In this Data Privacy Statement, “Grünenthal”, “we”, “us” and ‘’our’’ refers to Grünenthal GmbH, Aachen, Zieglerstraße 6, 52078 Aachen, Germany.
As a science-based pharmaceutical company, we may process personal data about reporters of potential adverse events regarding our pharmaceutical products, and also about patients experiencing these adverse events.
We take the privacy and security of your personal data very seriously. In particular, with this privacy statement, we would like to inform you about the data we may collect from you or other persons, the purposes of processing these data, the way the data are collected and processed, and to what extent they are transmitted to third parties. We also explain which rights you have with regards to this data and provide useful contact details in case you have questions or concerns.
The collection and processing of personal data is carried out in accordance with the applicable law, namely the General Data Protection Regulation (GDPR).
Who is responsible for the processing of your personal data?
When you report a potential adverse event through the form available in this website, any personal data submitted will be processed by Grünenthal GmbH.
When you report an event by other means to another company of the Grünenthal Group, the corresponding Grünenthal entity will be responsible for the processing of any personal data submitted. You can find more information about how that entity processes any personal data reported, in the privacy statement available in its corresponding website.
What types of personal data do we process?
If you are a reporter, we process personal data such as your name, profession, contact data and the circumstances of the event itself.
In case personal data about patients experiencing adverse events is reported to us, we collect their name or initials, age, gender, details of the Grünenthal products that were applied as well as other information regarding the circumstances of the event.
For what purposes do we process personal data?
We process contact data from reporters to be able to investigate events and, if necessary, follow-up with them in order to gain additional information if needed.
We are required to share reports about adverse events with health authorities worldwide. We may also share these reports with our group entities in order to analyze and investigate specific events and define required actions.
What is the legal basis for the processing of the personal data?
The legal basis for this kind of processing is article 6 (1) lit. c) GDPR (the processing of the personal data is necessary for compliance with a legal obligation to which we are subject), and art. 9 (2) lit. i) GDPR (processing is necessary for reasons of public interest in the area of public health, on the basis of Union or Member State law).
Who will be the recipients of the personal data?
We may be required to share these reports, including personal data, with health authorities, licensing partners and other entities of the Grünenthal group. We will not share any personal data that is not necessary for investigating the event with any of these third parties. When possible, we will apply techniques, such as pseudonymization or encryption, to render the personal data unintelligible to any person who does not need to access, or is not authorised to access, the personal data for the purposes described above.
We also share your personal data with third parties that help us handle and investigate each case (e. g. our own service providers). We use Grunenthal proprietary and standard industry solutions to process your data in a safe environment. We ensure that all our service providers process personal data securely, both contractually and factually.
Will the personal data be transferred to third countries?
Some of the data recipients are located in countries outside the European Union, where there is a lower level of data protection. This is justified by Art. 49 (1) lit. d) GDPR. In such cases, Grünenthal will ensure that a sufficient level of protection is provided for your data, e.g. by concluding specific agreements with these contractual partners. Grünenthal will apply the EU-Standard-Contractual Clauses to such transfers wherever feasible.
How long will the personal data be processed for?
Reports about adverse events are stored in our systems at least 10 years after the respective product has been withdrawn from the market.
What are your data privacy rights?
The following rights are available to you based on applicable privacy laws:
- Right to information about personal data on you stored by us
- Right to deletion or restriction of processing, unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or in the event that the processing serves the enforcement, exercise or defence of legal claims
- Right to correct your personal data
- Right to object to processing that serves a public interest, unless we can establish compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or, in case, that the processing serves the enforcement, exercise or defence of legal claims
- Right to data transferability
Right to complain to a supervisory authority
If you want to exercise your rights, please address your request to firstname.lastname@example.org
You may also directly contact our Data Protection Officer by using the following email address: email@example.com