Corporate Privacy Notice for EEA, UK, and Switzerland
Last Updated: February 6, 2020
This Corporate Privacy Notice for EEA, UK, and Switzerland (“Notice”) applies to most of the personal data collected by Arena from people in the European Economic Area, the United Kingdom, and Switzerland (“personal data”) in the course of conducting our general business operations. There are four main exceptions:
- This Notice does not apply to personal data collected via the www.arenapharm.com website (the “Website”), for which we have a separate Privacy Statement that is available here.
- This Notice does not apply to personal data that we obtain in connection with clinical studies sponsored by Arena in Europe. Clinical trial participants (and their parents or guardians, if applicable) will have received a separate notice concerning their personal data. If you have any concerns about our processing of personal data in connection with a clinical trial, please see the data protection notice provided as part of the clinical trial intake process, as that notice will contain important information and a designated contact person for concerns–but you can always contact us using the contact information provided below.
- This Notice does not apply if you have received (directly or through our service providers or collaborators) a separate notice concerning our use of your personal data. This may occur when we need to provide a separate notice to meet the requirements of specific laws or when required by generally accepted good practices in the pharmaceutical industry.
- This Notice does not apply to the personal data of our employees, which are governed by Arena’s internal European Data Protection Policy, available to our employees on Arena’s SharePoint site.
The processing of personal data is governed by the EU’s General Data Protection Regulation (“GDPR”) and Swiss data privacy laws.
The GDPR and Swiss law require us to provide certain information concerning our processing of personal data.
Names and contact details of data controllers
Arena Pharmaceuticals, Inc.
Joint controller for
from the EEA and the UK:
Joint controller for
Arena Pharmaceuticals, Inc.
|Arena Pharmaceuticals Limited
70 Sir John Rogerson's Quay
Dublin 2, D02 R296, Ireland
Arena Pharmaceuticals Development
DATA PROTECTION OFFICER
Our Data Protection Officer can be contacted at email@example.com or by post at Arena Pharmaceuticals, Inc. Attn: Data
Protection Officer, 6154 Nancy Ridge Drive, San Diego, California 92121, USA
PURPOSES OF THE PROCESSING
We may use your personal data to:
- Contact you
- Respond to your comments and questions
- Consider you as a clinical investigator, advisor or other contractor
- Enter into, or take steps to enter into, a contract with you or your employer or business
- Perform our contracts with you or your employer or business
- Make payments to you
- Process your application if you apply for a job with us (other than via the Website)
- Comply with our legal and regulatory obligations including pharmaceutical quality and safety data reporting obligations
LAWFUL BASIS FOR THE PROCESSING
Generally, we process personal data on the basis that the processing is necessary for purposes of our legitimate interest in conducting our business in a manner typical in the US pharmaceutical industry, having taken into account any risks to your fundamental rights and freedoms (including your right to privacy). Our legitimate interests include general legal compliance, product development, commercialization of approved therapeutic products and devices, promoting our company, educating the public about diseases of interest to the company, and the routine operation of our business.
We also may process personal data on other bases permitted by the GDPR and other applicable laws, such as when the processing is necessary for us to:
- Comply with our legal obligations under European Union, Member State or Swiss law (as when we process personal data for purposes of complying with pharmaceutical quality and safety data reporting obligations)
- Enter into or perform a contract with you
- Protect your vital interests or those of another person
When we process sensitive (also known as “special category”) personal data, we do so on the basis of a further condition under Article 9 of the GDPR. Typically, the condition will be that the processing is necessary for reasons of public interest in the area of public health (as when we process personal data to purposes of complying with pharmaceutical quality and safety data reporting obligations).There may be instances where we process sensitive personal data under this Notice because it is necessary for scientific research purposes, subject to the safeguard for that kind of processing set out in the GDPR. (As noted above, our processing of sensitive personal data in connection with clinical trials is governed by a separate data protection notice that is provided to the clinical trial participant prior to enrollment, as part of the enrollment process required by the relevant clinical trial regulations.)
