Policy on protection of personal data to which GDPR is applied

This “POLICY ON PROTECTION OF PERSONAL DATA TO WHICH GDPR IS APPLIED” (this “Policy”) governs only processing by Kyorin Pharmaceuticals, Co. Ltd. (“we” or “us”) of personal data to which “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)” and its equivalent of the United Kingdom (“GDPR”) is applied.

1. Our policy on personal data protection

The purpose of the present Policy is to illustrate how we collect and process, as the data controller, the personal data of natural persons (“data subjects”) domiciled in the European Economic Area (“EEA”), regardless of whether we obtained the personal data directly from data subjects or through third parties. We process the personal data in accordance with GDPR (and other regulations of the EU or its Member States, if any, such as specific laws regarding pharmaceutical products or clinical studies).

Processing of “personal data” under this Policy means either of the following:

  (i) Processing of personal data in the context of the activities of an establishment of a controller or a processor in the EEA, regardless of whether the processing takes place in the EEA or not (Article 3, paragraph 1 of GDPR)
  (ii) Processing of personal data of data subjects domiciled inside the EEA by a controller or processor not established in the EEA, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EEA; or (b) the monitoring of their behavior as far as their behavior takes place within the EEA (Article 3, paragraph 2 of GDPR)

2. Collection and processing of personal data

We always process personal data in accordance with any of the principles set out in GDPR (Articles 5, 6 and 7). Further, where we process special categories of personal data, we abide by the special rules of GDPR (Articles 9 and 10).

We collect and process personal data where we have either of the following lawful bases:

  (i) It is necessary for us to process personal data for the purposes of legitimate interests pursued by us or a third party, including the performance of the obligation under the applicable laws and regulations (which include those outside EEA such as Japan), such as the application for marketing licenses of pharmaceuticals, pharmacovigilance activities, etc.
  (ii) We have a contractual relationship with the individual or the company for which the individual works and the processing is necessary to perform our obligations under the contract; or
  (iii) We have obtained the appropriate consent to the processing for a specific purpose including possible big data applications.

When we do so, we provide data subjects with the purpose of collecting and processing personal data through appropriate means such as consent forms or contracts.

Personal data processed in the context of above-mentioned (i) includes information (collected in clinical trials, genetic and epidemiological studies, during the monitoring of pharmacovigilance information) about individuals who took drugs for which we have a marketing license or investigational products. Patients’ personal data collected in clinical trials (for the avoidance of doubt, in this Policy, by “clinical trial” we refer to those conducted in accordance with applicable laws and regulations) may include: age, gender, medical history, phenotype (set of observable characteristics such as anatomy, morphology), genotype (gene composition) etc.

Informed consent is required each time a patient participates in our clinical trials, in order to ensure both (a) voluntary participation in the study and (b) the patient’s right to privacy and data protection consistent with the requirements of applicable law. No consent is required for the reporting of side effects or other adverse events in the course of pharmacovigilance activities, but the person who reports the case, most often the healthcare professional, will inform the patient of the transfer of non-directly identifiable health data (pseudonymized) relating to him or her. This transfer is restricted to pharmacovigilance purposes and to the market-authorization holders, manufacturing license holders, selling-license holders, and health authorities in charge of pharmacovigilance.

The data subject shall have the right to withdraw his or her consent at any time. Please note, however, that the withdrawal of consent shall not affect the lawfulness of collection or other processing based on consent before its withdrawal: even after the withdrawal, we may continue using the personal information in question if there is another lawful basis.

We collect personal data for specified, explicit and legitimate purposes and do not further process the personal data in a manner that is incompatible with those purposes; prior to processing personal data for purposes other than those for which the personal data were initially collected, we always notify the data subject of such purposes.

We keep personal data for no longer than is necessary to perform legal obligations imposed on us and maintain our business activities (GDPR Article 5 and Article 25, paragraph 2).

We ensure that personal data we process are limited to those that are adequate, relevant and limited to what is necessary in relation to the purposes.

3. Sharing/disclosure of personal data

We ensure that we will never sell, lease or otherwise dispose of the personal data we collected as an object of transactions.

At times we share personal data we collected with our group companies and third parties. When we share personal data with a third-party processor, we take appropriate measures to implement GDPR requirements (GDPR Articles 24, 26, 28 and 29). Further, where third parties with whom we share personal information are domiciled or established outside the EEA, we take appropriate measures pursuant to GDPR Chapter V so as to ensure an essentially equivalent level of protection.

We also ensure that we abide by the specific laws and regulations, where applicable, that govern sharing of personal data with third parties. By way of example, we process the personal data we collected (either as controller, joint controller or processor) during clinical studies in accordance with applicable laws (e.g. Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use) and regulation (e.g. Member States’ rules implementing ICH-GCP, including pseudonymization requirements).

Our business partners

Personal data may be transferred to, retained and processed by our business partners who jointly develop, apply for marketing license on, manufacture or sell pharmaceuticals, in a form being unable to identify a particular individual.

Delegation to processor

For the purposes of editing data to an extent that does not prejudice its identicalness (such as preparing data to be input into the format designated by the competent authority), we may have a third-party service provider undertake processing work of personal data. When executing contracts for such purposes, we carefully examine whether the contracting party is suitable for undertaking the task. Through the contract, we set out the processor’s obligations on implementing appropriate technical and organizational measures, obligations of confidentiality, conditions on engaging a sub-processor and other matters relating to appropriate processing of personal data. We properly supervise the processor through regular monitoring of its performance etc.

