W
DATA PROTECTION POLICY
1. INTRODUCTION
2. LAW ON DATA PROTECTION
3. PRINCIPLES OF DATA PROTECTION
4. WHAT DATA DO WE COLLECT FROM YOU, WHY DO WE COLLECT IT AND HOW LONG DO WE KEEP IT?
4.1 IF YOU ARE OUR BUSINESS PARTNER
4.2 IF YOU ARE A HEALTHCARE PROFESSIONAL WITH WHOM WE HAVE CONTRACTED E.G. COPYRIGHT AGREEMENT OR SOME OTHER TYPE OF BUSINESS COOPERATION
4.3 YOU ARE OUR POTENTIAL EMPLOYEE
4.5 IF YOU REPORT AN ADVERSE REACTION TO MEDICINES
4.6 IF YOU VISIT OUR BUSINESS CENTERS / VIDEO SURVEILLANCE
5. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM?
6. PERSONAL DATA BREACH REPORTING SYSTEM
7. HOW WE SHARE DATA
8. MEASURES TO PROTECT YOUR DATA
9. CHANGES TO THE PERSONAL DATA PROTECTION POLICY
1. INTRODUCTION
Thank you for your interest in data protection provided by PHOENIX Pharma doo Belgrade.
PHOENIX Pharma doo Belgrade recognizes the importance of security, privacy protection and protection of all data, business and personal, obtained in daily operations from all persons-employees, customers, suppliers, users of medical services and all other business partners. As part of the PHOENIX group, with business processes, management structures and technical systems, our goal is to provide protection for all our work processes and implement it in our daily operations. Our entire business is based on the principle of transparency.
The personal data protection policy informs you about our practice of privacy and data protection, methods of data collection, such as, for example, applying for a job in our company, concluding a business cooperation agreement, etc.
The Personal Data Protection Policy applies to companies:
(hereinafter referred to as PHOENIX).
PHOENIX PHARMA DOO BEOGRAD is one of the leading wholesalers in Serbia and a member of the PHOENIX group, the leading European pharmaceutical wholesaler. The company ensures the delivery of medicines and medical products to numerous segments within the health care system: pharmacies, hospitals, healthcare centers.
This Policy also applies to all domains, services, applications, products and services of PHOENIX and its affiliates.
A part of PHOENIX is also BENU Pharmacy, whose privacy policy can be viewed at www.benu.rs
Personal data processing CONTROLLER and data protection officer
The data controller is responsible for the collection, processing and use of your personal data within the meaning of the Data Protection Law
CONTROLLER:
PHOENIX PHARMA DOO BEOGRAD
Bore Stankovića 2, Belgrade-Makiš
11030 Belgrade, Serbia.
All your questions and requests regarding the processing of your personal data by PHOENIX and the exercise of your rights can be submitted to the Personal Data Protection Officer by email: dpo(at)phoenixpharma.rs or to the above-mentioned address.
2. LAW ON DATA PROTECTION
The Law on Data Protection is a binding legislative act that applies in its entirety in the Republic of Serbia.
The Law determines the rights of individuals, and accordingly the obligations of business entities that process personal data, as well as the obligations of supervisory bodies for the protection of personal data.
The most important concepts mentioned in the Law are:
Personal data: is any data relating to a natural person whose identity is identified or identifiable, directly or indirectly, in particular on the basis of an identity marker, such as name and identification number, location data, identifiers in electronic communication networks or one or more features of their physical, physiological, genetic, mental, economic, cultural and social identity.
Processing of personal data: is any action or set of actions performed automatically or manually with personal data or sets thereof, such as collection, recording, sorting, grouping, i.e. structuring, storing, harmonizing or changing, revealing, viewing, using, disclosure by transmission, i.e. delivery, reproduction, dissemination or otherwise making available, comparing, limiting, deleting or destroying.
Special category of personal data (sensitive personal data): includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, processing of genetic and biometric data, data related to health or sexual orientation.
Controller: natural or legal person who determines the purpose and means of personal data processing.
Processor: natural or legal entity that processes personal data on behalf of the Controller.
Personal data breach: is a breach of personal data security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data that has been transmitted, stored or otherwise processed.
