Date of effectiveness: 25th of May, 2018
SCOPE & CHANGES
This is a general notice about how we process personal data of external data subjects, such as that for clients, consumers, and business partners.
Where relevant and appropriate, we will provide additional privacy notices in specific situations which may modify and/or supplement the information given here.
This notice may be updated from time to time, when this happens we will promptly provide an updated version which includes the relevant changes.
CONTROLLERS OF PERSONAL DATA & CONTACT DETAILS
ALK and its entities (the full list and contact details are available here) are joint controllers of personal data. As a general rule, our local ALK affiliates are the primary contact points for data subjects in the given region, also when individuals exercise their rights. Such rights can be, however, exercised in respect of and against each of the controllers.
Primary contact details for your language/region is: email@example.com.
The contact details of ALK Data Protection Officer(s), are available here.
PERSONAL DATA WE PROCESS
In general, we only process your data if they are needed for our legitimate business purposes, we are required to do so by relevant laws, or when you choose to voluntarily provide it.
We will only process sensitive data, such as health data, if authorised by relevant laws or if you provide explicit and informed consent. We do not knowingly collect online data about children through our websites and apps, and in other situations, we only collect such data when it is relevant and appropriate under relevant laws. In cases where we do so, we always involve the children’s parents or guardians.
We need a reason (‘purpose’) and a legal basis in order to process your data. Specific types of data and relevant details are as follows:
- Data necessary for the performance of the contracts with you (e.g., when you order our products or sign a business contract where you provide us or receive from us products or services) such as your contact details; contract relevant identifiers; financial payment details; order, shipment and delivery details; details of the contract and its performance parameters;
- Purpose: performance of the contract with you
- Legal basis: performance of the contract with you
- Retention period: as long as the contract is in force and for 2 years thereafter (the period may be extended, e.g., in case of a legal requirement or legal action)
- Source of data: typically data are obtained from you and via internal business processes
- Requirement to provide data and consequences of not providing: the data necessary for the performance of a contract are a condition for entering into the contract/placing an order, and receiving or providing relevant products and services.
- Data required to be processed to comply with legal requirements, such as financial tax data, relevant health, safety and working capacity data, anti-money laundering laws etc.
- Purpose: compliance with legal requirements
- Legal basis: compliance with legal requirements
- Retention period: as long as required by relevant laws
- Source of data: typically data are obtained from you and via internal business processes
- Requirement to provide data and consequences of not providing: you might be required to provide some data, such as your tax number, under relevant laws, and failure to provide such data may result in ALK’s inability to meet legal requirements and may result in consequences as per the relevant laws.
- Purpose: conducting our business in an efficient and secure way, including maintaining the security of data and of employees and patients, and ensuring an appropriate quality of products and services, direct marketing of similar ALK products or services to the ones you already purchase (you may always opt-out)
- Legal basis: our legitimate interests
- Retention period: data will be kept only for as long as relevant, and will be subject to periodical reviews and internal retention rules. Typically we will keep business data for a period of two years after our last interaction
- Source of data: data are typically obtained from you and interactions with you and with business partners, as appropriate
- Requirement to provide data and consequences of not providing: in most cases data are available through interactions and business activities you are involved in. On rare occasions you might be asked to provide some data, if it is justified to require such data for the purpose of relevant business activities. In such situations any applicable consequences, if any, will need to be communicated to you as appropriate
You can contact us at any time to obtain additional information about how we maintain balance our legitimate interests and your rights and freedoms.
- Data you consent to be processed,g., when you subscribe to our newsletter(s) or provide optional information when using contact forms
- Purpose: providing you with an ability to share information, and to receive information or services tailored to your needs
- Legal basis: consent
- Retention period: data will be kept only for as long as you wish, or as long as we feel is relevant in the context of the business situation or service, whichever is sooner
- Source of data: data are usually obtained from you directly
- Requirement to provide data and consequences of not providing: you are not required to provide the data.
Where possible, we will also make available to you more details, as about specific, relevant laws and retention periods.
WHO WILL WE DISCLOSE YOUR PERSONAL DATA TO (RECIPIENTS OF PERSONAL DATA)?
Where possible we will provide you with more details about specific third parties and processors.
