Information notice

Persons exposed to or reporting an adverse health event

17/07/2025

Version 1.0

 

ProductLife Group is committed to protecting your personal data. The purpose of this information notice is to inform you about the processing of your personal data, mainly in connection with the management of pharmacovigilance cases and the management of medical information on behalf of our customers.

These data processing operations are carried out by Groupe ProductLife, a simplified joint stock company a simplified joint stock company registered with the Company Registry of Nanterre under the number 392 639 266, whose head office is located at 8-14, avenue de l’Arche, 92400 Courbevoie, France and its affiliates (hereafter « ProductLife Group »).

We, ProductLife Group, act as a Data Processor and process personal data on behalf of our clients acting as Data Controllers. This notice is made available as part of our voluntary commitment to transparency. If you have any general questions about the processing of your personal data in connection with a healthcare product, or if you wish to exercise your rights, please contact the Data Protection Officer of the concerned organisation, who acts as Data Controller.

 

Why do we process your personal data?

First of all, we would like to remind you that we process your personal data exclusively on the instructions of our customers and partners, and for legitimate purposes that enable us to comply with the legal obligations incumbent on all pharmaceutical laboratories.

These purposes mainly concern health vigilance management activities (in this mainly including pharmacovigilance, but also the other types of health vigilance mentioned in the Order of February 27, 2017), as well as medical information management.

Pharmacovigilance is an obligation aimed at reporting information about possible adverse events (side effects) occurring when taking a medicine. Its aim is to ensure your safety when taking medication, by alerting you to possible dangers (interactions with other drugs, contraindications in pregnancy, etc.).

The vigilance accorded to the use of medicines is also extended to other product categories, such as medical devices, cosmetics, herbal products, etc.

Medical information is an obligation aimed at providing complete, up-to-date information about medicines and related therapeutic areas in response to people who may need it, such as healthcare professionals in the context of a prescription, or patients and their relatives with questions about a particular use.

Under no circumstances will your personal data be used for purposes other than those listed below.

The purposes for which we may process your data are :

As part of the management of undesirable health events:

  • Collecting, recording, analyzing, monitoring, documenting, transmitting and storing data relating to all adverse health events.
  • Management of contacts with the person who notified us of the undesirable health event, in order to obtain details of the reported undesirable health event, while respecting medical confidentiality.
  • Reporting undesirable events to the competent authorities, in line with the legal obligations of our partners and customers.

As part of medical information management:

  • Collecting, recording, analyzing, tracking, documenting, transmitting and storing data relating to medical information requests.
  • Responding to requests for medical information received from persons contacting us.

 

Who are the data subjects?

The persons concerned by the processing of personal data that we set up are :

  • Persons exposed to an undesirable health event;
  • Persons who have notified us of an undesirable health event.
  • Persons contacting us for medical information.

 

What categories of personal data do we process about you?

As part of the data processing operations we carry out, we ensure that we only collect the data that is strictly necessary to achieve the above-mentioned purposes. This data is therefore essential for the smooth running of our business.

Here are the categories of personal data we may need to process about you:

Are you reporting an adverse event?

  • Identification and contact data: surname, first name, postal address, e-mail address, telephone number, fax number.
  • Professional details: job title.

Are you a patient exposed to an adverse event?

We would like to point out that when you report an adverse event, you are identified by an alphanumeric code, a “pseudonym”, in order to guarantee the confidentiality of your identity. However, when you, as the person exposed to an adverse health event, are directly responsible for the notification, we must have access to your directly identifying data in order to meet legal and regulatory obligations. In this case, we pay particular attention to the security of this data, and only keep the link between the data collected and your identity for the time necessary to meet these legal obligations.

  • Indirect identification data: identification number/code, date of birth, gender, weight, height, etc.
  • Health data: data relating to the occurrence of the adverse event, data relating to the product concerned by the adverse event report, health data relating to pathologies and associated treatments (treatments administered, test results, personal and family history, etc.).

In addition to this personal data, we may also process other categories of data if they are relevant and necessary to the assessment of the adverse event. Such data may, for example, concern your professional life (current or previous occupation), lifestyle habits (tobacco, alcohol and drug consumption), behavior and lifestyle (addiction, sex life, etc.), racial or ethnic origin, or data relating to your ancestry or descent, particularly in the case of pregnancy or breast-feeding.

