Website Privacy Notice
From time to time, just like many other companies, we collect or use personal data. In this privacy notice, we explain the:
- purposes we collect and use your personal data for;
- categories of personal data we collect for those purposes; and
- how we collect your personal data.
Importantly, we also tell you what your rights are in relation to the personal data we hold and what you can do to enforce them.
If you’d like, you can scroll down and read the whole policy. But you can also jump to the section you are interested in by clicking on one of the headings below.
- CATEGORIES OF PERSONAL DATA WE COLLECT
- HOW DO WE COLLECT YOUR PERSONAL DATA
- HOW AND WHY WE USE YOUR PERSONAL DATA
- YOUR CONSENT
- HOW WE WILL KEEP YOUR DATA SECURE
- HOW LONG WE WILL KEEP YOUR PERSONAL DATA FOR?
- WHO HAS ACCESS TO YOUR PERSONAL DATA?
- DO WE TRANSFER YOUR PERSONAL DATA OUTSIDE OF THE EUROPE?
- WHAT RIGHTS DO YOU HAVE?
- DIRECT MARKETING
- CONTACT US
- UPDATES TO THIS NOTICE
If this privacy notice doesn’t answer your questions, then get in touch with us using the contact details below.
At CSL Behring UK Limited (“we“, “us“, “CSL Behring”) we are committed to protecting your privacy. When you use our websites, we will collect certain information that can be used to identify you (“personal data“).
CSL Behring is the “data controller” of the personal data we collect. This means that we are responsible for decisions about the collection and use of personal data. It also means we are responsible for responding to your questions and requests in relation to the personal data we hold about you.
This privacy notice explains how we use the personal data we collect when you use our website. It also explains the rights you have in relation to your personal data.
2. CATEGORIES OF PERSONAL DATA WE COLLECT
We may collect the following types of personal data from you when you use our website:
- Contact details: this is information that allows us to contact you, such as your name, address, telephone numbers, email addresses and social media handles/user names.
- Demographic information: this is information about your background and which can help us identify you more precisely such as gender, citizenship, date of birth.
- Payment information, purchase and account history: if you are a healthcare professional/ provider or a distributor of products we will collect information about your account and business with us. This may include information such as credit/debit card details, bank account details, billing addresses and customer numbers, as well as records relating to the products and services which you have been purchased from us.
- Personal data in reports and notifications you submit to us: if you submit information to us about our products and services through our website, for example, through a suspected adverse event reporting form, we will collect any personal data you include within your report.
- Health data: if you submit healthcare data to us in relation to our products or services, we will collect any personal data and sensitive personal data you include.
- Records of your discussions with us: when you contact us using the contact options on the website (whether by email, phone, an online form or through social media (such as through Twitter or on Facebook), we may keep a record of the information you provide when doing this.
- How you use our website: we collect information about the pages you look at and how you use them.
- Location information: your smartphone or computer’s IP address may tell us your approximate location when you connect to our website (this will usually be no more precise than a country or city location).
3. HOW WE COLLECT YOUR PERSONAL DATA
We will collect personal data from a number of sources. These include:
- Directly from you: for example, we will collect personal data directly from you when you set up an account with us, purchase products or services from us, complete forms we provide to you, make a report or notification about our products or services or contact us by phone, email, or communicate with us directly in some other way (such as through social media).
- Our website: we will collect information we observe about the way you use our website.
- Third parties: we may collect personal data about you from third parties. This typically includes: credit reference agencies (if we believe this is necessary to facilitate your purchase of products or services from us), or healthcare professional/providers (in relation to your use of our products).
4. HOW AND WHY WE USE YOUR PERSONAL DATA
We collect and use your personal data for the purposes described in the below table.
|Purpose of processing||Categories of data typically processed for the purpose|
|Contact and communicate with you in relation to our business, products and services||All the personal data listed above|
|If you are a healthcare professional/provider or distributor of our products, we will use your personal data to manage your account with us, perform credit checks where this is necessary, take payment for our products and services and arrange delivery||
Payment information, purchase and account history
Records of your discussions with us
|If you contact us with any queries or complaints, we will use your personal data to help us respond to you||All the personal data listed above|
|In the course of investigating misuse of your account, fraud and debt collection||All the personal data listed above|
|To review our products and services, assess their safety and performance and to develop new products and services||All the personal data listed above|
|To perform online advertising||
Payment information, purchase and account history
How you use our website
|To conduct market research||
Other personal data relevant to the market research being conducted
|To conduct direct marketing||
Purchase and account history
How you use our website
Any personal data you submit to us about products or services you are interested in
|For individuals to report Suspected Adverse events||
(Further information about our collection and use of personal data for this purpose will usually be provided by us in a specific Suspected Adverse Event Privacy Notice)
We will only use your personal data when the law allows us to. Most commonly, we will rely on the lawful grounds listed below when we use your personal data.
- Consent: if you have consented to the collection and use of your personal data.
- Contract: if we need to use your personal data to perform a contract between us. For example, where we enter a contract with you to provide you with our products or perform services.
- Legal obligation: if we need to comply with a legal obligation. For example, where we have a legal obligation to report suspected adverse events to our medicinal products.
- Vital interests: if our use of your personal data is needed to protect the vital interests of you or another person. For example, where there is a serious health risk to you or another person.
- Public interest: if our use of your personal data is needed in the public interest.
- Legitimate interest: if our use of your personal data is for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. This includes carefully considered and specific purposes that enable us to enhance the services we provide, but which we believe also benefit our customers and ultimate consumers. It also includes the legitimate interest we have in assessing our products performance and safety and meeting our industry and regulatory obligations.
