close menu
X

Anfarm Hellas S.A. - Main Section

Anfarm Hellas S.A. - Main Component

Privacy Policy

PRIVACY POLICY AND GDPR COMPLIANCE

The present Privacy Policy has been drafted by ANFARM HELLAS SA (herein after ANFARM, or we/ us), an EU GMP Pharmaceuticals’ Manufacturer located in Gerakas area, Attica, Greece, 53-57 Perikleous str., tel. 210 6831632, email: dpo@anfarm.com. ANFARM operates in Europe and third countries since 1967, providing services of manufacturing generic pharmaceuticals with an extended export activity worldwide, through licensing, direct exports and as a third party manufacturer. It has been certified according to ISO 9001 standards, since 2008.
This Privacy Policy outlines ANFARM’s general policy and practices for complying - among others - with the applicable EU General Data Protection Regulation 2016/679 (GDPR), including the types of personal data we process, the reasons and the legal basis for that processing, the technical and security measures that we apply and the rights that individuals have under GDPR. This Privacy Policy applies to all personal information (as these are defined under the GDPR) of natural persons received by our Company, whether in electronic or paper format.

Notice


ANFARM shall inform individuals of the purpose for which it collects and uses their personal data and the types of third parties to which it may disclose that information. ANFARM shall provide individuals with the choice and means for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal information to ANFARM, or as soon as practicable thereafter, and in any event before ANFARM uses or discloses the information for a purpose other than for which it was originally collected.
ANFARM may not need to furnish notice where the processing in question is necessary to respond to a government inquiry; is required / authorized by applicable laws, court orders or government regulations; or is necessary to protect ANFARM legal interests.

1. Types of personal data that ANFARM processes, purposes and legal basis of processing


1.1. ANFARM endeavors to use personal data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the Individual. We are taking reasonable steps designed to ensure that only Personal Information that is relevant to its intended use, accurate, complete, current, and otherwise reliable in relation to the purposes for which the information was obtained, is used by ANFARM.
1.2. ANFARM will only process sensitive personal information about individuals as required or authorized by the law, as well as in case the individual affirmatively and explicitly consents to the processing (“opt-in”).

1.3. More specifically, we may process data mainly in the course of our following services:

a) Employee and Human Resource data
1. ANFARM collects personal information from applicants to open positions within ANFARM, including private contact details, professional qualifications and previous employment history, necessary to reach to employment decisions. Once employed, ANFARM collects information on staff for human resource, performance, payroll and tax purposes. Various ANFARM internal systems will collect and record employee information consistent with standard business operations. ANFARM may process similar information relating to consultants contracted on a freelance basis.
2. ANFARM may also collect and transfer the CVs of its employees or partners to competent authorities and/or its contractual partners, in cases this is mandated by standard legal procedures and/or according to an existing contract between ANFARM and the said partner (e.g. CV of Qualified Person Responsible For Pharmacovigilance-EU QPPV).
3. ANFARM may also keep Employee Training Records, containing their personal information, experience, position and training details, which Records employees should ensure are being regularly updated.
4. Lastly, for security reasons and due to our awareness of the sensitive nature of certain processes within our company, in commonly used spaces and in storage rooms, at commonly used areas of our premises in Athens, as well as in our company’s factory, we have installed security cameras systems (CCTV). We ensure that any recording within the offices of our company is not directed to any of our employee’s office/working space. All our employees are officially informed of this security measure and of the processing of some of their personal data that may arise thereof, which does not aim to the recording of their performance.

b) Web visitors
1. ANFARM may collect named information about visitors of its website, www.anfarm.com, when they fill our on-line contact form. For example, we may collect information where a client addresses to us a request on a ANFARM’s service, a health care professional is interested in collaborating with us, someone wants to apply for a vacant position with ANFARM, or when someone wants to participate in training events that ANFARM may organize.
2. Moreover, through the use of cookies, ANFARM may collect various data linked to the virtual identities of visitors who access our website. More specifically, our website, www.anfarm.com, uses cookies to improve and optimize your experience as a user. Cookies are small text files that are placed on your computer, smartphone or other device when you access the internet. We use cookies to: a) Ensure that web pages can function properly, and b) Collect anonymous statistical information, such as which sections you have visited, and how long you have been in our environment. You may modify and / or block the installation of cookies sent by the website of ANFARM, however, the quality of the operation of the services may be affected.
3. Moreover, Google Analytics uses "Cookies", to help the website to analyze users' use of the website. Information generated by Cookies about your use of the website (including your IP address) will be directly transmitted and stored by Google on servers in the United States. Google will use this information on our behalf for the purpose of keeping track of your use of the website, compiling reports of website activity and providing other services related to website activity and Internet use. Google may transfer such information to third parties when required by law, or when such third parties process the information on behalf of Google. Google will not associate your IP address with any other data available to Google. You may refuse to treat data or information by refusing to use Cookies by selecting the appropriate settings from your browser.

