Data security

DATA PROTECTION POLICY

1. INTRODUCTION

2. LAW ON DATA PROTECTION

3. PRINCIPLES OF DATA PROTECTION

4. WHAT DATA DO WE COLLECT FROM YOU, WHY DO WE COLLECT IT AND HOW LONG DO WE KEEP IT?

4.1 IF YOU ARE OUR BUSINESS PARTNER

4.2 IF YOU ARE A HEALTHCARE PROFESSIONAL WITH WHOM WE HAVE CONTRACTED E.G. COPYRIGHT AGREEMENT OR SOME OTHER TYPE OF BUSINESS COOPERATION

4.3 YOU ARE OUR POTENTIAL EMPLOYEE

4.5 IF YOU REPORT AN ADVERSE REACTION TO MEDICINES

4.6 IF YOU VISIT OUR BUSINESS CENTERS / VIDEO SURVEILLANCE

5. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM?

6. PERSONAL DATA BREACH REPORTING SYSTEM

7. HOW WE SHARE DATA

8. MEASURES TO PROTECT YOUR DATA

9. CHANGES TO THE PERSONAL DATA PROTECTION POLICY  

 

1. INTRODUCTION

Thank you for your interest in data protection provided by PHOENIX Pharma doo Belgrade.

PHOENIX Pharma doo Belgrade recognizes the importance of security, privacy protection and protection of all data, business and personal, obtained in daily operations from all persons-employees, customers, suppliers, users of medical services and all other business partners. As part of the PHOENIX group, with business processes, management structures and technical systems, our goal is to provide protection for all our work processes and implement it in our daily operations. Our entire business is based on the principle of transparency.

The personal data protection policy informs you about our practice of privacy and data protection, methods of data collection, such as, for example, applying for a job in our company, concluding a business cooperation agreement, etc.

The Personal Data Protection Policy applies to companies:

  • PHOENIX PHARMA DOO BEOGRAD, Bore Stankovića no. 2 Belgrade-Makiš and its affiliated companies based in the RS
    • EVROPA LEK PHARMA DOO BEOGRAD, Bore Stankovića no. 2 Belgrade-Makiš
    • INO-PHARM DOO BEOGRAD, Bore Stankovića no. 2 Belgrade-Makiš

(hereinafter referred to as PHOENIX).

PHOENIX PHARMA DOO BEOGRAD is one of the leading wholesalers in Serbia and a member of the PHOENIX group, the leading European pharmaceutical wholesaler. The company ensures the delivery of medicines and medical products to numerous segments within the health care system: pharmacies, hospitals, healthcare centers.

This Policy also applies to all domains, services, applications, products and services of PHOENIX and its affiliates.

A part of PHOENIX is also BENU Pharmacy, whose privacy policy can be viewed at www.benu.rs

Personal data processing CONTROLLER and data protection officer        

The data controller is responsible for the collection, processing and use of your personal data within the meaning of the Data Protection Law

CONTROLLER:

PHOENIX PHARMA DOO BEOGRAD
Bore Stankovića 2, Belgrade-Makiš
11030 Belgrade, Serbia.

All your questions and requests regarding the processing of your personal data by PHOENIX and the exercise of your rights can be submitted to the Personal Data Protection Officer by emaildpo(at)phoenixpharma.rs or to the above-mentioned address.

 

2. LAW ON DATA PROTECTION

The Law on Data Protection is a binding legislative act that applies in its entirety in the Republic of Serbia.

The Law determines the rights of individuals, and accordingly the obligations of business entities that process personal data, as well as the obligations of supervisory bodies for the protection of personal data.

The most important concepts mentioned in the Law are:

Personal data: is any data relating to a natural person whose identity is identified or identifiable, directly or indirectly, in particular on the basis of an identity marker, such as name and identification number, location data, identifiers in electronic communication networks or one or more features of their physical, physiological, genetic, mental, economic, cultural and social identity.

Processing of personal data: is any action or set of actions performed automatically or manually with personal data or sets thereof, such as collection, recording, sorting, grouping, i.e. structuring, storing, harmonizing or changing, revealing, viewing, using, disclosure by transmission, i.e. delivery, reproduction, dissemination or otherwise making available, comparing, limiting, deleting or destroying.

