Personal data protection policy

TILMAN S.A

Personal data protection policy

(Last update : October 09, 2018)

 

 

1. Who are we?

This document is the personal data protection policy of TILMAN S.A. a company incorporated under Belgian law, having its registered office in Zone d'activités Sud, Bail. 15, 5377 Somme-Leuze, registered with the company register (BCE) under number 0458.493.759, and having the following e-mail address: privacy@tilman.be (hereinafter referred to as "Tilman" or "us").

Contact details of the Data Protection Officer of the controller: dpo@tilman.be

In the course of our activities, we collect, store, process and sometimes share personal data.

 

 

2. Objective of this policy

2.1. Information

Concerned about respecting your privacy, and aware of the importance of complying with our legal obligations in this regard, we do everything in our power to protect your personal data.

The purpose of this policy is to inform you (as "data subject") about how we (as "controller") process your personal data, in accordance with all applicable data protection and privacy laws and regulations (hereinafter referred to as "Data Protection Laws"), and, more particularly and among others, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (or "GDPR").

This policy is also intended to inform you of your rights regarding the processing of your personal data.

 

2.2. Informed consent

In some cases (specified below), the legal basis for our data processing is your informed consent. In such cases, the other purpose of this policy is to provide you with the information necessary to obtain valid consent from you.

Where our processing of personal data is based on your consent, you have the right to withdraw your consent at any time, but this withdrawal may not affect the lawfulness of the processing carried out prior to this withdrawal. To withdraw your consent, you are invited to use the easy unsubscribe procedures provided to you by our communications tools or by sending us an e-mail (to the address indicated in the "Who to contact about your personal data" section).

When our processing of personal data is based on your consent, it is our duty to be able to demonstrate that you have consented to the processing of your personal data. To do so, we retain data relating to your consent as long as we need to demonstrate our full and complete compliance with Data Protection Laws.

If you are under 16 years of age, it is our duty to make reasonable efforts to verify, in such cases, that consent is given or authorized by the person having parental authority, taking into account the available technology. This explains why, if necessary, we may ask for more information about this holder of parental authority.

 

 

3. Information on the different processing of personal data

In this section 3, for each treatment we perform, we provide you with information on:

  • The purposes of the processing (why we process your data);
  • The legal basis of the processing (what justifies the processing); where this legal basis is a legitimate interest, we mention the nature of such interest;
  • The categories of personal data concerned (what types of data are processed);
  • If applicable, the categories of recipients of personal data (with whom we share data);
  • Where appropriate, the transfer of personal data to recipients in countries outside the EU or to international organizations and the safeguards allowing such transfer;
  • The retention period during which personal data are kept, or if it is not possible to specify, the criterion used to determine such period of time;

In order to be as transparent and clear as possible, this information is presented in the tables below, and is provided by category of data subjects and purpose.

 

3.1. Customers

 

Purpose Customer service (requests for information, complaints, after-sales services)
Categories of data identification 1, electronic identification 2, content of communications, commercial information, description of the complaint
Sources data subject
Recipients none5
Retention period duration of the interaction (the duration is longer if the data are used for other processing operations mentioned in this section)
Legal bases

GDPR, art.6, §1 a) (consent)
GDPR, art.6, §1 c) (performance of legal and regulatory obligations)

Transfer outside the EU no
   
Purpose Customer management (order tracking and fulfillment, sales information, invoicing)
Categories of data identification 1, electronic identification 2, administrative data 3, sectoral data 4, customer code, function, category / home group, language, currency, financial characteristics, representative, transport, content of communications, commercial information.
Sources data subjects, official databases, commercial (public) databases
Recipients sales representatives, distributors and sales intermediaries, public administrations
Retention period 10 years after the end of the treatment (usually the end of the contract)
Legal bases

GDPR, art.6, §1 b) (performance of contractual or pre-contractual measures)
GDPR, art.6, §1 c) (performance of legal and regulatory obligations)

Transfer outside the EU no
   
Purpose Satisfaction surveys
Categories of data identification 1, electronic identification2
Sources data subject
Recipients none5
Retention period anonymization after completion of processing of responses and sending of the reward if applicable
Legal bases

