Notice for suppliers and vendors
Santen Pharmaceuticals and its Affiliates (hereinafter “Santen”) uses third-party service providers to support it in providing its medicinal products and services to all individuals concerned. In so doing, Santen contracts with such third parties on specific terms and conditions in accordance with applicable data protection laws and regulations, including but not limited to the European General Data Protection Regulation 2016/679, any derivatives thereof and any other relevant national data protection or privacy law or regulation of any other country, including any codes of conduct or guidance issued by a national Regulator (collectively “Data Protection Legislation”).
Scope of this notice
This notice governs the collection, use and retention by Santen of personal data relating to: i) Santen’s suppliers, contractors, consultants and service providers in general that are natural persons, including self-employed individuals; ii) employees, workers, agents, delegates, and representatives of any third party supplier or vendor (legal entities) delivering products or services to Santen or acting for and on Santen’s behalf.
This notice may be updated periodically to reflect changes in our personal data processing practices. In that case we will inform you of any significant changes through the same channel we normally use to communicate with you.
Purposes of processing and retention
Santen collects and processes your personal data (provided by the company you work for or obtained directly from you) for the below purposes:
- Management of a business/contractual relationship with suppliers and vendors
- Execution and performance of a contract with you and/or your employer
Your personal data may include your personal (name, surname, job position/title) and business contact details (business address, email address or phone numbers), your professional background, your registration/identification information (identity card numbers) (insofar as required for the delivery of the services to Santen, including onsite access to Santen premises), your financial information (bank name, bank accounts, credit card numbers), your electronic identification information (insofar as required for the delivery of services to Santen, such as IP addresses, login user credentials, employee ID number etc.).
Your personal data will be retained for the duration of the business relationship between Santen and you/your employer and as further required under applicable laws and Santen’s internal policies.
Failure to provide the abovementioned personal data prevents Santen from entering into and maintaining a valid contractual relationship with you/your employer (including receiving the services, allowing you access to Santen premises, handling billing and invoicing, etc.).
Disclosure of data and contractual arrangements with third parties
As a data controller, Santen aims to establish a high level of data protection and privacy for its data subjects and partners alike. To that end, Santen has developed and uses specific privacy- and security-related language in its contractual arrangements with third party service providers acting for the benefit of Santen as data processors in compliance with applicable Data Protection Legislation.
Through its privacy-compliant contractual arrangements, Santen sets out the scope, subject-matter, duration and purpose of the data processing activities carried out by its data processors and their sub-processors (if any) as well as the types of personal data processed and the involved categories of data subjects. Moreover, details are provided with regard to the service provider’s obligations in its role as data processor, which include indicatively its confidentiality obligations, the procedure to be followed in case of a data breach incident, cooperation regarding inquiries from data subjects and authorities, assistance for the performance of data protection impact assessments, international data transfer mechanisms to be executed in the case of cross border data transfers, specific rules for the due diligence and engagement of sub-processors, implementation of appropriate security measures and personal data breach indemnification commitments.
International data transfers
Our service providers are required to be transparent and inform us in advance about their affiliates and any external collaborators (acting as sub-processors) that might be involved in processing activities. Where a service provider and/or any of its collaborators are located outside the European Union (EU) and/or the European Economic Area (EEA), we request that they execute appropriate data transfer mechanisms, in particular the EU Standard Contractual Clauses (SCCs) for controllers or processors for cross-border data transfers from the Community to third countries as approved by the European Commission, in the absence of an adequacy decision and/or any other data protection related certifications (e.g. Privacy Shield) in place, necessary to guarantee an adequate level of data protection and security in the recipient third country. This approach establishes and maintains a high level of data protection and privacy for our data subjects in the EU and beyond.
Further information and contact
To ask questions or comment about this notice, to complain or raise a concern or to exercise any of your rights under data protection laws, please contact our Privacy EMEA office by emailing us at firstname.lastname@example.org.
Last Updated: 7 November 2019