Privacy Statement

Thornton and Ross is based in Huddersfield, West Yorkshire. We develop, manufacture and supply a wide and growing range of branded OTC medicines, dermatological preparations, generic medicines and other pharmaceutical, healthcare and hygiene products.

Thornton and Ross puts priority on protecting your personal information. Acknowledging the importance of your personal information, we strive to secure and carefully process the information you share with us. We value your trust. We hence provide notice regarding how we collect, use and share your information. Our collection, use and sharing of your information is only based on your permission or where allowed by law.

By using this website, you are deemed to have agreed with the terms of this Privacy Policy. Whenever you submit information via this site, you therefore consent to the collection, use and disclosure of that information in accordance with this Policy.

Scope of this Privacy Notice

This Privacy Notice applies to personal data we collect through the Site. It describes how we use your data and your data protection rights, including a right to object to some of the processing which we carry out. 

Our Site may include links to other websites over which we have no control. Thornton and Ross is not responsible for the privacy policies or practices of other websites.

Personal data we collect

Personal Information is collected at several different points on this website with the informed consent of the visitor. The Information provided is used to improve the appropriateness of the information provided on the website, market research, and the provision of other services by the company, associated companies and other third parties.

Under the EU’s General Data Protection Regulation (GDPR) personal data is defined as:

“any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Personal Information You Provide To Us: We or our service providers (acting on our behalf) may collect "Personal Information" (which is information that, on its own or when combined with other information, identifies you or relates to you as an identifiable individual) that you provide to us, such as your first and last name, email, telephone number(s), address or post code and any Usage Personal Information (explained below), such as IP address, to the extent that this allows you to be identified.

Personal Information Collected Automatically: Whenever you visit or interact with the Site, we, as well as our third party service providers, may use a variety of technologies that automatically or passively collect information about how the Site is accessed and used (collectively, "Usage Personal Information"). Usage Personal Information may include:

IP address or other unique identifier ("Device Identifier") for the computer, mobile phone, tablet or other device you use to access the Site ("Device").

  • Device type
  • Demographics
  • Location
  • Language
  • Type of browser software and operating system you are using
  • Page(s) served, the time, and the preceding page views
  • Event type (pages viewed/documents downloaded)
  • Event date/time
  • Page URL
  • Downloaded item URL

Personal Information Collected when using our social media appearance

We may use the following social media platforms to provide you with information about our company and our products: Facebook, Twitter, Instagram, LinkedIn, TikTok and Pinterest. We may use the so-called two-click solution.
We have no influence on the collected data and data processing processes, nor are the full extent of the collection, the purposes of the processing and the storage periods known to us. We also have no information regarding the deletion of the collected data by the social media provider. The social media provider saves your personal data as user profiles and uses them for the purposes of advertisements, market research and/or the needs-oriented design of its website. Such analysis takes place (even for users that are not logged-in) for presentation of user-oriented advertisements and to inform other users of the social network about your activities on the website. You have the right to object to the generation of such user profiles, the exercise of which you need to contact the respective plug-in provider. Through these plug-ins, we offer you the opportunity to interact with social media and other users, to improve our offers and to make their design more interesting. Legal foundation for the use of the plug-ins is Art. 6 (1) 1 f) GDPR.

Further information on the purpose of the data collection and its processing by the social media provider can be found in the privacy statements of these providers. There you can also get more information about your rights and possibilities to protect your privacy by adjusting the user settings.


Addresses of the respective social media providers and URL to their privacy statements:

  1. a) Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; facebook.com/policy.php; further information on data collection: www.facebook.com/help/186325668085084www.facebook.com/about/privacy/your-info-on-othersowie www.facebook.com/about/privacy/your-info. Facebook acts under the EU-US-Privacy-Shield, www.privacyshield.gov/EU-US-Framework.
  2. b) Twitter Inc., 1355 Market St, Suite 900o, San Francisco, California 94103, USA; com/privacy. Twitter acts under the EU-US-Privacy-Shield, www.privacyshield.gov/EU-US-Framework.
  3. c) LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; linkedin.com/legal/privacy-policy. LinkedIn acts under the EU-US-Privacy-Shield, www.privacyshield.gov/EU-US-Framework.
  4. d) TikTok Inc., 10100 Venice Blvd., Culver City, CA 90232 , USA; https://www.tiktok.com/legal/privacy-policy?lang=en
  5. e) Pinterest Inc., 651 Brannan Street, San Francisco, CA 94103, https://policy.pinterest.com/de/privacy-policy. Pinterest acts under the EU-US-Privacy-Shield, privacyshield.gov/EU-US-Framework
    f) Instagram a corporation of Facebook Inc., 1601 S California Ave, Palo Alto, California 94304; https://help.instagram.com/519522125107875. Instagram acts under the EU-US-Privacy-Shield, www.privacyshield.gov/EU-US-Framework
  6. g) Integration of YouTube videos