GDPR, art.6, §1 b) (performance of contractual or pre-contractual measures)
GDPR, art.6, §1, f) (legitimate interest: quality controls, process improvement)

Transfer outside the EU no
   
Purpose Market analysis (statistical monitoring of purchases by central buying services)
Categories of data identification 1, electronic identification2
Sources central purchasing offices
Recipients none5
Retention period 10 years after the end of the treatment (usually the end of the contract)
Legal bases

GDPR, art.6, §1 b) (performance of contractual or pre-contractual measures)
GDPR, art.6, §1, f) (legitimate interest: process improvement, internal management, market analysis)

Transfer outside the EU no
   
Purpose Information campaigns (mailings)
Categories of data identification 1, electronic identification 2
Sources data subjects, data providers
Recipients none5
Retention period duration of consent
Legal bases

GDPR, art.6, §1 a) (consent)
GDPR, art.6, §1, f) (legitimate interest: "soft opt-in" for persons who are already TILMAN’s customers)

Transfer outside the EU no

 

3.2. Users of TILMAN products, doctors, pharmacists

 

Purpose Customer service (requests for information, complaints)
  See section "Customer > Customer service"
   
Purpose Pharmacovigilance
Categories of data identification 1, electronic identification 2, date of birth, age, weight, height, gender, medical data: product involved (and production information), adverse reactions, medical history
Sources data subjects, pharmacists, doctors
Recipients official pharmacovigilance authorities
Retention period 10 years after expiry of the marketing authorization
Legal bases

GDPR, art.6, §1 c) (performance of legal and regulatory obligations)
GDPR, art.9, §2 i) (grounds of public interest in the field of public health)

Transfer outside the EU no

 

3.3. Health professionals, organizations

 

Purpose Customer service (requests for information, complaints)
  See section "Customer > Customer service"
   
Purpose Information campaigns (emailings)
  See section "Customer > Information campaigns"
   
Purpose be Transparent
Categories of data identification 1, electronic identification 2, administrative data 3 (business number), sectoral data 4 (INAMI number), national registration number, financial data
Sources persons concerned, official databases
Recipients betransparent.be
Retention period legal period: 10 years from publication
Legal bases

GDPR, art.6, §1 c) (performance of legal and regulatory obligations)

Transfer outside the EU no
   
Purpose Coupons (events and specialized press)
Categories of data identification 1, electronic identification 2, sectoral data 4 (INAMI number), language
Sources data subject
Recipients none5
Retention period

For event coupons: duration of the event
For coupons in the press: duration of the interaction
The duration is longer if the data are used for other processing operations mentioned in this section

Legal bases

GDPR, art.6, §1 a) (consent)

Transfer outside the EU no

 

3.4. Suppliers

 

Purpose Supplier management (selection, order tracking, accounting and administration, quality controls)
Categories of data identification 1, electronic identification 2, administrative data 3, content of communications.
Sources data subjects, official databases, commercial (public) databases
Recipients public administrations
Retention period 10 years after the end of the treatment (usually the end of the contract)
Legal bases

GDPR, art.6, §1 b) (performance of contractual or pre-contractual measures)
GDPR, art.6, §1 c) (performance of legal and regulatory obligations)
GDPR, art.6, §1, f)  (legitimate interest: selection and management of suppliers, quality controls, process improvement, protection of TILMAN's rights)

Transfer outside the EU no

 

3.5. Prospects

 

Purpose Prospect service (request for information)
  See section "Customer > Customer service"
   
Purpose Information campaigns (mailings)
  See section "Customer > Information campaigns"
   
Purpose General prospecting
Categories of data identification 1, electronic identification 2, administrative data 3, sectoral data 4, customer code, function, category/group, language, currency, financial characteristics, representative, transport, content of communications, commercial information
Sources data subjects, official databases, commercial (public) databases
Recipients sales representatives, distributors and sales intermediaries
Retention period Indefinite (normal lead management time)
Legal bases

GDPR, art.6, §1, f)  (legitimate interest: prospecting of professional customers, development of economic activities)

Transfer outside the EU no

 

3.6. Candidates for employment

 

