TILMAN S.A.
Personal data protection policy
(Last update: October 09, 2018)
1. Who are we?
This document is the personal data protection policy of TILMAN S.A., a company incorporated under Belgian law, having its registered office in Zone d’activités Sud, Bail. 15, 5377 Somme-Leuze, registered with the company register (BCE) under number 0458.493.759, and having the following e-mail address: privacy@tilman.be (hereinafter referred to as “Tilman” or “us”).
Contact details of the Data Protection Officer of the controller: dpo@tilman.be
In the course of our activities, we collect, store, process and sometimes share personal data.
2. Objective of this policy
2.1. Information
Concerned about respecting your privacy, and aware of the importance of complying with our legal obligations in this regard, we do everything in our power to protect your personal data.
The purpose of this policy is to inform you (as “data subject”) about how we (as “controller”) process your personal data, in accordance with all applicable data protection and privacy laws and regulations (hereinafter referred to as “Data Protection Laws”), and, more particularly and among others, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (or “GDPR”).
This policy is also intended to inform you of your rights regarding the processing of your personal data.
2.2. Informed consent
In some cases (specified below), the legal basis for our data processing is your informed consent. In such cases, the other purpose of this policy is to provide you with the information necessary to obtain valid consent from you.
Where our processing of personal data is based on your consent, you have the right to withdraw your consent at any time, but this withdrawal may not affect the lawfulness of the processing carried out prior to this withdrawal. To withdraw your consent, you are invited to use the easy unsubscribe procedures provided to you by our communications tools or by sending us an e-mail (to the address indicated in the “Who to contact about your personal data” section).
When our processing of personal data is based on your consent, it is our duty to be able to demonstrate that you have consented to the processing of your personal data. To do so, we retain data relating to your consent as long as we need to demonstrate our full and complete compliance with Data Protection Laws.
If you are under 16 years of age, it is our duty to make reasonable efforts to verify, in such cases, that consent is given or authorized by the person having parental authority, taking into account the available technology. This explains why, if necessary, we may ask for more information about this holder of parental authority.
3. Information on the different processing of personal data
In this section 3, for each processing operation we perform, we provide you with information on:
- The purposes of the processing (why we process your data);
- The legal basis of the processing (what justifies the processing); where this legal basis is a legitimate interest, we mention the nature of such interest;
- The categories of personal data concerned (what types of data are processed);
- If applicable, the categories of recipients of personal data (with whom we share data);
- Where appropriate, the transfer of personal data to recipients in countries outside the EU or to international organizations and the safeguards allowing such transfer;
- The retention period during which personal data are kept, or if it is not possible to specify, the criterion used to determine such period of time.
In order to be as transparent and clear as possible, this information is presented in the tables below, and is provided by category of data subjects and purpose.
3.1. Customers
Purpose | Customer service (requests for information, complaints, after-sales services) |
---|---|
Categories of data | identification 1, electronic identification 2, content of communications, commercial information, description of the complaint |
Sources | data subject |
Recipients | none 5 |
Retention period | duration of the interaction (the duration is longer if the data are used for other processing operations mentioned in this section) |
Legal bases | GDPR, art.6, §1 a) (consent); GDPR, art.6, §1 c) (performance of legal and regulatory obligations) |
Transfer outside the EU | no |
Purpose | Customer management (order tracking and fulfillment, sales information, invoicing) |
---|---|
Categories of data | identification 1, electronic identification 2, administrative data 3, sectoral data 4, customer code, function, category / home group, language, currency, financial characteristics, representative, transport, content of communications, commercial information. |
Sources | data subjects, official databases, commercial (public) databases |
Recipients | sales representatives, distributors and sales intermediaries, public administrations |
Retention period | 10 years after the end of the processing (usually the end of the contract) |
Legal bases | GDPR, art.6, §1 b) (performance of contractual or pre-contractual measures); GDPR, art.6, §1 c) (performance of legal and regulatory obligations) |
Transfer outside the EU | no |
Purpose | Satisfaction surveys |
---|---|
Categories of data | identification 1, electronic identification 2 |