c) Pharmacovigilance
1. Pharmacovigilance (PV) is an activity contributing to the protection of patients’ and public health. Each Marketing Authorization Holder (MAH) has to establish an appropriate pharmacovigilance system for the collection, evaluation and notification of safety information relevant to the risk-benefit balance of medicinal products of its responsibility. ANFARM, when operating as a MAH, has contractually assigned (outsourced) the conduct of all the functions of the Pharmacovigilance System to external partners, who are strictly contractually bound to comply with the legal PV provisions as well as with the applicable data protection laws.
2. According to the applicable EU legislation the MAHs should collect as much information as possible on the suspected drug-related adverse events. Thus, the PV data that our partners may collect and process on the behalf of ANFARM, may include information that identifies the patient and the reporter, such as contact details, age, weight, height, ethnic origin and health status/medical history.

d) Regulatory Affairs
ANFARM’s Regulatory Affairs Department may collect- among others- contact details of our partners legal representatives (such as name/surname, e-mail address), solemn declarations containing some personal information of our contractual partners’ legal representatives that we are obliged to acquire according to the law for certain procedures, CVs of clinical experts.

e) Quality Unit
In addition to a comprehensive internal quality assurance program, we provide –among others-QA services to our clients, as a part of either a full-service or a stand-alone project. These include but are not limited to: System audits, in which we assess SOPs, staff training program(s) and procedures, pre-inspection checks to help the sites to prepare for regulatory inspections.

2. Transfer of Data

2.1. We do not and will not sell, rent out or trade your personal information. We will only disclose (transfer, share, send, or otherwise make available or accessible) your personal information to third parties in the ways set out in this Policy.
2.2. ANFARM may disclose individuals’ personal information to a third party or use it for a purpose other than the purpose for which it was originally collected, only if the individual consents to such further processing and in any case as mandated by the relevant legal provisions.
2.3. ANFARM may share individuals’ personal information with its employees, agents, contractors, clients or partners in connection to services that they perform for, or with, ANFARM. We shall ensure that any third party to which personal information may be disclosed subscribes to the principles set hereby and is subject to applicable legal framework (including GDPR), providing the same level of privacy protection as is required by these principles and agree in writing to provide an adequate level of privacy protection.
2.4. In some cases, ANFARM may disclose personal information if required to do so by law, if disclosure is required to be made to law enforcement authorities, if we believe disclosure is necessary or appropriate to prevent vital individual’s interests (e.g. from physical harm) or in connection with an investigation of suspected or actual illegal activity.
2.5. ANFARM may also transfer personal information in the event we sell or transfer all or a portion of our business or assets.

3. Security measures


3.1. ANFARM operates in compliance with strict and detailed policies and procedures and employs reasonable physical, electronic, managerial and technical procedures to safeguard and secure any personal information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Applied information security management helps us not only to grow, innovate and expand our services, as well as identify the risks related to these information, and to put in place appropriate controls to mitigate and manage the risk thereof. Moreover, we shall destroy or restrict personal information we have obtained, once we no longer require it for our business purposes, or as required by law.
3.2. To get quality as an outcome, all our procedures are planned, executed, evaluated, reviewed and upgraded according to the highest standards. We implement Privacy and Quality by Design and by Default, as a holistic systems-based approach to the design, development and delivery of services to our clients. We operate under Standard Operating Procedures and we have been certified according to ISO 9001 standards, since 2008.
3.3. More specifically, ANFARM operates a local network domain at its Athens premises, controlled by two Windows Domain Controllers. External network perimeter is established and secured by a contemporary firewall with application control capabilities. Local switching is done on four managed Ethernet switches. Wireless access is provided by two access points with wireless protection authorization and encryption. Operational service provisioning is provided by a total of six servers in different roles. A high-capacity system provides uninterruptible power to both the computer room and Desktop computers throughout the building. All equipment has current support contracts provided either by the respective manufacturer, the vendor or an IT support company. The Servers, the Router and Firewall, the Switches and the Backup system are in a secure Computer Room with A/C and Temperature meter.
3.4. Moreover, we train all personnel meticulously and we expect them to follow the principle of strict compliance with all ethical and legal requirements. Violations of the law are not tolerated in our company.
3.5. Paper format files storage and protection: ANFARM needs to store and process some necessary files (such as contracts, consent forms, invoices etc) containing personal information in hard-copy versions. All such paper-formatted files are filed based on each of our company’s department and are stored in specially designed storage rooms within the premises of our Athens based company. These rooms are locked and access is only granted to personnel at a need-to-know basis. Also, safety measures in the event of fire are implemented, including fire-fighting equipment. Our offices are supplied with shredders, in order to eliminate the possibility of unauthorized access to files containing personal data.
3.6. Electronic Filing and Storage: Some of your personal information will be stored in the database of our company’s website and/or of our company’s server. There is one leased fiber connection line to access the internet via a router and a Watchguard firewall device which separates the local network from the Internet and prevents unauthorized access.
We apply scaled access to files saved at our network containing personal data, and especially personal data of special categories. More specifically, data is stored in separate data servers for every facility of our company, whereby access is granted only after supervisor’s permission. According to that, Virtual Privacy Network (VPN) secure connections are being established through the WatchGuard firewall using company's and personal VPN passwords to our employees and/or partners, with specific rights for each user and only on a need-to-know basis.
Centrally-controlled cloud Anti-malware software is running on all PCs and Servers which is updated in a constant (multiple times per day) basis.
3.7. Recovery and Back-up Procedures: Each server has a mirror disk-set for redundancy and availability (RAID-1). The Domain Controllers offer clustered DNS and DHCP services for the internal network, so in case of a server failure the network will continue to operate. All equipment is connected to UPS power in case the A/C mains power fails. Backup is running every night. A notification mail is being sent in case of backup failure to a certain person to alarm that the backup has been unsuccessful.
3.8. General Controls: Also, controls are implemented on workstations (automatic locking, regular updates, configuration, physical security, etc.) to reduce the possibility to exploit software properties (operating systems, business applications etc.) to adversely affect personal data.
3.9. Email: The data sent to us via email is protected through the Simple Mail Transfer Protocol (SMTP). Our SMTP servers are protected by a TLS security protocol (SSL), meaning that email is encrypted using 256-bit SHA-2 encryption before being sent over the Internet. The content of the email is decrypted by our local computers and devices.
3.10. Incident response plan: We have a privacy incident response program designed to promptly respond to and escalate all privacy-related questions, complaints, concerns, including any potential privacy or security breach incident.