We may include YouTube-videos in our online offer that are saved at www.YouTube.com and which can be played directly from our website.
By visiting the website, YouTube receives information, that you have visited the respective sub-site of our website. In addition, the data listed in section 3 is transferred. This takes place regardless of whether YouTube offers a user account that you are already logged-in to or if no user account exists. If you are logged-on at Google, your data is directly matched with your account.  If you do not wish the matching with your profile at YouTube, you need to log-out before using the button. YouTube saves your data as user profiles and uses them for purposes of advertisements, market research and/or user-oriented design of its website. Such an analysis takes place (even for users that are not logged-in) for displaying user-oriented advertisements and in order to inform other users of the social network about your activities on our website. You have the right to object regarding the generation of such user profiles. For the execution of this right, you need to contact YouTube.

3) Further information on the purpose and scope of the data collection and processing by YouTube can be found in the privacy statement. There you can also find further information on your rights and possibility to change the settings to protect your privacy: www.google.de/intl/en/policies/privacy/. Google processes your personal data also on US territory.

How we use your information

We process the personal data we collect for the following purposes:

With your consent to:

  • to provide you with information on Thornton and Ross’s business activities, products or services  
  • to send you email newsletters and notifications
  • to place cookies and similar technologies, as described in the Site’s cookie policy.
  • to track your usage and see which sections of our web sites you visit via Google Analytics

To allow us to pursue our legitimate business interests, in particular to:

  • to respond to your queries or other correspondence you have submitted through the site
  • to complete and fulfil any requests for products or services
  • analyse the use of our site in order to continuously improve content and measure performance
  • to tailor content, advertisements, and offers we serve you
  • to show you promotions and offers via our social media platforms relevant to your previous activity

To meet legal, regulatory, pharmacovigilance and compliance requirements, in particular to respond to requests for information from government authorities.

 

Will Thornton and Ross share my personal data with anyone else?

In general, Thornton and Ross Limited shares aggregated information and statistics about its customers, sales, traffic patterns and related website information with partners, third parties, marketing agencies, suppliers and advertisers.

We may pass your personal data on to third‐party service providers contracted to Thornton and Ross in the course of dealing with you, as explained in this Privacy Policy, as disclosed at the time you provide your information and in the following circumstances:

  • Third Party Service Providers: We instruct other companies and individuals to perform functions on our behalf. Examples may include sending e‐mail, managing training courses, analysing data, providing marketing assistance, hosting data, for tax and financial advice, for legal advice, accountancy or auditing services, website management and development and providing customer service. In connection with their performance of these functions on our behalf, we may share Personal Information with such companies and individuals as needed for them to perform their functions.
  • Legal Disclosure: We may transfer and disclose your Personal Information to third parties to comply with a legal obligation; when we believe in good faith that the law or a governmental authority requires it; to verify or enforce our Terms of Use or other applicable policies; to address fraud, security or technical issues; to respond to an emergency; or otherwise to protect our rights or property or the security of third parties, visitors to our Site, or the public

When they no longer need your data to fulfil this service, they will dispose of the details in line with Thornton and Ross’s procedures. If we wish to pass your sensitive personal data onto a third party we will only do so once we have obtained your consent, unless we are legally required to do otherwise.

