GC Aesthetics – GDPR Patient Privacy Notice
Effective Date: May 25, 2018
The new General Data Protection Regulation (GDPR) cames into effect on May 25th 2018. It builds on existing EU data privacy rules, strengthening in many key areas and non-compliance potentially results in severe financial penalties.
GC Aesthetics is highly committed to maintaining high standards of information security, privacy and transparency, whether as a data controller or data processor.
We take our responsibilities in relation to the protection and security of our data and that of our employees, customers, vendors and partners incredibly seriously and the changes being introduced to ensure GDPR compliance are part of a continuous, ongoing process that has always been central to what we do.
Going forwards, GC Aesthetics will comply with applicable GDPR regulations when they take effect on 25th May 2018, while also working closely with our clients and vendors to meet contractual obligations for our products and services.
Application of this Privacy Notice?
This EU General Data Protection Regulation (GDPR) Privacy Notice explains how GC Aesthetics, including affiliated companies (Nagor and Eurosilicone – referred to collectively as “GC Aesthetics,” “we,” “our,” or “us”) handles your Personal Data and can include Personal Data about others where you share their Personal Data with us. It details how we collect your Personal Data, why we collect it, and to whom we may share it. This Privacy Notice also discloses your Personal Data rights. It applies to all your Personal Data, including Personal Data stored electronically or in hard copy and Sensitive Personal Data, which includes Personal Data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, and data relating to convictions, decisions on penalty, fines, and other decisions issues in court or administrative proceedings.
What Personal Data may we collect about you?
GC Aesthetics collects and processes your Personal Data, which can come directly from you or from third parties with whom we contract or provide services or for compliance reasons. Personal Data includes all information that identifies you or can be used to identify you.
The types of your Personal Data we collect depends on the nature of your relationship with GC Aesthetics and applicable laws. The Personal Data we process about you, includes the data we collect directly from you either as part of your relationship with us or through other interactions you may have with us.
The information we process about you may include the following categories of Personal Data:
- Age and date of birth
- Demographic data
- Health and other Sensitive Personal Data
- Data collected from Cookies
- Data collected from website/mobile device usage and analytics
- Personal contact information (address, telephone, email address)
- Programs and activities in which you participated
- Trials and use of our products
- Opinions about us or our product and services
- Communication and other personal preferences
- Product request information
- Photographs and video
- Payment related information
- Financial information
- Product identifying, generated, usage, and diagnostic data; and/or
- Product service and error data
How will we use your Personal Data?
Processing of your Personal Data includes where we may record, organize, structure, store, adapt or alter, retrieve, consult, use, disclose by transmission, dissemination, or otherwise make available, align or combine, restrict, erase, or destroy your Personal Data.
We may process your Personal Data for the following purposes:
- Processing and reporting of adverse events
- To communicate product safety information to you
- Product quality and complaint management
- Administering and maintaining legally required product registries, including medical device tracking
- Administering and maintaining voluntary patient engagement and support platforms
- Responding to your requests for information, products, or services
- Our company compliance and facility and network security purposes
- Internal investigations of possible misconduct or failure to comply with our policies and procedures
- Auditing our programs and services for compliance purposes
- Legal proceedings and government investigations (such as pursuant to warrants, subpoenas, and court legal orders)
- Where we have Legal obligations to process the personal data
- Communications regarding our studies
- Communications about market research and product developments
- Communications about product information
- Communications about general health information (such as information on certain health conditions)
- To determine your eligibility for certain products, services, or programs
- Organizational planning and development (such as internal communications, budgets, administration, and project management)
- Administering educational programs
- Business and marketing research
- Authenticating and verifying your identity in your interactions with us
- Tracking your interactions (online and offline) with us
- Improvement and development of our products and services
- Device and application diagnostics
- Statistical analysis
- Payment processing; and/or
- Website administration
For any additional purposes where we are required to notify you and get your consent, including those purposes required by local law, we will obtain your consent before we process your Personal Data for those purposes.
What is our legal basis for processing your Personal Data?
The applicable legal basis for which we process your Personal Data for the specific purposes listed above, include the following:
Based on your consent: In some cases, we may ask you for your consent to collect and process your Personal Data and/or your Sensitive Personal Data. If you choose to provide us with your consent, you may later withdraw your consent (or opt-out) by contacting us as described in the “how do you contact us” section below. Please note that if you withdraw your consent it will not affect any processing of your Personal Data that has already occurred. Where we process your Personal Data based on consent, we will provide more detailed information to you at the time when we obtain your consent.
