Protection of personal data
INTRODUCTION
This General Policy on the Processing of Personal Data (“General Policy”) applies to all ASCENDIS activities involving the processing of personal data (“Personal Data”).
Personal Data is particularly valuable information, the processing of which is essential for ASCENDIS’ business, but at the same time entails considerable responsibility for all persons involved. Each ASCENDIS employee must be aware of the general rules contained in this Policy and pay close attention to any actions they take with respect to Personal Data (including simply storing it).
The processing of personal data is subject to specific legislation, which imposes numerous obligations on ASCENDIS and severe legal liability. The cooperation of all ASCENDIS employees is required to ensure the full and correct application of the GDPR rules.
The risks to which ASCENDIS may be exposed if the Personal Data protection rules are not respected include the following:
- Security incidents (loss, theft, destruction or other problems) affecting the Personal Data, in which case it may be mandatory to notify the NSAfPDP or the affected Data Subjects themselves. In such a context, the security incident could become public and affect the image of ASCENDIS, in addition to resulting in financial loss and harm to the rights of individuals.
- Fines and other sanctions imposed by the NSAfPDP. The sanctions are published by the authority on the institution’s website, which represents considerable exposure. Moreover, under its legal powers, the Authority may impose the restriction of processing or the erasure of personal data, which can result in financial losses far in excess of a monetary fine.
- Compensation to data subjects for damages caused by the unlawful processing of Personal Data. The GDPR establishes a system of liability for both Data Controllers and Data Processors towards data subjects whom they affect through unlawful processing of Personal Data.
ASCENDIS can prevent or reduce the risks associated with the unlawful processing of Personal Data by adopting privacy-friendly behaviours at the company’s level. These include:
- Awareness and acceptance of the Personal Data protection rules included in the policies and procedures adopted by ASCENDIS.
- Identifying the situations in which each ASCENDIS employee processes Personal Data and establishing the rules related to that activity.
- A culture of trust and communication between the employees and the Personal Data Protection Coordinator (DPC).
- A transparent approach to the processing of Personal Data vis-à-vis the data subjects, including respecting the rights of data subjects under the GDPR.
- Cooperating with the NSAfPDP or other personal data processing authorities in EU Member States in the context of information requests or investigations.
- Communicating to business partners and the general public regarding the commitment to comply with the personal data protection rules.
ASCENDIS management must ensure that this General Policy is understood and applied by employees, collaborators or other persons acting for ASCENDIS. To this end, ASCENDIS management shall make sure that:
- this General Policy, as well as the other specific policies applicable in the field of Personal Data protection are communicated to the employees, the collaborators and other persons acting for ASCENDIS.
- breaches of this General Policy, as well as other policies applicable to the processing of Personal Data, are addressed early and are dealt with, depending on their seriousness, in accordance with the applicable ASCENDIS disciplinary procedures.
Violations of this General Policy, as well as other policies or procedures applicable to the processing of Personal Data, may be considered disciplinary offences.
Please review this Policy carefully in order to learn the general rules for the protection of Personal Data processed within ASCENDIS. Some of the obligations or activities set out in this document may be explained at length in specific procedures – in which case, if that procedure applies to you, please refer to that procedure as well.
If you have any questions about the application of the rules for processing of Personal Data, please contact the ASCENDIS DPC. The ASCENDIS DPC oversees the application of this General Policy and other policies and procedures applicable to the processing of Personal Data.
APPLICABLE LEGISLATION
The legal framework applicable to the activities covered by this Policy:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”).
- Law No 190/2018 on measures for implementing the GDPR (“Law 190/2018”).
- Law No 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, published in the Official Gazette No 1101 of 25.11.2004, as amended (“Law 506/2004”).
