This privacy notice is provided by Chiesi Farmaceutici S.p.A., including its affiliates (together “Chiesi Group” or “Chiesi”) in compliance with the applicable privacy regulations and is aimed at informing reporting individuals of how we process the information contained in their report.
If you are located in the European Union, or you are reporting a violation regarding a Chiesi Group company based in the European Union, your data will be processed according to Regulation (EU) 679/2016 (the “GDPR”). The independent data controller of your report is the company of the Chiesi Group that you select during the submission of your report. Reports will be received and assessed at local level (unless specifically escalated to the parent company in Italy or if there is no local affiliate) and only specifically trained people will have access and will be responsible for the reported data, based on the need-to-know principle.
“Personal Data” is any information that relates to an identified or identifiable living individual. It also includes different pieces of information which, taken together, can lead to the identification of a person.
"Processing of Personal Data" covers a wide range of operations performed on personal data, whether by manual or automated means. It includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.
"User" is the individual who submits a report through the platform (hereinafter “SpeakUp&BeHeard” or “Platform”).
(1) GENERAL INFORMATION
The SpeakUp&BeHeard platform is a web and phone-based system that allows any individual, including, but not limited to, Chiesi employees, contractors, and vendors, to report suspected violations or concerns regarding the infringement of laws, regulations, and internal policies. Reports may include conduct allegedly infringing the Group Code of Conduct, the Anti-bribery Policy, anti-bribery laws, criminal laws, and any other violation that may affect the business and financial integrity of the company (e.g., corruption, conflict of interest, unfair behaviors, fraud, insider trading, accounting issues), environmental safety or animal welfare.
Chiesi Group will process your Personal Data for the following purposes only:
- Enabling and managing the whistleblowing Platform and the related reports;
- Managing the lifecycle of the report, carrying out the investigations with the relevant stakeholders, including public authorities;
- Preventing and acting against unlawful conduct, applying disciplinary measures if necessary;
- Safeguarding the interests of the company, as well as the rights of its employees and third parties involved.
CATEGORIES OF PERSONAL DATA:
The provision of Personal Data is optional. The anonymous reporting option available on SpeakUp&BeHeard allows you to submit a report without providing any Personal Data (be advised that, according to the local legal framework, investigating certain reports may require the disclosure of your Personal Data).
In case the User voluntarily decides to provide their personal data, the following categories of data may be processed by the relevant Data Controller:
- Identification data of the User: name, surname, and email address;
- Personal data of the reported person or other parties mentioned in the report or obtained by the Data Controller during the investigations;
- Information relating to the reported violation.
Please be mindful that the information included in some reports may involve special categories of personal data. According to Article 9 of the GDPR, “special data” is data that may reveal racial or ethnic origin, religious or philosophical beliefs, political opinions, membership of parties or trade unions, and data relating to health and sexual life.
LEGAL BASIS OF THE PROCESSING:
Legal obligation: to comply with applicable laws and regulations and fulfill the requests received by competent Authorities.
Legitimate interest: we will also retain your Personal Data based on the legitimate interest of the Chiesi Group companies (in particular of the relevant Data Controllers) to prevent and investigate the alleged violations outlined in the PURPOSES section, and to defend their rights in (or file) a legal proceeding accordingly.
(2) HOW WE PROCESS YOUR PERSONAL DATA
Your report will be processed only by specifically appointed internal and external personnel, based on the need-to-know principle.
The Personal Data may also be shared with, or accessed by other companies or individuals, including the service provider of the Platform. The provider will only access the data for system maintenance purposes or to provide technical support to the User.
Chiesi ensures the protection of your Personal Data and the legitimacy of such processing by appointing the relevant parties as data processors through appropriate data processing agreements. All our processors shall therefore comply with applicable privacy laws and implement appropriate security measures.
In certain circumstances, we might need to share the information in your report, including your Personal Data, with public authorities and courts requiring disclosure to investigate or decide on the case, and with legal counsel providing support to Chiesi during the management of the report.
Be mindful that the identity of the User, acting as reporting individual, will be disclosed only upon legal obligation, upon a disclosure request as previously mentioned, or to guarantee the right of defense of the reported individual (this provision may vary based on the country-specific legislation).
How We Protect Your Personal Data
Chiesi implements appropriate security measures to safeguard your Personal Data against unauthorized access, disclosure, or loss, including:
- Reasonable measures to ensure that Personal Data is collected in compliance with the minimization and purpose limitation principles. We retain your Personal Data for a limited time as specified in the following section (3) unless an extension of the retention period is required or permitted by law;
- A range of technologies to ensure the confidentiality of Personal Data, ranging from encryption, strong passwords, and two-factor authentication, to firewalls and dedicated software to protect servers from external attacks;
- Selection of our business partners and service providers based on strict qualification criteria and obligation to comply with our data protection standards secured through specific contractually binding provisions. In addition, we perform audits and other assessments to verify their compliance with the above requirements;
- Privacy and data protection training tests to verify knowledge, and other activities to improve the awareness of privacy among employees and contractors.
International Data Transfers
Your Personal Data referred to in section (1) is stored on the Platform provider’s server (specifically appointed as a data processor) located in Italy or within the European Union. Based on the specific features and content of your report, your Personal Data may be transferred to other countries, including non-EU ones. Chiesi Group has assessed the impact of international transfers falling within the scope of reports and implemented appropriate guarantees, including signing the standard contractual clauses with the relevant stakeholders. Chiesi Group companies have also entered into an intercompany agreement governing transfers between the USA affiliate and the European ones.
