Last revised on 01.05.2018
This privacy notice explains how Boehringer Ingelheim Portugal, Lda. and/or its affiliated companies of the Boehringer Ingelheim group of companies acting as respective data controller (hereafter "Boehringer Ingelheim", "we", "us";) processes which personal data of you for which purposes. In any event, collection and processing of personal data will only take place conformable to the applicable law (i.a. the General Data Protection Regulation, "GDPR").
For communicating, providing information and services and for the purposes connected with the relationship personal data is needed, e.g. name, contact data and function of the data subject.
1. Personal Data we might process
The following data categories may be collected and processed:
a. Identification data, e.g. name, gender, date and place of birth (visitors), national identification number (truck drivers), images (badges), CCTV (visiting monitored areas), User ID (using Business applications)
b. Addresses and contact data, e.g. postal addresses, e-mail addresses, phone numbers, organizational data such as company/organization, department, function
c. Authorizations and their use e.g. IP-addresses or User-Accounts for Wi-Fi (Guest-Net), online services or used business applications
d. Time and attendance, e.g. being on the company premises or for providing services
e. Activities, tasks and operations, e.g. for projects
2. Purpose
Personal Information of individuals may be used in general for:
- Communication, e.g. for clarifying questions, exchanging information or appointments
- Documenting activities, e.g. meetings, events and agreements
- Complaint management and solving of disputes, exercise or defend legal claims
Related to business partners, e.g. suppliers, customers, contractors or service providers, it may be used in addition for:
- Settlement of transactions, e.g. payment, invoicing and contract management
- Logistics, e.g. transportation
- Authorization and identity management for electronic services, including technical support and troubleshooting
- Administrative communication, e.g. sales promotion or product development
- Monitoring, e.g. for complying with our legal obligations such as Business Partner compliance screening obligations
- checks and surveys
Related to media representatives, interested persons and visitors it may be used for:
- Identification and Authorization
- Providing information and requested services, e.g. newsletter
- Monitoring, safety checks
The processing of your personal data is necessary for the purposes listed above. The legal basis for the processing, unless stated otherwise, is Article 6 (1) b) GDPR (performance of contracts), Article 6 (1) f) GDPR (legitimate interests) or Article 6 a) GDPR where you have given your consent.
3. Monitoring and investigation
Different methods are used for protecting data privacy and our IT security against different threats (malicious software, hacker attacks, spam, espionage and theft of intellectual property), e.g. exchanged data are examined for viruses and connection data are analyzed for abnormalities. For suspicious cases relevant documents and connection data can be analyzed.
In order to comply with existing export- and payment restrictions - e.g. companies and persons are listed in different government lists – business partner data may be checked against these lists.
In addition, in the case of suspicions, which have been reported via the compliance hotline, in the case of official investigations and defense against claims, an investigation and, where appropriate, provisioning of data and documents relating to the respective case and the persons concerned may be necessary.
In all cases internal regulations, legal requirements and the personal rights of the data subjects are respected.
4. Processing Principles
Reasonable technical and organizational measures for data security are implemented through internal regulations and - if the data is processed by an external service provider - by means of appropriate contractual agreements, for example through the use of the EU standard contract clauses for data processing outside the European Union.
5. Data Transfer / Disclosure
In compliance with legal requirements and existing internal regulations, the data required for the respective purpose can be passed to other internal and external bodies in the following cases:
1. Reporting obligations to regulatory authorities and enforcement of rights
As a pharmaceutical company, we are subject to specific regulations, such as pharmacovigilance. Some of these laws require us to send your reports to regulators or other authorities worldwide (including countries that may have a different level of data protection than the EU). We only provide authorities with personal data if we are legally obliged to do so.
In order to protect our rights or the rights of third parties, we may also disclose data to rights holders, consultants and authorities in accordance with legal provisions.
2. Service providers
We engage service providers to process your personal data for the purposes described in this data protection information. These service providers process the data only on our behalf, in accordance with our instructions and under our control in accordance with this data privacy declaration.
3. Boehringer Ingelheim companies
As part of a global group of companies, we involve other Boehringer Ingelheim companies that support us in data processing. These group companies process the data exclusively for the purposes stated in this data protection declaration.
4. Data transfer to recipients outside the EU
Some of these service providers and Boehringer Ingelheim companies process personal data outside the EU. In these cases, we ensure an adequate level of data protection to comply with European law (usually through EU standard contractual clauses published by the European Commission).
6. Data Storage
Personal data will only be kept for as long as necessary to meet the respective purpose and to fulfill regulatory requirements, as a rule for the duration of the respective contractual relationship, including a possible statutory retention period.
For business partners, the deletion usually takes place 10 years after the last contact, for other persons, e.g. visitors or subscribers of information/newsletters 5 years after the last contact or on request.
Data erasure is carried out within the framework of the deletion routines implemented by the process managers.
7. Your Rights
You can request information which personal data we store. If you have provided personal data based on a contract or consent, you have the right to receive this data in a common and machine-readable format.
In justified cases, you may also request the deletion, correction or limitation of the processing of your data. If your personal data is transferred to a country outside the EU that does not provide adequate protection, you may request a copy of the contract that provides adequate protection of personal data.
Where you provided consent for the use of your personal data, you can withdraw your consent at any time with future effect.
If we use your personal data on the basis of a balance of interests, you can object to the use of your data. In this case, we will no longer use your data unless our interests prevail. You can object to the use of your data for direct marketing purposes, e.g. the receipt of mailings, at any time without further consideration.
8. Contact
If you have any questions about our use of personal data, this data protection declaration or would like to exercise your rights, you can contact us at any time or you can reach out to our local data protection contact:
Boehringer Ingelheim Portugal, Lda.
– Data Protection –
Av. De Padua No 11
1800-294 Lisbon, Portugal
webmaster@lis.boehringer-ingelheim.com
In case of questions or concerns you can also contact the lead data protection authority supervising us:
Comissão Nacional de Protecção de Dados (CNPD)
Rua de São Bento n.º 148-3º
1200-821 Lisbon
Tel: +351 213928400
geral@cnpd.pt
https://www.cnpd.pt/
This privacy notice may be updated from time to time as appropriate.