PRIVACY NOTICE
A. INTRODUCTION
Teva Pharma (Thailand) Co., Ltd. (the “Company”) respects your privacy and is committed to protecting your personal data in accordance with the requirements of the Personal Data Protection Act B.E. 2562 (2019) and related notifications (the “PDPA”).
Scope of privacy notice
This privacy notice explains how and why the Company collects, uses, and/or discloses (“Processes”
or “Processing”) your personal data, and applies to:
(1) Employment Candidates
(2) Contractors, Suppliers, and Vendors
(3) Healthcare Professionals, Drug Store Owners, Patient, and Related Parties
(4) Office Visitors and Others
It is important that you read this privacy notice, together with any other notices we may provide, in relation to specific occasions on which the Processing of your personal data is carried out so that you are fully aware of how and why we are using your data. This privacy notice supplements any other notices and is not intended to override or replace them.
The Company’s website may include links to third-party websites. Clicking on these links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy standards. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Controller and data protection officer
The Company is a data controller and is responsible for your personal data
We have appointed a data protection officer (the “DPO”) who is responsible for (among other things) overseeing questions and comments in relation to this privacy notice. If you have any questions or comments about this privacy notice, including any requests to exercise your legal rights, please contact the DPO, whose details are set out below.
Teva Pharma (Thailand) Co., Ltd., located at 689 Bhiraj Tower, 21st Floor, Rooms 1-2 and 7-14, Sukhumvit Road, Klongton Nua, Wattana, Bangkok
Phone: 02 302 3295
Email: Privacy.Thailand@tevapharm.com
Changes to privacy notice
This notice may be amended or updated from time to time, so please check back regularly for updates. This version was last updated on 1st March 2023.
It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes during your dealings with us by contacting the DPO.
B. PERSONAL DATA COLLECTED BY THE COMPANY
We collect both general personal data and sensitive data from you. For more information on the specific types of personal data collected by the Company, please see Section D on the Purpose and Lawful Basis for the Processing of Personal Data.
Definition of personal data and sensitive data
Personal data means any information about an individual from which that person can be identified. It does not include data where that person’s identity has been removed (anonymous data) or the data of a deceased person.
Sensitive data (a special category of personal data) means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, criminal records, trade union membership, genetic data, and biometric data, as well as data concerning health, disability, sex life, or sexual orientation, in addition to any data which may affect an individual in a similar manner.
Collection of data on minors, incompetent persons, and quasi-incompetent persons
We may collect the personal data of, minors, incompetent persons, or quasi-incompetent persons, as defined by the PDPA and related laws If we do, we will comply with the requirement of the PDPA in collecting the personal data of such individuals.
Your failure to provide personal data
In the case that we need to collect your personal data, as required by law or under the terms of a contract, and you fail to provide your personal data when requested, we may not be able to perform our obligations by law or under the contract in which we are engaged, or with which we are attempting to engage, with you.
C. HOW PERSONAL DATA IS COLLECTED BY THE COMPANY
The Company obtains personal data in the following manners:
- Direct interactions
- You may provide us with your personal data by completing forms or corresponding with us by post, phone, email, or other methods. This includes personal data that you provide when you:
- complete forms (including application or inquiry forms) or supply other documents to the Company;
- request communication updates from the Company;
- complete surveys conducted by the Company; or
- send feedback to the Company or contact us for another specific
- Automated technologies or interactions
- The Company may automatically collect personal data concerning your computer equipment, browsing activities, and browsing patterns by using internet cookies and other similar
3. Third parties or publicly available
- The Company may receive personal data about you from various third parties and public sources. This includes personal data that you have provided when you:
- complete forms or supply other documents to the Company or a third party that has a relationship with the Company;
- use or request services from third-party service providers related to the Company, such as when applying for payment services from a company that has a relationship with the Company; or
- provide personal data publicly with your explicit consent.