Compliance with applicable laws or performance of a contract: In specific circumstances, we may need to process your Personal Data to comply with a relevant law/regulation (such as when we are required by medical regulations to track usage of medical devices) or to fulfil our obligations under a contract to which you are subject. Where we process your Personal Data to meet our legal obligations, you will likely not be permitted to object to this processing activity, but you will usually have the right to access or review this information unless it would impede our legal obligations. Where we are processing to fulfil our contract obligations under a contract where you are a party, you might not be able to object to this processing, or if you do choose to opt-out or object to our processing, it may impact our ability to perform a contractual obligation that you are owed.
Our legitimate interest: We may process your Personal Data based on our legitimate interests in communicating with you and managing our interactions with you regarding our products and services, scientific research, and education opportunities. In addition to the other rights you may have described below, you have the right to object to such processing of your Personal Data. You can register your objection by contacting us as described in the “how do you contact us” section below.
To whom and when will we disclose or share your Personal Data?
We will share or disclose your Personal Data with the following entities:
- Our global affiliates.
- Third parties with whom we contract to carry out services on our behalf to perform activities or functions related to the processing purposes regarding your Personal Data that are described above. If we do, we will require that these third parties acting on our behalf protect the confidentiality and security of your Personal Data that we share with them. These third parties must contractually agree that they will not use or disclose your Personal Data for any other purposes than necessary to provide us services, perform services on our behalf, or to comply with applicable laws or regulations.
- Government agencies, auditors, and authorities. If we pay you for services you provide, we may disclose your Personal Data, including your financial relationship with us and any amounts you have been paid by us, to government authorities, auditors, and agencies, relating to our regulatory activities, in response to authorized information requests, or as otherwise required by laws, regulations, or industry codes.
- Potential or actual third party purchasers. If we decide to reorganize or divest our business through a sale, merger, or acquisition, we may share your Personal Data with actual or prospective purchasers. We will require that any such purchasers treat your Personal Data consistently with this Privacy Notice.
How do we transfer your Personal Data internationally?
We may transmit your Personal Data to our other global affiliates. Additionally, these affiliates may further transmit your Personal Data to our other global affiliates. Some of our affiliates and their database locations may be in countries that do not ensure an adequate level of data protection similar to the laws in the country in which you reside. Regardless, all our affiliates are required to treat your Personal Data in accordance with this Privacy Notice and our privacy and data protection policies and procedures.
For more information about our cross-border transfers of your Personal Data, please contact us using the information as described in the “how do you contact us” section below.
How do we protect your Personal Data?
We use industry-standard administrative, technical, and physical safeguards to protect your Personal Data against loss, theft, misuse, unauthorized access, modification, disclosure, and destruction. We restrict access to your Personal Data to only those employees and third parties acting on our behalf who have a legitimate business need for such access. We will only transfer your Personal Data to third parties acting on our behalf where we have received written assurances that your Personal Data will be protected in a manner consistent with this Privacy Notice and our privacy policies and procedures.
How long do we retain your Personal Data?
Your Personal Data will be maintained for the duration of your relationship with us. We will store and retain the Personal Data we collect about you in accordance with our Corporate Record Retention Policy, after which it will be archived or deleted. Certain information could be retained for longer periods of time if we have continuing obligations to you or if required by local law.
What are your rights?
You have the right to see and get a copy of your Personal Data, including an electronic copy, that we have as well as to ask us to make any corrections to inaccurate or incomplete Personal Data we have about you. You can also request that we erase your Personal Data when it is no longer needed for the purposes for which you provided it, restrict how we process your Personal Data to certain limited purposes where erasure is not possible, or object to our processing of your Personal Data. In certain circumstances you may be able to request that we send a copy of your Personal Data to a third party of your choosing.
To exercise any of these rights, please contact us as set forth in the “how do you contact us” section below. You also have the right to lodge a complaint with the supervisory authority (see details under “remedies” below) where you believe that your rights have been violated.
What if we revise this Privacy Notice?
From time to time we may make changes to this Privacy Notice to reflect changes in our legal obligations or the ways in which we process your Personal Data. We will communicate to you any material edits to this Privacy Notice and it will become effective when it is communicated.
How do you contact us if you have any questions or concerns?
Please contact GC Aesthetics’s Data Protection team using the below information to:
- Ask questions
- File a concern or complaint
- Opt-out of a program or service; and/or
- To exercise any of your rights listed above, including access, correction, portability, objection, restriction, and erasure.
GC Aesthetics’s GDPR Compliance team
Suite 601, Q House,
Sandyford, Dublin 18,
Email Address: [email protected]
What remedies do you have available?
For more information about your privacy and data protection rights, or if you are not able to resolve a problem directly with us and wish to make a complaint, please contact your country-specific data protection authority or GC Aesthetics’s lead data protection supervisory authority:
Irish Data Protection Commissioner
Canal House, Station Road, Portarlington, R32 AP23 Co. Laois
+353 57 8684800
+353 (0)761 104 800
Email Address: [email protected]