personal data, and Teoxane SA tries to determine whether it can achieve these purposes by other means while complying with the relevant legal provisions.
In addition, Teoxane SA will archive your personal data in connection with incidents or risks of incidents related to its products, in intermediate archiving, for a period of fifteen (15) years after the last product is placed on the market, unless there is a specific legal obligation for Teoxane SA to archive your personal data for a longer period of time.
Under certain circumstances, Teoxane SA may ensure the anonymity of your personal data so that they can no longer be associated with you, in which case Teoxane SA may use this information for a longer period of time.
8. WHO HAS ACCESS TO YOUR PERSONAL DATA?
Teoxane SA staff - your personal data will be accessible by Teoxane SA staff, but only when necessary for the performance of their duties.
Third parties processing personal data on behalf of Teoxane SA - third party service providers (surveillance services, data storage providers, data analysis providers and technical services) who use personal data in the context of providing a service they provide to Teoxane SA, may also have access to your personal data. They will be required to ensure the protection of your personal data and will not be authorized to use your personal data for their own purposes.
Third parties who provide your personal data to Teoxane SA when they notify an incident or risk of an incident - third parties (such as doctors or other health professionals, distributors of Teoxane SA's products or any person who reports an incident or risk of incident on your behalf or who would be able to provide Teoxane SA with additional information) may have access to personal data that Teoxane SA will communicate to them in the context of an incident or risk of incident report that they have made or that concerns them. Teoxane SA will only share your personal data with these third parties in order to comply with its legal obligations and to be able to respond to notifications in the event of incidents or risks of incidents.
Third party manufacturers whose products would be affected by the notification.
The Departments of Teoxane SA in charge of medical information or quality assurance, if the notification of health surveillance is associated with a request for medical information or a quality claim.
National health authorities or other health regulatory bodies - where Teoxane SA is required to inform national health authorities or other regulatory bodies, in the event of incidents or risks of incidents relating to Teoxane SA's products, Teoxane SA will provide them with your personal data for the purposes set out above. National health authorities or other health regulatory bodies will become responsible for processing the personal data that Teoxane SA transfers to them. They will use the personal data for the purposes described above and their own privacy notice will apply to the use of the personal data held by them.
8. CAN TEOXANE SA TRANSFER YOUR PERSONAL DATA OUTSIDE EUROPE?
Having access to your personal data, for the reasons set out in this notice, Teoxane SA may have to transfer them to third parties and other companies of its group which are based outside the EU and EEA ("Europe").
Any transfer of data indirectly identifying persons exposed to an adverse health event and data directly identifying persons who have notified the adverse health event outside Europe shall be carried out in accordance with the applicable regulations under the following cumulative conditions:
- the provisions relating to the recipients of the data are complied with; and
- the transfer of data is strictly necessary for the implementation of the surveillance system.
To ensure the protection of your personal data, Teoxane SA will only transfer your personal data to other countries outside Europe in accordance with the General Data Protection Regulation ("GDPR"). This requires that one of the following conditions apply:
- the transfer is to a country or an international organization recognized by the European Commission as providing an adequate level of protection in accordance with Article 45 of the GDPR (adequacy decision);
- the transfer takes place subject to appropriate safeguards listed in Article 46(2) of the GDPR (in particular: standard contractual clauses approved by the European Commission, binding corporate rules, code of conduct, certification mechanism);
- in the absence of a decision on adequacy or appropriate safeguards, the transfer may be based on one of the exceptions provided for in Article 49 of the GDPR where such a transfer is not repetitive, massive or structured.
9. WHAT ARE YOUR RIGHTS?
You have the right to:
- Request access to your personal data (commonly referred to as a "data subject's data access request"). This allows you to receive a copy of the personal data that Teoxane SA holds about you and to verify that Teoxane SA is processing them lawfully.
- Request correction of the personal data that Teoxane SA holds about you. This enables you to rectify incomplete or inaccurate personal data concerning you that is in the possession of Teoxane SA.
- Request the limitation of the processing of your personal data. This makes it possible to suspend the processing of your personal data in certain circumstances, for example if you wish your data to be rectified and for the time that Teoxane SA carries out the necessary checks.
- Set guidelines for the fate of your data after your death. This right is provided for by French regulations on personal data and applies to all types of processing.
As health surveillance is a legal obligation of Teoxane SA, you may not object to the processing of your data or request their deletion.
You may exercise your rights by contacting Teoxane SA using the contact details provided at the bottom of this information note. Teoxane SA will always try to help you when you wish to exercise your rights, but in certain cases, Teoxane SA may be entitled to refuse your request.
Patients who are not themselves the originator of the notification may exercise their rights with Teoxane SA directly or through the Notifier.
Teoxane SA will immediately examine any request you make and will reply to you within one month of your request. Teoxane SA may extend this period by a further two months where this is necessary to enable Teoxane SA to respond properly to the request (for example if the request is complicated and Teoxane SA needs more time) but Teoxane SA will inform you of the reasons for the delay.
If Teoxane SA decides not to proceed with the request, Teoxane SA will inform you of the reasons for its decision.
If you do not agree with a decision that Teoxane SA takes following a request to exercise rights, or if you believe that Teoxane SA does not comply with applicable European data protection laws, you may lodge a complaint with a supervisory authority, in particular in the State of your habitual residence, your place of work or the place where you believe that a violation of the regulations has been committed.
10. NOTE TO NON-PATIENT NOTIFIERS
As Teoxane SA does not have access to the patient's full identity, Teoxane SA kindly asks you to provide the above information orally or to send this information note directly to the patient.
11. HOW TO CONTACT TEOXANE SA?
If you have any questions or if you wish to exercise any of your rights, you can contact Teoxane SA using the contact details below:
Teoxane SA Rue de Lyon 105 CH 1203 Geneva – Switzerland
Data Protection Officer