DEFINITIONS
In order to be able to apply this Policy, you need to understand the following key concepts of personal data protection law:
| NOTION | DEFINITION |
|---|---|
| NSAfPDP or the Supervisory Authority | means the National Supervisory Authority for Personal Data Processing, established by Law No 102/2005 regarding the setting up, organisation and functioning of the National Supervisory Authority for Personal Data Processing, as amended. |
| Data Protection Coordinator (DPC) | means the person who holds the position of Compliance Director within ASCENDIS or another position that includes responsibilities in the area of personal data protection. |
| Anonymous Data | means data that can no longer be attributed to a specific data subject, even using additional information. Anonymous data is non-identifiable and therefore not subject to GDPR protection. |
| Personal Data | means any information relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity. |
| Pseudonymous Data | means personal data processed in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to technical and organisational measures in order to ensure that the personal data are not attributed to an identified or identifiable natural person. |
| Data from special categories | means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, as well as genetic data, biometric data uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, as regulated by Article 9(1) GDPR. |
| Duration of keeping | means the period of time (fixed or determinable) during which the Personal Data are kept by ASCENDIS in a form that allows the identification of the Data Subjects. |
| DPA or Data Processing Agreement | means a personal data processing agreement setting out the rights and obligations of the parties in the case of Controller-Processor and Associated Controller relationships respectively, with the minimum content indicated in Articles 28 and 26 of the GDPR. |
| DPIA | means the assessment of the impact of the processing operations on the protection of personal data. |
| GDPR | means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC. |
| Processor | means the person (or entity) processing Personal Data on behalf of a Controller. Please note: the employees of the Controller are not Processors within the meaning of the GDPR. |
| ePrivacy legislation | means Law No 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector, published in the Official Gazette No 1101 of 25.11.2004, as amended. |
| Information notification | means the document, in physical or electronic form, presented as a whole or in steps, which provides the data subject with details of how his or her personal data are processed (i.e., the elements required under Articles 13 and 14 GDPR). It may also be found under different names, such as the privacy statement or the privacy policy. |
| National identification number | means the number by which a natural person is identified in certain record-keeping systems and which has general applicability, such as: personal identification number (CNP), ID card series and number, passport number, driving licence number, social health insurance number. |
| Controller | means the person who, alone or jointly with others, determines the purposes and means of the processing of Personal Data. |
| Associated Controllers | means two or more Controllers jointly determining the purposes and means of processing. |
| Data Subject | means the natural person to whom the Personal Data relates. |
| Processing (or Personal Data processing) | means any operation or set of operations performed on Personal Data, with or without the use of automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Record of Processing Activities (ROPA) | means the instrument by which the record of personal data processing activities is maintained, according to Article 30 of the GDPR. |
| ASCENDIS Network | means the network of physicians, pharmacists and other medical specialists developed within ASCENDIS with the aim of raising awareness in this field by promoting and organising medical events and conferences and promoting and presenting products. |
GENERAL ASPECTS
Within its business activities, ASCENDIS processes a large volume of Personal Data relating to physicians and pharmacists. This data includes information necessary to identify the individuals and manage the relationship with them (name, surname, email address, telephone number, signature, date of birth, seal code, image, etc.) for various purposes (promotion and organization of medical events and conferences, individual sponsorship activities, conducting marketing studies, etc.). ASCENDIS also processes the data of its own employees and collaborators – their representatives if the collaborators are legal entities (internal administrative processing).
The definition of Personal Data under GDPR is broad:
Article 4(1) GDPR: “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data refers to individuals. Therefore, in the case of identifying data of legal persons (name, CUI, office@ email address, a telephone number not assigned to an individual, etc.) the GDPR protection shall not apply. However, please note that there are provisions in Law 506/2004, applicable in the particular case of direct marketing / unsolicited commercial communications, which are also intended to protect the legal persons.
Even if a piece of information is apparently anonymous, it could, when combined with other information, uniquely identify an individual. For example, a seal code (consisting only of digits and/or letters) if searched in the Ascendis Network, which is a larger database, can lead to the unique identification of a physician.
