PRIVACY POLICY
Privacy Policy, i.e., the principles of the processing of personal data by Bioton S.A., Bioton Marketing Agency sp. z o.o. and Biolek sp. z o.o. and the cookies policy for the website of Bioton S.A.
General Information
Bioton Group respects Users’ right to privacy and we process the personal data of these Users in accordance with the regulations in force. Below we present the principles of personal data processing by Bioton S.A., Bioton Marketing Agency sp. z o.o. and Biolek sp. z o.o.
Data Controller
The Personal Data Controller, i.e., the entity which determines for what purpose and to what extent personal data is processed, is Bioton S.A. or Bioton Marketing Agency sp. z o.o., depending on the entity you or your employer have business relations with.
- Bioton S.A. is a global pharmaceutical company.
- Bioton Marketing Agency sp. z o.o. is an entity marketing Bioton S.A. medicinal products.
Due to the business profile of Bioton S.A., Bioton Marketing Agency sp. z o.o. and Biolek sp. z o.o., personal data may disclosed to third parties, i.e.,:
- entities providing postal or courier services;
- banks, for settlement purposes;
- government bodies or other relevant entities, pursuant to the law in force;
- entities cooperating with Bioton S.A., Bioton Marketing Agency sp. z o.o. and Biolek sp. z o.o. at our request, in particular: suppliers of external systems supporting our business activity, auditing entities, entities rendering security services and, in the case of ADR reporting and drug safety in pregnancy, entities supporting report management.
Obtaining information on processing personal data
Bioton S.A., Bioton Marketing Agency sp. z o.o. and Biolek sp. z o.o. have assigned a Personal Data Protection Inspector, whom you can contact at iod@bioton.com
You can also contact your Personal Data Controller directly:
- Bioton S.A. with its registered seat at Starościńska 5 in Warsaw, postal address: Poznańska 12, Macierzysz, 05-850 Ożarów Mazowiecki;
- Bioton Marketing Agency sp. z o.o. with its registered seat at Poznańska 12, Macierzysz, 05-850 Ożarów Mazowiecki;
- Biolek sp. z o.o. with its registered office at Poznańska 12, Macierzysz, 05-850 Ożarów Mazowiecki.
Obtaining personal data and purpose of personal data processing
Bioton S.A., Bioton Marketing Agency sp. z o.o. and Biolek sp. z o.o. always process your personal data in a legal and safe manner.
- Bioton S.A.:
| Purpose of processing | Legal grounds for obtaining personal data and its retention period | Lawful basis for personal data processing (if applicable) |
|---|---|---|
| Entering into and performing a contract with a client or counterparty | Article 6 para. 1b and 1f GDPR Throughout the duration of the contract and, after the contract period, within the statute of limitations for the claims resulting thereof. | In justified cases, the Controller contacts the employees/collaborators of the client or counterparty in relation to actions prior to entering into or performing a contract. |
| Handling complaints | Article 6 para. 1b and 1f GDPR 1 year after the guarantee runs out or the complaint is settled. | In justified cases, the Controller contacts the employees/collaborators of the client or counterparty in relation to handling a complaint. |
| Pursuit of claims or defense against legal claims | Article 6 para. 1 lit. and 1f GDPR Throughout the claim pursuit process, i.e., until the claim is legally concluded and, in case of enforcement proceedings, until the final satisfaction of the pursued claims. | In justified cases, the Controller may process the data of the employees/collaborators of the client or counterparty in relation to the pursuit of claims or defense against legal claims. |
| Archiving documents, i.e., contracts and settlements | Article 6 para. 1c GDPR As required by law or, if the retention period of a particular document is not specified, for the duration of the Controller’s lawful basis resulting from the period for the potential satisfaction of claims. | |
| Statistical purposes | Article 6 para. 1f GDPR A retention period required by another legal basis. We do not retain data solely for statistical purposes. | Collecting statistical information on the Controller’s activities allows to optimize business activity. |
| Marketing own products and services, without advertising by electronic means | Article 6 para. 1f GDPR Until the User objects, i.e., until we are informed in any manner that the User does not want to receive advertising materials or be informed of our activities. | Conducting marketing activities to promote the company’s business. |
| Marketing own products and services by electronic means of advertising | Article 6 para. 1f of GDPR, whereas these activities require the consent of the User due to other legal regulations, in particular the Telecommunications Law and the Act on providing services by electronic means. Until the User objects or withdraws his/her consent, i.e., until we are informed in any manner that the User does not want to receive advertising materials or be informed of our activities. | Conducting marketing activities to promote the company’s business by email and phone. |