3. PRINCIPLES OF DATA PROTECTION
We process personal data in a legal, fair and transparent manner. All data processing is carried out:
PHOENIX reserves the right to additionally process personal data in extraordinary situations in compliance with the legal framework, i.e. as part of legal proceedings or criminal investigations. We respect the specifics of each business relationship by applying all data protection measures. We also enable the exercise of the rights of each person whose data we process and the availability of all information in a clear manner, in accordance with the law.
Personal data is processed exclusively for the purposes for which it is collected, we will not process it in a way that is inconsistent with the stated purpose, and we will limit the collection of personal data to what is necessary in relation to the purposes for which it is processed.
We take all measures and actions to ensure that personal data is always accurate and up-to-date and that it is stored only as long as is necessary to fulfill the purpose for which it was collected.
PHOENIX takes all reasonable steps to preserve the integrity and security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage by applying appropriate technical and organizational measures.
4. WHAT DATA DO WE COLLECT FROM YOU, WHY DO WE COLLECT IT AND HOW LONG DO WE KEEP IT?
4.1 IF YOU ARE OUR BUSINESS PARTNER
4.2 IF YOU ARE A HEALTHCARE PROFESSIONAL WITH WHOM WE HAVE CONTRACTED E.G. COPYRIGHT AGREEMENT OR SOME OTHER TYPE OF BUSINESS COOPERATION
4.3 IF YOU APPLY FOR A JOB WITH OUR COMPANY
We process your data if you apply for employment for a vacant position for the following purposes:
Selection of a suitable employee/trainee within the current selection procedure (conclusion of employment, professional training, practice, scholarship).
The provision of this personal data for the purpose of selecting a suitable candidate in the current selection process is not mandatory, however, without such data, it will be difficult for the Employer to decide on the candidate's employment or other relationship.
Consent can be revoked at any time at: fledgehr(at)phoenixphrama.com
As a result of the selection process, the personal data of unsuccessful candidates will also be stored after the end of the process in order to protect the legitimate interests of the employer. This processing therefore applies in particular to cases where the employer believes that there is a risk of litigation with the (unsuccessful) candidate regarding the reasons for rejection or to prove compliance with all legal obligations in the event of a labor inspection (or other inspection bodies). In connection with this purpose, the candidate's personal data will be stored as long as there is a risk of a possible dispute with the candidate or when it is possible that the employer will be sanctioned by the control authorities, i.e. generally during 3 years from the end of the selection procedure.
4.5 REPORTING AN ADVERSE REACTION TO MEDICINE
We will process your data in case you report an adverse reaction to the drug (an adverse reaction is any unwanted, accidental or harmful phenomenon associated with the use of a specific drug). Such monitoring of adverse reactions is called pharmacovigilance.
4.6 IF YOU VISIT OUR BUSINESS CENTERS / VIDEO SURVEILLANCE
5. WHAT ARE YOUR RIGHTS AND HOW TO EXERCISE THEM?
YOU CAN ASK PHOENIX AT ANY TIME
At any time, you have the right to request to access your personal data, to receive information about the purpose for which the data is used and processed, the category of your personal data that we store, the period during which we process and store your data. You can also get information from us about third parties and categories of third parties with whom we share your data.
You have the right to request that we give you a copy of some or all of the personal data we process. We can deliver a copy to you electronically, in a commonly used electronic form, unless you request a copy to be delivered in another way.
It is important to us that your data is accurate and complete. You have the right to demand that your incorrectly entered data be deleted or corrected without delay, as well as to ask us to supplement and update it if it is out of date.
If you want your data to be deleted or you want us to stop processing it, you can contact us. In case that your data is necessary to fulfill contractual obligations towards you and you request data deletion, we draw your attention to the fact that in that case the contractual obligations may not be fulfilled.
you contest the accuracy of the personal data relating to you, in case that the processing is illegal and you object to the deletion and request the limitation of use, if we no longer need it but you request it in order to submit, exercise or defend a legal claim, if you have submitted objection to data processing in accordance with Article 37, paragraph 1 of the Law on Personal Data Protection, and an assessment is ongoing as to whether the legal basis for processing by the controller outweighs your interests.
It is very important for you to know that at any time you have the right to submit an objection to our pharmacy establishment regarding the processing of your data if your data is processed on the basis of a legitimate interest. You also have the right to object at any time to the processing of your personal data that is processed for the purposes of direct advertising, including profiling to the extent that it is related to such direct advertising.
If the data processing is based on your consent or the processing is automated, you have the right to ask our company to transfer your personal data to another controller.