Thus, the question that arises in determining the presence of Personal Data is: Can this information, using reasonable means (e.g., by combination with other information held or reasonably obtainable) lead to the unique identification or isolation of an individual?
In determining whether the effort to indirectly identify a person is reasonable, you must take into account objective factors such as the financial and time resources that would need to be allocated to bring about the identification, considering the technology available at the time of processing that data.
Pseudonymous Data (as opposed to Anonymous Data) continues to be Personal Data and is subject to the application of the GDPR.
If a database contains a mix between Personal Data and identifying information of the legal entities, the protection applied shall be in accordance with the GDPR standard.
The GDPR applies to the Personal Data stored electronically or physically, processed manually or automatically as long as those Personal Data are part of or intended to be part of a record-keeping system.
According to Article 9 of the GDPR, special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, as well as genetic data, biometric data uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
ASCENDIS does not routinely process Special Category Personal Data. Certain data, such as the health status and other data relevant from an employment law perspective, may be processed in the context of HR activity (for example, for the purpose of complying with sick leave entitlements).
The processing of Special Category Personal Data is subject to a general prohibition established by Article 9(1) of the GDPR. Exceptionally, special category data may be processed if, in addition to the existence of a ground for processing as set out in Article 6 GDPR, one of the conditions set out in Article 9(2) GDPR applies.
“Processing” refers to any operation or set of operations performed on Personal Data, whether by automated or manual means. For example: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The mere storage of Personal Data, even if the data is not routinely modified, accessed or reorganised, constitutes processing and falls under the GDPR. Therefore, the archiving of records containing Personal Data continues to constitute processing from a GDPR perspective.
The GDPR is not the only legislation that applies. Some of the GDPR topics have been developed at national level by Law 190/2018. This law is important, among other things, as it regulates the framework applicable to the monitoring of employees at work through electronic means of communication, as well as the conditions for processing National Identification Numbers, such as the CNP.
Also, in the area of the privacy protection in the electronic communications sector, Law 506/2004 applies, which contains important provisions on the placement of cookies and similar technologies, as well as on the direct marketing. Please note: Law 506/2004 also regulates situations where information that is not necessarily Personal Data is processed. For example, the placement of cookies.
When developing a website, an online platform or an app for mobile devices, you need to consider both the GDPR and Law 506/2004.
The above structure outlines, in brief, the logical steps that must be applied each time we want to start processing any Personal Data. A detailed overview of each principle mentioned in the scheme is given in section 7 below. These principles are expressly regulated in Article 5 of the GDPR.
The content of the purpose limitation principle under Article 5(1)(b) of the GDPR: “Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’).”
Firstly, it is important to note that not every purpose can be invoked for processing. It must be lawful, i.e., not in breach of data protection legislation or other legislation. The purposes of processing must be specified, and must be explicit and legitimate.
ASCENDIS must clearly state the purposes for which the data are processed and how it intends to process them. These elements must be made clear from the outset, before the gathering of the data.
The determination of the purposes from the outset and their documentation are also necessary for the fulfilment of other GDPR obligations. For example, Article 30 of the GDPR requires the keeping of a record of the processing activities under the responsibility of ASCENDIS (ROPA), which must mention, inter alia, the purposes of the processing. ASCENDIS must also inform the data subjects on the purposes of the processing of their data as part of its compliance with the obligation to inform.
ASCENDIS must ensure that, if data are processed for any purposes additional to those originally established, the new processing meets the conditions of fairness, lawfulness and transparency.
- Determined purpose
In order for a processing purpose to be determined, it is necessary for ASCENDIS to analyse the objectives to be achieved by processing the Personal Data. This effort must be completed before the actual processing begins (in order to comply with the accountability principle laid down in the GDPR).
ASCENDIS must specify as clearly as possible the purposes of a processing operation or provide sufficient information on the purpose envisaged. Purposes formulated too vaguely may have a negative chain effect – i.e., they will lead to a failure to comply with the obligation to inform and even to invalidation of consent (if this was the basis of the processing).
