Effective date: 25 May 2018
SCOPE & AMEMDMENTS
This is a general statement on how we process personal data from external parties, including clients, consumers and business partners.
As far as relevant and appropriate, we will issue additional privacy statements in specific situations, which may change and/or supplement the information provided here.
This statement may be amended from time to time. When this happens, we will immediately issue an amended version including the changes in question.
DATA CONTROLLERS & CONTACT DETAILS
ALK and its entities (the complete list and contact details can be found here) are the joint data controllers. In general our local ALK offices are the first point of contact for involved parties in the region in question, also when they want to exercise their rights. However, these rights can be exercised for and against each data controller.
Primary contact details for your language/region: ALK Abelló BV ∙ Transistorstraat 25 ∙ 1322 CK Almere ∙ the Netherlands ∙ T +31 36 539 78 40 ∙ e-mail firstname.lastname@example.org.
The contact details of the ALK data protection officer(s) can be found here.
THE PERSONAL DATA WE PROCESS
In general we only process your data if this is necessary for our justified business purposes, if we are obliged to do so in accordance with legislation or when you choose voluntarily to provide your personal data to us.
We only process special category data, such as data about your health, if that is permitted under the relevant legislation or when you provide us with your express and informed consent. We do not consciously collect online data about children via our websites and apps and, in other situations, we only collect such data when these are relevant and appropriate in accordance with the relevant legislation. When we do this, we always involve the children’s parents or carers.
We must have a reason (‘purpose’) and a lawful basis to process your data. This concerns the following specific categories of data and relevant data:
- 1. Data that are necessary for the implementation of agreements with you (for example when you order our products, or sign a business agreement for the delivery or receipt of goods or services from or to us), such as contact details; identifiers that are relevant for the agreement; financial data; data about orders; shipment and delivery; data about the agreement and the performance parameters;
- Purpose: implementation of the agreement with you
- Lawful basis: implementation of the agreement with you
- Retention period: as long as the agreement is in force and for 2 years after this (this period can be extended, for instance in the event of a legal requirement or a legal claim).
- Data source: generally, data provided by you and via internal business processes.
- Obligation to provide data and consequences of not providing data: data that are necessary to implement an agreement include a condition for signing the agreement/placing an order and the receipt of delivery of the products and services in question.
- Data that are processed must comply with legal requirements, such as financial and tax data, relevant data about health, safety and employability, legislation to counter money laundering etc.
- Purpose: compliance with legal requirements
- Lawful basis: compliance with legal requirements
- Retention period: as long as required by the relevant legislation
- Data source: generally, data provided by you and via internal business processes.
- Obligation to provide data and the consequences of not providing data: you may be obliged, on the basis of certain legislation, to provide certain data such as your VAT or Chamber of Commerce number, and non-provision of these data can lead to ALK being unable to comply with legal requirements and to the consequences as determined by this legislation.
- Purpose: to manage our company in an efficient and secure way, including maintaining the security of data and of employees and patients, and safeguarding the good quality of products and services, direct marketing for ALK products or services that are comparable to those you have already purchased (you can always unsubscribe for this).
- Lawful basis: our legitimate interests
- Retention period: data are only retained for as long as these are relevant. Periodic reviews and internal retention policies apply to such data. In general, we retain business data up to two years after our last interaction.
- Data source: generally, these data are provided by you or via interactions with you and with business partners, if applicable.
- Obligation to provide data and consequences of not providing these data: usually data become available through interactions and business activities in which you are involved. In exceptional cases, you may be asked to provide certain data if there is a legitimate interest in requesting these data for our relevant business activities. In such situations you must be informed of any consequences.
You can always contact us for more information about how we aim to ensure a balance between our legitimate interests and your rights and freedoms.
- Data for which you give consent for processing eg. when you register for our newsletters or provide optional information via contact forms.
- Purpose: offer you the opportunity to share information and receive information or services that are tailored to your needs.
- Lawful basis: consent
- Retention period: data are only retained for as long as you wish or for as long as we consider these to be relevant based on the business situation or the service, whichever comes first
- Data source: generally, data provided directly by you.
- Obligation to provide data and consequences of not providing these data: you are not obliged to provide these data.
As far as possible we will provide you with more detailed information, such as the specific legislation in question and retention periods.
TO WHOM WE PROVIDE YOUR PERSONAL DATA (RECIPIENTS OF PERSONAL DATA)?
