1. Whose and what data do we have
In connection with our business (such as scientific research, development, manufacturing, marketing and sales, sponsorships etc.), we may collect the following personal data either directly from you or indirectly such as through the use of technologies that automatically collect information when you visit our sites or through third parties, such as our vendors, suppliers, contractors, and business partners.
The categories of data subject
- Healthcare Professionals (HCP): Doctors, nurses, other health care professionals, etc.
- Business Partners: vendors, contractors, suppliers, other business partners along with their representatives or staff members, etc.
- Patients: Patients (former or current), potential patients, parents or guardians and caregivers, etc. and members and staff of patient advocacy groups.
- Members of the Public: users of public-facing websites, mobile apps, other online platforms, etc., or those who attend our business events or premises.
The categories of personal data
- Personal details: name, address, phone number, e-mail address, gender, country of birth/residence, nationality, citizenship, employment status, and family status, etc.
- Financial details: bank account information, payment card details, payment details, income tax details, transaction data, billing information, tax numbers, tax administrative data, etc.
- Voice or Image Data: photographs, videos, recordings, etc.
- Technical and Usage Data: including information collected during your visits to our website(s), the Internet Protocol (IP) address, login data, browser type and version, device type, time zone setting, browser plug-in types and versions, operating system and platform, your preferences in receiving marketing information from us, your communication preferences and information about how you use our website(s) and services, including the services you viewed or searched for, page response times, download errors, length of visits and page interaction information (such as scrolling, clicks, and mouse-overs).
- Professional Data: including occupation, place of work, professional registration number, professional background and interests, medical specialization, professional memberships and affiliations.
- Employment and business information: your position and employer, your work contact details and your interaction with us in your role, including information provided in the course of the contractual relationship between you or your organisation and us, or otherwise voluntarily provided by you or your organisation.
- Communications content: any other information you may provide in your communications with us.
The category of sensitive data
- Health and medical records: family medical history, diseases and illnesses, disability, health statistics such as blood pressure, smoking status, alcohol intake, type of dialysis treatment, current therapies, prescriptions and medications, patient type, consumption and usage of equipment and medications, record of hospitalization, laboratory results and adverse reactions to treatment.
- Medical photographs and Images: the images including radiology scans and other such visual representations.
- Physiological and physical data: the activity data gathered through self-report in dedicated apps, wearables, or other technology.
- Others: sexual history, sexual orientation, and ethnicity.
Please note that the definition and scope of categories of sensitive data may vary in different jurisdictions, and we will determine the scope of sensitive data based on the legal and regulatory requirements and industry practices in each jurisdiction and provide the corresponding protection accordingly. Where local law of a jurisdiction of which you are a resident defines certain types of personal data as sensitive data (or equivalent meaning), such definitions and the corresponding rights you are entitled to shall apply in relation to our processing of your sensitive data.
2. How do we collect your data
Depending on your relationship with us, we may collect your personal data from you, companies or organizations to which you belong, or websites or other media to which you have registered to disclose information. We may also collect your data from the following sources:
- Your engagements with other Kyowa Kirin entities, or Kyowa Kirin websites or services. In this case we will have informed you when we collected that data that it may be shared internally and combined with data collected on this site.
- Healthcare professionals or pharmacies, particularly in relation to safety/adverse event reports or engagements through clinical trials or early access programs or where there has been a complaint.
- Other organizations you have provided permission to share with us.
- Third parties we work with including business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies, etc. If you are a health care professional, we receive information about your professional life (such as medical specialisation and professional background) from third party sources, including Clinical Research Organisations.
- Publicly available sources (where possible) to keep your information up to date (such as any professional registration database).
- We may receive information about you if you apply for a vacancy at Kyowa Kirin, particularly from any third party recruitment agency or website you have engaged with for this purpose.
3. Why and how will we use your data
We are required to have a lawful basis to process your data. We explain each of these legal bases below. We also set out the purposes for which we process your data. For each purpose, we explain the legal bases for that processing, the processing operations that we carry out and the categories of data that we process. Please note that the legal bases under data protection laws may vary from jurisdiction to jurisdiction. We will only process your data in accordance with the applicable legal bases required by the laws and regulations in your jurisdiction.
Legal bases relied on by Kyowa Kirin for processing described in this privacy notice
Consent – sometimes we ask for your consent to use your data.
Contract – if we have an agreement in place with you, we may process your data where it is necessary for us to meet our obligations or enforce our rights under the contract.
Legitimate interest – we can process your data when this is necessary for us to achieve a legitimate business purpose, or where this is necessary for someone else to achieve their legitimate purpose. We explain below what interests we, or others, are trying to achieve when we process your data. Where we process personal data on the basis of a legitimate interest, we consider what the impact of the processing will be on affected individuals and determine whether those individuals’ interests outweigh our interests in the processing taking place.
Legal obligation – we have obligations to comply with legal and regulatory requirements under various applicable laws. In certain cases, we have to use your data to meet these obligations.
Publicly-available data – where permitted by applicable laws, we may use your data already publicly disclosed either by you or otherwise legally publicized in a reasonable manner as prescribed by the applicable law.