D. PURPOSE AND LAWFUL BASIS FOR THE PROCESSING OF PERSONAL DATA
The Company has set out below a description of how we plan to use your personal data, and which legal bases we shall rely on to do so. We have also identified our legitimate interests where appropriate.
Note that the Company may Process personal data in accordance with more than one lawful basis, depending on the specific purpose for which the Company is using the data. Please contact the DPO for more details on the specific legal bases on which the Company is relying to Process your personal data in the case that more than one of the bases as set out in the table below are referred to.
|
Lawful basis for Processing general personal data |
Description |
|---|---|
|
Consent |
The Processing is based on consent obtained from you. |
|
Contract |
The Processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. |
|
Legal compliance |
The Processing is necessary for compliance with a law to which we are subject. |
|
Legitimate interests |
The Processing is necessary to protect our legitimate interests or the legitimate interests of another person or entity. |
|
Research |
The Processing is necessary for achievement of the purpose relating to the preparation of the historical documents or the archives for public interest, or for the purpose relating to research or statistics. |
|
Vital Interests |
The Processing is necessary for preventing or suppressing a danger to a person’s life, body, or health. |
|
Lawful basis for Processing sensitive data |
Description |
|---|---|
|
Consent |
The Processing is based on explicit consent obtained from you. |
|
Legal compliance |
The Processing is necessary for compliance with a specific law to which the Company is subject. |
|
Legal claims |
The Processing is necessary for the establishment, exercise, or defense of, or compliance with, legal claims. |
|
Public disclosure |
The Processing is with regards to information that is disclosed to the public with the explicit consent of the data subject. |
|
Vital interests |
The Processing is to prevent or suppress a danger to the life, body, or health of a person in the case that the data subject is incapable of giving consent for whatever reason. |
1. Data of Employment Candidate
|
Purpose |
Type of data |
Lawful basis |
|---|---|---|
|
Application Form
|
Application Form
|
General data
|
|
Background check For background and pre- employment health check |
|
General data
|
|
Purpose |
Type of data |
Lawful basis |
|---|---|---|
| Consent to access criminal background check and health check information for assessment of working ability |
2. Data of Contractors, Suppliers, and Vendors
|
Purpose |
Type of data |
Lawful basis |
|---|---|---|
|
Contractors: Contracting and Payment ·For contracting/purchase order process ·For payment and records, including overtime. |
1.Name |
·Contract |
|
Contractor: Enterprise Resource Planning ·For user ID creation in Enterprise Resource Planning (ERP) system ·To input information into ERP system |
1.Name |
·Legitimate interests (create contractor and expense records in ERP system) |
|
Contractors: Monitoring and Coordination ·For monitoring working times and reports for contractors (security, housekeeper, gardener, driver) ·For coordinating all maintenance roles e.g., electrical, plumbing, air conditioning, furniture |
1.Name |
·Legitimate interests (monitoring and coordination) |
|
Vendors: Contracting For opening vendor form and making contract |
|
General Data
Sensitive Data
|
|
Vendors: Payments
|
|
|
|
Purpose |
Type of data |
Lawful basis |
|---|---|---|
|
·For issuing invoice and receipt |
8.CV of speaker |
|
|
Vendors: Enterprise Resource Planning ·For vendor ID creation in the ERP system ·To input information into the ERP system ·For vendor expense records in ERP system ·For creating data request form |
1.Name |
·Legitimate Interests |
|
Tax ·To submit withholding tax to Revenue Department |
1.Name |
·Compliance with law (withholding taxes and other Tax required under Tax law) |
|
Suppliers for facility management ·For creating purchase order in ERP program as facility service for operation ·For collaborating contract agreement and purchase order for supplier |
1.Name |
·Contract ·Legitimate Interests |
|
