PRIVACY NOTICE

1. Data controller

Data controller: Béres Pharmaceuticals Private Limited Company

registered office: 1037 Budapest, Mikoviny utca 2-4.

Represented by: Chief Executive Officer Ferenc Major

email: [email protected]

website: beres.hu

(hereinafter: the “Data Controller”)

 

2. The various forms of data processing

2.1. Newsletters and other advertising materials

We only send you newsletters or advertising materials in any other manner with your prior consent. You can subscribe to the newsletter via the following channels, by entering your name and email address: 

  • On the www.beres.hu website;
  • On the Béres Health Club Facebook page;
  • On the Béres Egészség Instagram page;
  • When filling in questionnaires at our events; and
  • You can indicate this intent when you submit the Béres Magazine quizzes. 

Legal basis of the data processing: Your consent, which you give by subscribing. [GDPR Article 6(1)(a)]

Purpose of the data processing: To inform you about the latest information, our latest, products and of news about us, and to send you educational articles and materials.

Duration of the data processing: We will only send you our newsletters and advertising materials for as long as you request it. If you do not wish to receive any more newsletters (or advertisements), you can unsubscribe at any time and, if you change your mind, you can subscribe again at any time. When you unsubscribe, we will not send you any more emails and we will delete your personal information. Please be advised that the withdrawal of your consent will not affect the lawfulness of any data processing that took place based on this consent before it was withdrawn. 

You can unsubscribe from the newsletters in the following ways:

  • By clicking on the link at the bottom of the email containing the newsletter;
  • By sending a letter asking to unsubscribe, to Béres Gyógyszergyár Zártkörűen Működő Részvénytársaság 1037 Budapest, Mikoviny utca 2-4.

Data processors:

  • The newsletters are sent by Mailchimp as data processor (The Rocket Science Group, LLC; 675 Ponce de Leon Ave NESuite 5000, Atlanta, GA 30308 USA; Compliance of data transmission is guaranteed by the application of the Standard Contractual Clauses: https://mailchimp.com/help/mailchimp-european-data-transfers/
  • The website is maintained by Laboratory Ideas Kommunikációs Szolgáltató Korlátolt Felelősségű Társaság (registered office: H-1027 Budapest, Kacsa utca 15-23.);
  • The website is hosted by Websupport Magyarország Kft. (registered office: H-1132 Budapest, Victor Hugo utca 18-22.). 

Rights: 3.1.-3.6.

2.2. Facebook, Instagram, YouTube and LinkedIn 

You can find us on Facebook as Béres Egészségklub (Béres Health Club) and Béres Gyógyszergyár (Béres Pharmaceuticals), on Instagram as Béres Egészség, and on LinkedIn as Béres Pharmaceuticals Ltd. You can also follow us via our YouTube channel.

Legal basis of the data processing: Your consent, which you give by following us. [GDPR Article 6(1)(a)]

Purpose of the data processing: To inform you about the latest information, our latest, products and of news about us, and to send you educational articles and materials.

Duration of the data processing: Our news will only be displayed for you for as long as you want it to be. You can withdraw your consent by unsubscribing. The withdrawal of your consent will not affect the lawfulness of any data processing that took place based on this consent before it was withdrawn.

Data processor: 

The Béres Egészségklub Facebook page and Béres Egészség Instagram page are edited by Positive by Hinora Group Korlátolt Felelősségű Társaság (registered office: H-1062 Budapest, Délibáb utca 29.).

Rights: 3.1.-3.6.

The companies operating the social media pages are other data controllers; you can find information about the data processing of those sites in the following places: 

 

2.3. Reporting of side effects

You can report the side effects of a marketed product manufactured by us directly to our company or through your doctor or pharmacist or the pharmaceutical state administrative body (National Institute of Pharmacy and Nutrition).

Categories of data processed: Name and contact information of the person reporting (email address or phone number or mailing address), monogram, age, gender of person experiencing the side effect (where the reporting person is not the person experiencing the side effect), name of legal representative (in the case of a child), side effect (adverse symptom or effect noticed), other relevant healthcare and medical history data, name or active ingredient of the suspected medication.

Source of data: The person making the report. 

Legal basis of the data processing: Fulfilment of a legal obligation. [GDPR Articles 6(1)(c) and 9(2)(h)] Pursuant to Section 18/B of Act XCV of 2005 on Medicinal Products for Human Use and on the Amendment of Other Regulations Related to Medicinal Products, and based on Article 28(3) of Implementing Regulation (EU) 520/2012. The provision of the data is a prerequisite for the investigation and reporting of a side effect.

Purpose of the data processing: Legal compliance in the context of an investigation of an adverse reaction (side effect).

Duration of the data processing: Ten years following expiry of the product’s marketing authorisation, based on Article 12(2) of Implementing Regulation (EU) 520/2012/EU.