Examples of vaguely worded purposes: the Article 29 Working Party considers that wording such as “improving user experience,” “marketing purposes,” “security and IT purposes” or “further research” is vague and general and would not satisfy the requirement for the purpose to be determined. Other examples of vague purposes: “we process your personal data for our internal purposes,” “the purpose of promoting our partners’ products.”
- Explicit purpose
Having an explicit purpose means that it is understandable enough to be understood by persons outside the organisation. Thus, ASCENDIS must ensure that:
- it can effectively formulate the purpose and explain it to those seeking clarification;
- the wording of the purpose is clear and does not create difficulties of interpretation (it is not ambiguous);
- the wording of the purpose can be understood by persons outside the organisation, such as data subjects, supervisory authorities or other third parties;
- the language used is accessible, so that the purpose is understandable to the intended audience.
- Legitimate purpose
A processing operation is carried out for a legitimate purpose if, throughout its course:
- the operation can be founded on at least one of the grounds set out in Article 6(1) of the GDPR; and
- it does not contravene any laws in the field of personal data protection or in any other field (e.g. consumer protection, electronic communications, labour relations, competition, etc.).
- Subsequent processing
In the course of carrying out the processing operations on the Personal Data, ASCENDIS may identify other purposes for which the processing is or becomes necessary. The GDPR does not prohibit the processing of Personal Data for a purpose subsequent to the original purpose if the following conditions are met:
- the new purpose is compatible with the original purpose, in which case a new legal basis is not required (see recital 50 GDPR and Article 6(4) GDPR); or
- the consent of the data subject is obtained for the new purpose or there is a legal provision requiring processing or the processing is necessary for the performance of a task carried out in the public interest or resulting from a legal provision.
According to the GDPR, the subsequent processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes should be considered as lawfully compatible processing operations.
Any subsequent processing for a purpose different from that for which the Personal Data were originally collected must comply with the requirement of transparency by updating the initial information to the Data Subjects with the new details of the processing operation.
QUALIFICATION ACCORDING TO GDPR: INDEPENDENT OR ASSOCIATED CONTROLLERS, PROCESSORS
The correct determination (qualification) of the quality ASCENDIS has under the GDPR when processing Personal Data is particularly important as it determines which regulatory framework applies to the organization. For each Personal Data processing activity, ASCENDIS must determine whether it is a controller (independent or associated with another controller) or a processor (acting on behalf of another controller).
Independent or associated controllers
- (Independent) Controller
The controller is, according to the GDPR, “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.” [Article 4(7) GDPR]
The qualification of a controller as independent or associated with another controller is particularly important in view of the specific obligations and legal responsibilities related to the processing of Personal Data. The greatest impact such qualification has is the triggering of joint and several liability of the Associated Controllers towards the Data Subjects.
ASCENDIS must bear in mind that the qualification as Independent or Associated Controller reflects a factual situation, namely the way in which the processing of Personal Data actually takes place. One legal status or another cannot be formally chosen to govern the relationship between collaborators and their liability regime – a qualification as an Associated or Independent Controller that does not correspond to the factual situation may be modified (reclassified) by the Supervisory Authority.
Examples of processing operations for which ASCENDIS is an (independent) Controller:
In the case of the relationship between Independent Controllers:
- The conclusion of a personal data processing agreement is not required, but an agreement on the transfer of personal data from one Controller to another (data sharing agreement) may be concluded;
- The controllers shall be independently responsible towards the data subjects.
- Associated Controllers
According to Article 26, the Associated Controllers are two or more Controllers who jointly determine the purposes and means of processing the personal data. The impact of ASCENDIS qualifying as an Associate Controller with another entity is reflected in the following consequences:
- the need for the conclusion of a data processing agreement (DPA) between the Associate Controllers;
- the obligation to inform the data subjects of the substance of the processing agreement between the Associate Controllers and of their identity;
- the possibility for the Data Subjects to exercise their rights against any of the Associated Controllers;
- the establishment of joint liability between the Associated Controllers regarding the Data Subjects.