Catering and transportation ·For collaborating with catering and transportation providers to support business functions and meetings |
1.Name |
·Legitimate Interests |
3. Data of Healthcare Professionals (“HCPs), Drug Store Owners, Patient, and Related Parties
|
Purpose |
Type of data |
Lawful basis |
|---|---|---|
|
Speaker ·For selection as a speaker at a Company event ·For sharing speaker’s details ·For payment |
1.Name |
·Legitimate Interests ·Contract |
|
Purpose |
Type of data |
Lawful basis |
|---|---|---|
|
Direct Marketing ·To communicate Company’s information ·For events and activities |
1.Name |
·Consent |
|
Account Creation ·To create new a purchase account with our affiliate so that HCPs and drug store owner can purchase medicine via the account. |
1. Name |
·Legitimate Interests ·Contract |
|
Investigators ·To retain CVs of healthcare professional investigators in order to comply with regulatory requirements on the conduct of Bioequivalence studies |
Curricular Vitae of investigators |
·Legitimate Interests |
|
MITR LINE ·To facilitate and allow HCPs to report Pharmacovigilance/ Drug Safety Report via MITR LINE · for disclosure of Pharmacovigilance/ Drug Safety Report to foreign countries |
Name/abbreviated name, LINE ID, |
·Legitimate Interests ·Consent |
|
Drug Safety Report (HCPs) ·To use and disclose Pharmacovigilance/ Drug Safety Report by HCPs |
Name/abbreviated name, LINE ID, [occupation, phone number] |
·Legal Compliance |
|
Tiering of HCPs · To tier HCPS who are our business partners for business reason |
CVs of HCPS, including date of birth, nationality, location, education, employment information and work experiences |
·Legitimate Interests |
|
Approval in Dealing with HCPs ·For our employees to obtain approval for activities that they perform with HCPs. |
Name, hospital name |
·Legitimate Interests |
|
Purpose |
Type of data |
Lawful basis |
|---|---|---|
|
Patients · For usage as part of drug safety report as required by law for submission to the food and drug safety administration and other government agencies. |
Name, hospital name, HN (hospital number), medical diagnosis, co-morbid diseases, medication use, [ID card number, title, gender, nationality, age, weight, drug allergy history, disease history and health status] |
·Legal Compliance |
|
Patients ·For sharing data as part of clinical studies |
Name, hospital name, HN (hospital number), medical diagnosis, co-morbid diseases, medication use |
·Consent |
4. Office Visitor and Others
|
Purpose |
Type of data |
Lawful basis |
|---|---|---|
|
Building Management ·For coordinating with Bhiraj management for any operational issues |
1.Name/Nick name |
·Legitimate Interests |
|
Transferring Calls ·For operator to pick up and transfer incoming telephone calls |
1. Name/Nick name |
·Legitimate Interests |
|
For Safety ·For recording CCTV footage on Company’s premises |
CCTV footage |
·Legitimate Interests |
Note that we may also elect to process your personal data in accordance with another lawful basis under the PDPA as the situation requires.
Change of purpose
The Company will only use your personal data for the purposes for which we have collected it, as set forth above, unless we reasonably consider that we need to use it for another reason, and that reason is compatible with the original purpose. If you wish to be provided with an explanation as to how the new purpose is compatible with the original purpose, please contact our DPO.
If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so
E. DISCLOSURE OF PERSONAL DATA
Subject to the purposes above, the Company may disclose your personal data to the entities set out below.
- Persons that we have legal relationships with, including our employees and staffs,.
- The Company’s business partners and representatives or other organizations (such as independent auditors, information and document service providers, personal data processing service providers, and other service provider platforms that have a legal relationship with the Company and/or you).
- Contractors, Suppliers, and
- Government agencies and/or the agencies responsible for regulating the business of the Company
- Courts, organizations, or any other entities to which the Company is ordered or consents to disclose personal data in compliance with the law and/or relevant rules.