Category of recipients: 

The side effects you have described will be forwarded anonymously (specifying only the initials of the name and the gender or age of the person that has experienced the side effect) to a common European database (the EudraVigilance system).

Rights: 3.2., 3.3., 3.5.

2.4. If you get in touch with us

You can get in touch with us using any of our contact details (by email, via Facebook, via Instagram, by phone, or by post). If you do, you consent to the processing of the personal data that you share with us.

Legal basis of the data processing: Your consent, and in the case of providing health data, your specific consent, which is given by sending the inquiry. [GDPR Article 6(1)(a) and, in the case of a product information service, GDPR Article 9(2)(a)], also taking into account Act on the processing and protection of health data and related personal data.] You can also withdraw your consent at any time by notifying us at one of our contact details specified in point 1, but this will not affect the lawfulness of the data processing that took place prior to the withdrawal.

Purpose of the data processing: To communicate with the person sending the inquiry and answering the question/request/comment/other, as described below. Once the answer has been given, the purpose of retention is traceability, in order to be able to address any future needs and feedback.

Rights: 3.1.-3.6.

2.5 Data of contact persons

As part of the contractual or non-contractual relationships with each of our business partners, we share the contact information of our contacts and process the contact persons’ names and contact information (position, email address, telephone number) provided by our business partners.

Legal basis of the data processing: Our legitimate interest in maintaining contact. [GDPR Article 6(1)(f)]. You may object to the data processing at one of our contact addresses or numbers indicated in point 1.

Purpose of the data processing: Maintaining contact, including, e.g. communication related to the fulfilment of a contract, sending greetings messages, etc. 

Duration of the data processing: The contact information will be processed during the existence of the business relationship until our business partner notifies us of a change in the contact person. 

Rights: 3.2., 3.3., 3.5., 3.7.

We proceed in the same way as above when processing the personal data of members of the press.

2.6. Contracts and the personal data included in them

We sign contracts with our contractual partners, which, as the document on which the invoice is based, are retained even after the termination of the contract, and so the personal data contained in the contracts is also retained. 

Legal basis of the data processing: Fulfilment of a legal obligation. Following invoicing, retention is required due to the tax and accounting regulations. It is not possible to conclude the contract without providing the data. [GDPR Article 6(1)(c)]

Purpose of the data processing: Fulfilment of a legal obligation.

Duration of the data processing: We retain the signed contracts for 8 (eight) years following the expiry of the contract.

Rights: 3.2., 3.3., 3.5.

3. Rights:

In connection with the data processing, you have the rights described in points 3.1.-3.7. If you would like to exercise any of these rights, please write to us at one of the addresses below:

 

address: 1037 Budapest, Mikoviny utca 2-4.

email address: [email protected]

Identification

We must always verify your identity before fulfilling your request. If we are unable to verify your identity, unfortunately we will be unable to fulfil your request. 

Replying to requests

Following identification, we will provide information related to the request in writing, electronically or, at your request, verbally. Please note that if you have submitted your request electronically, we will respond via e-mail. Naturally, here too, you have the option of requesting another method.

Administration deadline

We will inform you about the measures taken in response to your request no later than 1 (one) month from the receipt of your request. If the complexity of the request and the number of requests involved warrant it, this deadline may be extended by an additional 2 (two) months, which we will inform you about within the 1 (one) month administration deadline. 

We are also obliged to inform you of any failure to take action within the one-month administration deadline. You may lodge a complaint against this with the NAIH (point 4.1) and turn to the court (point 4.2).

The fee for administration

The requested information and measure(s) taken are free of charge. An exception is where the request is clearly unjustified or – especially due to its repetitive nature – excessive. If this is the case, we may charge you a fee for the work, or refuse to fulfil the request. 

3.1. You may withdraw your consent

In the case of data processing based on your consent, you may withdraw your consent at any time. As soon as we receive such notification from you, we will delete your personal data related to the data processing concerned. 

3.2. You may request information (access)

You may request information on whether your personal data is being processed and, if so:

  • What the purpose of such processing is
  • What particular data is being processed
  • Who we forward (transmit) this data to
  • How long we keep this data
  • What your rights and legal remedies are in relation to this
  • Who we received your data from
  • Whether we make an automated decision about you by using your personal data In such cases, you may also ask for information about what logic (method) we use and what the significance and likely consequences of such data processing are.
  • If you have found that your data has been transferred to an international organisation or a third country (non-EU Member State), you can request to know what safeguards are in place to ensure the adequate processing of your personal data.
  • You may request a copy of your personal data (additional charges may apply for any additional copies).

3.3. You may request rectification

You may request that we rectify or supplement any of your personal data that was recorded inaccurately or incompletely.

3.4. You may request the deletion of your personal data (“the right to be forgotten”)

You may request that your personal data be deleted if:

  • The personal data is no longer necessary for the purpose for which we have been holding (“processing”) it;
  • In the case of data processing based exclusively on your consent;
  • If your objection has been successful;
  • If it is found that we are processing the personal data unlawfully;
  • An EU or local statutory provision requires it.