What should the data processing agreement between the Associated Controllers contain?
The mandatory elements of a DPA between the Associated Controllers required by Article 26(1) of the GDPR are the following:
- setting out in a transparent manner the responsibilities of the Associated Controllers to fulfil their obligations under the GDPR, in particular with regard to:
- the exercise of the rights of the data subjects; and
- the duties of each of the Associated Controllers to comply with the obligation of transparency towards the data subjects (provision of the information set out in Articles 13 and 14 of the GDPR).
- the roles and relationships of the Associated Controllers towards the Data Subjects.
GDPR provides the option for the Associated Controllers to designate a point of contact among them to manage the relationship with the data subjects.
The Processors
According to Article 4(8) GDPR, a processor is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The controller will exercise overall control over the purposes and means of data processing. However, in reality, a Processor may also exercise some level of control over the means of processing (in particular regarding the technical aspects).
The mere fact that one entity provides services to another entity does not mean that the former is a data processor of the latter. It must first be considered whether or not the service provider has any role with regard to the processing of personal data. Then, if it is established that the provider takes part in a data processing operation, depending on the degree of control it has, it is determined whether it is a Processor, an Associated Controller or an Independent Controller in relation to that processing operation.
The processors have significantly fewer direct obligations under the GDPR than the Controllers, but can be held liable if they go beyond the Controller’s instructions for processing the Personal Data or if they affect the rights of the Data Subjects.
Given the specific nature of the activity, it is unlikely that ASCENDIS will have the status of a Processor with regard to the processing of the personal data in the activity carried out. However, it is important to know what the role of a Processor is in order to be able to assess when third parties may have this capacity.
In cases where ASCENDIS is the Controller and will engage the services of a Processor, ASCENDIS shall consider, among other things, the following:
- ensure that it only works with the Processors which offer adequate and sufficient safeguards to protect the Personal Data;
- enter into a DPA in accordance with Article 28(3) of the GDPR;
- make sure that the contracted processors allow ASCENDIS to respect the rights of the Data Subjects.
THE GROUNDS FOR PROCESSING OF PERSONAL DATA
The GDPR indicates six situations (grounds) in which personal data may be processed. In ASCENDIS’ activity, the processing will most often be based on:
- The consent of the data subject;
- Legitimate interest of ASCENDIS or a third-party organization;
- Compliance with a legal obligation applicable to ASCENDIS (for example, the obligation to maintain supporting accounting documents);
- Performance of a contract to which the data subject is a party (e.g. the payment of salary entitlements to the employees).
ASCENDIS must identify the legal basis for processing the Personal Data only when it acts as Controller for the processing of Personal Data, and not when it is acting as a Processor (in which case it is the Controller who has contracted ASCENDIS that is obliged to set the basis for processing).
The list of legal grounds for processing presented at Article 6(1) of the GDPR must be interpreted as exhaustive – it can neither be supplemented nor amended by interpretation. The items in the list must be considered equal in legal terms, so there is no hierarchy between the grounds. However, there are situations where the law requires a certain legal basis – for example, the legal basis of consent in the case of commercial communications under Article 12(1) of Law 506/2004, with the exception mentioned in para. (2) of the same act – a matter to be considered on a case-by-case basis.
The order in which ASCENDIS is recommended to consider which legal basis is applicable is as follows:
If the processing includes the Personal Data of special categories (Article 9 GDPR), then a special condition among those set out in Article 9(2) for the processing of this type of data must also be identified.
Legal obligation
There are situations in which the collection and use of Personal Data are subject to legal obligations applicable to ASCENDIS. For example:
- Keeping of the relevant records in terms of financial and accounting legislation.
- Collection of Personal Data necessary for the registration of individual employment contracts in REVISAL.
- Identification of the Data Subject for the settlement of his/her claims.