- In the case of business rehabilitation, merger, business transfer — in whole or in part, sale, purchase, joint venture, or the delivery, sharing, or distributing, whether in whole or in part, of shares of business assets or other similar transactions, the Company may have a legitimate reason to disclose personal data to the third party which is on the receiving end of the transaction or which is the intended recipient of the transferred rights of the Company and their advisors.
- Other service providers of the Company, including, but not limited to:
- debt collectors;
- internet service providers;
- information technology service and support providers;
- local or international cloud storage service providers;
- lawyers, consultants, auditors, and/or other professionals who support or assist the business operations of the Company;
- payment service providers and payment systems service providers;
- printing service providers;
- security providers;
- storage service providers and/or document destruction service providers;
- telecommunication and communication service providers; and
- website
Note that we may also be required to share your personal data with third parties by law.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to Process your personal data for the purposes specified and in accordance with our instructions.
F. INTERNATIONAL TRANSFER OF PERSONAL DATA
The Company may transfer personal data outside of Thailand on an as-needed basis.
Included below are the most common scenarios in which the Company will transfer your personal data outside of Thailand and the lawful basis upon which the Company relies for the benefit of compliance with the requirements of the PDPA.
| Lawful basis for transfer of personal data | Description |
|---|---|
|
Adequacy of data protection standards |
The destination country has adequate data protection standards, and the transfer is carried out in accordance with the rules for the protection of your personal data as prescribed by the Personal Data Protection Committee. |
|
Consent |
The transfer is based on consent obtained from you. |
|
Compliance with a contract to secure the interests of the data subject |
The transfer is necessary for compliance with a contract between us and another entity to secure your interests. |
|
Compliance with the law |
The transfer is necessary for compliance with the law. |
|
Necessary for the performance of a contract or in order to take action prior to entering into a contract |
The transfer is necessary for the performance of a contract or in order to take action prior to entering into a contract. |
|
Purpose |
Lawful basis |
|---|---|
|
Clinical Study Sending name of HCPs as well as the name, hospital name, HN (hospital number), medical diagnosis, co-morbid disease and medication use of patients to foreign countries for Pharmacovigilance/Drug Safety Report as part of a clinical study. |
·Consent |
G. SECURITY OF PERSONAL DATA
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in any unauthorized way and to prevent it from being altered or disclosed. In addition, we limit access to your personal data to employees, agents, contractors, and other third parties, on a need-to-know basis. These entities may only Process your personal data in accordance with our instructions, and they are subject to a duty of confidentiality.
We have security programs and procedures in place for any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
H. RETENTION OF PERSONAL DATA
Personal data is retained by the Company for as long as necessary for the purposes associated with the data.
In determining the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which we Process the personal data, and whether we can achieve these purposes through other means, as well as the applicable legal requirements.
Below are general estimates of the periods for which personal data is retained by the Company.
1. Employment Candidate
|
General purpose |
Retention period |
|---|---|
|
Employee candidates |
Employee candidate data is kept for one year after application cycle period ends |
|
Contractor (General) |
Contractor information is kept for ten years from end of contract |
|
Contractor (IT) |
IT contractors’ data is kept for two years after the end of the contract. |
2. Contractors, Suppliers, and Vendors
|
General purpose |
Retention period |
|---|---|
|
Vendors’ data as part of enterprise resource management program |
Data are kept for ten years after end of relationship with the vendor |
|
Signatories of vendors (for opening vendor form and making a contract |
Data of the signatories are kept for five years after end of contract |
3. Healthcare Professionals, Drug Store Owners, and Related Parties
|
General purpose |
Retention period |
|---|---|
|
HCPs (for a speaker at a Company event) |
Data of the speaker is kept for three years |
|
HCPs, drug store owner (create purchase account with affiliate) |
Data received by email is deleted after sending it to affiliate |
|
HCPs, drug store owner or contact person |
Data is kept for five years |
|
HCPs data for reporting Pharmacovigilance/Drug Safety |
Personal data relating to HCPs reporting of Pharmacovigilance/Drug Safety are kept for five years. If the data is part of a clinical study, it is kept for ten years |
|
HCPs data for our employee to obtain approval before conducting activities with HCPs |