THE CATEGORIES OF PERSONAL DATA CONCERNED
We may process the following categories of personal data, as appropriate for the relevant processing activity:
THE RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA
We may share your personal data with:
- Our subsidiaries, joint ventures, or other companies under a common control (“Affiliates”), in which case we will require our Affiliates to honor this Privacy Notice
- Our service providers under appropriate contractual restrictions
- Companies or individuals who advise us or collaborate with us in connection with the development or commercialization of our pharmaceutical products
- Third parties in connection with or during negotiation of any merger, financing, acquisition or dissolution, transaction or proceeding involving sale, transfer, divestiture, or disclosure of all or a portion of our business or assets. In the event of an insolvency, bankruptcy, or receivership, personal data may also be transferred as a business asset. If another company acquires our company, business, or assets, that company will possess the personal data collected by us and will assume the rights and obligations regarding your personal data as described in this Notice
- Relevant authorities, or other recipients as required in litigation, if Arena believes in good faith that such disclosure is necessary (i) in connection with any legal investigation; (ii) to comply with relevant regulatory requirements and laws, such as laws requiring the disclosure of payments made to healthcare providers, (iii) to respond to subpoenas or warrants served on Arena; (iv) to protect or defend the rights or property of Arena; or (v) to investigate or assist in preventing any violation or potential violation of the law
INFORMATION REGARDING THE TRANSFERS OF PERSONAL DATA OUTSIDE OF THE EUROPEAN ECONOMIC AREA (EEA), THE UNITED KINGDOM (UK), AND SWITZERLAND
Arena Pharmaceuticals, Inc. (headquartered in the USA) has entered into the controller-to-controller Standard Contractual Clauses with our Irish affiliate, Arena Pharmaceuticals Limited, with respect to EEA and UK personal data, and our Swiss affiliate, Arena Pharmaceuticals Development GmbH, with respect to Swiss personal data. A copy of the relevant Standard Contractual Clauses is available upon request by e-mailing firstname.lastname@example.org.
THE PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED, OR THE CRITERIA FOR DETERMINING THE RETENTION PERIOD
How long we retain personal data varies according to the type of data in question and the purpose for which it is used. Certain laws may require us to store personal data for specified periods. We delete personal data within a reasonable period after we no longer need to use it for the purpose for which it was collected or for any subsequent purpose that is compatible with the original purpose. This does not affect your right to request that we delete your personal data before the end of its retention period. We may archive personal data (which means storing it in inactive files) for a certain period prior to its final deletion, as part of our ordinary business continuity procedures.
YOUR RIGHTS TO ACCESS, CORRECT, RESTRICT, OR DELETE YOUR PERSONAL DATA AND OBJECT TO PROCESSING
You have the right to request access to your personal data, to have your personal data corrected, restricted or deleted, and to object to our processing of your personal data. If any of our processing is based on your consent, you have the right to withdraw your consent (which will not affect the lawfulness of our processing based on your consent prior to its withdrawal). The GDPR’s data portability rights usually will not be relevant to the kinds of processing that we do, but if we are processing your information via automated means, on the basis of your consent or necessity to enter into or perform a contract, you may request that we give you or your designated recipient a copy of the personal data that you provided to us. Your rights may be subject to various limitations under the GDPR. If you wish to exercise any of these rights, or if you have any concerns about our processing of your personal data, please contact us in any of the ways listed above.
THE RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
You have the right to file a complaint concerning our processing of your personal data with your national (or in some countries, regional) data protection authority. The EU Commission has a list here.
STATUTORY OR CONTRACTUAL REQUIREMENT OR OTHER OBLIGATION TO PROVIDE ANY PERSONAL DATA
Individuals usually are under no statutory or contractual requirement or other obligation to provide personal data to us. However, health care providers may be required by applicable laws to provide certain information to us in the course of making a product quality complaint or reporting an adverse event (and we expect that health care providers will already be familiar with the laws applicable to them). Also, if a health care provider or other individual has entered into a contract with us, that contract will state whether there is any obligation to provide personal data to us (for example, to comply with laws relating to transparency in dealings between health care providers and pharmaceutical companies).
CHANGES TO THIS NOTICE
This Notice may be amended from time to time for any reason. Generally, we will notify you of any changes to this Notice by posting a new Notice on this page as indicated by changing the “Last updated” date above. However, if we intend to process your personal data for a purpose other than the purposes for which it was initially collected, we will take appropriate steps to contact you first and notify you of the new purpose.