| Access control to the Controller’s premises, including CCTV | Article 6 para. 1f GDPR Until any objections are raised, but no longer than 1 year. | Keeping record of the persons entering the Controller’s premises is the Controller’s legitimate interest. The Controller may request the basic personal information of employee/collaborator (name and surname, place of employment or nature of collaboration) from the entity employing/collaborating with that person before his/her arrival at the Controller’s premises. |
| Recruitment | Article 6 para. 1a, 1c and 1f GDPR Throughout the recruitment process and, if the applicant agrees for his/her personal data to be retained for further recruitment, for maximum 1 year. | Without the consent of the person whose personal data is concerned, the Controller can retain the data of applicants who have not been hired for up to 6 months after the end of the recruitment process and it is the Controller’s legitimate interest, since the person employed may resign or be let go after the trial period. |
| Management of human resources – employees and collaborators | Article 6 para. 1a, 1b, 1c and 1f GDPR In accordance with the law in force that requires HR personal documents to be retained for 50 years and in some cases, in view of the most recent amendments, for 10 years. If the required retention period of certain documents is shorter, the Controller will retain the documents for this shorter period. Contracts under Civil Law will be retained until the end of the limitation period of the potential claims resulting thereof. | Within the lawful basis, the Controller can process the employee data obtained as a result of visual security monitoring or issuing personal access cards. The Controller does not use the image of employees/collaborators without their consent. |
| Handling ADR reports and drug safety in pregnancy | Article 6 para. 1c GDPR 10 years from the date the drug is withdrawn from the market. | |
| Processing the personal data of persons on managerial positions at the company of the Controller who is the issuer of an insider list | Article 6 para. 1c GDPR 5 years from the date the list is drawn up or updated. | |
| Recording and transcription of training sessions | Article 6(1)(f) of the GDPR For the time necessary to achieve the training purpose, but no longer than 4 years from the date of their collection. | In order to effectively conduct the training process, provide training materials to participants and ensure the quality of the training, the controller may record the course of the meetings. |
| Recording and transcription of business meetings and negotiations | Article 6(1)(f) of the GDPR For the duration of the cooperation or the term of the agreement and for the period necessary to secure any claims or arrangements between the parties arising from meetings. | In order to ensure the accuracy of the arrangements, the implementation of the contractual provisions and the possibility of demonstrating the content of the arrangements in the event of any disputes, the controller may record the course of the meetings. |
If the statute of limitations for potential claims is shorter than the retention period of settlement documents for tax purposes, we will retain these documents for the period required by law for settlement and tax purposes, i.e., for 5 (five) years from the end of the year in which the tax obligation is updated.
Information clause for online meetings
| Who is the controller of your data? BIOTON S.A. with its registered office at ul. Starościńska 5 in Warsaw, correspondence address: ul. Poznańska 12, Macierzysz (05-850 Ożarów Mazowiecki). Contact details of the data protection inspector: iod@bioton.com. | Who do we share it with? Personal data is shared with the IT environment and Teams messenger provider – Microsoft Ireland Ltd. Personal data is shared with the automatic speech transcription service provider. |
| For what purposes and on what basis will your data be processed within the framework of? Meetings conducted via the Microsoft Teams platform may be recorded and subject to automatic speech transcription. The controller shall inform participants of the fact of recording and transcription each time before the meeting begins.Business meetings Recording and transcription are carried out for the following purposes:
– this is our legitimate interest related to the performance of contractual provisions and the ability to demonstrate the content of arrangements in the event of any disputes (Article 6(1)(f) of the GDPR). Training meetings
– this is our legitimate interest in the effective implementation of the training process, making training materials available to participants and ensuring the quality of the training provided (Article 6(1)(f) of the GDPR). | What are your rights?