China: in compliance with the local regulation, your Personal Data will be transferred outside China upon your express consent. Be advised that by submitting your report (clicking the “send” button) you are providing your consent to transfer your personal information.
Specific personnel of Chiesi Farmaceutici S.p.A., the parent company based in Italy, may have access to reports to coordinate their management among the Chiesi Group.
(3) RETENTION PERIOD OF YOUR PERSONAL DATA
We retain your Personal Data for the time necessary and consistent with the necessities that may arise during the management of your report (e.g., lawsuit, proceeding before the public authorities), in compliance with the minimization and purpose limitation principles, and according to the country-specific regulations that may apply to each affiliate.
Assessed/closed reports will be anonymized by replacing personal data with specific keywords no later than two (2) months after the end of the investigation.
If the internal checks on the report do not raise any concern (unfounded report), your data will be immediately erased.
Your Personal Data will be processed according to the terms set out above or for a shorter period if you decide to exercise one of the rights listed in the following section (4). Upon the expiration of the term, your Personal Data will be deleted or anonymized in accordance with our internal procedures, unless otherwise required by legal obligations or in case your Personal Data are necessary to protect our rights before any judicial or other relevant authority.
Be advised that if you ask to delete your Personal Data, we may not be able to address your report or conclude the investigation.
(4) DATA SUBJECT RIGHTS
Access, rectification, cancellation, data portability, restriction of processing, objection to processing, and revocation of consent.
Chiesi provides dedicated contacts for the enforcement of your right to access, modify, object, or limit the processing of your Personal Data, to request their cancellation, portability (if applicable), or revoke your consent in situations specified in the GDPR or other relevant regulations.
We invite you to contact the Data Protection Officer (DPO) of the parent company to obtain additional information and request the enforcement of your rights at firstname.lastname@example.org or the local Data Protection Officer, whose contact information can be found on the local affiliate website. You can find more information on our affiliates at the following link: https://www.chiesi.com/en/about-us/our-affiliates/, or in the list below.
If you believe that Chiesi is not processing your Personal Data in accordance with the principles explained in this notice or with the applicable laws, be advised that you have the right to lodge a complaint with a Data Protection Authority.
(5) INFORMATION ON AUTOMATED DECISION MAKING AND UPDATES TO THIS NOTICE
Your Personal Data are not subject to automated decision-making (including profiling).
This notice may be updated from time to time. Any update to this notice will become effective at the time of its publication on the Platform.
|Chiesi Pharmaceuticals GmbH||Gonzagagasse 16/16, 1010 Wien - Austria|
|Chiesi Poland Sp. z.o.o.||Al. Solidarności 117 – 00-496 Warsaw – Polon|
|Chiesi SA/NV||Telecomlaan 9, 1831 Diegem, Belgium|
|Chiesi España S.A.||Plaça d’Europa 41-43 Planta 10, 08908 L’Hospitalet de Llobregat Barcelona|
|Chiesi S.A.S.||17, avenue de l’Europe 92277 Bois-Colombes CEDEX|
|Chiesi Hellas Pharmaceuticals S.A.||Geroulanou sq. & 1 Renou Poggi Str. - GR – 174 55 Alimos, Athens|
|Chiesi Pharmaceuticals B.V.||Evert van de Beekstraat 1-120, 1118 CL Schiphol - The Netherlands|
|Chiesi Pharma AB||Kungstensgatan 38 SE-113 59 Stockholm - Sweden|
|Chiesi Limited||333 Styal Road – Manchester Green – M22 5LG - UK|
|Chiesi GmbH||Gasstraße 6 (Postfach 50 01 52, 22701 Hamburg) – D-22761 Hamburg – Germany|
|Chiesi Farmacêutica Ltda.||Rua Dr. Giacomo Chiesi, 151 – km 39,2 da Estrada dos Romeiros Santana de Parnaiba – SP 06500-000 – Brasil|
|Chiesi İlaçTicaret Limited Sirketi A.Ş||Büyükdere Cad. No:126, Özsezenİş Merkezi C Blok Kat:3, Esentepe-Şişli 34394, Istanbul|
|Chiesi USA Inc.||1255 Crescent Green Drive, Suite 250, Cary, North Carolina 27518|
|Chiesi Pharmaceuticals LLC||Chiesi Pharmaceuticals LLC, Lesnaya str. 43, 127055, Moscow - Russia|
|Chiesi Pharmaceutical (Shanghai) Co., Ltd||Unit 2603-2606, City Point, No. 666 West, Huaihai Road, Shanghai 200052|
|Chiesi México||Av. Coyoacán No. 1622, Edificio 2, Piso 1 Oficina 208, Col. Del Valle, Del. Benito Juárez, CP 03100, Ciudad de México, Distrito Federal|
|Chiesi Italia S.p.A.||via Giacomo Chiesi 1, 43122 – Parma (Italy)|
|Chiesi Pharmaceuticals (Pvt) Limited||60/1A – XX, Phase III, Commercial Zone, Khayaban-e-Iqbal, D.H.A., Lahore 54000|
|Chiesi Canada Corp||44 Chipman Hill, Suite 1000 Saint John, New Brunswick E2L 2A9|
|Chiesi Australia Pty Ltd||Suite 3, 22 Gillman Street, 3123 Hawthorn East VIC|
|Chiesi SA||Route de Moncor 10 1752 Villars – Sur Glâne Suisse|