”Personal Data” refers to personally identifiable information about you, such as for example your name, personal identification number, address, phone number, e-mail address and other contact information together with any other information which is linked directly or indirectly to you.
”Services” means any services provided by Galenica to you or any other stakeholder, including without limitation all services related to a search or consultancy assignment or similar.
Purposes and lawful bases of our processing
Below, we describe the main purposes for us handling your Personal Data, please note that this list is not exhaustive, and we may provide you with supplementary information (e.g., if you partake in a specific project). Under each section, we have specified which lawful bases we support our purpose with.
We have summarized the lawful bases which we may utilize below. Please consult Regulation (EU) 2016/679 (N.B., abbreviated title) the “GDPR” for a comprehensive description of each lawful basis:
- Contract – Our Processing of Personal Data is necessary to conclude or complete an agreement entered with you and/or the entity you represent.
- Compliance with legal or regulatory requirements – Where we are required to handle your Personal Data due to a legal or regulatory obligation.
- Legitimate interest – A processing activity where we have assessed that your interests, rights, and freedoms do not outweigh our interest, or that of a third party.
- Consent – Processes of Personal Data where you have given your consent, and which you may revoke at any time.
- Establishment, exercise or defence of legal claims – a lawful basis relied on when we handle any special (sensitive) categories of data in situations where processing is required to bring a claim or defend against a claim in court, such as in civil litigation or an administrative procedure.
If you want to become or are a client or customer to us, we may come to collect your name, address, telephone number, email address, and payment information, as to be able to interact with you, and to provide you and your organisation with our Services.
- Lawful bases: Contract, Consent or Legitimate Interest
Information and marketing of our activities
We may process your Personal Data such as name and contact details when we seek to inform you or market our Services to you.
- Lawful bases: Contract, Consent or Legitimate Interest
Compliance with legal and regulatory obligations
As with any company, we may need to handle your Personal Data, such as your name and payment information when administering our accounting and ensuring that we adhere to applicable bookkeeping laws.
Some of our Services require us to collect Personal Information regarding your health, as we may be subject to mandatory medicinal and/or pharmaceutical laws, by which we e.g., are required to illustrate that we have taken the necessary safety precautions and/or correctly documented eventual test results.
- Lawful bases: Compliance with legal or regulatory requirements
Protecting our legal interests
We may handle your Personal Data to establish, exercise, or defend our legal interests. E.g., in the event of a dispute.
- Lawful bases: Legitimate Interest and/or the establishment, exercise or defence of legal claims.
Our collection or receival of Personal Data
From you directly
Your actions may cause us to process your Personal Data, as your data may be provided by you by many means of communication, e.g. through our website galenica.se, by submitting us written material, or when being in direct contact with us, or through your interactions with our various partners from time to time. This collection also occurs when you communicate with us by e-mail, phone, regular mail, or any other form of communication such as social media.
From third parties
As a way of operating and run our services as a services firm, we might also collect Personal Data available on the internet, e.g., social media, from sources and through contacts with other individuals such as references provided by you.
We may also manage your Personal Data when we collect such Data from private or public registers e.g., from authorities.
We normally do not transfer your Personal Data to another country outside the EU or EEA. However, due to the nature of your activities and/or relationship with us, it may be necessary to transfer Personal Data to such a country.
Such transfers will always be executed in a safe and legal way. We will not transfer your Personal Data to an external party outside the EU or EEA without, prior to the transfer, having entered into an agreement or having ensured that the country is approved by the European Commission.
Alternatively, we will ensure that appropriate safeguards are in place between us as data exporter and the third country data importer. Such appropriate safeguards are, subject to the transfer itself, constituted of us having entered into an agreement containing either contractual clauses or standard contractual clauses which are binding between us and the third country data importer and in accordance with the relevant provisions of the GDPR and other applicable data protection provisions. A copy of such standard contractual clauses can be found here.
We may also employ an approved code of conduct in accordance with art. 40 GDPR and the requirements set out in art. 46.2 (e) GDPR or utilize an approved certification mechanism pursuant to article 42 GDPR in accordance with the requirements set out in art. 46.2 (f) GDPR.
In specific situations where neither an adequacy decision nor any of the above appropriate safeguards are applicable for such a transfer, we may also conduct a third country data transfer in accordance with an applicable derogation as stated within art. 49 of the GDPR. If such derogations are actualized for a specific transfer, we may inform you further about this separately.
If you would like to know more about the requirements on transfers of Personal Data to a country outside the EU or the EEA with support of the European Commission’s decision on standard clauses for the transfer of Personal Data to controllers or processors established in so-called third countries you can read more here.
The specific retention period of Personal Data shall be determined by considering the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the Personal Data, and whether we can achieve these purposes through other means.
Upon expiration of the retention period, Galenica shall securely delete or anonymize the Personal Data in accordance with industry standards and applicable laws.
Please note that our retention periods may be prolonged if the Personal Data is required to be kept for a longer period to comply with a legal obligation or to defend against legal claims.
On our website galenica.se we utilize cookies, which in some instances may qualify as Personal Data. For more details on our cookies, please see our cookie-policy on the website www.galenica.se.
Galenica is responsible for all Personal Data (see definition below), which we are processing as a firm. We are fully committed to the privacy of any information provided to us by you.
We have relevant systems in place to prevent unauthorised access or disclosure of your Personal Data and we continuously train our personnel in the management of Personal Data. This Policy outlines our current practices as regards Personal Data gathered by us from you directly and/or through third parties.
Rights you may have regarding our handling of your Personal Data
In accordance with the provisions of the GDPR, as well as related privacy legislation, you may depending on the circumstances have rights regarding our handling of your Personal Data which you may exercise. Please note that these rights may be limited in some circumstances by applicable law. If you wish to exercise any of these rights, or have any questions, please see our contact details below.
You may have the right to:
- Access: access and receive a copy of your Personal Data that we hold.
- Correction: request correction of any inaccuracies in your Personal Data.
- Deletion: request deletion of your Personal Data under certain circumstances.
- Portability: receive a copy of your Personal Data in a commonly used format and the right to transmit this data to another controller.
- Objection: object to the processing of your Personal Data for certain purposes.
- Restriction: request the restriction of the processing of your Personal Data under certain circumstances.
- Automated decision-making: not to be subject to a decision based solely on automated processing of your Personal Data, including profiling, unless this is necessary for entering into, or the performance of, a contract between you and us, or you have given your explicit consent thereto.
If you have any concerns about the way in which your Personal Data is being processed by our organization, you have the right to make a complaint to the relevant supervisory authority. The supervisory authority in Sweden is Integritetsskyddsmyndigheten, IMY.
Please note that making a complaint to the supervisory authority is a separate process from any complaint that you may make to our organization directly. Before making a complaint to the supervisory authority, we encourage you to contact us first to try to resolve any issues that you may have with the processing of your Personal Data.
IMY’s contact details:
Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden
Phone: +46 (0)8 657 61 00 // Email: email@example.com // Website: https://www.imy.se/en/
Our contact details
For questions and/or other matters related to your Personal Data held by us, please contact our firstname.lastname@example.org.
We always strive to improve the way we interact with our stakeholders, and therefore encourage you to reach out to anyone of us with feedback on how we could further improve the way we handle and manage your Personal Data.
[Policy last updated 1st of march 2023]