Right to object Right to lodge a complaint |
| Obligation to provide data The provision of your personal data is necessary for the purposes of the legitimate interests pursued by the Controller. | Transfer of data abroad Your data is transferred outside the European Economic Area. In the case of our IT solution providers, your personal data may be transferred to the USA. We transfer personal data to entities based in the USA that participate in the Data Privacy Framework programme. For more information, please visit: https://www.dataprivacyframework.gov/s/. In other cases, we enter into standard contractual clauses with our suppliers. For more information, including copies of the standard contractual clauses we use, please contact our data protection officer at iod@bioton.com. |
| How long is your data processed? Recordings of meetings are stored for a period of 4 years from the date of acquisition. Transcripts are stored for a period of 4 years from the date of acquisition. | Profiling and automated decision-making No automated decision-making, including profiling, takes place. |
- Bioton Marketing Agency sp. z o.o.:
| Purpose of processing | Legal grounds for obtaining personal data and its retention period | Lawful basis for personal data processing (if applicable) |
|---|---|---|
| Entering into and performing a contract with a doctor and pharmacist and/or nurse as well as a counterparty | Article 6 para. 1b and 1f GDPR Throughout the duration of the contract and, after the contract period, within the statute of limitations for the claims resulting thereof. | In justified cases, the Controller contacts the employees/collaborators of the counterparty in relation to actions aimed at entering into or performing a contract. |
| Marketing Bioton S.A. products without advertising by electronic means | Article 6 para. 1f GDPR Until the User objects, i.e., until we are informed in any manner that the User does not want to receive advertising materials or be informed of our activities. | Conducting marketing activities to promote the company’s business. |
| Marketing Bioton S.A. products by electronic means of advertising | Article 6 para. 1f GDPR, whereas these activities require the consent of the User due to other legal regulations, in particular the Telecommunications Law and the Act on providing services by electronic means. Until the User objects or withdraws his/her consent, i.e., until we are informed in any manner that the User does not want to receive advertising materials or be informed of our activities. | Conducting marketing activities to promote the company’s business by email and phone |
| Ordering and confirming the delivery of medicinal product / medical device samples | Article 6 para. 1c GDPR 6 years from the date the samples are delivered | |
| Acquiring the consent for doctors’ visits | Article 6 para. 1a and 1c GDPR 6 years from the date the consent is withdrawn | |
| Pursuit of claims or defense against legal claims | Article 6 para. 1 lit. and 1f GDPR Throughout the claim pursuit process, i.e., until the claim is legally concluded and, in case of enforcement proceedings, until the final satisfaction of the pursued claims. | In justified cases, the Controller may process the data of the employees/collaborators of the client or counterparty in relation to the pursuit of claims or defense against legal claims. |
| Archiving documents, i.e., contracts and settlements | Article 6 para. 1c GDPR As required by law or, if the retention period of a particular document is not specified, for the duration of the Controller’s lawful basis resulting from the period for the potential satisfaction of claims. | |
| Statistical purposes | Article 6 para. 1f GDPR A retention period required by another legal basis. We do not retain data solely for statistical purposes. | Collecting statistical information on the Controller’s activities allows to optimize business activity. |
| Recruitment | Article 6 para. 1a,1c and 1f GDPR Throughout the recruitment process and, if the applicant agrees for his personal data to be retained for further recruitment, for maximum 1 year. | Without the consent of the person whose personal data is concerned, the Controller can retain the data of applicants who have not been hired for up to 6 months after the end of the recruitment process and it is the Controller’s legitimate interest, since the person employed may resign or be let go after the trial period. |
| Management of human resources – employees and collaborators | Article 6 para. 1a, 1b, 1c and 1f GDPR In accordance with the law in force that requires HR personal documents to be retained for 50 years and in some cases, in view of the most recent amendments, for 10 years. If the required retention period of certain documents is shorter, the Controller will retain the documents for this shorter period. Contracts under Civil Law will be retained until the end of the limitation period of the potential claims resulting thereof. | Within the lawful basis, the Controller can process the employee data obtained as a result of visual security monitoring or issuing personal access cards. The Controller does not use the image of employees/collaborators without their consent. |
| Recording and transcription of training sessions | Article 6(1)(f) of the GDPR For the time necessary to achieve the training purpose, but no longer than 4 years from the date of their collection. | In order to effectively conduct the training process, provide training materials to participants and ensure the quality of the training, the controller may record the course of the meetings. |
| Recording and transcription of business meetings and negotiations | Article 6(1)(f) of the GDPR For the duration of the cooperation or the term of the agreement and for the period necessary to secure any claims or arrangements between the parties arising from meetings. | In order to ensure the accuracy of the arrangements, the implementation of the contractual provisions and the possibility of demonstrating the content of the arrangements in the event of any disputes, the controller may record the course of the meetings. |
If the statute of limitations for potential claims is shorter than the retention period of settlement documents for tax purposes, we will retain these documents for the period required by law for settlement and tax purposes, i.e., for 5 (five) years from the end of the year in which the tax obligation is updated.
If we process personal data for marketing purposes using electronic means, the legal basis for this are in particular:
- Article 10 of the Act of 18 July 2002 on providing services by electronic means (Polish Journal of Laws of 2017 item 1219 as amended), if you agree to receive information by email;
- Article 172 of the Act of 16 July 2004 Telecommunications Law (Polish Journal of Laws of 2017 item 1907 as amended), if you agree to receive information by phone.