Sources | data subject |
Recipients | none 5 |
Retention period | anonymization after completion of processing of responses and sending of the reward if applicable |
Legal bases | GDPR, art.6, §1 b) (performance of contractual or pre-contractual measures); GDPR, art.6, §1, f) (legitimate interest: quality controls, process improvement) |
Transfer outside the EU | no |
Purpose | Market analysis (statistical monitoring of purchases by central buying services) |
---|---|
Categories of data | identification 1, electronic identification 2 |
Sources | central purchasing offices |
Recipients | none 5 |
Legal bases | GDPR, art.6, §1 b) (performance of contractual or pre-contractual measures); GDPR, art.6, §1, f) (legitimate interest: process improvement, internal management, market analysis) |
Transfer outside the EU | no |
Purpose | Information campaigns (mailings) |
---|---|
Categories of data | identification 1, electronic identification 2 |
Sources | data subjects, data providers |
Recipients | none 5 |
Retention period | duration of consent |
Legal bases | GDPR, art.6, §1 a) (consent); GDPR, art.6, §1, f) (legitimate interest: “soft opt-in” for persons who are already TILMAN’s customers) |
Transfer outside the EU | no |
3.2. Users of TILMAN products, doctors, pharmacists
Purpose | Customer service (requests for information, complaints) |
---|---|
See section “Customer > Customer service”. |
Purpose | Pharmacovigilance |
---|---|
Categories of data | identification 1, electronic identification 2, date of birth, age, weight, height, gender, medical data: product involved (and production information), adverse reactions, medical history |
Sources | data subjects, pharmacists, doctors |
Recipients | official pharmacovigilance authorities |
Retention period | 10 years after expiry of the marketing authorization |
Legal bases | GDPR, art.6, §1 c) (performance of legal and regulatory obligations); GDPR, art.9, §2 i) (grounds of public interest in the field of public health) |
Transfer outside the EU | no |
3.3. Health professionals, organizations
Purpose | Customer service (requests for information, complaints) |
---|---|
See section “Customer > Customer service”. |
Purpose | Information campaigns (emailings) |
---|---|
See section “Customer > Information campaigns”. |
Purpose | be Transparent |
---|---|
Categories of data | identification 1, electronic identification 2, administrative data 3 (business number), sectoral data 4 (INAMI number), national registration number, financial data |
Sources | data subjects, official databases |
Recipients | betransparent.be |
Retention period | legal period: 10 years from publication |
Legal bases | GDPR, art.6, §1 c) (performance of legal and regulatory obligations) |
Transfer outside the EU | no |
Purpose | Coupons (events and specialized press) |
---|---|
Categories of data | identification 1, electronic identification 2, sectoral data 4 (INAMI number), language |
Sources | data subject |
Recipients | none 5 |
Retention period | For event coupons: duration of the event. For coupons in the press: duration of the interaction. The duration is longer if the data are used for other processing operations mentioned in this section. |
Legal bases | GDPR, art.6, §1 a) (consent) |
Transfer outside the EU | no |
3.4. Suppliers
Purpose | Supplier management (selection, order tracking, accounting and administration, quality controls) |
---|---|
Categories of data | identification 1, electronic identification 2, administrative data 3, content of communications. |
Sources | data subjects, official databases, commercial (public) databases |
Recipients | public administrations |
Retention period | 10 years after the end of the processing (usually the end of the contract) |
Legal bases | GDPR, art.6, §1 b) (performance of contractual or pre-contractual measures); GDPR, art.6, §1 c) (performance of legal and regulatory obligations); GDPR, art.6, §1, f) (legitimate interest: selection and management of suppliers, quality controls, process improvement, protection of TILMAN’s rights) |
Transfer outside the EU | no |
3.5. Prospects
Purpose | Prospect service (request for information) |
---|---|
See section “Customer > Customer service”. |
Purpose | Information campaigns (mailings) |
---|---|
See section “Customer > Information campaigns”. |
Purpose | General prospecting |
---|---|
Categories of data | identification 1, electronic identification 2, administrative data 3, sectoral data 4, customer code, function, category/group, language, currency, financial characteristics, representative, transport, content of communications, commercial information. |
Sources | data subjects, official databases, commercial (public) databases |
Recipients | sales representatives, distributors and sales intermediaries |
Retention period | Indefinite (normal lead management time) |
Legal bases | GDPR, art.6, §1, f) (legitimate interest: prospecting of professional customers, development of economic activities) |
Transfer outside the EU | no |
3.6. Candidates for employment
Purpose | Recruitment |
---|---|
Categories of data | identification 1, electronic identification 2, family composition, leisure, education, professional data, CV data. |
Sources | data subject |
