Nobelpharma Co., Ltd. (hereinafter referred to as “we, our, and us”) establishes the following personal data protection policy with regard to personal data (as defined in Article 4, Item (1) of GDPR) of individuals to whom GDPR (as defined in 2.1) applies (hereinafter referred to as “the Customer”) and processes the data thereof appropriately.

1. 1

   Regarding the Method of Acquisition of Personal Data

   We may acquire the Customer’s personal data directly from the Customer, or through the Customer’s access, etc., to our website, or otherwise indirectly from our group companies or third parties including outsourcing contractors. The acquisition of personal data will be conducted by proper means and for specified, clear, and lawful purposes of the processing.

2. 2

   Purposes of the Processing of Personal Data/Legal Basis of the Processing, etc.

   1. 2.1 We will process the Customer’s personal data in accordance with the General Data Protection Regulation (2016/679) of the EU^＊1 and UK domestic law enforced after the necessary revision of wording in the provisions of the General Data Protection Regulation (2016/679) in order to apply, along with Brexit, to post-Brexit UK the same content as the General Data Protection Regulation (2016/679), which had applied to the UK as a part of EU law before Brexit (hereinafter collectively referred to as “GDPR”).

      
      

   2. 2.2 We will process the Customer’s personal data in accordance with the purposes of the processing. The items of personal data that we process and the purposes of the processing will be mainly as follows:
      > Items of Personal Data Acquired/the Purposes of the Processing for Each Item/Principal Legal Basis

      
      

   3. 2.3 The processing of personal data in the preceding paragraph will be conducted relying on the following legal basis stipulated in Article 6, Paragraph 1 of GDPR:

      
      
      • (1)
        If the Customer has given consent to the processing of their personal data;
      • (2)
        if the processing is necessary for the performance of a contract to which the Customer is party or in order to proceed at the request of the Customer prior to entering into a contract;
      • (3)
        if the processing is necessary for compliance with legal obligations;
      • (4)
        if the processing is necessary in order to protect the vital interests of the Customer or of another natural person; or
      • (5)
        if the processing is necessary for the purposes of the legitimate interests^＊2 pursued by us or by a third party, except where such interests are overridden by fundamental rights and freedoms that require the protection of the Customer’s personal data.
      
      

   4. 2.4 With regard to the special categories of personal data including the Customer’s health/medical information, we will process such in accordance with the special conditions stipulated in Article 9 and Article 10 of GDPR, such as the Customer’s explicit consent.

      
      

   5. 2.5 The Customer has the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to the withdrawal of consent.

      
      

   6. 2.6 We do not make any decision based on automated data processing that will cause legal consequences or similar material effect on the Customer.

      
      

   7. 2.7 The Customer will not, in principle, bear any obligation to provide their personal data, however, failure to provide personal data may have effects such as interfering with communication to the Customer.

      
      

   • ＊1：This means the European Union including European Union member states, and Iceland, Liechtenstein, and Norway under the Agreement of the European Economic Area (EEA).
   • ＊2：The content of legitimate interests differs depending on the purposes of the processing of personal data (the legitimate interests may be the provision/receipt of information/services, the furtherance of marketing/promotion, the analysis/evaluation of quality/safety/efficacy of pharmaceuticals, the ensuring of the safety of pharmaceuticals. Please also refer to the Attachment).
3. 3

   Regarding the Customer’s Rights

   With regard to our processing of personal data, the Customer may exercise the following rights in accordance with the qualifications set forth by GDPR:

   • (1)
     Right of Access to Personal Data
     The Customer will have the right to obtain from us confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, the right to access the personal data and the relevant certain information (Article 15 of GDPR).
   • (2)
     Right to Rectification of Personal Data
     The Customer will have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning them, and have incomplete personal data completed (Article 16 of GDPR).
   • (3)
     Right to Erasure of Personal Data
     The Customer will have the right to have personal data concerning them erased without undue delay where one of the following grounds applies (Article 17 of GDPR):

     • (i)
       the Customer’s personal data is no longer necessary in relation to the purposes for which they were collected;
     • (ii)
       in the case that the processing of personal data is allowed only based on the Customer’s consent and the Customer withdraws consent; and
     • (iii)
       the Customer objects to the processing of personal data on the grounds of legitimate interests and the legitimate interests do not override the Customer’s interests, rights, and freedom.
   • (4)
     Right to Restriction of Processing of Personal Data
     The Customer will have the right to obtain from us restriction of processing of personal data where one of the following grounds applies (Article 18 of GDPR):