Purpose Recruitment
Categories of data identification 1, electronic identification 2, family composition, leisure, education, professional data, CV data.
Sources data subject
Recipients none5
Retention period recruitment period (the duration may be extended to one year with the consent of the person concerned)
Legal bases GDPR, art.6, §1 b) (pre-contractual measures)
GDPR, art.6, §1 a) (consent for subsequent storage)
Transfer outside the EU no

 

3.7. Associations and beneficiaries of sponsors

 

Purpose Sponsoring
Categories of data identification 1, electronic identification 2, administrative data 3
Sources data subject
Recipients none5
Retention period 10 years after the end of the treatment (usually the end of the contract)
Legal bases GDPR, art.6, §1 b) (performance of contractual or pre-contractual measures)
Transfer outside the EU no

 

3.8. Visitors to the site

 

Purpose Security (recording of entries and exits in our buildings)
Categories of data identification 1, name of employer, visit data (arrival and departure times)
Sources data subject
Recipients none5
Retention period 30 days
Legal bases GDPR, art.6, §1, c) (performance of legal and regulatory obligations)
GDPR, art.6, §1, f)  (legitimate interest: protection of the company, its property and its staff)
Transfer outside the EU

no

1 "Identification" data includes: first name, last name, physical address and telephone number.

2 "Electronic identification" data includes the email address (and possibly identifiers on the Internet or social networks)

3 "Administrative data" is all data necessary for tax and accounting purposes (VAT, company registration number, JNL codes,...).

4 "Sectoral data" is all data related to identification, certification, labelling or authorization as an economic actor (e.g. in the pharmaceutical production and distribution sector: IMS code, APB code, INAMI number, BIO control body code, FLOCERT identification number), logistics (e.g. EAN code, Certipost) or organisational logic (SCM, MPO).

5 The data shall at least be made accessible to TILMAN's staff and subcontractors (access rules shall be established so that only those persons who need it in the course of their work have access to the data). "None" means that the data is not disclosed to any other person or entity.

 

 

4. Your rights as a data subject

Data Protection Laws grant you rights on certain bases and under certain conditions, including the rights of access, rectification, opposition to processing, or request for deletion of your personal data, as well as the right to request the limitation of processing. Under certain conditions, you also have a right to the portability of your data.

Please contact us as specified in the "Who to contact about your personal data" section below to make any request to exercise your rights or if you have any questions or concerns about how we handle your personal data.

Please note that some personal data may be exempted from the rights of access, rectification, objection, deletion, limitation or portability in accordance with personal Data Protection Laws or other legislations.

 

 

5. Safety and security

Tilman takes appropriate technical, physical, legal and organizational measures, which comply with the Personal Data Protection Laws. Unfortunately, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure. If you have reasons to believe that an interaction with us is no longer secure (for example, if you believe that the security of any personal data you may have with us has been compromised), please notify us immediately. See the section "Who to contact about your personal data" below.

When Tilman provides personal data to a service provider, the service provider is carefully selected and must use appropriate measures to protect the confidentiality and security of personal data.

 

 

6. Personal data of third parties

If you provide us with personal data from third parties, you agree: (a) to inform the third party about the content of this Privacy Policy; and (b) to obtain the required consent for the collection, use, disclosure and transfer (including cross-border transfer) of the third party's personal data in accordance with this Privacy Policy, unless you can demonstrate that you can rely on a legal basis other than consent.

 

 

7. Complaints and complaints

If you are not satisfied with our processing of your personal data and if you think that contacting us will not solve the problem, the Data Protection Laws give you the right to file a complaint with the competent supervisory authority (more information on the latter's website: https://www.autoriteprotectiondonnees.be/)

 

 

8. Who to contact about your personal data

If you have any questions about our use of your personal data you can

  • send us an e-mail to the following address : privacy@tilman.be,
  • or write to us at the following physical address :    
    TILMAN S.A.
    15, Z.I. Sud 
    5377 Baillonville

    BELGIUM
  • or contact our DPO at the following email address : dpo@tilman.be

 

 

9. Changes to this Policy

We regularly review this Policy and reserve the right to make changes at any time to reflect changes in our business or new legal requirements.

To inform you of the changes, we will post updates on our website: www.tilman.be. In some cases, we may also notify you by email.

Please check the "last updated" date at the top of this Policy to see when it was last revised.