When processing is based on your consent, you have the right to revoke it at any time. Please note that if you revoke your consent, the revocation does not affect the permissibility of the processing that was carried out on the basis of your consent before the revocation.
In case you believe that data processing is carried out contrary to the Law, you have the right to file a complaint with the Commissioner for Personal Data Protection. (www.poverenik.rs).
Please submit all questions and requests regarding the processing of your personal data by PHOENIX and the exercise of your rights in writing to the following address:
PHOENIX PHARMA DOO BEOGRAD, Bore Stankovića 2, Beograd-Makiš
or
The Data Protection Officer via e-mail:
dpo@phoenixpharma.rs
PHOENIX is obliged to respond to you within 30 days from the date of receipt of the request.
6. PERSONAL DATA BREACH REPORTING SYSTEM
PHOENIX has established an online reporting system that allows employees, business partners, customers and third parties to easily report personal data breaches.
All reports are taken seriously and dealt with immediately. Any knowledge can be used to further improve the protection of personal data.
The online reporting system (PHOENIX Group platform) is available here:
phoenixgroup.integrityplatform.org
The platform is in Serbian and contains questions that can be used for easy reporting.
In case of reports, our employees adhere to internal guidelines, in particular the Privacy Policy.
For others, we provide answers to the most frequently asked questions:
What is a breach of privacy?
These are events that have led or could lead to (i) accidental or intentional loss of personal data (in electronic or paper form), (ii) destruction of data, or (iii) unauthorized access to data.
When should I report such an incident?
In certain cases, the personal data controller is obliged to report a personal data security breach to the Personal Data Protection Commissioner within 72 hours from the moment he became aware of it. Therefore, if you discover a breach of personal data where our company acts as an administrator, please do not hesitate to report the incident immediately.
Which incidents should be reported and how?
All personal data incidents are reported using the online reporting system. Severity and impact are assessed by the personal data controller himself. If the PHOENIX group platform is not functional, you can contact dpo@benu.rs; our employee then also informs his manager.
What happens after I send a message?
The privacy team will review the incident report and contact you for more information or, if necessary, assist you with actions to address the impact of such an event.
PHOENIX ensures that in the event of a breach of personal data, without undue delay, no later than 72 hours after becoming aware of the breach, it informs the Commissioner for the Protection of Personal Data, unless it is likely that the breach of personal data will cause a risk to the rights and freedoms of the individual.
In accordance with the provisions of the Law, we will notify persons without undue delay about the breach of personal data.
7. HOW WE SHARE DATA
Personal data may be forwarded within the PHOENIX Group to our parent company PHOENIX Pharmahandel GmbH & Co as the sole founder of PHOENIX.
Your data may also be forwarded to trusted third parties, whom we have entrusted to perform certain tasks on our behalf. The data will be forwarded to such third parties only to the extent necessary for them to be able to perform their duties, and we require them not to use the data for any other purpose. We will always make sure that any third parties we work with keep your personal data as secure as possible.
Recipients can also be data processors in accordance with the Law. If necessary and in accordance with the limitations prescribed by the Law, other entities (e.g. IT service providers) may be involved in data processing. We enter into a contractual relationship with such entities and ensure that personal data is protected in an appropriate manner in accordance with the Law.
If PHOENIX, together with other entities, determines the purpose and means of personal data processing, it forms a joint Controller together with those entities. In that case, we will determine in a transparent manner the responsibilities for compliance with the obligations from the Law with special attention to the exercise of the rights of the person whose data is being processed.
PHOENIX complies with legal provisions in every segment of its operations. Accordingly, we may also share your personal information if we feel we must do so for the following reasons:
8. MEASURES TO PROTECT YOUR DATA
PHOENIX protects your data. To prevent unauthorized access or disclosure of data and to ensure its adequate use, we use reasonable and appropriate physical, technical and administrative data protection measures. In order to prevent unauthorized use or disclosure of personal data, we have implemented security measures and procedures to protect personal data from loss, misuse, unauthorized access, transfer, alteration or destruction of personal data.
All our employees attended training on the protection of personal data and signed and are obliged to comply with all internal procedures related to the protection of personal data.
8. CHANGES TO THE PERSONAL DATA PROTECTION POLICY
The Personal Data Protection Policy may change from time to time to reflect changes in the way we process personal data. We will post any changes on our website.