Website Privacy Policy
I. Purpose and scope of the Privacy Policy
Panpharma places the utmost importance and exercises the greatest care in protecting privacy and personal data, as well as complying with the provisions of the applicable laws and regulations.
Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”) states that personal data must be processed in a lawful, fair and transparent manner. Therefore, this privacy policy (hereinafter the “Policy”) aims to provide you with simple and clear information about how we process your personal data when browsing and using the services on our website.
II. Data controller
As part of your activity on the https://www.panpharma.eu/fr website, we collect and use personal data relating to you as a natural person (hereinafter the “data subject”).
For all processing operations, Panpharma [a limited liability company with a board of directors, incorporated in the Rennes Register of Companies under no. 328 297 841, with a capital of €3,540,000, and whose registered office is located at Le Clairay, 35133 Luitré-Dompierre, France] determines the purposes and means of the processing operations. As such, we act as the controller in pursuance of personal data regulations, particularly Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
III. What types of personal data do we collect and how do we collect them?
By using our website or subscribing to our services, you provide us with a certain amount of information about yourself, some of which is likely to identify you (“personal data”). This is the case when you browse our website, complete an online form or simply become a customer.
The type and quality of personal data collected varies according to your relationship with Panpharma. The main types of personal data are as follows:
- Identification data: including all the information that would enable us to identify you, such as your surname, first name and telephone number. We also collect your email address and your postal address (in case of a payment, your postal address will be required to generate an invoice).
In case of a subscription, you may also be required to provide proof of your identity. - Login data: these are all the information that we need to access your personal account, such as your password, as well as any other information required to authenticate users and access an account.
We also collect your IP address for maintenance and statistical purposes. - Professional data: these are all the information that you provide when applying for one of our job vacancies or sending an unsolicited application. They relate to your work experience.
- Different types of documents (PDF, Office format, image, etc.) with headings, content and file names, or document-related information, such as comments written in the documents, and alert and reminder dates.
- Browsing information: by browsing on our website, you are interacting with our website. Therefore, certain types of information relating to your browsing history are collected.
- Data collected from third parties: the personal data that you have agreed to share with us, the personal data posted on publicly available social media and/or the personal data that we may collect from other publicly available databases.
IV. Why do we collect your personal data and how?
We collect your personal data for specified purposes and on different legal grounds.
When performing the contract or implementing pre-contractual measures, your data are processed for the following purposes:
- Order fulfilment and purchase management
- Contract management
- HR management
- Management of your customer account
- Management of working time and procedures for organising business activities
- Training management
- Payroll management
- Management of suppliers/service providers
Based on your consent, your data are processed for the following purposes:
- Management of cookies requiring your consent
- Management of recruitment campaigns
- Fulfilment of your information requests
As part of Panpharma’s legitimate interest, your data are processed for the following purposes:
- Management of pre-litigation and lawsuits
- Surveys & polls
- Management of logistics claims and disputes
- Audits
- Management of access to the premises
- Management of landline phones and smartphones
- Implementation of systems designed to ensure the security and proper performance of the IS
- Management of Wi-Fi access for visitors
- Invoicing
As part of Panpharma’s legal and regulatory obligations, your data are processed for the following purposes:
- Fight against fraud
- General ledger and subsidiary ledger management
- Pharmacovigilance
- Mandatory administrative declarations
- Management of individuals’ rights
- Management of personal data breaches
- Medical information
- Management of benefits
V. Do we share your personal data?
Your data are intended for authorised Panpharma employees who are responsible for managing and performing contracts and fulfilling legal obligations, depending on the purposes for collecting the data and to the extent permitted by their respective powers.
For some tasks relating to the purposes of processing, and to the extent permitted by their respective duties and permissions, your data may be transferred to the following recipients:
- Panpharma Group entities where activities are outsourced to another Group entity
- Service providers and subcontractors that we use to carry out a set of operations and tasks on our behalf, including OVH, Factory Santelli and Netsulting
- Duly authorised public authorities (courts, supervisory authorities, etc.) in pursuance of our legal and regulatory obligations
- Regulated professions (lawyers, bailiffs, etc.) who may be involved in implementing guarantees, leading collection procedures or managing disputes
When your data are sent to our service providers and processors, they are asked to refrain from using the data other than for the purposes for which they were originally intended. We use our best efforts to ensure that such third parties maintain the confidentiality and security of your data.
In any case, only the necessary data are provided. We endeavour to ensure that your data are communicated or sent using secure methods.
We do not sell your data.
VI. Are your personal data transferred to third countries?
Panpharma strives to store personal data in France, or at least within the European Economic Area (EEA).
However, the data that we collect when you use our platform or services may be transferred to other countries. For example, this may happen where some of our service providers are located outside the European Economic Area.
In such cases, we guarantee that data are transferred:
- To a country ensuring an adequate level of protection, i.e. a level of protection equivalent to what is required by European Regulations
- Under standard contractual clauses
- Under internal corporate rules
VII. How long do we keep your personal data?
We store your personal data only for as long as necessary to achieve the purpose for which we collected the data, in order to meet your needs or fulfil our legal obligations.
