Obligations to provide information in pharmacovigilance

Information on data protection according to Art. 13 of the GDPR (General Data Protection Regulation)

With the following information, we would like to inform you about the types of personal data we process in the context of pharmacovigilance and what purposes we use this data for.

The monitoring of adverse reactions or events (side effects) associated with the use of medicinal products is called pharmacovigilance. The statutory pharmacovigilance obligations relate to our medicinal products for human and animal use. Similar regulations exist for our medical devices and cosmetics. We therefore use the term pharmacovigilance hereinafter for the products stated above (Heel products).

In light of this, we need to process information that enables direct or indirect identification of a natural person ("personal data"), patient and/or the reporter of an adverse event that is brought to our attention.

Under certain circumstances, we must report these adverse events to the competent supervisory authorities.


I. Name and contact details of the controller and their representative

Biologische Heilmittel Heel GmbH („Heel“)

Dr.-Reckeweg-Str. 2-4

76532 Baden-Baden

Ralph Schmidt (Chairman)

Marc Deschler

Phone: 07221/ 501- 00

Fax: 07221/ 501- 210

Email: info@heel.com


II. Contact details of the Data Protection Officer

Biologische Heilmittel Heel GmbH

Data Protection Officer

Dr.-Reckeweg-Str. 2-4

76532 Baden-Baden

Email: dataprotection@heel.com


III. Handling of adverse events related to Heel products as part of pharmacovigilance management

We are required by law to collect, evaluate and, if necessary, report adverse events and other information relevant to pharmacovigilance to the corresponding authorities.

We use the data for the following purposes:

• To investigate the adverse event.

• To contact you, if necessary, to clarify any questions.

• To compare the information you provided with other adverse events reported to us.

• To submit the required information to the competent supervisory authorities.

We process the following types of personal data for these purposes:


1. About patients:

• Name (In relation to the identity of the patient, the notification to the authorities will only contain the patient’s initials and never the patient’s name.)

• Gender

• Date of birth/age

• State of health/medical history

• Details of the adverse event

• Information on the products used (Heel products and others)


2. About reporters:

• Name

• Contact details (telephone number, address, email, etc.)

• Profession-related data (e.g. medical specialist information)

• Relationship to the patient concerned

The legal basis for processing your personal data is the fulfilment of our legal obligations or the safeguarding of our legitimate interests, which consist, in particular, of ensuring high safety and quality standards of our products (Art. 9 Para. 2 Letter i of the GDPR, Art. 6 Para. 1 Letter c of the GDPR/Art. 6 Para. 1 Letter f of the GDPR in conjunction with Art. 22 Para. 1 Letter c BDSG (FDPA [Federal Data Protection Act]).

The personal data we collect will only be stored for as long as is necessary to achieve the purpose for which the data was collected. Pharmacovigilance data and records for the medicinal products or medical devices concerned are kept based on legal obligations for as long as the product has marketing authorisation and for at least 10 years after the expiry of the marketing authorisation/registration/notification.


IV. Forwarding of personal data

Your personal data are only forwarded if this is permitted based on the consideration of interests or we are legally obliged to forward these.

To fulfil our statutory pharmacovigilance obligations, we may forward personal data to the following recipients or categories of recipients:

  • EU subsidiaries of Heel and internal departments (e.g. Medicine Department).
  • Third party processing
    We sometimes use external IT service providers that provide IT plat-forms for the processing of personal data in terms of third party processing according to Art. 28 of the GDPR. These service providers have been carefully selected by us and are bound by our instructions.
  • Sales partners and, if applicable, other companies (within the EU/EEA), who are our co-distribution, co-sales, or other license partners of Heel where pharmacovigilance obligations for a Heel product require such an exchange of safety information.
  • Legal successor in the event that a therapeutic sector or a specific product is sold, relinquished, transferred or taken over by a third party. In which case we would require the third party to process personal data in line with applicable data protection laws.
  • Competent authorities.

If required, we publish information about adverse events (e.g. in case studies and summaries).
In such cases, we remove identifiers from any publication to keep the identity of individuals private.

Data may be transferred to third countries (outside of the EU/EEA) due to fulfilment of legal reporting obligations to the following recipients or categories of recipients:

  • Subsidiaries of Heel that are based in a third country
  • Sales partners and, if required, other companies (based in a third country) acting as co-distribution, co-sales or other licensing partners of Heel, provided that the pharmacovigilance obligations for a heel product require such an exchange of safety information.
  • Competent authorities.


V. Rights of data subjects

If we process personal data, data subjects have the following rights:

• Art. 15 of the GDPR Right of access
Right of access to your personal data that is stored by us.

• Art. 16 DS-GVO of the GDPR Right to rectification
Right to rectification of your personal data that is inaccurate.

• Art. 17 DS-GVO of the GDPR Right to erasure
Erasure of your personal data provided that no statutory retention periods exist.

• Art. 18 DS-GVO of the GDPR Right to restriction of processing
If certain conditions are met, you have the right to restriction of processing of your personal data and these will not be processed further.

• Art. 20 DS-GVO of the GDPR Right to data portability
Right to data portability of your personal data that you provided to us.

Please note, however, that these rights may be limited to meet our legal obligations. Your rights may not apply in full if there is a legal basis for the processing of your personal data (for example, information collected as part of adverse event reporting cannot be erased unless it is incorrect).

There is no automated decision-making including profiling according to Art. 22 Para. 1 and 4 of the GDPR.

Furthermore, data subjects have the right to lodge a complaint with a supervisory authority.