Group companies / corporate reorganization

At times we share personal data with our group companies. When there occurs any transfer of all or part of our business through corporate reorganization, stock acquisition (including in the context of bankruptcy proceedings) etc., transfer of personal data may take place accordingly.

Compliance with laws

Based on or in the context of the provisions of applicable laws, legal proceedings, court proceedings, requests/orders of the competent authorities and other governmental entities (which may be inside or outside of the country where data subjects are domiciled), we may be obliged to disclose personal data. We may also disclose personal data where we deem it appropriate to do so in view of national security, law enforcement or other important social issues.

In addition, we may disclose personal data where we believe it reasonably necessary in good faith to do so in order to protect our rights and interests, seek any available relief, execute our internal rules, investigate wrongdoings, or protect our business or stakeholders.

Sharing or disclosing personal data as above may necessitate transfer of personal data outside the EEA. As a prerequisite for this, we ensure that the personal data to be transferred are adequately protected through measures that ensure an essentially equivalent level of protection.

4. Our records on personal data processing

When we process personal data, we process the recorded materials in accordance with GDPR (Article 30). We adhere to GDPR, and reflect in these recorded materials all the information necessary for cooperation with the competent authorities in accordance with Article 31 of GDPR.

5. Protection of personal data

  (1) Security
    We protect the personal data by implementing appropriate technical and organizational measures (including pseudonymization) that prevent the personal data from unauthorized, unlawful or accidental loss, destruction, corruption, alteration, leakage of, or access to personal data transmitted, stored or otherwise processed (GDPR Article 25, paragraph 1 and Article 32).
  (2) Processing likely to result in a high risk to the rights and freedoms of data subject
    Where we envisage a type of processing that is likely to result in a high risk to the rights and freedoms of the data subject, we carry out an assessment of the impact of the envisaged processing operations prior to the processing, and ensure that such processing operations are in compliance with the requirements of GDPR, or implement appropriate technical and organizational protection measures in order to continue such processing operations (GDPR Article 35). In case of any doubt, we consult the supervisory authority for advice and proposal prior to processing (GDPR Article 36).
  (3) Notification of a personal data breach to the supervisory authority
    In preparation for a security compromise that is likely to lead to unauthorized, unlawful or accidental loss, destruction, corruption, alteration, leakage of, or access to personal data transmitted, stored or otherwise processed (“personal data breach”), we have implemented the internal system and measures to screen, detect and assess the personal data breach. Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, we make necessary notification of the personal data breach to the competent supervisory authority and the affected data subject (GDPR Article 33 and 34).

6. Rights of data subjects

Data subjects shall have the right to obtain from us the update, the rectification, the deletion, the copies, the restriction or the prohibition of the processing of the personal data we retain. In addition, we inform the data subject of the vested rights in accordance with GDPR and other applicable legislation, in light of the characteristics of the personal data in question, when notifying the purposes of our personal data processing.

Please refer to the contact information in Section 9 below when data subjects intend to exercise the above-mentioned rights. If the data subjects are not satisfied with, or have any complaints on, our actions in response to their requests, they have the right to lodge a complaint with a supervisory authority.

7. About personal data of children

Where we process personal data of children below the age of 16 (where a Member State provides by law for a lower age, below such age), we properly collect and process the personal data in accordance with the applicable GDPR provisions by, among others, obtaining effective consent from the holder of parental responsibility over the child.

8. Amendments to this Policy

This policy does not constitute a contract between data subjects and us. Accordingly, we may amend this policy in order to comply with the applicable laws and regulations, or to adapt this policy to our business operations. All the amendments to this Policy become effective, without directly notifying data subjects, upon posting the amended Policy on this website. When we make amendments we consider important, we inform data subjects of such amendments to the extent feasible on this website; we may request consents from data subjects as the case may be.

9. Contact information

For any questions or requests on this Policy, please contact either of the following.

OUR JAPANESE HEADQUARTERS

For any queries, please contact privacyinquiry@mb.kyorin-pharm.co.jp, via phone at 81-3-3525-4703, or via regular mail at Kyorin Pharmaceutical Co., Ltd, Attn: Legal and Corporate Compliance, 4-6 Kanda-Surugadai, Chiyoda-ku, Tokyo 101-8311, Japan.

DATA PROTECTION OFFICER

We have appointed Huette Rechtsanwälte Partnerschaft mbB to act as our Data Protection Officer. For any queries, please contact kyorin-dpo@huette-legal.com, via phone at +49 69 24 75 612 10, or via regular mail at Huette Rechtsanwälte Partnerschaft mbB, Bethmannstraße 8, 60311 Frankfurt am Main, Germany.

EU REPRESENTATIVE

As we are based outside of the EU, Article 27 requires that we appoint an EU representative to handle certain data subject requests and queries. In compliance with this, we have appointed Data Protection Representative Limited, d.b.a. DataRep, to act as our representative. Any queries requiring the input of our representative should be directed as follows:

  • sending an email to DataRep at datarequest@datarep.com quoting <KYORIN Pharmaceuticals Co., Ltd.> in the subject line,
  • contacting on DataRep’s online webform at www.datarep.com/data-request, or
  • mailing your inquiry to DataRep at the most convenient of the addresses (refer here (DataRep, PDF/140KB)).

PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for ‘DataRep’ and not ‘KYORIN Pharmaceuticals Co., Ltd.’, or your inquiry may not reach DataRep. Please refer clearly to KYORIN Pharmaceuticals Co., Ltd. in your correspondence. On receiving your correspondence, we request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you. If you have any concerns over how DataRep will handle the personal data, please refer to its privacy notice at www.datarep.com/privacy-policy.