(v1 July 2018)
The purpose of this policy is to provide any person (or ‘data subject’) in relation to whom ICEMVO holds personal data, with details of the information that we collect, how we process it and who we share it with. It also explains your rights under data protection law in relation to our processing of your data.
Certain key terms are used in this policy such as ‘personal data’, ‘processing’, ‘data protection law’ and these are defined in the Definitions section included at Annex 1.
This policy applies to ICEMVO’s employees, contractors and officers.
Who controls the use of your personal data?
Lyfjaauðkenni ehf. – The Icelandic Medicines Verification Organisation (ICEMVO), a company limited by guarantee), whose registered address is Kringlan 7, IS 103 Reykjavik, Iceland, is the company that controls and is responsible for personal data that is covered by this policy. ICEMVO is therefore a ‘data controller’.
Compliance with principles of data protection law
ICEMVO adheres to the principles of the data protection law and as a result, your personal data will be:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary;
- Accurate and up-to-date;
- Kept for no longer than is necessary for the specified purpose or purposes; and
- Processed in a manner that maintains the integrity and confidentiality of your data.
What personal data is collected?
The type of information that ICEMVO holds (in both paper or electronic format), where appropriate and permitted by law, includes personal details relating to you, such as your name, professional contacts, bank account details (if required for payments in performance of a contract) and related information. Additional personal information is held about employees and parties such as directors so that ICEMVO can comply with relevant contractual and/or statutory obligations.
Where do we collect your personal data?
Most of your personal data that we collect will be provided by you through your interactions with us. Certain personal information (name, job title, business email address, business address and/or mobile phone number) may be provided to ICEMVO by third parties (such as your employer) on your behalf for the purpose of contacting you about legitimate ICEMVO business. ICEMVO may also source personal data from publicly-available sources such as a company website, commercially published directory, etc.
Legal basis for processing your information
We process your personal data in order to provide you with our services and to assist us in the operation of our business. Under data protection law we are required to ensure that there is an appropriate basis for the processing of your personal data, and we are required to let you know what that basis is.
There are various options under data protection law, but the primary bases on which we process your personal data are:
- Performance of a contract or agreement with you – we collect and use your information primarily for the purpose of managing our working relationship with you, for example, in order to provide services, to arrange payment for the provision of your services or to collect payment for our services, to communicate with you, and otherwise to fulfil any contractual obligations owed to you.
- Where required by applicable law – ICEMVO may be required under local laws to maintain records that can include personal information, such as mandatory reporting, tax and accounting requirements. In particular, ICEMVO processes personal data relating to pharmaceutical manufacturers, marketing authorisation holders, wholesalers and persons authorised or entitled to supply medicines to the public, and other relevant parties, in order to fulfil its obligations under Commission Delegated Regulation (EU) 2016/161 of 2 October 2015 supplementing Directive 2001/83/EC of the European Parliament and of the Council by laying down detailed rules for the safety features appearing on the packaging of medicinal products for human use (and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in Iceland).
- To fulfil our legitimate business interests – ICEMVO also may process your personal data to pursue our legitimate business interests, which shall include planning for, conducting and monitoring the activities of ICEMVO, providing service information, etc.
- Where you have consented – for certain types of information, ICEMVO may rely on your consent to the use of such information. Our policy is to keep to the minimum necessary, any data where the basis for processing is your consent. In that event, you will have been asked for your explicit and specific consent, and you will be entitled to withdraw your consent at any time by contacting us using the contact details at the bottom of this policy. Please note that if you withdraw your consent we may not be able to continue providing you with the service to which the consent related.
ICEMVO will only use your information for the purposes for which it was collected, unless we reasonably consider that we need it for another purpose that is compatible with the original purpose. If we need to use your information for an unrelated but compatible purpose, we will notify you in advance of our use of your information and explain the legal basis for this. Note that we may process your information without your knowledge or consent where this is required or permitted by applicable law.
ICEMVO will not use your personal data for any marketing or promotional purposes.
Who do we share your personal data with?
You should be aware that in certain circumstances, ICEMVO may need to transfer or disclose your personal information to third parties, including service providers who render administration, technical and other support services to ICEMVO, but will only do so where it is consistent with the purposes outlined above.
ICEMVO will also disclose your personal information in response to a valid, legally compliant request by a competent authority or in response to a court order or otherwise in compliance with any applicable law, regulation, legal process or enforceable governmental request or other statutory requirement; to detect, prevent or otherwise address fraud, security or technical issues; or to protect against imminent harm to the rights, property or safety of ICEMVO, its employees, its members or the public, as required or permitted by law.
ICEMVO will ensure through contracts and data processing agreements that third parties with whom your personal data is shared, apply appropriate security measures to protect your data from loss, misuse and unauthorised access or disclosure.
Transfers outside of the European Economic Area (EEA)
ICEMVO does not transfer personal data outside the European Economic Area.
You have various rights under data protection law, subject to certain exemptions, in connection with our processing of your personal data:
- Right to access the data – You have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
- Right to rectification – You have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information, you may request that we update the information such that it is complete.
- Right to erasure – You have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the ‘right to be forgotten’.
- Right to restriction of processing or to object to processing – You have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
- Right to data portability – You have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine readable format.
- Right to complain – You have the right to lodge a complaint with the Data Protection Authority if you are unhappy with our processing of your personal data.
- Right to withdraw your consent – When we process your personal data on the basis of your consent, you are free to withdraw that consent at any time by contacting us using the contact details below. Please note that if you withdraw your consent we may not be able to continue providing you with the service to which the consent related.
In order to exercise any of these rights, please get in touch using the contact details set out below.
Changes to this policy
The provisions of this policy may be altered by ICEMVO from time to time. Any alteration or addition will be posted on our website at www.lyfjaaudkenni.is.
Queries and complaints
ICEMVO has not appointed a data protection officer, however, if you have any queries or complaints in connection with our processing of your personal data, you can get in touch with us using the following contact details:
- Post: ICEMVO Executive Director, Lyfjaauðkenni ehf, Kringlan 7, IS 103 Reykjavik, Iceland.
- E-Mail: firstname.lastname@example.org
Complaints may also be submitted to the Icelandic Data Protection Authority (see www.personuvernd.is):
◾Post: Persónuvernd, Raudarárstígur 10, IS 105 Reykjavik, Iceland.
◾Tel: + 354 510 9600.
Annex 1 – Key Definitions:
“Data Protection Authority” means Persónuvernd which is ICEMVO’s supervisory authority in the European Economic Area.
“data protection law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in Iceland and any successor legislation to the GDPR or the Data Protection Acts 77/2000.
“consent” of the data subject means any freely given, specific, informed an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her – such as a written/electronic statement or an oral statement.
“data controller” means the legal person or company who determines the purposes and means of the processing of personal data, e.g. ICEMVO.
“data processor” means a person or company who processes personal data on behalf of the data controller, e.g. ICEMVO’s payroll provider.
“data subject” means an identifiable natural person who is the subject of the personal data, e.g. an employee, an employee of an ICEMVO member organisation;
“personal data” means any information relating to an identified or identifiable natural person (data subject).
“processing” means any operation which is performed on personal data, where automated or not, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction.