DATA PROTECTION NOTICE
1. Introduction
The P.A.C. company, as a data controller in accordance with data protection regulations and as a provider of the services defined in the Agreement with P.A.C., is obliged to collect and use a variety of information about i individuals and companies in the context of our activities. Information collected includes customers, suppliers, employees and anyone else deemed necessary in the course of conducting business.
This policy exists to further reinforce the compliance displayed by P.A.C., showing good practices and processes in relation to data protection legislation. It will protect the rights of staff, customers and all other related parties whilst being transparent about how customer data is processed and retained. This policy should also protect P.A.C. against the risk of data breach.
P.A.C. will respect the general points below with regard to data processing:
Fair and lawful treatment
Obtained only for specific legal purposes
Be relevant, adequate and not excessive
Be kept up to date and accurate
Kept no longer than necessary
Maintained and managed in accordance with data protection rights and regulations
To be adequately protected
2. Scope of the policy
When referring to “P.A.C.", " PHARMA ASSETS CRE", "the Company" or "we" in the body of this policy document, includes all direct trade names, subsidiaries and affiliates, including but not limited to " P.A.C."
All personnel associated with any of the above entities or business names, volunteers, contractors, suppliers or anyone else acting on behalf of P.A.C. will be covered by this policy.
This policy encompasses the subject access request procedure, the data retention and destruction policy, the list of data retention periods and the data loss notification procedure, all detailed within.
It will cover any information or other data held on any identifiable customer. This includes: names, addresses, email addresses, telephone numbers, and any other information.
3. Subject access requests
In all cases, an individual will have the right to have their personal information deleted (forgotten) from our system. The only caveat to this is where it impacts P.A.C.in the provision or completion of any service for which the entity has been contracted.
All customers who have data stored by P.A.C. and its sister companies have the right to know what information the company holds about them, why it is held and how to access the data.
Each customer must be informed of how their data is kept up to date and how P.A.C. complies with its data obligations.
Requests for information of this type may be submitted to the Data Protection Officer (DPO) confirmed at “contact.pac.com”. The aim is to provide information on all requests within 14 days, but in exceptional circumstances this will not exceed 30 days. Please note that appropriate steps will be taken to confirm the identity of the applicant before providing any information. Once a request has been made, it is the responsibility of the Data Protection Officer (or if a Company Director is unavailable) to prepare the Subject Access Report.
The report must review all email communications and information held on the server regarding a customer. In addition, any documentation or paper files must be listed and the subject informed of the data it contains.
A report must be submitted within the above deadlines, which must include a list of all information held by the Company about the Customer and any relevant third parties with whom the information was shared.
The report must be reviewed, verified and signed by the DPO and at least one director of the company.
4. Data retention and destruction
In any case, the data will not be kept for longer than necessary and, if necessary, destroyed securely.
We are legally required to retain files and information throughout a continuous service period and for five years after a customer cancels the Company's services. Records that are no longer considered continuing clients are transferred to the archives section of our secure file storage area, retained and disposed of appropriately when no longer required. Once a client leaves, remaining documents, if any, are securely sent to the client. Documents kept securely by P.A.C. after cancellation of services are destroyed by means of shredding, as detailed below, once the tracking period has expired
In all cases, data must be destroyed appropriately. All elements of P.A.C. use approved shredding facilities to ensure data integrity. These bins are located in offices, are locked at all times with restricted access and are permitted to be shredded on site once a month. Unless otherwise stated in this policy, data will be retained by P.A.C. for a period of five years after the data has been classified as inactive. This is represented by the client or request no longer being considered active or in progress. This will be indicated by the cancellation of the services either by the customer, by any element of P.A.C., or by a request received deemed inactive to be more than one year old.
5.Data accuracy
In all cases, data should be kept in as few places as possible. Hard copies are stored in a secure location and CRM data and soft copies of files are kept on the secure server.
Alongside the regulations, a continuous review of all company files takes place based on a risk-based rating system. Depending on risk, data should be reviewed in a phased manner to ensure it is updated and inaccuracies are discovered and corrected.
Facilities are in place, through the general contact section of the website and a designated account manager, to easily and securely communicate any changes to a customer's data.
6. Customer Information Shared with Third-Party Vendors
P.A.C. does not share information with third parties in any way. The information may, however, be shared with a third party directly related to a service provided by a division of the company.
P.A.C. uses verified third parties for services not managed internally. These services include payment processing
A full detailed list of providers that apply to a customer's data is available on request from the Data Protection Officer.
7. Risks related to data protection
This policy aims to cover broader protection against the direct risks to which the company is generally exposed as follows:
Privacy violations
Failure to offer choice
Damage to Reputation
8. Data collection
P.A.C. collects a certain amount of data either by direct means, requested as part of the provision of any type of service within the company, or through standard commercial procedures. Our websites use cookie technology, which is a section of text that our servers place on your device to help improve the performance of our sites for our customers and visitors.