     • (i)
       the Customer disputes the accuracy of their personal data (only for a period enabling us to verify the accuracy of the personal data);
     • (ii)
       we no longer need the personal data, except for the case of the establishment, exercise, or defense of legal claims; or
     • (iii)
       the Customer objects to the processing of personal data on the grounds of legitimate interests (only for a period enabling us to judge whether the legitimate interests override the Customer’s interests, rights, and freedom).
   • (5)
     Right to Objection to the Processing of Personal Data
     The Customer will have the right to object to the processing of personal data concerning them in the case that the personal data is processed on the grounds of legitimate interests (Article 21 of GDPR).
   • (6)
     Right to Data Portability of Personal Data
     If personal data is processed on the grounds of the Customer’s consent or contract, and when there are no other grounds and the processing is conducted by automated means, the Customer will have the right to receive personal data concerning them in a structured, commonly used and machine-readable format and transmit such data to another controller without hindrance from us (Article 20 of GDPR).

   
   If you intend to exercise the rights mentioned above, please contact our customer service desk described in 8 below.
   
   The Customer may file a complaint with supervising authorities^＊3 located in their place of residence, etc., over our processing of the Customer’s personal data.

   • ＊3：This means one or more independent public authorities responsible for monitoring the application of GDPR established by each member state under Article 51, Paragraph 1 of GDPR.
4. 4

   Regarding the Retention Period of Personal Data

   We will retain the Customer’s personal data only for the period necessary to achieve the purposes of the processing. The specific retention period will be determined with consideration for the purpose of the processing of personal data, the nature of the personal data, the legal or business necessity of retention of personal data, etc., but in no event exceeding the period of 10 years in principle.

5. 5

   Regarding the Sharing of Personal Data

   1. 5.1 We may share the Customer’s personal data with any of our group companies or other third parties. We will, if sharing personal data with these third parties, conduct appropriate handling in accordance with GDPR. The principal sharing destinations are as follows:
      - Any of our group companies^＊4
      - Service providers such as outsourcing contractors and other business partners
      - Professionals (attorneys, tax accountants, certified public accountants, and others) and other expert advisers
      - Authorities concerned

      
      

   2. 5.2 We may, along with the acquisition of the Customer’s personal data, and in association with the sharing mentioned above, transfer the Customer’s personal data to countries outside the EU or the UK, including Japan, or countries such as the US or China where our group companies outside Japan are located. Japan has received the adequacy decision from the European Commission and has been designated as a country with an adequate level of data protection by the UK Government. However, if a relevant other country has not received such a decision or designation, we will transfer personal data after taking measures to transfer such data outside the EU lawfully in accordance with Chapter V of GDPR (for example, execution of standard contract clauses approved by the European Commission or the UK Government and others). The Customer may confirm further details (including transcripts of standard contract clauses) regarding the measures to transfer personal data outside the EU lawfully by contacting our customer service desk described in 8 below.

   • ＊4：This means the companies listed in the “Global” column on our webpage (https://www.nobelpharma.co.jp/en/company/profile/information/).
6. 6

   Regarding the Management of Personal Data

   We will take necessary and appropriate measures for the prevention of leakage, loss or damage to, and other safety management of personal data.

7. 7

   Regarding Changes to this Policy

   This policy is subject to change at any time. We will, upon making substantial or material changes, inform the Customers through this website and by notice using e-mail, etc., sent to the Customers if necessary.

8. 8

   Inquiries

   Please contact us at the following address for any questions or inquiries on this policy.
   
   Personal Data Controller
   Nobelpharma Co., Ltd.
   1-17-24, Shinkawa, Chuo-ku, Tokyo
   Customer Service Desk:info@nobelpharma.co.jp
   
   
   

   Attachment: Items of Personal Data Acquired/the Purposes of the Processing/Principal Legal Basis

   (1) Personal data of health care professionals including physicians, nurses, etc.