Data is kept for ten years after last engagement with HCPs |
|
Participant in clinical studies |
Data is kept for ten years after study concludes |
4. Office Visitor and Others
|
General purposes |
Retention period |
|---|---|
|
Callers to company (to transfer incoming phone calls from the individuals to the right department and person) |
Caller data is cleared out every month |
|
CCTV image for safety |
CCTV footage is kept for thirty days. |
|
Catering and transportation data (for collaboration to support business) |
Data is kept for one year from end of service agreement |
|
Building manager (for coordinating) |
Until building management contact person changes |
I. LEGAL RIGHTS
Your legal rights
You have the following rights under the PDPA in relation to your personal data collected by the Company:
- insofar as the processing is taking place on the basis of your consent, to revoke your consent at any time with effect for the future (this does not affect the legality of the data processing which occurred prior to the revocation on the basis of consent);
- to request access to your personal data, allowing you to receive a copy of the personal data we hold about you, additionally, you can request the disclosure of any personal data obtained without your consent;
- insofar as the personal data is in a machine-readable format, to demand from us that we issue your data in such format and transfer it to another entity.
- to demand that we restrict the processing of your personal data or delete it;
- insofar as the processing is taking place on the basis of legitimate interest, for the purpose of direct marketing, or for scientific, historical, or statistical research, to opt out of the processing by us;
- to demand that we correct incorrect, out-of-date, misleading, or incomplete personal data; and
- to file a complaint with the expert committee under the PDPA concerning our processing of your personal data.
Please note that your rights are not absolute, and we reserve the right to reject your requests in accordance with the PDPA.
Exercising your legal rights
If you wish to exercise any of the rights set out above, please contact us via our DPO.
You will generally not have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request as permitted by law.
We may also need to request specific information from you to help us confirm your identity and ensure that you have the right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
The DPO will request additional information if the Officer determines that you are unable to act with legal independence.
Finally, we try to respond to all legitimate requests as soon as possible and within 30 days. Occasionally, however, it may take us longer than 30 days if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you informed of any updates.
J. COOKIES POLICY
The Company uses cookies to collect information about you and store your online preferences. Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the website when you return to it: this is useful because it allows the website to recognize your device. To find out more about cookies please visit www.allaboutcookies.org
The Company uses the following categories of cookies on the website:
Category 1: Strictly Necessary Cookies
These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the website will not then work.
Category 2: Performance Cookies
These cookies collect information on how people use the website. For example, the Company uses these cookies to help us understand how customers arrive at the website, browse or use the website and highlight areas where we can improve areas such as navigation, user experience and marketing campaigns. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how the website works.
Category 3: Functionality Cookies
These cookies are set to enhance functionality and personalization on the website. These cookies remember choices you make (such as language choices). These can then be used to provide you with an experience more appropriate to your selections and to make your visits to the website more tailored. The information these cookies collect may be anonymized and they cannot track your browsing activity on other websites.
If you want to delete any cookies that are already on your computer, please refer to the help and support area on your internet browser for instructions on how to locate the file or directory that stores cookies.
Information on deleting or controlling cookies is also available at www.allaboutcookies.org. Please note that by deleting our cookies (or disabling future cookies) you may not be able to access certain areas or features of the website.
Retention period of Cookies
Where we place cookies directly on the website, we typically keep information collected from such cookies for a maximum period of 6 months.
Use of Web Beacons
Some pages of our website and e-mails we may send may contain electronic images known as web beacons (sometimes known as clear gifs) that allow us to count users who have visited these pages or read our e-mails. Web beacons collect only limited information which includes a cookie number, time and date of a page view, and a description of the page on which the web beacon resides. These beacons do not carry any personal data and are only used to track the effectiveness of a particular campaign.