4. Individuals’ rights


4.1. Upon request, and as required by law, ANFARM will provide to the individuals access to their personal information and allow them to correct, amend or delete inaccurate information, except where the rights of other persons would be violated, legal provisions prohibit it and in any case in accordance to the relevant provisions of GDPR. Individuals, moreover, have the right to address to the Greek Data Protection Authority, if they believe that any of their rights thereof are being violated.
4.2. ANFARM reserves the right to charge in some cases a reasonable fee to cover costs for providing copies of Personal Information requested by Individuals, especially when justified by their volume.
4.3. ANFARM, when not acting as a study sponsor/marketing authorization holder, has no direct relationship with medical research subjects and any such Individuals who seek access, or who seek to correct, amend, or delete their Personal Information should direct his or her query to the relevant study sponsor or investigator, which has only transferred such Personal Information to ANFARM for processing according to their agreement.

5. Data retention


5.1. We will not retain data longer than necessary to fulfil the purposes for which it was collected, according to our contractual arrangements, or as required by applicable laws and regulations.
5.2. The information you provide to us may be archived or stored periodically by us, according to backup processes and will only be retained for as long as is it required for the purposes for which it was collected, unless the law requires us to hold your personal information for a longer period, or delete it sooner, or unless you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law.
5.3. Namely, regarding pharmacovigilance, according to the provisions of “Commission Implementing Regulation (EU) No 520/2012 on the performance of pharmacovigilance activities provided for in Regulation (EC) No 726/2004 of the European Parliament and of the Council and Directive 2001/83/EC of the European Parliament and of the Council” and articles 12 and 16 thereof: “Marketing authorization holders shall arrange for the elements referred to in Article 2 (the pharmacovigilance system master file) to be kept for at least five years after the system as described in the pharmacovigilance system master file has been formally terminated by the marketing authorization holder. Pharmacovigilance data and documents relating to individual authorized medicinal products shall be retained as long as the product is authorized and for at least 10 years after the marketing authorization has ceased to exist. However, the documents shall be retained for a longer period where Union law or national law so requires.”.
5.4. According to Direction no 1/2011 of the National Data Protection Authority, data logs of the security cameras system shall be stored for a specified time, according to the purpose for which they are processed. Unless otherwise provided by law, or unless it is necessary for the investigation of a security breach incident, such files are being destroyed every 15 working days.

6. Our commitment to children's privacy


6.1. Protecting the privacy of children is especially important for us. For that reason, we do not intend to collect or maintain information at our Website from those we know are under 16 years of age, and no part of our Website is structured to attract anyone under 16.
6.2. Also, in cases we need to collect and process personal data of children under 18 years old, we only do that after obtaining explicit consent from their parents or legal guardians (e.g. for the collection of their data in the context of pharmacovigilance).


7. Compliance - Inquiries, Complaints and Requests to Exercise Rights


ANFARM uses an assessment approach, by an expert legal and IT team, to assure compliance with this privacy policy and periodically verifies that the policy is accurate, comprehensive and in conformity with the legal principles.
We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of personal information in accordance with this policy and GDPR. Communications, queries or requests to exercise informational rights (e.g., access to data) or complaints can be addressed to our company’s address or emailed at dpo@anfarm.com, to the attention of our company’s Data Protection Officer, mr. Dimitrios Zervos.
Within the EU, individuals have the right in law to complain about how their information is handled to the supervisory authority that is responsible for regulating compliance with the Regulation. A list of all EU supervisory authorities is available on the European Commission website: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.

8. Amendments


This privacy policy may be amended from time to time consistent with the requirements of the GDPR. We will post any revised policy on this website.