Information clause for online meetings
| Who is the controller of your data? BIOTON MARKETING AGENCY Sp. z o.o. with its registered office at ul. Poznańska 12, Macierzysz (05-850 Ożarów Mazowiecki). Contact details of the data protection inspector: iod@bioton.com. | Who do we share it with? Personal data is shared with the IT environment and Teams messenger provider – Microsoft Ireland Ltd. Personal data is shared with the automatic speech transcription service provider. |
| For what purposes and on what basis will your data be processed within the framework of? Meetings conducted via the Microsoft Teams platform may be recorded and subject to automatic speech transcription. The controller shall inform participants of the fact of recording and transcription each time before the meeting begins.Business meetings Recording and transcription are carried out for the following purposes:
– this is our legitimate interest related to the performance of contractual provisions and the ability to demonstrate the content of arrangements in the event of any disputes (Article 6(1)(f) of the GDPR). Training meetings
– this is our legitimate interest in the effective implementation of the training process, making training materials available to participants and ensuring the quality of the training provided (Article 6(1)(f) of the GDPR). | What are your rights?
Right to object Right to lodge a complaint |
| Obligation to provide data The provision of your personal data is necessary for the purposes of the legitimate interests pursued by the Controller. | Transfer of data abroad Your data is transferred outside the European Economic Area. In the case of our IT solution providers, your personal data may be transferred to the USA. We transfer personal data to entities based in the USA that participate in the Data Privacy Framework programme. For more information, please visit: https://www.dataprivacyframework.gov/s/. In other cases, we enter into standard contractual clauses with our suppliers. For more information, including copies of the standard contractual clauses we use, please contact our data protection officer at iod@bioton.com. |
| How long is your data processed? Recordings of meetings are stored for a period of 4 years from the date of acquisition. Transcripts are stored for a period of 4 years from the date of acquisition. | Profiling and automated decision-making No automated decision-making, including profiling, takes place. |
- Biolek sp. z o.o.:
| Purpose of processing | Legal grounds for obtaining personal data and its retention period | Lawful basis for personal data processing (if applicable) |
|---|---|---|
| Entering into and performing a contract with a doctor and pharmacist and/or nurse as well as a counterparty | Article 6 para. 1b and 1f GDPR Throughout the duration of the contract and, after the contract period, within the statute of limitations for the claims resulting thereof. | In justified cases, the Controller contacts the employees/collaborators of the counterparty in relation to actions aimed at entering into or performing a contract. |
| Handling complaints | Article 6 para. 1b and 1f GDPR 1 year after the guarantee runs out or the complaint is settled. | In justified cases, the Controller contacts the employees/collaborators of the client or counterparty in relation to handling a complaint. |
| Marketing Biolek Sp. z o.o. products without advertising by electronic means | Article 6 para. 1f GDPR Until the User objects, i.e., until we are informed in any manner that the User does not want to receive advertising materials or be informed of our activities. | Conducting marketing activities to promote the company’s business. |
| Marketing Biolek Sp. z o.o. products by electronic means of advertising | Article 6 para. 1f GDPR, whereas these activities require the consent of the User due to other legal regulations, in particular the Telecommunications Law and the Act on providing services by electronic means. Until the User objects or withdraws his/her consent, i.e., until we are informed in any manner that the User does not want to receive advertising materials or be informed of our activities. | Conducting marketing activities to promote the company’s business by email and phone |
| Ordering and confirming the delivery of medicinal product / medical device samples | Article 6 para. 1c GDPR 6 years from the date the samples are delivered | |
| Acquiring the consent for doctors’ visits | Article 6 para. 1a and 1c GDPR 6 years from the date the consent is withdrawn | |
| Pursuit of claims or defense against legal claims | Article 6 para. 1 lit. and 1f GDPR Throughout the claim pursuit process, i.e., until the claim is legally concluded and, in case of enforcement proceedings, until the final satisfaction of the pursued claims. | In justified cases, the Controller may process the data of the employees/collaborators of the client or counterparty in relation to the pursuit of claims or defense against legal claims. |
| Archiving documents, i.e., contracts and settlements | Article 6 para. 1c GDPR As required by law or, if the retention period of a particular document is not specified, for the duration of the Controller’s lawful basis resulting from the period for the potential satisfaction of claims. | |
| Statistical purposes | Article 6 para. 1f GDPR A retention period required by another legal basis. We do not retain data solely for statistical purposes. | Collecting statistical information on the Controller’s activities allows to optimize business activity. |
| Recruitment | Article 6 para. 1a,1c and 1f GDPR Throughout the recruitment process and, if the applicant agrees for his personal data to be retained for further recruitment, for maximum 1 year. | Without the consent of the person whose personal data is concerned, the Controller can retain the data of applicants who have not been hired for up to 6 months after the end of the recruitment process and it is the Controller’s legitimate interest, since the person employed may resign or be let go after the trial period. |