Special category of personal data (sensitive personal data): includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, processing of genetic and biometric data, data related to health or sexual orientation.

Controller: natural or legal person who determines the purpose and means of personal data processing.

Processor: natural or legal entity that processes personal data on behalf of the Controller.

Personal data breach: is a breach of personal data security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that has been transmitted, stored or otherwise processed.

3. PRINCIPLES OF DATA PROTECTION                         

  • Legality, fairness and transparency

We process personal data in a legal, fair and transparent manner. All data processing is carried out:

  1. based on your consent
  2. for the purpose of fulfilling mutual obligations based on the agreement
  3. for legitimate purposes with the aim of carrying out mutual business activities
  4. respecting other legal obligations.

PHOENIX reserves the right to additionally process personal data in extraordinary situations in compliance with the legal framework, i.e. as part of legal proceedings or criminal investigations. We respect the specifics of each business relationship by applying all data protection measures. We also enable the exercise of the rights of each person whose data we process and the availability of all information in a clear manner, in accordance with the law.

  • Limiting the purpose and reducing the amount of personal data

Personal data is processed exclusively for the purposes for which it is collected, we will not process it in a way that is inconsistent with the stated purpose, and we will limit the collection of personal data to what is necessary in relation to the purposes for which it is processed.

  • Accuracy and limitation of personal data storage

We take all measures and actions to ensure that personal data is always accurate and up-to-date and that it is stored only as long as is necessary to fulfill the purpose for which it was collected.

  • Data security and integrity

PHOENIX takes all reasonable steps to preserve the integrity and security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage by applying appropriate technical and organizational measures.

                                                                

 

 

4. WHAT DATA DO WE COLLECT FROM YOU, WHY DO WE COLLECT IT AND HOW LONG DO WE KEEP IT?

4.1 IF YOU ARE OUR BUSINESS PARTNER                                                         

  • On the basis of business cooperation, we collect data related to the conclusion of purchase and sales agreements, as well as all other agreements that enable the performance of our activities and the execution of business processes: name, surname, address, personal identification number, registration number, telephone number, current account, email address and other similar data. The legal basis for this processing is a concluded agreement or legitimate interest. Collected data is stored for 10 years from the date of expiry of the agreement, i.e. in accordance with legal provisions.
  • During the organization of various educations intended for business partners, we collect: name and surname, e-mail address, address of the institution, information on whether the person is the owner of the institution or an employee. The purpose of data processing is to carry out education about products and services on the market, and every participant voluntarily accesses education online or in person. Data is stored until the user requests data deletion or in accordance with legal provisions. The deadline for data deletion is 30 days from the date of receipt of the request.
  • Data on recipients of donations or sponsorships: name, surname, address, company name, personal ID number. The purpose of processing payment data is donations or sponsorships, and they are collected based on the voluntary request of the recipient of the donation or offer for sponsorship and are needed to conclude a donation or sponsorship agreement.
  • In case you are our new business partner, we conduct a due diligence through a special system. Selected future/potential business partners are subject to a due diligence procedure in order to avoid any legal, financial or reputation risks. The legal basis for this processing is legitimate interest. For natural persons, the legal basis for data processing is based on consent. The data collected includes: name and surname, contact information / e-mail address of the business partner, address, title, information about the responsible persons, name and surname of the beneficial owners of the business partners.

4.2 IF YOU ARE A HEALTHCARE PROFESSIONAL WITH WHOM WE HAVE CONTRACTED E.G. COPYRIGHT AGREEMENT OR SOME OTHER TYPE OF BUSINESS COOPERATION

  • When concluding a copyright agreement with healthcare professionals or during some other type of business cooperation, we collect this personal data for a number of different purposes:
  • for concluding a copyright agreement: name and surname, address, personal ID number, account number. The purpose of data collection is to conclude and fulfill obligations under the Copyright Agreement.
  • Participation in professional lectures, congresses, etc. organized or sponsored by PHOENIX: name and surname, institution / place of work, signature. We process participant data for reporting purposes related to transparency and compliance in relation to cooperation with healthcare professionals. We base this data processing on our agreement with you and our legitimate interest.
  • to interact with you: we need your contact information to respond to your inquiries and provide information when you request it or when we believe our products and services may be of interest to you. If we intend to share electronic marketing messages with you, we will ask for your consent where necessary and you can opt-out at any time;
  •  to invite you to provide us with feedback, participate in research, surveys or attend events.
  • when planning engagements with sales representatives; to report adverse drug reactions that you have informed us about;
  • We store the personal data we collect about you in a secure environment. Your personal information is protected from unauthorized access, disclosure, use, alteration or destruction by any organization or individual.
  • PHOENIX, affiliated companies and our service providers selected by PHOENIX may process your data, however, PHOENIX ensures that all transmitted personal data remains protected and secure.