Sensitive personal data (such as health data) requires us to have additional legal grounds to collect and use it. Most commonly, we will rely on the lawful grounds listed below when we use your sensitive personal data.
- Consent: if you have given us your explicit consent to use your personal data.
- Vital interests: if our use of your personal data is needed to protect the vital interests of you or another person and you are incapable of giving your consent. For example, where there is a serious health risk to you or another person.
- Provision of health care: if your personal data is needed for the provision of health care or treatment.
- Public interest: if your personal data is needed in the public interest, such as protecting against serious threats to health and ensuring high standards of our medicinal products and related healthcare.
5. YOUR CONSENT
Under certain circumstances, where the legal basis for using your personal data is that you have provided your consent, you may withdraw your consent at any time. If you withdraw your consent, this will not make processing which we undertook before you withdrew your consent unlawful.
You can withdraw your consent by contacting us using the contact details listed below.
6. HOW WE WILL KEEP YOUR DATA SECURE
We have put in place appropriate security measures to prevent your personal data from being accidentally lost or used, accessed, altered or disclosed in an unauthorised way.
In addition, we limit access to your personal data by our employees and service providers, to individuals who need access to perform their job or provide a service to us. They will only use your personal data on our instructions and are required to keep your personal data confidential.
We have put in place procedures to deal with suspected data security breaches and will notify you and any applicable regulators of breaches in accordance with relevant legal requirements.
7. HOW LONG WE WILL KEEP YOUR PERSONAL DATA FOR?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, whether we can achieve those purposes through other means and the applicable legal requirements.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
8. WHO HAS ACCESS TO YOUR PERSONAL DATA?
We may share personal information with the following:
- Our staff – your personal data will be accessed by our staff but only where this is needed for their job role.
- Companies in the same group of companies as us – for the purpose of providing a service to you.
- Delivery companies – to deliver products that you have ordered from us.
- Credit reference agencies – so that we can verify your identity, and to provide information on missed or late payments or other activity which may affect your credit score.
- Other service providers and advisors – such as companies that support our IT, help us analyse the data we hold, process payments, send communications to our customers, provide us with legal or financial advice and help us deliver our services to you.
- The government or our regulators – where we are required to do so by law or to assist with their investigations or initiatives, including relevant data protection and healthcare regulators. Such parties use the personal data for their own purpose and their own privacy notice will apply to the use of the personal data they hold.
We do not disclose personal information except as set out above or where we have a legal obligation to do so, or we need to share information to assist with the investigation and prevention of crime. We may provide other third parties with statistical information and analytics but we will make sure that the information is aggregated and no one can be identified from this information before we disclose it.
9. DO WE TRANSFER YOUR PERSONAL DATA OUTSIDE OF EUROPE?
In order to process your personal data for the purposes set out in this notice, we may transfer your personal data to third parties and other companies in our group which are based outside of the EU and EEA (“Europe“).
To ensure that your personal data is secure, we will only transfer your information to countries outside of Europe where we do so in accordance with the EU’s General Data Protection Regulation (“GDPR“). This requires that one of the following conditions applies:
- the European Commission has decided that the country provides an adequate level of protection for your personal data (in accordance with Article 45 of the GDPR);
- the transfer is subject to a legally binding and enforceable commitment on the recipient to protect the personal data (in accordance with Article 46 of the GDPR);
- the transfer is made subject to binding corporate rules (in accordance with Article 47 of the GDPR); or
- the transfer is based on a derogation from the GDPR restrictions on transferring personal data outside of the EU (in accordance with Article 49).
10. WHAT RIGHTS DO YOU HAVE?
Under certain circumstances you have the right to:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate personal data we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You can also object to receiving direct marketing.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you under certain circumstances, for example if you want us to restrict processing while the accuracy of the personal data is being established.
- Request that we transfer personal data that you have provided to us to you or another party.
- Request not to be subjected to automated decision-making. We will only use automated decision making and profiling for our online operations in limited circumstances.
You can exercise your rights by using the ‘CSL rights portal’ by following this link:
Alternatively, you can contact us using the contact details at the end of this notice. We will always aim to help you when you wish to exercise your rights but in some instances we may have lawful grounds to reject your request.
We will investigate any request you make immediately and will respond to you within a month of your request. That period may be extended by us for a further two months where this is needed to help us respond properly (for example if the request is complicated for us to deal with and we need more time) but we will let you know the reasons for the delay.
If we decide to not take action on the request, we will inform you of the reasons for not taking action.
If you do not agree with a decision we make in relation to a rights request or believe that we are in breach of data protection laws in Europe, then you can lodge a complaint with a data protection regulator in Europe.
11. DIRECT MARKETING
If you are a healthcare professional or provider and, depending on the marketing preferences that you indicate to us at the time we collect your personal data, we may contact you via post, telephone or electronic methods with information about our products and services. You can opt-out by the options provided to you within our communications or by contacting us using the contact details at the end of this notice.
12. CONTACT US
If you have any questions about how we process your personal data or want to exercise one of your rights, you can contact us using the details below:
Or, via the CSL rights portal:
13. UPDATES TO THIS NOTICE
We may update this notice from time to time to reflect changes in the way we process personal data (e.g., if we implement new systems or processes that involve new uses of personal data) or to clarify information we have provided in the notice. Our changes will be in accordance with applicable data protection laws.
We recommend that you check for updates to this notice from time to time but we will notify you directly about changes to this notice or the way we use your personal data when we are legally required to do so.
LAST UPDATED: May 2018
Date of preparation: May 2018