Performance of a contract with the data subject
This basis for processing may be invoked when the Personal Data are necessary for the performance of a contract to which the Data Subject is a party. For example:
- The payment of the wage (execution of the individual employment contract).
- the processing of data required for the conclusion of a medical sponsorship contract.
The legitimate interest of ASCENDIS
The legitimate interest must be clear and explicit. Also, for this ground to be used, the legitimate interest formulated must pass the balancing test set out in Article 6(1)(f) of the GDPR, i.e., it must outweigh, and not be overridden by, the interests or fundamental rights and freedoms of the Data Subject.
Consent of the data subject
Last but not least, the data processing may be based on the consent given by the Data Subject. As stated above, the consent of the data subject is not a preferred legal ground under the GDPR, and should not be considered above the other grounds.
Article 4 of the GDPR defines the consent: “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
In order to be valid, the consent must meet the following conditions:
- It is a manifestation of will consisting of an unequivocal statement or action;
- It is freely given, specific and informed;
- The request for consent must be presented in a form that clearly distinguishes it from other matters, in an intelligible and easily accessible form, using clear and plain language;
- The consent may be withdrawn at any time in a manner as simple as giving it;
- The Controller can demonstrate that the consent was obtained.
PRACTICAL GUIDELINES FOR THE COMPLIANCE WITH THE GDPR PRINCIPLES
The principles enshrined in Article 5 of the GDPR represent the fundamental rules governing any processing of personal data that falls under the GDPR. As a result, all provisions in the GDPR, as well as in other legislation that complements the GDPR, must be interpreted and applied in accordance with these principles.
Even though the principles are formulated in a general manner in Article 5 of the GDPR, ASCENDIS must bear in mind the following key issues related to their interpretation and application:
- The principles are not optional, but are key to the interpretation of personal data protection legislation, regardless of the source of that legislation, as long as reference is made to the GDPR.
- The principles apply in their entirety regardless of the basis on which the data are processed. For example, processing of data on the basis of the data subject’s consent does not exclude the compliance with the sub-principle of transparency or the principle of data minimization.
In the following we present each GDPR data protection principle and the actions ASCENDIS has taken to comply with these requirements.
Principle of legality, fairness and transparency
GDPR requirement | Implementation by ASCENDIS
---|---
The personal data must be processed in compliance with all three components of this principle, namely lawfulness, fairness and transparency towards the data subject. | The Company is transparent with the Data Subjects as to the purpose for which the Personal Data is collected and how it is intended to be used. There are legitimate reasons for collecting and processing the Personal Data. The Personal Data shall not be used in ways that result in undue adverse effects on the Data Subjects. The means are established by which the Data Subjects are informed – e.g., information notices, privacy policies, etc. The personal data are treated as the Data Subjects would reasonably expect.
The information to be provided to the Data Subjects by the Controllers processing their Personal Data is set out in Articles 13 and 14 of the GDPR. This information must be provided in writing, including even its transmission by e-mail or its publication on the website.
Purpose-related limitation
GDPR requirement | Implementation by ASCENDIS
---|---
The personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. | The purposes of the processing are determined before collecting the Personal Data. The purposes shall be specified, explicit and legitimate. The purposes are documented in the records regarding the Personal Data processing activities.
Please refer to section 4.6 above for a detailed description of the determination of the purposes for processing Personal Data.
Data minimization
GDPR requirement | Implementation by ASCENDIS
---|---
The personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. | Only the data needed for the activities ASCENDIS carries out are collected and used. Further collection of Personal Data is avoided, even if such collection might be technically possible. Excessive or irrelevant Personal Data is deleted.
Accuracy of personal data
GDPR requirement | Implementation by ASCENDIS
---|---
Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. | ASCENDIS implements measures to prevent inaccurate or incomplete data collection. Where appropriate, it implements measures to allow the rectification or completion of the data already collected.