| Management of human resources – employees and collaborators | Article 6 para. 1a, 1b, 1c and 1f GDPR In accordance with the law in force that requires HR personal documents to be retained for 50 years and in some cases, in view of the most recent amendments, for 10 years. If the required retention period of certain documents is shorter, the Controller will retain the documents for this shorter period. Contracts under Civil Law will be retained until the end of the limitation period of the potential claims resulting thereof. | Within the lawful basis, the Controller can process the employee data obtained as a result of visual security monitoring or issuing personal access cards. The Controller does not use the image of employees/collaborators without their consent. |
| Recording and transcription of training sessions | Article 6(1)(f) of the GDPR For the time necessary to achieve the training purpose, but no longer than 4 years from the date of their collection. | In order to effectively conduct the training process, provide training materials to participants and ensure the quality of the training, the controller may record the course of the meetings. |
| Recording and transcription of business meetings and negotiations | Article 6(1)(f) of the GDPR For the duration of the cooperation or the term of the agreement and for the period necessary to secure any claims or arrangements between the parties arising from meetings. | In order to ensure the accuracy of the arrangements, the implementation of the contractual provisions and the possibility of demonstrating the content of the arrangements in the event of any disputes, the controller may record the course of the meetings. |
Information clause for online meetings
| Who is the controller of your data? Biolek Sp. z o.o. with its registered office at ul. Poznańska 12, Macierzysz (05-850 Ożarów Mazowiecki). Contact details of the data protection inspector: iod@bioton.com. | Who do we share it with? Personal data is shared with the IT environment and Teams messenger provider – Microsoft Ireland Ltd. Personal data is shared with the automatic speech transcription service provider. |
| For what purposes and on what basis will your data be processed within the framework of? Meetings conducted via the Microsoft Teams platform may be recorded and subject to automatic speech transcription. The controller shall inform participants of the fact of recording and transcription each time before the meeting begins.Business meetings Recording and transcription are carried out for the following purposes:
– this is our legitimate interest related to the performance of contractual provisions and the ability to demonstrate the content of arrangements in the event of any disputes (Article 6(1)(f) of the GDPR). Training meetings
– this is our legitimate interest in the effective implementation of the training process, making training materials available to participants and ensuring the quality of the training provided (Article 6(1)(f) of the GDPR). | What are your rights?
Right to object Right to lodge a complaint |
| Obligation to provide data The provision of your personal data is necessary for the purposes of the legitimate interests pursued by the Controller. | Transfer of data abroad Your data is transferred outside the European Economic Area. In the case of our IT solution providers, your personal data may be transferred to the USA. We transfer personal data to entities based in the USA that participate in the Data Privacy Framework programme. For more information, please visit: https://www.dataprivacyframework.gov/s/. In other cases, we enter into standard contractual clauses with our suppliers. For more information, including copies of the standard contractual clauses we use, please contact our data protection officer at iod@bioton.com. |
| How long is your data processed? Recordings of meetings are stored for a period of 4 years from the date of acquisition. Transcripts are stored for a period of 4 years from the date of acquisition. | Profiling and automated decision-making No automated decision-making, including profiling, takes place. |
Entitlements in the scope of data processing and freedom to provide personal data
Moreover, you have the right to submit a complaint to the supervisory authority, i.e., the President of the Personal Data Protection Office. More information is available athttps://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679, in Articles 12-23 of the General Data Protection Regulation (GDPR).
In addition, the person shall have the right to lodge a complaint with the supervisory body, i.e. the President of the Personal Data Protection Office; more information at: https://uodo.gov.pl/pl/p/skargi
Providing your personal data is mandatory to enter into contracts and perform settlements, as well as in cases required by law. Except for the above cases, providing your personal data is voluntary.
Transfer of data to third countries
As a rule, we do not transfer personal data to third countries, i.e., your personal data will be processed within the European Economic Area. There may be situations when the basic personal data of a Bioton S.A. employee/collaborator (e.g. name and surname, position, work phone number and email address) is transferred to a third country, however this requirement will be necessary for the performance of the contract between Bioton S.A. and the employee/collaborator whose data is transferred. The transfer of data to third countries will only concern employees/collaborators who perform activities for Bioton’s client or potential client from a third country.
Automated personal data processing
Your personal data is not subject to automated processing (including profiling) in a manner that would allow decision-making, and that may have a legal or similarly significant effect on our clients and counterparties or their employees, doctors and nurses.
We use cookies to monitor and analyze traffic on our websites.