4.3 IF YOU APPLY FOR A JOB WITH OUR COMPANY

We process your data if you apply for employment for a vacant position for the following purposes:

Selection of a suitable employee/trainee within the current selection procedure (conclusion of employment, professional training, practice, scholarship).

  • In order to select suitable employees and subsequently conclude an employment agreement (training, internship, scholarship), it is necessary to process the personal data of the candidates involved in the selection process. When filling out the application, you give us data that may include:
  1. mandatory (name, surname, place of residence, telephone, degree, city where you would work, etc.);
  2. not mandatory (work location, cover letter, desired salary, language skills, etc.).

The provision of this personal data for the purpose of selecting a suitable candidate in the current selection process is not mandatory, however, without such data, it will be difficult for the Employer to decide on the candidate's employment or other relationship.

  • The candidate's personal data may also be processed for potential further contact with a job offer in the future, provided that the candidate has given his consent to such processing. The data will be stored until the end of the 3rd calendar year after the end of the initial selection procedure for employment, i.e. until the end of the 1st calendar year for professional training, internship, scholarship, when the data will be deleted in the following year. Of course, the data will not be used for these purposes if you revoke your consent earlier.

Consent can be revoked at any time at: fledgehr(at)phoenixphrama.com

  • Processing for the purpose of employer’s legitimate interests

As a result of the selection process, the personal data of unsuccessful candidates will also be stored after the end of the process in order to protect the legitimate interests of the employer. This processing therefore applies in particular to cases where the employer believes that there is a risk of litigation with the (unsuccessful) candidate regarding the reasons for rejection or to prove compliance with all legal obligations in the event of a labor inspection (or other inspection bodies). In connection with this purpose, the candidate's personal data will be stored as long as there is a risk of a possible dispute with the candidate or when it is possible that the employer will be sanctioned by the control authorities, i.e. generally during 3 years from the end of the selection procedure.

  • The scope of personal data processing strictly corresponds to the above-mentioned purposes of their processing. Thus, the employer will mainly process personal data specified in the candidate's application and in the candidate's CV (if submitted), or in other documents submitted by him (educational documents, motivational letters, etc.), or data personally submitted during the interview, etc. All these data should refer to the previous work of the candidate, his skills and knowledge (qualifications), and therefore the prerequisites for performing future work for the employer.
  • Candidate personal data is generally obtained directly from the candidate, generally by entering a CV on the BENU website or on the employer's website on the FledgeHr server linked by the BENU website or as part of a completed questionnaire to be submitted to the employer. Personal data is also collected as part of the Employer's activities (e.g. the assessment of candidates by the HR manager or assessment of technical knowledge by the relevant manager during the selection process). Personal data may also be obtained from other sources, for example through professional (work-related) social media, especially LinkedIn, or from recruitment agencies. The employer does not check the applicant's background through third parties.
  • In the event that we intend to conclude an employment agreement with the selected candidate, PHOENIX will be obliged to collect certain other data from the candidate for which there is a legal obligation to collect, which will be provided with a separate notification.

 

4.5 REPORTING AN ADVERSE REACTION TO MEDICINE

 

We will process your data in case you report an adverse reaction to the drug (an adverse reaction is any unwanted, accidental or harmful phenomenon associated with the use of a specific drug). Such monitoring of adverse reactions is called pharmacovigilance.