The application of the principle of accuracy should not become an impossible or particularly onerous task for ASCENDIS, especially where the personal data is provided directly by the Data Subject, as in this case it is the responsibility of ASCENDIS to ensure the accuracy of the information. Although it is more difficult to verify the accuracy of the data from sources other than the Data Subject, ASCENDIS should use data from sources it can trust, especially in the cases in which the Data Subjects could be affected in some way if the data are incorrect.
Taking into account the right of rectification established by the GDPR, the Data Subjects may request ASCENDIS to correct certain inaccuracies in their personal data held by ASCENDIS. If the Personal Data are incomplete, the Data Subject may request ASCENDIS to complete the data or to supplement it accordingly.
The principle of storage limitation
GDPR requirement | Implementation by ASCENDIS
---|---
The personal data must be kept in a form which permits the identification of the data subjects for no longer than is necessary for the purposes for which the data are processed. | ASCENDIS keeps the personal data only as long as necessary or required by law. It sets fixed (e.g., in terms of months or years) or determinable (e.g., dependent on another external event, such as the deletion of a social media account or website) storage durations. It adopts procedures for data destruction or anonymization after the expiry of storage durations.
The principle of integrity and confidentiality
GDPR requirement | Implementation by ASCENDIS
---|---
The personal data must be processed in a manner that ensures their appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by taking the appropriate technical or organisational measures. | ASCENDIS keeps the personal data confidential and secure. It adopts internal policies regarding breaches of personal data security. It regularly trains its employees.
The preservation of the security of personal data is a fundamental obligation of ASCENDIS.
THE MANAGEMENT OF THE SECURITY INCIDENTS
GDPR, Article 4(12): “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
In the event of a Personal Data security breach (a security incident) the first step ASCENDIS must take is to analyse the risk for the data subjects.
When assessing the risk, ASCENDIS will take into account elements such as the type and importance of the data, the duration of the incident, the frequency of the incident, the number of individuals affected, the damage caused or likely to be caused to individuals, and the remedial measures taken.
If it is determined that there are risks (regardless of level) to the rights and freedoms of the Data Subjects, then ASCENDIS must notify the NSAfPDP within a maximum of 72 hours, as per Article 33. If the risks identified are high, then it becomes necessary to also notify the affected Data Subjects.
ASCENDIS shall keep a record of all personal data breaches, which shall include a description of the situation in which the breach occurred, its effects and the remedial measures taken. The most important factor is that the incident response procedure is started as soon as possible after detection, so that an effective response can be mounted.
Please notify the ASCENDIS DPC immediately if you suspect that a security incident involving Personal Data has occurred. For a full description of the steps to follow in the event of a security incident, please see the Policy regarding the Management of the Personal Data Security Breaches.
TRANSFER OF PERSONAL DATA OUTSIDE OF EEA
The transfers of personal data outside the European Economic Area (EEA) are considered restricted under the Personal Data Protection legislation and can only take place under the conditions set out in Chapter V of the GDPR (conditions which are intended to ensure an adequate level of protection for the data subjects).
When contracting with third parties which process Personal Data, check whether they are going to store such data outside the EEA. If so, check whether there is a situation covered by Chapter V of the GDPR that would allow such a transfer.
THE RECORD OF DATA PROCESSING ACTIVITIES
As Controller, ASCENDIS shall maintain records of the processing of Personal Data in accordance with the requirements of Article 30 of the GDPR (ROPA). These records shall be updated periodically (recommended annually) to reflect the current status of the data processing activities.
THE RIGHTS OF THE DATA SUBJECTS
ASCENDIS treats with the utmost seriousness the requests addressed by the Data Subjects regarding the exercise of their rights under the GDPR.
The deadline for responding to requests based on the GDPR is 1 month from the receipt of the request. The deadline may be extended in exceptional circumstances by up to 2 months, with the notification of the Data Subject of the need for that extension.
