PRIVACY POLICY
Privacy Policy, i.e., the principles of the processing of personal data by Bioton S.A. and Bioton Marketing Agency sp. z o.o. and the cookies policy for the website of Bioton S.A.
General Information
Bioton Group respects Users’ right to privacy and we process the personal data of these Users in accordance with the regulations in force. Below we present the principles of personal data processing by Bioton S.A. and Bioton Marketing Agency sp. z o.o.
Data Controller
The Personal Data Controller, i.e., the entity which determines for what purpose and to what extent personal data is processed, is Bioton S.A. or Bioton Marketing Agency sp. z o.o., depending on the entity you or your employer have business relations with.
- Bioton S.A. is a global pharmaceutical company.
- Bioton Marketing Agency sp. z o.o. is an entity marketing Bioton S.A. medicinal products.
Due to the business profile of Bioton S.A. and Bioton Marketing Agency sp. z o.o., personal data may disclosed to third parties, i.e.,:
- entities providing postal or courier services;
- banks, for settlement purposes;
- government bodies or other relevant entities, pursuant to the law in force;
- entities cooperating with Bioton S.A. and Bioton Marketing Agency sp. z o.o. at our request, in particular: suppliers of external systems supporting our business activity, auditing entities, entities rendering security services and, in the case of ADR reporting and drug safety in pregnancy, entities supporting report management.
Obtaining information on processing personal data
Bioton S.A. and Bioton Marketing Agency sp. z o.o. have assigned a Personal Data Protection Inspector, whom you can contact at iod@bioton.pl
You can also contact your Personal Data Controller directly:
- Bioton S.A. with its registered seat at Starościńska 5 in Warsaw, postal address: Poznańska 12, Macierzysz, 05-850 Ożarów Mazowiecki;
- Bioton Marketing Agency sp. z o.o. with its registered seat at Poznańska 12, Macierzysz, 05-850 Ożarów Mazowiecki.
Obtaining personal data and purpose of personal data processing
Bioton S.A. and Bioton Marketing Agency sp. z o.o. always process your personal data in a legal and safe manner.
- Bioton S.A.:
| Purpose of processing | Legal grounds for obtaining personal data and its retention period | Lawful basis for personal data processing (if applicable) |
|---|---|---|
| Entering into and performing a contract with a client or counterparty | Article 6 para. 1b and 1f GDPR Throughout the duration of the contract and, after the contract period, within the statute of limitations for the claims resulting thereof. | In justified cases, the Controller contacts the employees/collaborators of the client or counterparty in relation to actions prior to entering into or performing a contract. |
| Handling complaints | Article 6 para. 1b and 1f GDPR 1 year after the guarantee runs out or the complaint is settled. | In justified cases, the Controller contacts the employees/collaborators of the client or counterparty in relation to handling a complaint. |
| Pursuit of claims or defense against legal claims | Article 6 para. 1 lit. and 1f GDPR Throughout the claim pursuit process, i.e., until the claim is legally concluded and, in case of enforcement proceedings, until the final satisfaction of the pursued claims. | In justified cases, the Controller may process the data of the employees/collaborators of the client or counterparty in relation to the pursuit of claims or defense against legal claims. |
| Archiving documents, i.e., contracts and settlements | Article 6 para. 1c GDPR As required by law or, if the retention period of a particular document is not specified, for the duration of the Controller’s lawful basis resulting from the period for the potential satisfaction of claims. | |
| Statistical purposes | Article 6 para. 1f GDPR A retention period required by another legal basis. We do not retain data solely for statistical purposes. | Collecting statistical information on the Controller’s activities allows to optimize business activity. |
| Marketing own products and services, without advertising by electronic means | Article 6 para. 1f GDPR Until the User objects, i.e., until we are informed in any manner that the User does not want to receive advertising materials or be informed of our activities. | Conducting marketing activities to promote the company’s business. |
| Marketing own products and services by electronic means of advertising | Article 6 para. 1f of GDPR, whereas these activities require the consent of the User due to other legal regulations, in particular the Telecommunications Law and the Act on providing services by electronic means. Until the User objects or withdraws his/her consent, i.e., until we are informed in any manner that the User does not want to receive advertising materials or be informed of our activities. | Conducting marketing activities to promote the company’s business by email and phone. |
| Access control to the Controller’s premises, including CCTV | Article 6 para. 1f GDPR Until any objections are raised, but no longer than 1 year. | Keeping record of the persons entering the Controller’s premises is the Controller’s legitimate interest. The Controller may request the basic personal information of employee/collaborator (name and surname, place of employment or nature of collaboration) from the entity employing/collaborating with that person before his/her arrival at the Controller’s premises. |
| Recruitment | Article 6 para. 1a, 1c and 1f GDPR Throughout the recruitment process and, if the applicant agrees for his/her personal data to be retained for further recruitment, for maximum 1 year. | Without the consent of the person whose personal data is concerned, the Controller can retain the data of applicants who have not been hired for up to 6 months after the end of the recruitment process and it is the Controller’s legitimate interest, since the person employed may resign or be let go after the trial period. |
| Management of human resources – employees and collaborators | Article 6 para. 1a, 1b, 1c and 1f GDPR In accordance with the law in force that requires HR personal documents to be retained for 50 years and in some cases, in view of the most recent amendments, for 10 years. If the required retention period of certain documents is shorter, the Controller will retain the documents for this shorter period. Contracts under Civil Law will be retained until the end of the limitation period of the potential claims resulting thereof. | Within the lawful basis, the Controller can process the employee data obtained as a result of visual security monitoring or issuing personal access cards. The Controller does not use the image of employees/collaborators without their consent. |
| Handling ADR reports and drug safety in pregnancy | Article 6 para. 1c GDPR 10 years from the date the drug is withdrawn from the market. | |
| Processing the personal data of persons on managerial positions at the company of the Controller who is the issuer of an insider list | Article 6 para. 1c GDPR 5 years from the date the list is drawn up or updated. |
If the statute of limitations for potential claims is shorter than the retention period of settlement documents for tax purposes, we will retain these documents for the period required by law for settlement and tax purposes, i.e., for 5 (five) years from the end of the year in which the tax obligation is updated.