  1. if you are a patient: we may collect your name and surname and/or initials, date of birth, age, gender, weight, height. We also collect data that are considered particularly sensitive personal data, namely data on health, i.e. medical history and health status. Health data is processed only when it is important and necessary for the proper documentation of an adverse reaction and to fulfill the requirements in the field of pharmacovigilance. In addition to personal data, we may also collect data on the product that is suspected of causing an adverse reaction, as well as data on concurrently administered drugs (therapies), including the dose you are taking or that has been prescribed to you, the reason why you are taking the product or why it was prescribed to you, and any subsequent changes in your usual medication schedule, as well as information about the adverse reaction you have had, therapies and any additional relevant information to supplement the already reported case.
  1. if you are a healthcare professional who reports: we can collect your name and surname, specialty, institution where you are employed, address, phone, e-mail.
  2. In fulfillment of our obligations in the field of pharmacovigilance, we share your data with competent regulatory bodies.
  3. Given that patient safety is important, we store all information we collect about you as part of collected reports on adverse drug reactions so that we can correctly assess the safety of product use over time, and the data is stored for a minimum of 10 years from the date of receipt of the report.

                                                                                                                                    

4.6 IF YOU VISIT OUR BUSINESS CENTERS / VIDEO SURVEILLANCE

  • When you visit our head office, upon entering the building, we collect your name and surname and the company you work for, for the purpose of protecting property and people and controlling movement in and around our facilities. We base data processing on legitimate interest, and only responsible persons have access to the data. The data will be stored in the PHOENIX system for a period of 30 days and will be deleted after the expiry of the period.
  • In order to protect property, employees and visitors, each of our branches has a built-in video surveillance system. The legal basis for processing this data, which includes recordings of visitors, employees and facilities, is based on the legitimate interest of the Controller. Video surveillance does not include, i.e. it is prohibited to establish surveillance in rooms for personal hygiene and rooms intended for workers' changing (changing rooms). Rooms that are under video surveillance are marked with adequate signs that unambiguously let all workers and third parties know that the room is under video surveillance, before the person enters the recording parameter. Notifications are displayed in visible places and contain all the necessary information. Data obtained through the use of video surveillance are adequately protected because only an authorized person has the right of access. Third parties do not have access. The data can be given to competent authorities at their request.

 

5. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM?

   YOU CAN ASK PHOENIX AT ANY TIME

  1. to provide you with access to your personal data

At any time, you have the right to request to access your personal data, to receive information about the purpose for which the data is used and processed, the category of your personal data that we store, the period during which we process and store your data. You can also get information from us about third parties and categories of third parties with whom we share your data.

  1. to give you a copy of the personal data we process

You have the right to request that we give you a copy of some or all of the personal data we process. We can deliver a copy to you electronically, in a commonly used electronic form, unless you request a copy to be delivered in another way.

  1. da to request correction and supplement of your personal data

It is important to us that your data is accurate and complete. You have the right to demand that your incorrectly entered data be deleted or corrected without delay, as well as to ask us to supplement and update it if it is out of date.

  1. to request deletion of personal data

If you want your data to be deleted or you want us to stop processing it, you can contact us. In case that your data is necessary to fulfill contractual obligations towards you and you request data deletion, we draw your attention to the fact that in that case the contractual obligations may not be fulfilled.

  1. to limit the processing of your personal data by us or a third party in a certain part or completely in the case:

you contest the accuracy of the personal data relating to you, in case that the processing is illegal and you object to the deletion and request the limitation of use, if we no longer need it but you request it in order to submit, exercise or defend a legal claim, if you have submitted objection to data processing in accordance with Article 37, paragraph 1 of the Law on Personal Data Protection, and an assessment is ongoing as to whether the legal basis for processing by the controller outweighs your interests.

  1. to submit an objection

It is very important for you to know that at any time you have the right to submit an objection to our pharmacy establishment regarding the processing of your data if your data is processed on the basis of a legitimate interest. You also have the right to object at any time to the processing of your personal data that is processed for the purposes of direct advertising, including profiling to the extent that it is related to such direct advertising.

  1. to transfer your data to another controller

If the data processing is based on your consent or the processing is automated, you have the right to ask our company to transfer your personal data to another controller.

  1. to withdraw your consent to the processing of your personal data

When processing is based on your consent, you have the right to revoke it at any time. Please note that if you revoke your consent, the revocation does not affect the permissibility of the processing that was carried out on the basis of your consent before the revocation.

  1. to submit a complaint to the commissioner

In case you believe that data processing is carried out contrary to the Law, you have the right to file a complaint with the Commissioner for Personal Data Protection. (www.poverenik.rs).