ASCENDIS sets up dedicated communication channels to receive requests from the Data Subjects. ASCENDIS employees who receive requests of the type indicated in the table below, or any other requests that invoke the GDPR, must notify the DPC immediately so that the request can be reviewed and a decision taken on how to handle it.
Ignoring the requests of the Data Subjects constitutes a GDPR violation and is particularly risky for the company. Often, Data Subjects who do not receive a timely response will approach the Data Protection Authority, which may initiate an investigation.
Table on the applicability of the rights of the Data Subjects
The table below presents the extent to which the rights of the Data Subjects apply, depending on the basis ASCENDIS uses to process the Personal Data in respect of which the rights are exercised. Please note that the table is indicative and that each request must be managed on a case-by-case basis, taking into account the context.
Right | Consent | Contract (in force) | Legal obligation | Vital interests | Public interest | Legitimate interest
---|---|---|---|---|---|---
Information (Articles 13 and 14 GDPR) | ☒ | ☒ | ☒ | ☒ | ☒ | ☒
Access (Article 15 GDPR) | ☒ | ☒ | ☒ | ☒ | ☒ | ☒
Rectification (Article 16 GDPR) | ☒ | ☒ | ☒ | ☒ | ☒ | ☒
Erasure (Article 17 GDPR) | ☒ | ☒ | | | |
Restriction of processing (Article 18 GDPR) | ☒ | ☒ | ☒ | ☒ | ☒ | ☒
Portability (Article 20 GDPR) | ☒ | ☒ | | | |
Objection (Article 21 GDPR) | | | | | ☒ | ☒
For more details on the rights of the Data Subjects, please refer to the Procedure for the Management of the Data Subject Requests.
DATA PROTECTION COORDINATOR
The controllers and the processors must designate a data protection officer if they are in any of the situations set out in Articles 37-39 of the GDPR.
In view of the work carried out by ASCENDIS, the need to designate such a person has been analysed and it has been concluded that the organisation is not, at the time of drafting this Policy, required to designate such an officer. However, given that the personal data of the individuals (employees, physicians, pharmacists, etc.) are processed and need to be managed in such a way as to comply with the provisions of the GDPR, ASCENDIS has appointed a person within the organisation who has control over all matters relating to the protection of personal data – THE DATA PROTECTION COORDINATOR (DPC).
The role of the DPC is to oversee the manner in which personal data is processed within the organisation and to take the necessary steps to ensure the compliance with the provisions of the GDPR and the provisions of any other applicable personal data protection legislation.
DPIA: ASSESSMENT OF THE IMPACT ON PERSONAL DATA PROTECTION
Article 35(1) of the GDPR requires Data Controllers to carry out a DPIA if a certain type of processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons (general rule on the DPIA obligation).
Article 35(1) “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”
The purpose of the DPIA is to identify the risks associated with certain personal data processing operations and to propose measures to mitigate those risks. The risks relate to all the rights and freedoms of data subjects, not just the protection of personal data.
In addition to the general rule indicated above, Article 35(3) of the GDPR indicates three illustrative situations in which a DPIA is considered mandatory.
Article 35(3) “The data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale.”
Also, pursuant to Article 35(4) of the GDPR, the NSAfPDP has published, by Decision No 174/2018, a list of the types of processing operations subject to the DPIA requirement.
TRAINING
ASCENDIS will provide regular training and instruction to its employees on issues related to the protection of personal data as well as on the compliance with the company’s internal procedures in this area. ASCENDIS will establish an internal training programme, which will include at least one training session per year for all employees whose duties involve the processing of Personal Data.
CONTACT
For more details about the application of this Policy, please contact the Data Protection Coordinator designated at ASCENDIS level: dataprotection@sunwavepharma.com.
OTHER GDPR POLICIES AND PROCEDURES
This General Policy is complemented by the following policies and procedures adopted by ASCENDIS on the protection of personal data:
- Procedure regarding the management of the breaches of Personal Data security
- Policy on establishing retention periods for the retention of the personal data
- Procedure for managing the requests from data subjects