Our Company strives to conduct its business in accordance with our privacy values because we believe they demonstrate our unwavering commitment to ethical and responsible practices. We recognize that innovation and new technology drive continual change in risks, expectations and laws, so we follow privacy accountability standards and aim to promptly adapt how we apply them in response to those changes.
This Policy defines our standards for management and protection of Personal Information by or on behalf of our company that directly or indirectly originates from any country in the European Economic Area (“EEA”), Switzerland and is transferred to any other country, including transfers between the EEA. It applies to our operations in every country, to every activity involving information about people that we conduct in every subsidiary and every division (including by any successors to our business), including, but not limited to our research, manufacturing, commercial, corporate support and the data transfers necessary to carry out those activities, including, but not limited to:
- Research and Manufacturing: ; initiating, managing and financing research studies; evaluating and engaging researchers, scientific and ethics committee members and business partners to support our research studies and the development of our products; research study recruitment; evaluating the safety, efficacy and quality of our investigational and marketed products; meeting our product safety and product quality obligations, including handling and reporting adverse events and product quality complaints; filing for approval and registering our products with health regulatory authorities; and complying with associated legal, regulatory or ethical requirements;
- Commercial: evaluating the markets for our products; advertising, marketing, selling, distributing and delivering our products; communicating and engaging with customers and other end users of our products, sponsoring and conducting events; evaluating and engaging business partners to support our commercial activities; and complying with associated legal, regulatory or ethical requirements;
- Corporate Support: recruiting, hiring, managing, developing, communicating with, and compensating employees; administering benefits for employees and their dependents; conducting employee performance and talent reviews; providing training and other learning and development programs; conducting employee disciplinary and grievance proceedings; managing ethics and privacy concerns and conducting investigations; managing and securing our physical and virtual assets and infrastructure; procuring and paying for goods and services; meeting our environmental, health and safety and other corporate responsibility commitments; engaging with the media; and complying with associated legal, regulatory or ethical requirements.
This Policy also applies to all people about whom we process information, including, but not limited to, customers; prospective, current and former employees and their dependents, ethics committee members, business partners, investors and shareholders, government officials, and other stakeholders.
All Company Employees and Senior Leaders have core privacy responsibilities they must uphold.
We recognize that inadvertent errors and misjudgments related to protection of information about people can create privacy risks for individuals and reputational, operational, financial and compliance risks for our Company. Every employee of our company, and others who process information about people for our company, is accountable for understanding and upholding their obligations under this Policy and applicable Laws.
Our Privacy Values and Standards
We uphold our privacy values in everything we do involving people including how we apply our privacy standards. Our four privacy values include:
We recognize that privacy concerns often relate to the essence of who we are, how we view the world and how we define ourselves, so we strive to respect the perspectives and interests of individuals and communities and to be fair and transparent in how we use and share information about them.
We know that trust is vital to our success, so we strive to build and preserve the trust of our customers, employees, patients and other stakeholders in how we respect privacy and protect information about people.
We understand that misuse of information about people can create both tangible and intangible harms for individuals, so we seek to prevent physical, financial, reputational and other types of privacy harms to individuals.
We have learned that laws and regulations cannot always keep pace with the rapid change in technologies, data flows, and associated shifts in privacy risks and expectations, so we strive to comply with both the spirit and letter of privacy and data protection laws and regulations in a manner that drives consistency and operating efficiency for our global business operations.
1. We embed our privacy standards into all activities, processes, technologies and relationships with third parties that use Personal Information. We design privacy controls into our processes and technologies that are consistent with our privacy values and standards and applicable law. Our 8 privacy principles set forth below summarize our privacy standards and core requirements for processes, activities and their supporting technologies at a high level.
|Privacy Principle||Our Core Commitments|
|1. Necessity – Prior to collecting, using, or sharing Personal Information, we define and document the specific, legitimate business purposes for which it is needed.||
|2. Fairness – We don’t process Personal Information in ways that are unfair to the people to whom those data relate.||
|3. Transparency – We don’t process Personal Information in ways or for purposes that are not transparent.||
|4. Purpose Limitation –We only use Personal Information in accordance with the Necessity and Transparency principles.||
|5. Data Quality – We keep Personal Information accurate, complete and current consistent with its intended use.||
|6. Security – We implement safeguards to protect Personal Information and Sensitive Information from loss, misuse, and unauthorized access, disclosure, alteration or destruction.||
|7. Data Transfer – We are responsible for and we preserve the privacy protections for Personal Information when it is transferred to or from other organizations or across country borders.||(1) We only transfer Personal Information to or allow it to be processed by third parties if the following requirements are met and we are liable for ensuring that the third parties we engage meet these requirements:
(2) We transfer Personal Information across country borders by or on behalf of our company in accordance with this Policy. We will apply this Policy to transfers of Personal Information from any other country or territory with a law that restricts the transfer of Personal Information.
|8. Legally Permissible – We only process Personal Information if the requirements of applicable laws have been met.||
2. We will promptly address individual rights requests to access, amend, correct or delete Personal Information or to object to the processing of Personal Information about them.
- Access, Correction and Deletion – Under the Greek Laws individuals have a right to access Personal Information about themselves, and to amend, correct or delete Personal Information that is inaccurate, incomplete or outdated. We will honor all requests to access, correct and delete Personal Information from all individuals. If a request for access, correction or deletion is governed by an applicable Law that provides greater protection to individuals, we will ensure that the additional requirements of that Law are met.