- ALK’S EMPLOYEES & EXTERNAL PROCESSORS
The recipients of your personal data will be employees of entities belonging to the ALK Group and external processors providing specific services and processing personal data on our behalf. They will receive your personal data only on a ‘need-to-know’ basis, being subject to the obligations of confidentiality and after signing appropriate legal documents.
- INDEPENDENT THIRD PARTIES
When needed, we may disclose your personal data to independent third parties, such as attorneys, public authorities or third party auditors. In other situations, such as when using external shipment or payment providers, you will be involved in the process and where relevant, be offered choices about the transaction or payment method.
- TRANSFERS OF DATA FROM EU/EEA TO THIRD COUNTRIES
If we share data from EU/EEA with a company or ALK affiliate in a third country, we will apply contractual clauses that match EU standards so that the receiving company must handle personal data appropriately, unless the country where the country operates is already deemed by the EU to offer an adequate level of data protection. More information about such clauses is available here. If data transfers are needed in other situations, we will inform you about the specific compliance measures that are in place to enforce EU law.
WHAT ARE YOUR RIGHTS?
If you wish to exercise any of your rights, please contact us using the contact details provided at the beginning of this notice or contact us the same way as when you provided your data and/or consent. In some situations, we will also be able to give you access to modify and download your data and to adjust your privacy preferences online via a secure connection.
If you have given consent to the processing of your personal data for one or more purposes, you are entitled to withdraw your consent at any time (without affecting the lawfulness of any data processing that took place before the withdrawal of consent).
ACCESS AND RECTIFICATION
Throughout the period when we are processing your data, you may access your data, as well as have inaccurate data corrected.
You are entitled to obtain a copy of your data, which will be provided to you in such a way as to respect the rights and privacy of other persons.
You are also entitled to ask us to provide you with any relevant details concerning the processing of your personal data.
Where based on your consent or as a result of a contract between you and our organisation, you have provided us with your data, such data are subject to the right of data portability.
This means that you are entitled to receive such data in a portable format (in a structured, commonly used and machine-readable format) and to have such data transferred to you or, when technically feasible, directly to another controller of your data (an entity or person of your choice).
Please note, that the data will be provided to you in such a way as to respect the rights and privacy of other persons.
THE RIGHT TO OBJECT
Whenever we process your data based on legitimate interests, you can object to the processing of your personal data by giving reasons relating to your situation. You can object without giving any reasons, when data is used for direct marketing purposes.
ERASURE (‘RIGHT TO BE FORGOTTEN’)
You may ask for your personal data to be deleted and no longer processed. However, if we still need and/or are legally required to keep such information, deletion of such data may be postponed. In such situations, you will be informed and told the reason for the postponement, and when the deletion will actually take place.
RESTRICTION OF PROCESSING
As an alternative to erasure, you may ask to have access to your data restricted. Further processing of restricted data may take place only with your consent or for reasons provided by applicable law(s).
If restriction of access is not possible, because we need to and are legally authorised or required to process the data, you will be informed and told the reasons why.
You will also be informed when the restriction is due to be lifted, so you can take any further action as necessary.
If you are not satisfied with the way your data is handled, with the information you receive, or with any other aspect relating to the protection of your personal data, please contact us. You may also reach out directly to ALK’s Data Protection Officer(s).
THE RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
If you believe that the processing of your personal data infringes EU law, you are entitled to lodge complaints with a supervisory authority in the EU Member State where you live, work or where the alleged infringement took place.
Each such authority should have a website available in its official language where all necessary details are explained. If you would have any problem in obtaining such information, please contact us to ask for assistance.
SECURITY & OUR VALUES
We take reasonable technical and organisational measures to protect your personal data and to ensure that such data is processed in accordance with applicable laws and standards. We have a number of relevant internal policies, procedures, and guidelines and we also make sure that we have appropriate non-disclosure, data processing and other appropriate agreements and provisions in place, so that your data is adequately protected.
We cherish privacy values and want to make sure your data is safe and, where appropriate, you will receive specific information about risks and any risk-mitigating actions that we take. To find out more, please read the ALK PRIVACY VALUES STATEMENT, which is available here.
AUTOMATED DECISION MAKING, INCLUDING PROFILING
In order to conduct our business effectively and provide high-quality products and services, we use a number of automatic tools and classifications that are relevant to the conduct of our business.
However, you will not be subject to any decisions based solely on automated processing (including profiling), which would affect your legal rights in any way.