We process your personal data for the purposes described in the following chart, relating to your online and offline interactions with us regarding our services, products and wider business activities. Data that is mandatory is indicated on relevant forms that you complete or communicated by us separately. Where provision of data is mandatory, if relevant data is not provided, then we will not be able to fulfil your requests. All other provision of your information is optional.
|Main Purposes||Data subject||Items of personal data|
|Carrying out clinical studies, sponsoring clinical trials and wider research studies and carrying out our own clinical research and engaging with necessary regulatory inspections, audits and reporting obligations connected with clinical research.||HCPs, Patients, Business Partners||Personal details, professional data (of HCPs), employment and business details, communications content, health and medical records, photographs and medical images, physiological and physical Data (of Patients).|
|Medical affairs work, including organization of Advisory Boards, communicating scientific and clinical information to the medical community, maintaining external relationships with key leaders within the scientific community, patient groups, and other authorities and carrying out market research and other research studies.||HCPs, Patients, Business Partners||Personal details, Professional Data (of HCPs), Employment and Business Details, communications content, Health and medical records, Photographs and medical images, Physiological and Physical Data (of Patients).|
|Pharmacovigilance work, including collecting information on adverse events, investigating the adverse event, complying with regulatory reporting requirements, corporate drug safety, quality assurance and pharmacovigilance obligations, managing complaints, and complying with any other connected pharmacovigilance, drug safety and other applicable regulations.||HCPs, Patients, Business Partners||Personal details, professional data (of HCPs), employment and business details, communications content. Health and medical records, photographs and medical images, physiological and physical data (of Patients).|
|Entering into and performing a contract with you, including processing payments and transactions.||HCPs, Patients, Business Partners||Personal details, financial details, communications content.|
|Managing our business, site and services, engaging with and understanding our customers and the medical community. Organising events and conferences, including international events and webinars. Marketing and advertising campaigns. Tracking statistics and trends on our website as well as through other digital and offline interactions. Investigating any complaints received from you or from others, about our website or our products or services.||HCPs, Patients, Business Partners, Members of the Public||Personal details, professional data, employment and business details, communications content, technical and usage data.|
|Managing security concerns, both on our website and at our premises and in relation to our staff.||HCPs, Business Partners, Members of the Public, Patients||Personal details, technical and usage data, employment and business details|
|Processing your job or role application.||Members of the Public||Personal Details, professional data, employment data.|
|Protecting our business interests, and legal rights, including in connection with legal claims, compliance, regulatory, auditing, investigative and disciplinary purposes and ethics and compliance reporting requirements. We may also use your information where necessary to protect the security of our premises, assets, systems, and intellectual property and enforce company policies, including protecting ourselves from fraud and verifying the individuals with which we interact as appropriate.||All data subjects mentioned in this privacy notice||All personal data mentioned in this privacy notice.|
4. Recipients of Personal Data
We will only disclose your personal data as necessary to achieve the purposes set out in this privacy notice, including to the following recipients:
- A member of our group where we have a legal basis for doing so.
- Companies who provide services to us or on our behalf, answering questions about products or services, sending mail and emails, patient analysis, assessment and profiling and when using auditors or other professional advisors.
- Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you.
- Analytics and search engine providers that assist us in the improvement and optimization of our site.
- IT service providers.
- Clinical Research Organizations.
- Healthcare Professionals.
- Other organizations, including universities, when we run an event in partnership with such other organizations. In such case, your personal data may need to be shared. We will be very clear about what will happen to your personal data when you register for such events.
- A new entity or purchaser, in the case we merge with another organization or form a new entity. In such case, your personal data may be transferred to that new entity and/or purchaser, including their professional advisors.
- Appropriate third parties where this is necessary to:
  - Comply with any court order or other legal obligation or when data is requested by our regulators or by government agencies or law enforcement agencies or is required by any stock exchange rules where a member of the Kyowa Kirin Group is listed.
  - Protect the rights, property, or safety of us, our employees or others. This may include exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
5. International Data Transfer
When your country of residence is in the EU/EEA or the United Kingdom, depending on the way your personal data is processed, your personal data may also be transferred outside the EU/EEA or the United Kingdom. In these cases, we ensure that an adequate level of data protection exists before transferring your personal data. This means that via EU or United Kingdom standard contractual clauses or an adequacy decision or other valid adequacy mechanism, a level of data protection is achieved that is comparable to the standards within the EU or United Kingdom. A copy of the relevant mechanism can be provided for your review on request by contacting us using the details set out below.
6. Retention of your data
Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep, indefinitely, a record of the fact that you have asked us not to send you direct marketing or not to process your data, so that we can respect your request in the future.
7. Control and Security of Personal data
We will assign one or more persons to be in charge of the control and security of your personal data and will keep all of your personal data in a strictly controlled and secured environment. We will take necessary and appropriate measures to protect all of your personal data not only from leakage but also from unauthorized outside access.
8. What are your data protection rights?
We would like to make sure you are fully aware of all your data protection rights. Depending on where you live, you may be entitled to the following:
- The right to access – You have the right to request that we provide copies of your personal data. We may charge you a small fee for this service.
- The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete any information you believe is incomplete.
- The right to erasure – You have the right to request that we erase your personal data, under certain conditions.
- The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.
- The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.
- The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
- The right to lodge a complaint with a supervisory authority – You might have the right to lodge a complaint with a supervisory authority against the processing of your personal data if you believe that the processing of your personal data violates data protection regulations.
- Other rights under applicable data and privacy laws and regulations.
In addition, you have the right to object to the processing of your personal data at any time:
- if we process your personal data for direct marketing purposes; or
- insofar as we process your personal data for the pursuit of our legitimate interests and there are grounds based on your particular situation.
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, where it would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in applicable national laws, and we will inform you of applicable exemptions in our response to your request.
9. Withdrawal of Consent
Where consent is our legal basis for processing your personal data, you have the right to withdraw your consent at any time, and the withdrawal does not affect the lawfulness of processing or transferring based on consent before such withdrawal. If you wish to withdraw your consent, please contact us at the details below.
11. How to contact us
Kyowa Kirin Malaysia Sdn Bhd
Email us at: firstname.lastname@example.org
Or write to us at: Data Protection Officer,
A501 West Wing, Wisma Consplant 2, Jalan SS 16/1, Subang Jaya, 47500 Selangor, Malaysia