   Items of Personal Data:	・ Contact address, etc., information (name, the name and address of the organization to which the Customer belongs, telephone number, mobile phone number, e-mail address, etc.) ・ Information on business cards/e-mail signature spaces
   Purposes of the Processing of Personal Data	・ To contact/respond upon the occurrence of adverse drug reactions, accidents, recall, etc., of pharmaceuticals, etc. ・ To provide/collect/examine/transmit information on the quality, safety or efficacy of pharmaceuticals, etc. ・ To request/implement/support clinical studies, clinical research, post-marketing surveillance, etc., of pharmaceuticals, etc. ・ To provide information for effective furtherance of promotional activities for pharmaceuticals, etc. ・ To respond to inquiries, etc.
   Principal Legal Basis	2.2(5) Legitimate interests＊5

   • ＊5：Legitimate interests: the analysis/evaluation of quality/safety/efficacy of pharmaceuticals, the ensuring of the safety of pharmaceuticals, the furtherance of promotion, the provision/receipt of information/services, etc.

   (2) Personal data of officers and employees who belong to pharmaceuticals wholesalers or other business acquaintances that have business relationships with us, and individuals thereof

   Items of Personal Data:	・ Contact address, etc., information (name, the name and address of the organization to which the Customer belongs, telephone number, mobile phone number, e-mail address, etc.) ・ Information on business cards/e-mail signature spaces ・ History (start date of purchasing, records of inquiries, complaints, etc.)
   Purposes of the Processing of Personal Data	・ To provide/collect necessary information on business operations, transactions, etc. ・ To execute rights/perform obligations under contracts such as confidential obligation ・ To respond to inquiries, etc.
   Principal Legal Basis	2.2(5) Legitimate interests＊6, 2.2(2) performing a contract or taking steps prior to entering into a contract

   • ＊6：Legitimate interests: the maintenance/management of business relationships, the furtherance of transactions, the provision/receipt of information/services, etc.

   (3) Personal data of patients

   Items of Personal Data:	・ Contact address, etc., information (name, the name and address of place of employment, telephone number, mobile phone number, e-mail address, date of birth, gender, language, country of residence, etc., under the pseudonym/anonymity in principle under certain conditions, such as upon the occurrence of adverse events) ・ Health/medical information (adverse drug reactions, medical histories, test results, diagnostic information, treatment information, etc., to the minimum extent necessary)
   Purposes of the Processing of Personal Data	・ To collect information on adverse drug reactions of pharmaceuticals, etc. ・ To conduct clinical studies of pharmaceuticals, etc. ・ To respond to authorities ・ To respond to inquiries, etc.
   Principal Legal Basis	2.2(1) Consent, 2.2(5) Legitimate interests＊7, 2.2(3) Compliance with legal obligations With regard to health/medical information, we will process it only after receiving the Customer’s explicit consent in accordance with Article 9, Paragraph 2, Item (a) of GDPR.

   • ＊7：Legitimate interests: the maintenance/ensuring of patients’ safety, the development of pharmaceuticals for patients, the provision/receipt of information/services, etc.

   (4) Personal data of job applicants

   Items of Personal Data:	・ Contact address, etc., information (name, the name and address of place of employment, telephone number, mobile phone number, e-mail address, date of birth, language, country of residence, etc.) ・ Information described in resumes (educational background, work history and other experience, qualifications, thesis, etc.) ・ Records of interviews (evaluations, analyses, occupational preferences, specific conditions or proposals, etc.)
   Purposes of the Processing of Personal Data	・ To screen candidates for employment ・ To contact for screening, etc. ・ To respond to inquiries, etc.
   Principal Legal Basis	2.2(1) Consent, 2.2(5) Legitimate interests＊8

   • ＊8：Legitimate interests: human resource management, the provision/receipt of information and others

   (5) Personal data of website visitors

   Items of Personal Data:	・ Contact address, etc., information (name, the name and address of the organization to which the Customer belongs, telephone number, mobile phone number, e-mail address, etc.) ・ IP address, Cookie information
   Purposes of the Processing of Personal Data	・ To respond to inquiries, etc. ・ To improve the Customer’s convenience upon the usage of the website, optimize the content of publications, etc.
   Principal Legal Basis	2.2(5) Legitimate interests＊9

   • ＊9：Legitimate interests: the provision/receipt of information/services, optimization of the website, the handling of investigations of infringement/misconduct, etc.