Thornton & Ross may processes your data additionally outside the European Union.
Thornton & Ross is a globally-active company. In the course of our business activities, we may potentially transfer your personal data also to recipients outside of the European Economic Area (“third countries”), where the applicable laws do not grant the same data protection safeguards as those in your home country. If this is the case, we will maintain the applicable data protection regulations and take appropriate protection measures to safeguard the security and integrity of our personal data, in particular through the conclusion of the EU standard contract clauses, which you can find at the following link: eur-lex.europa.eu/LexUriServ/LexUriServ.do

How long will Thornton & Ross save information about me

Purpose  of storage

Storage time

Web server logs

14 days

General inquiries

180 days / 6 months

Order information

180 days / 6 months

Newsletter subscription/unsubscription

As long as you subscribe to the newsletter. If you unsubscribe from the newsletter, you will be deleted directly.

Use of services and promotions

 

As long as active consent for long-term use is available. In the event of revocation, the data will be deleted.
In the case of one-time use of offers without active consent for permanent use, the data will be deleted after 6 months.

Faculty Login

As long as access is desired. In the event of revocation, the account will be deleted within 14 days.

 

Under what circumstances will Thornton and Ross contact me?

Our aim is not to be intrusive, and we undertake not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.

Can I find out the personal data that Thornton and Ross holds about me?

 According to the provisions of the GDPR, you can exercise the following rights towards us:

  • Right to access
  • Right to rectification
  • Right to restriction of processing
  • Right to deletion / “right to be forgotten”
  • Right to data transferability
  • Right of appeal

In order to assert one of your rights listed mentioned above, you can contact us at any time.

If the processing of your personal data is based on your consent, you have the right to object / withdraw your consent at any time, with effect for the future. The legality of the processing based on your consent until the withdrawal of the consent remains unaffected. Given consent can of course be canceled under the following address at any time with effect for the future: data@thorntonross.com

How to contact us about your personal data or this privacy policy

If you have any questions about this privacy policy or about your personal data, please email us at dataprotection@thorntonross.com or write to us at the following address:

GDPR Representative
Thornton and Ross Limited
Manchester Road
Huddersfield
HD7 5QH

 Changes to this privacy policy

We aim to meet high standards and so our policies and procedures are constantly under review. From time to time we may change this privacy policy. Accordingly we recommend that you check this page periodically in order to review the latest version.

Where to make a complaint

If you have a complaint regarding any aspect of your personal data or this privacy policy, please write to us at the above address.

If you are still not satisfied with the outcome of your complaint, you may write to the Information Commissioner’s Office at the following address:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

You have also the right to file a complaint at the Information Commissioner’s Office using their online form: https://ico.org.uk/global/contact‐us/email/

The rapid development of the internet will make adjustments to our privacy regulations necessary from time to time. You will be info

Data Protection Notice

Data protection notice pursuant to the General Data Protection Regulation (GDPR)

This data protection notice is designed to inform you of what purposes Thornton & Ross Limited of Linthwaite, Huddersfield, HD7 5QH (henceforth “we” or “us”) process your personal data for. Personal data means any information relating to you personally. The following information explains how your personal data is processed and ensures transparency.

We process the following personal data for the following purposes:

Data from business partners / customer data / supplier data

This encompasses any data from customers or business partners processed during a business relationship with us. This applies to the following personal data: contact details of our business partners (name, position, business contact details, e-mail address, telephone and fax numbers and information about the business relationship).

We process this data for the purpose of conducting the business relationship, concluding contracts, processing orders, carrying out analyses and evaluations and for fulfilling our legal obligations, e.g. for the purpose of conducting screening-measures. Processing is carried out based on Article 6 (1) 1 b, c, f GDPR. If the basis for the processing is a legitimate interest within the meaning of Article 6 (1) 1 f GDPR, our legitimate interest lies in responding to inquiries and conducting business contact relationships. The provision of your personal data is required for the business relationship. This means that if you decide not to provide us with your personal data, it is not possible to conduct the business relationship.

We also receive personal data from the various sources and, under certain circumstances, from wholesalers from whom you purchase our products. These sources are not publicly available. Processing is carried out based on the “balancing of interests clause” of the GDPR. In addition to this, we may have received your personal data from publicly accessible sources on the Internet.