To meet our legal obligations as PSST and comply with current data protection regulations (GDPR), we collect certain information. This information will also be kept up to date and retained, but will be deleted/disposed of appropriately once it is no longer required.
No data collected should be unnecessarily logged or passed informally between employees.
When data is collected/obtained, the individual must be informed of the following:
P.A.C., in any of the forms listed above, is the overall data controller in all cases.
Why the data is obtained/collected. By which parties, internal or external, the data will be processed.
Any or all other relevant information that can be provided to add to the information relating to it should be provided.
In all cases, the customer has the right to a full and transparent explanation of why the data is collected and the intended use of the data in question.
The data must only be used for the purposes for which it was acquired.
The company will have high standards in all cases when it comes to data protection. Alongside the requirements as a PSCT, appropriate protection must be in place to prevent unauthorized access to information in any way.
In all cases, access to data should only be granted to employees who need it to carry out their duties.
P.A.C. will also ensure:
All departments conduct regular reviews of administrative and IT processes to ensure data security.
Reviews of this nature should apply to both data or employees, data samples should be taken by the DPO and updated annually as appropriate.
Examine the amount of data obtained regarding each department/job during the same period
All staff and the company as a whole will ensure that the data collected is useful and relevant to the service provided. Where data is not applicable, it should not be collected or destroyed if provided inadvertently by an individual.
As a service provider, we are legally required to retain files and personal information throughout a continuous service period and for five years after a customer cancels services with the company.
As soon as the appropriate retention period has expired, all data must be destroyed and/or made unusable.
In accordance with the legislation, P.A.C. has established a data request process on the subject, with additional information below. Requests can be directed to the DPO at “contact.mpi.com”
9. Employee and Prospective Employee Data
As part of the standard recruitment process, P.A.C. may collect CVs, personal information from online sources and social media, proof of identity/address and proof of qualifications where applicable. Once a position has been filled, personal information collected about an unsuccessful candidate is destroyed using external shredding facilities.
As a direct report, all of the above is collected where necessary and stored within the company in the safe located at the P.A.C. head office. As with all information, the company is required to retain the data for five years after it becomes inactive e.g. e.g., she stops working. Once this information is no longer required, it will be destroyed as above.
10. Internal processes
Although a general overview of staff responsibilities is discussed below, there are some relevant key positions:
Board of directors
Ultimately responsible for ensuring that P.A.C. complies with its legal obligations. All practicing directors must be considered representatives for the purposes of data protection legislation.
Data Protection Officer (DPO)
Responsible for keeping the Board of Directors informed of data protection regulations and renewing data protection procedures and related policies. Organize training and handle staff requests in this regard. Process requests from employees who wish to access data held by P.A.C. about them – called “subject access requests”.
IT Department
Ensure systems, services and equipment meet acceptable data storage standards. P.A.C. regularly performs checks and updates to confirm that all security software and hardware are working properly. Evaluating any third-party data storage provider.
Sales department
Review of any data protection declaration attached to any communication. Respond to requests for information on data protection from the media, etc. Assist in implementing marketing initiatives as necessary, working with other employees to ensure compliance.
Staff
In all cases, staff must undergo comprehensive training in accordance with this policy and their assigned role. Staff will not be permitted to process information subject to the Data Regulation Policy until they have completed full training.
11. Consent
Once information has been provided to P.A.C. with appropriate consent, marketing materials of legitimate interest, including related products or services as originally requested, may be sent. If a customer does not wish to receive these materials, they can simply click the “unsubscribe” link in any email or communication. Please note, we do not consider subscription to be cancellation of services – this must be communicated separately.
Where appropriate consent has not been obtained through a web portal, customers may be asked by telephone whether they wish to receive marketing materials, offers and other content from P.A.C. before they are sent.
In all cases, a customer or potential customer will not be contacted with marketing materials, etc. when consent due to being classified as a permanent or professional client, legitimate interest in the services or direct authorization cannot be established.
12. Data storage
Questions regarding data storage security can be directed to the DPO or IT Manager, as appropriate.
Paper copy
The data collected in paper format will be stored in a secure location with access limited to employees who need it as part of their duties only and the room will be locked when access is not required.
When documents/files are not needed, they are stored in locked/secure areas.
Where applicable, documents containing any type of customer information should be disposed of using approved shredding services.
Electronic data
Electronic data is secured and maintained by our external IT partners and further information on how this data is managed is available upon request.
Internal policies are also in place to ensure security is maintained when handled by employees.
13. Use of data
Computers with access to personal data; Each employee must ensure that screens are properly locked before leaving machines unattended.
Personal data should not be shared informally. Where applicable, data must be encrypted before being transferred electronically.
14. Filing a complaint
If a customer has any concerns about the use of their information, a staff member may be notified in person and by telephone or email. All complaints or concerns will be fully investigated and reviewed. We simply ask that as much information as possible be provided to enable us to resolve the complaint as quickly as possible.
15. Internal communication
All staff communicate internally via email services provided by our IT Support Services. Where avoidable customer information should not be shared via email and under no circumstances should information of a sensitive nature be sent in this manner.