Information from The Danish Medicines Verification Organisation ApS to Marketing Authorization Holders (MAHs) in connection with the EU General Data Protection Regulation
In May 2018 a new EU-regulation regarding the protection of personal data comes into effect, known as the General Data Protection Regulation (GDPR). At the Danish Medicines Verification Organisation ApS (DMVO) we have of course acquainted ourselves thoroughly with the legislation and the requirements of the law for us.
Among other things, this means that DMVO must meet the enhanced requirements in the GDPR in regards to informing data subjects about the collection, storage, and use of data. This applies, even though it only concerns data related to the professional work of the MAHs.
What types of data does DMVO process
DMVO stores and processes the data necessary to live up to our purpose: to establish, administer and operate a national data storage system in accordance with the requirements of EU legislation. This concerns data about contact persons and authorized signatories at MAHs in Denmark.
The processing concerns personal data including name, title, work related contact information, company, whether the person in question is authorized signatory, login information related to our contract management system, as well as data related to the invoicing of fees.
What is the purpose of DMVO’s data processing
The purpose of DMVO is to establish, administer and operate a national data storage system in accordance with the requirements of EU legislation. We store and process data for this statutory purpose. In connection with this, we process data amongst other things to enter into contracts with MAHs, assign secure access to our contract management system, administer this system, and handle communication with data subjects. Furthermore, we can process data as part of our duty to enable the competent authority to keep control etc.
We are obliged to implement and maintain security precautions that can protect data, i.e. prevent unauthorized access to IT systems (hacking), prevent the receipt or distribution of malware, block denial-of-service attacks etc. Should a security breach happen despite this, we can be obliged to report it to the authorities and the affected data subjects.
Data must also be stored in order for us to provide the authorities and other official inspection bodies with the necessary information if they wish to carry out inspections or inquiries.
We must also store and process data, to ensure availability should a dispute with data subjects or third parties arise.
The legal basis for collection, processing and disclosure of data in DMVO
Our collection, processing and disclosure of data must be consistent with the GDPR. Therefore, DMVO has had a legal analysis done, to ensure that we have a legal basis for the use of data to comply with a legal obligation, as well as legitimate additional interests.
Our legal basis is that the processing is necessary for compliance with a legal obligation to which we are subject. The legal obligation is found in the EU regulation (EU/2016/161) which lays down detailed rules for the safety features appearing on the packaging of medicinal products for human use and the establishment of the repositories system in connection with this as well as the Danish Medicines Act (cf. EU directive 2011/62/EU).
Referring to this, amongst other things MAHs shall ensure that a repositories system is established and administered and that a number of items of information related to the medicinal products of the MAHs are uploaded in the repositories system. We must likewise ensure that we can grant access to the repository and to the information contained therein, to competent authorities, e.g. in case of inspections or investigations of potential incidents of falsification.
In addition to this, part of the data about MAHs that DMVO processes is necessary for the purpose of legitimate interests pursued by us. To ensure a balance of interests, we apply the principles that:
- Data is limited to what is strictly necessary to carry out the purposes of DMVO.
- DMVO is a non-profit organization that processes data with the purpose of establishing, administering, and operating a national data storage system in accordance with the requirements of EU legislation.
- The data relates to the professional work of the data subject and not the data subject as a private individual.
- MAHs have an interest in the processing of their data for the purpose of i.a. correctly signing an agreement and handling communication with the data subjects in this relation as part of observing the legal requirements of the EU-regulation.
- Furthermore, we place emphasis on our legitimate interest in securing data with all the necessary security measures and being able to communicate and cooperate with the data subject and the relevant public authorities.
- Finally, we have placed emphasis on our legitimate interest in determining and defending legal rights and invoking them in relation to any disputes that might arise.
What are DMVO’s data sources
Personal data is collected from MAHs and may be supplemented with data from the organization of the MAH in question.
Who can process data
DMVO can make use of one or more data processors. Typically, these are companies that process data on behalf of the DMVO. DMVO uses Danish Pharmaceutical Information A/S (Dansk Lægemiddel Information, DLI) and The Danish Association of the Pharmaceutical Industry (Lægemiddelindustriforeningen, Lif) in Denmark and their subcontractors as data processors in regards to IT-operation and –security as well as invoicing. Furthermore, DMVO uses an IT-system supplier and legal consultant in regards to contract formation, as well as selected consultants and their subcontractors who assist us with the operation of DMVO.
Transfers to third countries
We or our data processors do not currently transfer personal data to countries outside the EU/EEA as part of our processing activities, but reserve the option of doing so in the future. If transfers outside the EU/EEA will take place in the future, DMVO must ensure that we inform data subjects about it.
How long is data stored
DMVO retains the stated personal data as long as needed to fulfil the stated purposes mentioned above, to comply with the legal obligations to which we are subject, and to attend to the relation to the MAHs. In addition we retain personal data in relation to expiry of statutory limitations on criminal liability and liability for damages (absolute time limits), if relevant.
What are your rights in regards to your personal data
As the data subject you have certain rights within statutory limitations. E.g., you have the right to access personal data stored about you as an MAH. You have the right to rectification of inaccurate data. You have the right to data erasure, i.a. if data is processed against regulations or is no longer necessary for the stated purposes. You have the right to object to processing of your personal data. Finally, you have the right to complain to a competent supervisory authority, including the Danish Data Protection Agency. However, you should be aware that according to the GDPR we are only bound to meet such requests on certain conditions.
Who is the Data Controller
The Danish Medicines Verification Organisation ApS, Lersø Park Allé 101, 2100 København Ø
 Delegated regulation (EU) 2016/161 of 2 October 2015.
Separate objection text regarding legitimate interest
Version: 1.0, Date: May 2018
You have the right, for reasons that concern your special situation, to object to processing of personal data where the lawful basis is legitimate interest. The data controller may subsequently no longer process your personal data, unless the data controller proves weighty lawful reasons for processing that take precedence over your interests, fundamental rights or freedoms, or the processing is necessary to determine, defend and/or invoke legal rights.