We transfer your personal data to the following categories of recipients: service providers and/or Thornton & Ross Limited companies as required to process your request. This includes both Thornton & Ross companies in UK and, if applicable, abroad. Categories of external service providers may be: IT service providers, waste disposal service providers, shipping services, auditors, consultants or authorities. In case of credit management, it may also concern credit agencies, debt collectors and credit insurers. In some cases, both the Thornton & Ross companies and potential service providers that we may transfer your personal data to may be located outside the UK.

Sales department, in particular field sales force

Our sales department processes personal data that is required to perform its tasks. This may include the personal data of doctors and pharmacists and, if applicable their employees who are contacted and visited by the field staff. The personal data processed includes name, position, business contact information, e-mail address, telephone and fax number.

We process this data in order to sell our products and to maintain the data in our CRM systems. The field sales force processes this data for the purpose of notification, execution and follow-up of field service visits or other kinds of sales activities such as maintaining lists of interest. Furthermore, the data may be used to conduct business analyses, for instance analysis of sales figures, trends, etc. Processing is based on Article 6 (1) 1 b, f GDPR. If the basis for the processing is legitimate interests within the meaning of Article 6 (1) 1 f GDPR, our legitimate interest lies in optimizing sales processes and marketing campaigns.

If data is collected directly: providing your personal data is not a legal or contractual requirement. This means that you are not obligated to provide us with your personal data. If you decide not to provide us with your personal data, the sales department will not be able to contact you.

If data was not collected directly: We received your personal data from the various sources such as wholesalers in some cases (see point 1). These sources are not publicly available. In addition to this, we may have received your personal data from publicly accessible sources on the Internet.

We transfer your personal data to the following categories of recipients: Affiliated companies for CRM maintenance, IT service providers, and in some cases disposal service providers, shipping services, consulting companies, analytical service providers or marketing services.

Your data is processed mainly in UK. However, it may also be possible for foreign affiliated companies to access the data, for example for the purposes of maintaining our IT systems.

Staging competitions/lotteries and surveys

We regularly stage competitions/ lotteries and surveys with different target groups. We process personal data on those participating in the competition or survey (in particular, name, position, business or private contact information, e-mail address and telephone number).

We process this data for the purpose of staging the competition or the surveys. The data is processed in accordance with Article 6 (1) 1 a GDPR.

You are not legally required to provide your personal data, but this is often necessary to participate in the competition/survey. This means that you are not legally obligated to provide us with your personal data. If you decide not to provide us with your personal data, usually it is not possible for you to participate in the competition or survey.

We may transfer your personal data to the following categories of recipients: Affiliated companies and, where applicable, external service providers (shipping companies, IT service providers, waste disposal services; publishers and web media producers) entrusted with processing or evaluating the competition or survey.

We only process your data within the UK.

E-mail correspondence

We process the following personal data in the scope of e-mail correspondence: Personal data of the senders and recipients of e-mails (in particular name, position, business or private contact information, e-mail address, telephone number and fax number) as well as other personal data you may disclose about yourself through your signature or in the text of the e-mail.

We process this data to communicate with all stakeholders. The legal basis for processing this data is Article 6 (1) 1 a, f GDPR. If the basis for the processing is legitimate interests within the meaning of Article 6 (1) 1 f GDPR, our legitimate interest lies in responding to inquiries and conducting business communication.

You are not legally required to provide your personal data, but this is necessary in order to communicate by e-mail. This means that you are not legally obligated to provide us with your personal data. If you decide not to provide us with your personal data, communication by e-mail is not possible.

 

Where necessary, we transfer your personal data to the following categories of recipients: employees of affiliated companies as well as external service providers assisting us in responding to the request, such as IT service providers, consulting firms or auditors.

In some cases, affiliated companies and service providers that we may transfer your personal data to are located outside the UK.

Contact initiated using Thornton & Ross’ digital channels

When responding to enquiries received at Thornton & Ross Limited’s functional mailboxes, such as customerservices@thorntonross.com, via social media channels or via our contact pages on the Internet, we process all the data provided by the sender of the inquiry (name, company, position, business or private contact information, e-mail address, telephone number and fax number) as well as additional personal data you may disclose about yourself in writing or orally in the text of the message or in the further course of processing of the enquiry. This may also be health data.

We process this data in order to be able to answer your enquiry. If you report side effects to us through these channels, the enquiry is immediately forwarded to the responsible colleagues at the drug safety department.