- Choice – Consistent with our privacy values of “Respect” and “Trust,” we honor individual requests to object to Personal Information processing, including, but not limited to opting out of programs or activities in which they previously agreed to participate, processing of Personal Information about them for direct marketing communications, communications targeted to them based on Personal Information about them, and any evaluation of or decisions about them, which has the potential to significantly affect them, made by use of automation or algorithms.
- Except where prohibited by Law, we may deny the choice where a particular choice request would impede our company in its ability to: (1) comply with a Law or an ethical obligation including where we are required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, (2) investigate, make or defend legal claims, and (3) perform contracts, administer relationships, or engage in other permitted business activities that are consistent with the Transparency and Purpose Limitation principles and were entered into in reliance on the information about people in question. Within fifteen business days of any decision to deny a choice request in accordance with this Policy, we will document and communicate the decision to the requestor.
3. We will promptly respond to and escalate all privacy-related questions, complaints, concerns and any potential Privacy Incident or Security Incident.
- Any individual about whom we processes Personal Information within the scope of this Policy can raise a question, complaint or concern to our company at any time, including a request for a list of all subsidiaries of our company that are subject to this Policy. We expect that our employees, and others who work on behalf of our company, provide prompt notice if they have a reason to believe that an applicable Law may prevent them from complying with this Policy. Any question, complaint or concern raised by an Individual, or any notice provided by an employee or any other person who works on behalf of our company, should be directed to the company
- By e-mail to: firstname.lastname@example.org
- For complaints that cannot be resolved between our company and the individual who raised the complaint, our company has agreed to participate in the following dispute resolution procedures in the investigation and resolution of complaints to resolve disputes pursuant to this Policy, however, at any time, individuals resident in the EEA or individuals about whom Personal Information is subject to the data protection Law of the EEA and transferred outside of the EEA,
- All individuals residing in the EEA, or individuals about whom Personal Information is subject to the data protection Law of the EEA and transferred outside of the EEA, about whom information is processed pursuant to this Policy have the right under this Policy, at any time, to enforce the requirements of this Policy as third party beneficiaries, including the right to bring a judicial action to seek remedies for breach of his or her rights under this Policy and the right to receive an award for damages resulting from such breach. Individuals residing in the EEA or individuals about whom Personal Information is subject to the data protection Law of the EEA and transferred outside of the EEA (for the sake of clarity, including to the USA), may bring a claim under this Policy, against Systems Sunlight SA
- In the courts or with the data protection authority in the EEA country from which Personal Information about them was transferred, or
- In the courts of Greece or with the Hellenic Data Protection Authority.
- Our company will respond to the individual or entity that raised the question, complaint or concern to our company within thirty (30) calendar days unless a Law or the third party requestor requires a response in a shorter period of time or unless circumstances require a longer time period, in which case the individual or third party requestor will be notified in writing.
Terms You Need to Know
- Anonymized. The alteration, truncation, obliteration or other redaction or modification of Personal Information so as to render it incapable of being used to identify, locate or contact an individual.
- Law. All applicable laws, rules, regulations, and orders of opinions having the force of law in any country in which our company operates or in which Personal Information is processed by or on behalf of our company
- Our company. Systems Sunlight SA, its successors, subsidiaries and divisions, excluding joint ventures to which our company is a party.
- Personal information. Any data about an identified or identifiable individual, including data that identifies an individual or that could be used to identify, locate, track, or contact an individual. Personal information includes both directly identifiable information such as a name, identification number or unique job title, and indirectly identifiable information such as date of birth, unique mobile or wearable device identifier, telephone number as well as key-coded data.
- Privacy incident. A violation or breach of this Policy or a privacy or data protection law, and includes a Security Incident. Determinations of whether a privacy incident has occurred and whether it is material shall be made by the Data Protection Officer and the Legal/Compliance Department .
- Processing. Performing any operation or set of operations on information about people, whether or not by automatic means, including, but not limited to, collecting, recording, organization, storage, access, adaptation, alteration, retrieval, consultation, use, evaluation, analysis, reporting, sharing, disclosure, and dissemination, transmission, making available, alignment, combination, blocking, deleting, erasure or destruction.
- Security incident. Access by or our company’s reasonable belief of any access or use by, or any disclosure by or to, an unauthorized person to Personal Information. Access to Personal Information by or on behalf of our company without the intent to violate this Policy does not constitute a Security Incident, provide that the Personal Information accessed is further used and disclosed solely as permitted by this Policy.
- Sensitive information. Any type of information about people that carries an inherent risk of potential harm to individuals, including information defined by law as sensitive, including, but not limited to information related to health, genetics, race, ethnic origin, religion, political or philosophical opinions or beliefs, criminal history, precise geo-location information, bank or other financial account numbers, government-issued identification numbers, children who are minors, sex life, trade union affiliation, insurance, social security and other employer or government-issued benefits.
- Third party. Any legal entity, association or person that is not owned by our company, or in which our company does not have a controlling interest, or who is not employed by our company. Except as expressly set forth in this Policy, no subsidiary or division of our company shall be required to meet the requirements of a third party under this policy as all subsidiaries or divisions are required to process information about people in accordance with this Policy, including in circumstances where one of our company subsidiaries supports one or more other subsidiaries of our company in the processing.
Changes to this Policy
This Policy may be amended from time to time, consistent with the requirements of applicable Law