- Bioton Marketing Agency sp. z o.o.:
| Purpose of processing | Legal grounds for obtaining personal data and its retention period | Lawful basis for personal data processing (if applicable) |
|---|---|---|
| Entering into and performing a contract with a doctor and pharmacist and/or nurse as well as a counterparty | Article 6 para. 1b and 1f GDPR Throughout the duration of the contract and, after the contract period, within the statute of limitations for the claims resulting thereof. | In justified cases, the Controller contacts the employees/collaborators of the counterparty in relation to actions aimed at entering into or performing a contract. |
| Marketing Bioton S.A. products without advertising by electronic means | Article 6 para. 1f GDPR Until the User objects, i.e., until we are informed in any manner that the User does not want to receive advertising materials or be informed of our activities. | Conducting marketing activities to promote the company’s business. |
| Marketing Bioton S.A. products by electronic means of advertising | Article 6 para. 1f GDPR, whereas these activities require the consent of the User due to other legal regulations, in particular the Telecommunications Law and the Act on providing services by electronic means. Until the User objects or withdraws his/her consent, i.e., until we are informed in any manner that the User does not want to receive advertising materials or be informed of our activities. | Conducting marketing activities to promote the company’s business by email and phone |
| Ordering and confirming the delivery of medicinal product / medical device samples | Article 6 para. 1c GDPR 6 years from the date the samples are delivered | |
| Acquiring the consent for doctors’ visits | Article 6 para. 1a and 1c GDPR 6 years from the date the consent is withdrawn | |
| Pursuit of claims or defense against legal claims | Article 6 para. 1 lit. and 1f GDPR Throughout the claim pursuit process, i.e., until the claim is legally concluded and, in case of enforcement proceedings, until the final satisfaction of the pursued claims. | In justified cases, the Controller may process the data of the employees/collaborators of the client or counterparty in relation to the pursuit of claims or defense against legal claims. |
| Archiving documents, i.e., contracts and settlements | Article 6 para. 1c GDPR As required by law or, if the retention period of a particular document is not specified, for the duration of the Controller’s lawful basis resulting from the period for the potential satisfaction of claims. | |
| Statistical purposes | Article 6 para. 1f GDPR A retention period required by another legal basis. We do not retain data solely for statistical purposes. | Collecting statistical information on the Controller’s activities allows to optimize business activity. |
| Recruitment | Article 6 para. 1a,1c and 1f GDPR Throughout the recruitment process and, if the applicant agrees for his personal data to be retained for further recruitment, for maximum 1 year. | Without the consent of the person whose personal data is concerned, the Controller can retain the data of applicants who have not been hired for up to 6 months after the end of the recruitment process and it is the Controller’s legitimate interest, since the person employed may resign or be let go after the trial period. |
| Management of human resources – employees and collaborators | Article 6 para. 1a, 1b, 1c and 1f GDPR In accordance with the law in force that requires HR personal documents to be retained for 50 years and in some cases, in view of the most recent amendments, for 10 years. If the required retention period of certain documents is shorter, the Controller will retain the documents for this shorter period. Contracts under Civil Law will be retained until the end of the limitation period of the potential claims resulting thereof. | Within the lawful basis, the Controller can process the employee data obtained as a result of visual security monitoring or issuing personal access cards. The Controller does not use the image of employees/collaborators without their consent. |
If the statute of limitations for potential claims is shorter than the retention period of settlement documents for tax purposes, we will retain these documents for the period required by law for settlement and tax purposes, i.e., for 5 (five) years from the end of the year in which the tax obligation is updated.
If we process personal data for marketing purposes using electronic means, the legal basis for this are in particular:
- Article 10 of the Act of 18 July 2002 on providing services by electronic means (Polish Journal of Laws of 2017 item 1219 as amended), if you agree to receive information by email;
- Article 172 of the Act of 16 July 2004 Telecommunications Law (Polish Journal of Laws of 2017 item 1907 as amended), if you agree to receive information by phone.
Entitlements in the scope of data processing and freedom to provide personal data
Moreover, you have the right to submit a complaint to the supervisory authority, i.e., the President of the Personal Data Protection Office. More information is available athttps://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A32016R0679, in Articles 12-23 of the General Data Protection Regulation (GDPR).
In addition, the person shall have the right to lodge a complaint with the supervisory body, i.e. the President of the Personal Data Protection Office; more information at: https://uodo.gov.pl/pl/p/skargi
Providing your personal data is mandatory to enter into contracts and perform settlements, as well as in cases required by law. Except for the above cases, providing your personal data is voluntary.
Transfer of data to third countries
As a rule, we do not transfer personal data to third countries, i.e., your personal data will be processed within the European Economic Area. There may be situations when the basic personal data of a Bioton S.A. employee/collaborator (e.g. name and surname, position, work phone number and email address) is transferred to a third country, however this requirement will be necessary for the performance of the contract between Bioton S.A. and the employee/collaborator whose data is transferred. The transfer of data to third countries will only concern employees/collaborators who perform activities for Bioton’s client or potential client from a third country.
Automated personal data processing
Your personal data is not subject to automated processing (including profiling) in a manner that would allow decision-making, and that may have a legal or similarly significant effect on our clients and counterparties or their employees, doctors and nurses.
We use cookies to monitor and analyze traffic on our websites.