More detailed information about specific third parties and processors is given below, as far as is possible.
i. ALK EMPLOYEES & EXTERNAL PROCESSORS
The recipients of your personal data are employees of entities that are part of ALK Group and external processors who provide specific services and process personal data. They only receive your personal data when they need to have these data, are subject to a confidentiality obligation and have signed appropriate legal documentation in advance.
ii. INDEPENDENT THIRD PARTIES
If necessary, we may provide your personal data to independent third parties, including lawyers, government agencies or external auditors. In other situations, such as when engaging external parties for shipment or payment, you are involved in the process and you can, where possible, make choices about the transaction and method of payment.
iii. TRANSFER OF DATA FROM THE EU/EER TO THIRD COUNTRIES
When we share data from the EU/EER with a company or an ALK affiliated company in a third country, we apply contract provisions that meet EU standards, so that the receiving company is obliged to process personal data in an appropriate way, unless the country in which the company is active is already considered by the EU to be a country with a suitable level of data protection. More information about such provisions can be found here. If the transfer of data is necessary in other situations, we will inform you of the applicable specific compliance measures for the enforcement of EU law.
WHAT RIGHTS DO YOU HAVE?
If you wish to exercise a right, please contact us. Our contact details can be found at the start of this statement. You can also contact us in the same way as you did when you gave us your data and/or your consent. Under certain circumstances we can also provide you with access to your data, to change and download these, and to modify your privacy settings online via a secure connection.
WITHDRAWAL OF CONSENT
If you have given us consent to process your personal data for one or more purposes, you have the right at all times to withdraw your consent (without this influencing the legality of data processing that took place prior to the withdrawal of consent).
ACCESS AND RECTIFICATION
During the period in which we process your data, you have the right to access your data and have incorrect data corrected.
You are entitled to be provided with of a copy of your data. This will be provided in such a way that the rights and privacy of other persons are not infringed.
You also have the right to ask us for relevant information about the processing of your personal data.
When you have provided your data based on your consent or in connection with an agreement between you and our organisation, the right to portability of these data applies.
This means that you are entitled to receive these data in a portable format (in a structured, commonly used and machine readable format) and to transmit these to you or, if technically possible, directly to another data controller (an entity or person of your choice).
We would like to point out that the data will be provided in such a way that the rights and privacy of other persons are not infringed.
RIGHT TO OBJECT
If we process your data on the basis of our legitimate interests, you have the right to object to the processing of your personal data specifying the reasons that relate to your situation. You have the right to object without giving reasons if the data are used for direct marketing.
ERASURE (‘RIGHT TO BE FORGOTTEN’)
You can request to have your personal data erased and no longer processed. However, if we still need these data and/or are legally obliged to store these, the erasure of data may be postponed. In such cases, we will inform you of this and explain way the erasure is being postponed and when this will take place.
RIGHT TO RESTRICT PROCESSING
Instead of erasure, you can request a restriction of access to your data. Further processing of restricted data may only take place with your consent or for reasons stated in applicable legislation.
If it is not possible to restrict access because it is necessary for us and we are legally authorised or obliged to process the data, we will inform you of this and the reasons for this.
You will also be informed if the restriction may be lifted so that you can take further steps where necessary.
If you are dissatisfied about the way in which we handle your data, about the information that you receive or about another aspect with respect to the protection of your personal data, please contact us. You can also approach the ALK data protection officers directly.
THE RIGHT TO SUBMIT A COMPLAINT TO A SUPERVISORY AUTHORITY
If you are of the opinion that the processing of your personal data is an infringement of EU law, you have the right to submit a complaint to a supervisory authority in the EU member state in which you live, work or where the alleged infringement took place.
Each supervisory authority must have a website in the country’s official language on which everything is explained. Should you experience problems with obtaining this information, please contact us for assistance.
SAFETY & OUR VALUES
We take reasonable technical and organisational measures to protect your personal data and to safeguard that these data are processed in accordance with the applicable legislation and standards. We have various relevant internal policy memoranda, procedures and guidelines and we also ensure that we apply appropriate confidentially, processing and other agreements and provisions so that your data are protected as they should be.
We take privacy values extremely seriously and aim to ensure that your data are secure. If applicable you will receive specific information about risks and risk-limiting actions that we take. For more information, the ALK’S STATEMENT ON PRIVACY VALUES can be found here.
AUTOMATED DECISION-MAKING INCLUDING PROFILING
For effective business operations and delivery of high-quality products and services, we use various automated resources and classifications that are relevant for our business operations.
You are, however, not subject to decisions that are based exclusively on automated processing (including profiling) that effect your legal rights in any way.