We cannot delete personal data if it is needed: 

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation that stipulates the processing of the personal data, applicable under EU or Member State law to which the controller is subject, or for purposes of public interest;
  • on the basis of public interest concerning public health; 
  • for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes, where deletion (“erasure”) would be likely to make this data processing impossible or seriously jeopardise it; or
  • for the establishment, exercise or defence of legal claims.

3.5. You may request that we restrict the data processing

You may request that we restrict your data processing if one of the following is true:

  • You contest the accuracy of the personal data, in which case restriction applies to a period enabling us to verify the accuracy of the personal data;
  • The processing is unlawful but you oppose the erasure of the personal data and request the restriction of their use instead;
  • We no longer need the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims; 
  • You have objected to processing; in this case, the restriction applies pending the verification of whether the legitimate grounds of the controller override yours.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest in the EU or a Member State. We will inform you in advance of any lifting of the restriction. 

3.6. You may request the transfer of your personal data (right to data portability)

You have the right to receive the personal data we process in a machine-readable format, and you have the right to transfer or – upon your request – to have us transfer this data to another data controller if the data processing is based solely on your consent or on a contract with you, or signed in your interest, and is automated. 

That right shall not apply in cases where the processing is necessary for the performance of a task carried out in the public interest. It shall not infringe the right to erasure and shall not adversely affect the rights and freedoms of others.

3.7. You may object to the processing of your personal data

You may object to the processing of your personal data if: 

  • The processing is necessary for the performance of a task carried out in the public interest, or 
  • The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;
  • The data is processed in the interest of direct marketing (and as a part of this, you may also protest against profiling);
  • The personal data is processed for scientific and historical research purposes or statistical purposes.

If you object to the processing of your personal data, we will delete your personal data. An exception is where the processing is justified for compelling legitimate reasons, including the public interest or where the processing is necessary for the establishment, exercise or defence of legal claims.

4. Legal remedies available

4.1. You may lodge a complaint with the NAIH

If you believe that the processing of your personal data is contrary to the provisions of the General Data Protection Regulation, you have the right to lodge a complaint with the National Data Protection and Information Security Authority (NAIH).

NAIH

President: Dr. Attila Péterfalvi

postal address: H-1363 Budapest, PO Box 9

address: 1055 Budapest, Falk Miksa utca 9-11.

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

web: http://naih.hu

email: [email protected]

4.2. You may turn to the courts

If you believe that the processing of your personal data is contrary to the provisions of the General Data Protection Regulation (GDPR), and that your rights specified in the GDPR have been violated, you have the right to take the matter to court. 

The case falls within the jurisdiction of the regional courts. The matter may – depending on the choice of the data subject – be filed at the regional court with authority at the permanent address or the temporary (registered) address of the data subject. A party who does not otherwise have legal capacity to sue may also be a party to the lawsuit. The Authority may choose to intervene in the case in support of the data subject.

The court proceedings will be governed by the provisions of the GDPR, as well as Act V of 2013 on the Civil Code, Book Two, Part Three, Title XII (Sections 2:51–2:54) and other legal provisions applicable to court proceedings.

4.3. Compensation for loss and compensation for distress

If the Controller causes damage or violates the data subject’s privacy through any unlawful processing of his or her data, aggravated damages may be demanded from the Controller. The data controller shall be exempt from liability for any loss caused and from the obligation to pay compensation for distress if it can prove that the loss was caused or the data subject’s privacy rights were violated for an unavoidable reason outside the scope of the data processing.

5. Data security

We do everything we can, taking into account the latest developments in science and technology, the costs of implementation and the nature of the data processing concerned, as well as the risk presented to the rights and freedoms of the natural persons involved, to implement adequate technical and organisational measures so as to ensure a level of data security appropriate for the risk. 

We always treat the personal data confidentially, restricting access to it, using encryption and maximising resilience, ensuring it can be recovered in the event of a problem. We regularly test our systems to guarantee security. In assessing the appropriate level of security, we take into account the risks that are presented by data processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.

We do everything we can to ensure that any natural person acting under our authority who has access to personal data does not process it except on our instructions unless he or she is required to do otherwise by EU or Member State law.

We use access control and camera systems as physical security measures, and we apply logical security measures as follows: firewall, use of antivirus and security software (workstation, file server protection, web monitoring, device monitoring, application monitoring, patch management, WSUS, NAC), software updates, creating backups, access control, automatic device locking, encryption of portable devices, secure remote access over a VPN connection. In the case of the website: We use an SSL-encryption, CDN and WAF (Web Application Firewall) service. 

6. Miscellaneous

The Data Controller is entitled to amend the contents of this Data Privacy Notice at any time. Any change will take effect at the same time as it is published on the website, and the change will be announced in a pop-up window on the website.

Last updated: 01 October 2022