Please submit all questions and requests regarding the processing of your personal data by PHOENIX and the exercise of your rights in writing to the following address:

PHOENIX PHARMA DOO BEOGRAD, Bore Stankovića 2, Beograd-Makiš

or

The Data Protection Officer via e-mail:

dpo@phoenixpharma.rs

PHOENIX is obliged to respond to you within 30 days from the date of receipt of the request.

6. PERSONAL DATA BREACH REPORTING SYSTEM

PHOENIX has established an online reporting system that allows employees, business partners, customers and third parties to easily report personal data breaches.

All reports are taken seriously and dealt with immediately. Any knowledge can be used to further improve the protection of personal data.

The online reporting system (PHOENIX Group platform) is available here:

phoenixgroup.integrityplatform.org

The platform is in Serbian and contains questions that can be used for easy reporting.

In case of reports, our employees adhere to internal guidelines, in particular the Privacy Policy.

                                                     

For others, we provide answers to the most frequently asked questions:

What is a breach of privacy?

These are events that have led or could lead to (i) accidental or intentional loss of personal data (in electronic or paper form), (ii) destruction of data, or (iii) unauthorized access to data.

When should I report such an incident?

In certain cases, the personal data controller is obliged to report a personal data security breach to the Personal Data Protection Commissioner within 72 hours from the moment he became aware of it. Therefore, if you discover a breach of personal data where our company acts as an administrator, please do not hesitate to report the incident immediately.

Which incidents should be reported and how?                              

All personal data incidents are reported using the online reporting system. Severity and impact are assessed by the personal data controller himself. If the PHOENIX group platform is not functional, you can contact dpo@benu.rs; our employee then also informs his manager.

What happens after I send a message?

The privacy team will review the incident report and contact you for more information or, if necessary, assist you with actions to address the impact of such an event.

PHOENIX ensures that in the event of a breach of personal data, without undue delay, no later than 72 hours after becoming aware of the breach, it informs the Commissioner for the Protection of Personal Data, unless it is likely that the breach of personal data will cause a risk to the rights and freedoms of the individual.

In accordance with the provisions of the Law, we will notify persons without undue delay about the breach of personal data.

7. HOW WE SHARE DATA

Personal data may be forwarded within the PHOENIX Group to our parent company PHOENIX Pharmahandel GmbH & Co as the sole founder of PHOENIX.

Your data may also be forwarded to trusted third parties, whom we have entrusted to perform certain tasks on our behalf. The data will be forwarded to such third parties only to the extent necessary for them to be able to perform their duties, and we require them not to use the data for any other purpose. We will always make sure that any third parties we work with keep your personal data as secure as possible.

Recipients can also be data processors in accordance with the Law. If necessary and in accordance with the limitations prescribed by the Law, other entities (e.g. IT service providers) may be involved in data processing. We enter into a contractual relationship with such entities and ensure that personal data is protected in an appropriate manner in accordance with the Law.

If PHOENIX, together with other entities, determines the purpose and means of personal data processing, it forms a joint Controller together with those entities. In that case, we will determine in a transparent manner the responsibilities for compliance with the obligations from the Law with special attention to the exercise of the rights of the person whose data is being processed.

PHOENIX complies with legal provisions in every segment of its operations. Accordingly, we may also share your personal information if we feel we must do so for the following reasons:

  • based on orders from appropriate legislative bodies, courts, prosecutor's offices and other public institutions, including requests related to national security or law enforcement
  • compliance with any law, regulation, subpoena or order.
  • investigating and preventing security threats, fraud or other criminal or malicious activities.

8. MEASURES TO PROTECT YOUR DATA

PHOENIX protects your data. To prevent unauthorized access or disclosure of data and to ensure its adequate use, we use reasonable and appropriate physical, technical and administrative data protection measures. In order to prevent unauthorized use or disclosure of personal data, we have implemented security measures and procedures to protect personal data from loss, misuse, unauthorized access, transfer, alteration or destruction of personal data.

All our employees attended training on the protection of personal data and signed and are obliged to comply with all internal procedures related to the protection of personal data.

8. CHANGES TO THE PERSONAL DATA PROTECTION POLICY

The Personal Data Protection Policy may change from time to time to reflect changes in the way we process personal data. We will post any changes on our website.