This collection is not systematic and may vary according to the event reported and the healthcare product in question. To obtain details of the categories of personal data processed in your specific case, please contact the Data Controller concerned.

Are you requesting medical information?

  • Identification and contact data: surname, first name, postal address, e-mail address, telephone number.
  • Professional data: specialty (if healthcare professional).
  • Data concerning the request for information: title of request, product concerned, response given, date and status of request.

Who can access your personal data?

We do our best to share your personal data with as few people as possible, ensuring that each access is necessary.

Your data may be shared with various stakeholders, both internal to ProductLife Group and external. These recipients are

Internal to ProductLife Group:

  • The person in charge of vigilance, as well as his collaborators and agents involved in the health vigilance management and medical information process.
  • The ProductLife Group Quality Department.
  • Authorized personnel in charge of claims management, depending on the cases they handle.
  • ProductLife Group affiliates involved in the management of adverse events or medical information management ;

External to ProductLife Group:

  • Healthcare professionals concerned by the report;
  • The laboratory holding the marketing authorization or sponsor of the clinical trial in which you are participating;
  • The operating laboratory and, where applicable, the person responsible for pharmacovigilance;
  • National, European or foreign public bodies responsible for pharmacovigilance in the course of their duties;
  • Legal councils, auditors and consultants in the context of their attributed missions.
  • Legal and administrative authorities, in accordance with applicable laws.
  • Third-party laboratories whose products may be implicated;
  • Our processors responsible for improving the processing and security of your personal data, in particular :
    • The provision of software dedicated to the management of adverse events or medical information management tool ;
    • Data hosting company and back-up management providers ;
    • Telephony management company.

ProductLife Group is a multinational organization with subsidiaries, partners and processors located in many countries around the world.

In order to manage cases of undesirable health events, we may transfer your personal data outside the European Union, or outside the country in which you reside. In this case, we make sure that the transfers of personal data respect the requirements of section V of GDPR, by transferring data to adequate countries, or by implementing Standard Contractual Clauses.

However, in order to comply with legal obligations concerning the reporting of information to the competent pharmacovigilance authorities, we may transfer your personal data outside the European Union on the instructions of the Data Controller. These transfers are made to national health authorities (NHS, FDA, etc.), or to the Data Controller’s local partners.

 

How is your personal data protected?

We take IT security very seriously, and pay particular attention to the protection of your personal data, especially those of a sensitive nature.

We have therefore put in place a number of practical measures to reinforce the protection of our IT environment, such as

  • The use of HDS-certified hosting solutions offering a high level of security;
  • Multi-factor authentication and a strong password policy to secure access to our applications;
  • Staff training and awareness-raising on data integrity issues;
  • Regular backups.

We do our utmost to maintain state-of-the-art system security, as part of a continuous improvement process.  

 

How long do we keep your personal data?

We have put in place measures to ensure that the retention of your personal data does not exceed the periods strictly necessary to meet legal retention obligations.

We retain personal data collected in the course of our business for the duration of the contract with our customers and partners.

 

What are your rights and how can you exercise them?

You have various rights enabling you to maintain control over your personal data:

  • The right of access: you can obtain information concerning the processing of your personal data as well as a copy of the personal data concerning you
  • The right of rectification: you can request rectification of personal data that is incorrect or incomplete.
  • The right to erasure: you may request the deletion of your personal data.
  • The right of limitation: in certain cases you can request the limitation of data processing (cf. article 18 of the RGPD)
  • The right to object: the right to object to data processing.
  • The right to portability: the right to request a copy of your personal data in a machine-readable format
  • The right to define directives concerning the fate of your data following your death.

For further information on the processing of your personal data, or in order to exercise your rights, you can contact the Data Controller directly concerned by the implementation of the processing activities. This will generally be the laboratory or company responsible for marketing the concerned product.

If we have been asked to process your personal data on behalf of a Data Controller with whom you have exercised your rights, we are committed to assisting them in respecting these rights.

If you are not satisfied, you have the right to file a complaint with the Commission Nationale Informatique et Libertés (CNIL).

 

Contact

For more information about our data processing operations, please contact our Data Protection Officer (DPO) at the following address:

Data Protection Officer ProductLife Group

  • Email: [email protected]
  • Postal address: 8-14, avenue de l’Arche, 92400 Courbevoie, France

Last update: 17/07/2025