Recipients | none 5 |
Retention period | recruitment period (the duration may be extended to one year with the consent of the person concerned) |
Legal bases | GDPR, art.6, §1 b) (pre-contractual measures); GDPR, art.6, §1 a) (consent for subsequent storage) |
Transfer outside the EU | no |
3.7. Sponsoring
Purpose | Customer management (order tracking and fulfillment, sales information, invoicing) |
---|---|
Categories of data | identification 1, electronic identification 2, administrative data 3. |
Sources | data subject |
Recipients | none 5 |
Retention period | 10 years after the end of the processing (usually the end of the contract) |
Legal bases | GDPR, art.6, §1 b) (performance of contractual or pre-contractual measures) |
Transfer outside the EU | no |
3.8. Visitors to the site
Purpose | Security (recording of entries and exits in our buildings) |
---|---|
Categories of data | identification 1, name of employer, visit data (arrival and departure times) |
Sources | data subject |
Recipients | none 5 |
Retention period | 30 days |
Legal bases | GDPR, art.6, §1, c) (performance of legal and regulatory obligations); GDPR, art.6, §1, f) (legitimate interest: protection of the company, its property and its staff) |
Transfer outside the EU | no |
1 “Identification” data includes: first name, last name, physical address and telephone number.
2 “Electronic identification” data includes the email address (and possibly identifiers on the Internet or social networks).
3 “Administrative data” is all data necessary for tax and accounting purposes (VAT, company registration number, JNL codes,…).
4 “Sectoral data” is all data related to identification, certification, labelling or authorization as an economic actor (e.g. in the pharmaceutical production and distribution sector: IMS code, APB code, INAMI number, BIO control body code, FLOCERT identification number), logistics (e.g. EAN code, Certipost) or organisational logic (SCM, MPO).
5 The data shall at least be made accessible to TILMAN’s staff and subcontractors (access rules shall be established so that only those persons who need it in the course of their work have access to the data). “None” means that the data is not disclosed to any other person or entity.
4. Your rights as a data subject
Data Protection Laws grant you rights on certain bases and under certain conditions, including the rights of access, rectification, opposition to processing, or request for deletion of your personal data, as well as the right to request the limitation of processing. Under certain conditions, you also have a right to the portability of your data.
Please contact us as specified in the “Who to contact about your personal data” section below to make any request to exercise your rights or if you have any questions or concerns about how we handle your personal data.
Please note that some personal data may be exempted from the rights of access, rectification, objection, deletion, limitation or portability in accordance with Data Protection Laws or other legislation.
5. Safety and security
Tilman takes appropriate technical, physical, legal and organizational measures, which comply with the Data Protection Laws. Unfortunately, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure. If you have reasons to believe that an interaction with us is no longer secure (for example, if you believe that the security of any personal data you may have with us has been compromised), please notify us immediately. See the section “Who to contact about your personal data” below.
When Tilman provides personal data to a service provider, the service provider is carefully selected and must use appropriate measures to protect the confidentiality and security of personal data.
6. Personal data of third parties
If you provide us with personal data from third parties, you agree: (a) to inform the third party about the content of this Privacy Policy; and (b) to obtain the required consent for the collection, use, disclosure and transfer (including cross-border transfer) of the third party’s personal data in accordance with this Privacy Policy, unless you can demonstrate that you can rely on a legal basis other than consent.
7. Complaints
If you are not satisfied with our processing of your personal data and if you think that contacting us will not solve the problem, the Data Protection Laws give you the right to file a complaint with the competent supervisory authority (more information on the latter’s website: www.autoriteprotectiondonnees.be).
8. Who to contact about your personal data
If you have any questions about our use of your personal data you can:
- send us an e-mail to the following address: privacy@tilman.be,
- or write to us at the following physical address:
TILMAN S.A.
15, Z.I. Sud
5377 Baillonville
BELGIUM
- or contact our DPO at the following email address: dpo@tilman.be
9. Changes to this Policy
We regularly review this Policy and reserve the right to make changes at any time to reflect changes in our business or new legal requirements.
To inform you of the changes, we will post updates on our website: www.tilman.be. In some cases, we may also notify you by email.
Please check the “last updated” date at the top of this Policy to see when it was last revised.