Storage periods vary according to several factors, such as:
- The needs of Panpharma’s business activities
- Contractual requirements
- Legal obligations
- Recommendations issued by the supervisory authorities
The storage periods for your data are as follows:
| Purpose | Storage period |
| Invoicing | Ten years |
| Management of suppliers/service providers | Five years from the end of the contractual relationship |
| Contract management | Five years from the end of the contractual relationship |
| HR management | Term of the contractual relationship and five years after the employee’s departure |
| Management of cookies requiring your consent | Six months |
| Recruitment – Production Department | Two years after the last contact with the unsuccessful candidate |
| Management of personal data breaches | Five years after notifying the supervisory authority (CNIL) |
| Management of past due invoices | Ten years |
| Mandatory administrative declarations | Six years for social security declarations and ten years from the end of the financial year |
| Management of pre-litigation and lawsuits | Ten years after closing the dispute |
| Pharmacovigilance | No more than seventy years from the date on which the drug, device or product was withdrawn from the market |
| Management of individuals’ rights | When exercising the right to access or rectify personal data, the data relating to the identity documents provided may be kept for one year When exercising the right to object, the data relating to the identity documents provided may be kept for three years |
| General ledger and subsidiary ledger management | Ten years |
| Management of working time and procedures for organising business activities | Throughout the term of employment and then three years after the employee’s departure |
| Training management | Training management data are kept during the year in which training is provided and then throughout the term of employment |
| Payroll management | One month for pay slips Then five years for paper versions Fifty years for electronic pay slips Six years for social security declarations Ten years from the end of the financial year for payment transfer orders |
| Management of suppliers/service providers | |
| • Management of recruitment campaigns | Two years after the last contact with the unsuccessful candidate |
| • Surveys & polls | Two years after the survey |
| • Medical information | Ten years |
| • Management of landline phones and smartphones | One year for data relating to the use of telephony services, including numbers called and incoming call numbers Then throughout the term of employment for the rest |
| • Management of access to the premises | Three months (history of all access events) |
| • Implementation of systems designed to ensure the security and proper performance of the IS | Variable depending on the device, but no more than a 12-month rolling period |
| • Management of Wi-Fi access for visitors | Logs stored for six months |
| • Invoicing | Ten years |
VIII. How do we guarantee the security of your personal data?
Panpharma is committed to protecting the personal data that we collect or process against any loss, destruction and alteration, as well as unauthorised disclosure and access.
Therefore, we take all appropriate technical and organisational measures, depending on the type of data and the risks involved in their processing. These measures must protect the security and confidentiality of your personal data. They may include such practices as restricted access to personal data for authorised persons only as required for their duties, pseudonymisation and encryption.
In addition, our practices and policies and/or physical and/or logical security measures (secure access, authentication process, backup copies, software, etc.) are regularly checked and updated if necessary.
IX. What are your rights?
The GDPR provides data subjects with a number of rights that they can exercise. Therefore, the following rights are provided for:
- Right of information: the right to have clear, precise and complete information on how Panpharma uses personal data.
- Right of access: the right to obtain a copy of the personal data that the controller holds on the data subject.
- Right to rectification: the right to have the personal data corrected if they are inaccurate or obsolete and/or have any incomplete personal data completed.
- Right to erasure / right to be forgotten: the right, subject to certain conditions, to have the data erased or deleted, unless Panpharma has legitimate grounds to retain the data.
- Right to object: the right to object to Panpharma’s processing of personal data for reasons relating to the data subject’s particular situation (subject to conditions).
- Right to withdraw consent: the right to withdraw consent at any time where Processing is subject to consent.
- Right to restriction of processing: the right, subject to certain conditions, to request that personal data processing activities be temporarily suspended.
- Right to data portability: the right to request that the personal data be transmitted in a reusable format for use in another database.
- Right not to be subject to automated decision-making: the right for the data subject to refuse fully automated decision-making and/or exercise the additional safeguards provided in this respect.
- Right to post-mortem privacy: the right for data subjects to provide guidelines on what should happen to their personal data after their death.
Data subjects may be entitled to additional rights under local legislation.
As such, Panpharma has implemented a procedure for managing the rights of data subjects in accordance with the requirements of applicable law. This procedure establishes the:
- Standards to be met to ensure transparent information for data subjects
- Legal requirements that must be fulfilled
- Means authorised for submitting a request to exercise each right, depending on the category of data subjects
- Operational processes for fulfilling requests in accordance with the above requirements
- Parties involved in the processes, as well as their roles and responsibilities
To exercise your rights, you can contact the Data Protection Officer (DPO) at privacy@panpharma.fr
When you submit a request to exercise your rights, you are asked to provide as much information as possible about the scope of the request, the type of right exercised, the personal data processing activity concerned, and any other useful elements to facilitate the fulfilment of your request. In addition, in case of reasonable doubt, you may be asked to prove your identity.
You also have the right to lodge a complaint with the CNIL (French data protection authority) at 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France, in relation to the way in Panpharma collects and processes your data.
X. Updates to this Privacy Policy
This Policy may be updated from time to time to reflect changes in personal data regulations.
Last updated on 07/06/2023.
