Policy - Acarpia Farmaceutica

Thank you for deciding to share with Acarpia Farmaceutici S.r.l. the potential problems encountered in the
use of one of our medicines.
If you are not the interested party, this information is provided to you on the assumption that you are
entitled to communicate the issues in question on behalf of the interested party, in accordance with the
provisions of Regulation (EU) 2016/679 – also known as “GDPR” – and we inform you of the following.
Subject of the Policy
Acarpia Farmaceutici S.r.l. Srl with registered office in Via Saluzzo, 100 – 10126 TORINO [P.IVA
11607280010](hereinafter “Controller”), acting as Data Controller, informs you that it will process personal
data provided by you – both identifying (eg name, surname, address, telephone, email etc.) and pertinent to
your state of health (hereinafter “Data”).
Use of Data
The Data Controller informs you that your data will be processed for the following purposes:
• to fulfil the pharmacovigilance obligations placed on us by the Italian and European legislation for the
safety and efficacy of medicines. This legislation requires us to transmit to the competent health authorities
information on possible adverse reactions resulting from the use or exposure to one of our medicines.
• to fulfil requests made by the competent health authorities;
• with reference only to contact data, to contact you if it is necessary to obtain additional information
regarding your state of health after use or exposure to one of our medicines or to respond to your further
requests;
• where necessary, to ascertain, exercise or defend a legal or administrative right.
The processing of data for the aforementioned purposes will take place without your express consent when
necessary to fulfil legal obligations pursuant to Articles 6, c. 1, lett. c) and 9, c. 2, lett. b) of the GDPR or to
pursue the legitimate interests of the Data Controller, pursuant to Articles 6, c. 1, lett. f) and 9, c. 2, lett. f)
of the GDPR.
Data processing methods
• The processing of your data will be carried out by means of the operations indicated in Art. 4 no. 2) GDPR
and precisely: collection, registration, organisation, structuring, storage, consultation, processing,
modification, selection, extraction, comparison, use, interconnection, communication, cancellation and
destruction of data.
• Your personal data may undergo a pseudonymisation (separate storage of personal data identified by
personal data relating to state of health).
• Data processing can be both paper and electronic.
• Your data will be stored in protected mode and accessible only to authorised personnel with logic strictly
related to the purposes for which the data was collected and in any case, eligible to guarantee its
confidentiality and security as required by Art. 32 of the GDPR.

Recipients or categories of recipients
• Your data will be processed by subjects (employees or third parties) who operate in the field of
pharmacovigilance for our company and who have been specifically appointed, authorised and instructed
to process your data for the purposes and with the methods provided by this Policy.
• Your data will be processed by the company Proge Medica Srl with a registered office in Largo Donegani
4/a, 28100 Novara, Fiscal Code and VAT Number 01728220037, acting as the External Data Processing
Manager appointed by the Data Controller, for the sole purposes set out in this Policy.
• If used to ascertain, exercise or defend a legal or administrative right, your data will also be
communicated to consultants, doctors, experts, insurers and to those who require the data within the
context of the proceedings or any consequent obligations.
Transfer of data to third party countries
• Transfers of your Data to third party countries may occur, even to non-EU countries, for the purposes of
pharmacovigilance described above.
• Your data will be processed on servers located in Italy, of the Controller and/or third-party companies
appointed and duly appointed as data processors. In any case, it is understood that the Controller, if
necessary, will have the right to move the location of the servers in Italy, within the European Union or to
non-EU countries.
• The Data Controller ensures that the transfer of your non-EU data will take place in accordance with
Articles 44 ss. of the GDPR and the provisions of applicable laws, stipulating, if necessary, agreements that
guarantee an adequate level of protection.
Retention period
• Your data will be stored, by implementing the security measures provided by law, in our archives or at our
pharmacovigilance service provider (Proge Medica Srl) and its providers, whose archives could also be
located abroad.
• The retention period will be determined according to individual circumstances and the type of data, but
in any case, cannot exceed 30 years.
Access rights, cancellation, limitation and portability
As an interested party, your rights are recognised in Articles from 15 to 20 of the GDPR. By way of example,
you may therefore:
• obtain confirmation that personal data is being processed;
• if data processing is in progress, obtain access to relevant personal data and information and request a
copy of the personal data;
• obtain the correction of inaccurate personal data and the integration of incomplete personal data;
• obtain the cancellation of relevant personal data according to the conditions provided by Art. 17 of the
GDPR;
• limit the processing of data according to the conditions provided by Art. 18 of the GDPR;
• receive relevant personal data in a structured format, commonly used and readable by an automatic
device and request the transmission of this data to another Data Controller, if technically feasible.

Right to object
You, as an interested party, have the right to object at any time to the processing of your data carried out
for the legitimate interest of the Controller. In the event of opposition, your data will no longer be
processed, provided that there are no legitimate reasons to proceed with the processing that prevail over
the interests, rights and freedoms of the interested party or for the assessment, exercise or defence of a
right in court.
Right to lodge a complaint with the Guarantor
As an interested party, you may lodge a complaint with the Guarantor for the Protection of Personal Data if
you believe that your rights pursuant to the GDPR have been violated, in the manner indicated on the
Guarantor’s website: www.garanteprivacy.it
Contacts
For the exercising of your rights mentioned above, you can contact:
• the Data Controller by e-mail: Info@Acarpia.com
• the Manager by email: Farmacovigilanza@progemedica.it
In addition, you can request an updated list of data controllers by e-mail: Info@acarpia.com