The legal basis for this is our legitimate interest under Article 6 (1) f GDPR.

You are not legally or contractually required to provide your personal data. This means that you are not obligated to provide us with your personal data. If you decide not to provide us with your personal data, this has the following consequences: it will not be possible to process your request.

We transfer your personal data to the following categories of recipients: recipients entrusted with processing your request or inquiry. These may be employees of affiliated companies as well as external service providers, e.g. IT service providers, consulting firms and partner laboratories. Cases which might be of relevance for insurance cases will be forwarded to the respective insurance company, which might then directly contact you.

If your enquiry involves a foreign country, your data may also be transmitted to affiliated companies abroad. Some of these are located outside the EU.

Business cards policy

Business cards are exchanged routinely in the scope general business contacts, trade fairs or similar events.

We process the personal data contained on the business card in order to possibly initiate contact later, or to update our data and may enter the data into our Outlook address book or our CRM system.

You are not contractually or legally required to provide your personal data. This means that you are not obligated to provide us with your personal data. If you decide not to provide us with your personal data, this has the following consequences: We do not receive and consequently do not use your business cards.

The legal basis for this is our legitimate interest under Article 6 (1) f GDPR.

We may transfer your personal data to the responsible contact person in the Group.

If the matter relates to something abroad, your data may also be transmitted to affiliated companies abroad. Some of these are outside the UK.

Video surveillance

Some areas of our sites are under video surveillance. In this context, footage data as well as time and geographical data on persons on our premises is processed.

We process this data to ensure security at our sites. The legal basis for this is our legitimate interest within the meaning of Article 6 (1) f GDPR in the safety of our sites.

You are not legally or contractually required to provide your personal data. This means that you are not obligated to provide us with your personal data. If you decide not to provide us with your personal data, however, it is not possible for you to visit Thornton & Ross Limited’s sites.

We transfer your personal data to the following categories of recipients: security service providers, IT service providers and in some cases, if there are substantiated grounds for suspicion, to external authorities.

Processing takes place exclusively in the UK.

Ordering drug samples

Certain groups of people can order samples from us. If you request samples from us we process the following personal data: Name, business contact information, position, number of samples sent to you so far.

The legal basis for this processing is Article 6 (1) b GDPR.

You are not legally obligated to provide your personal data, but this is required for the conclusion of the contract. This means you are not legally obliged to provide us with your personal data. If you decide not to provide us with your personal data, this has the following consequences: it is not possible to order samples.

We transfer your personal data to the following categories of recipients: shipping service providers, affiliated companies and analysis service providers.

Your data will be processed in the UK. However, it may also be possible for foreign affiliated companies to access this data, for example for the purposes of maintaining our IT systems.

Advertising by fax, telephone and e-mail

We conduct advertising and information measures to make our customers aware of current offers, information and services. We process the following personal data in this context: Name, position, business contact information, e-mail address, telephone number and fax number.

The legal basis for this processing is your consent (Article 6 (1) a GDPR) or our legitimate interest (Article 6 (1) f GDPR).

You are not legally or contractually required to provide your personal data. This means that you are not obligated to provide us with your personal data. If you decide not to provide us with your personal data, it is not possible to receive information/advertising through the above-mentioned channels for which you have not given your consent or for which Thornton& Ross Limited cannot claim a legitimate interest.

 

We transfer your personal data to the following categories of recipients: call centres, shipping companies, printers and IT service providers.

Your data will be processed mainly in the UK. However, it may also be possible for foreign affiliated companies to access the data, for example for the purposes of maintaining our IT systems.

Registering for events

We invite individuals to events directly or indirectly through third parties. In the scope of staging such events, we process the following personal data of the participants: Name, position, contact information, e-mail address, telephone number, fax number.

The legal basis for processing your personal data is your consent (Article 6 (1) a GDPR). You are not legally required to provide your personal data, but this is required in order to register for the event. This means that you are not obligated to provide us with your personal data. If you decide not to provide us with your personal data, you will not be able to participate in the event.

If data is not collected directly, then we receive your personal data from the place where you registered for the event. Depending on the type of event, the data may or may not be publicly available.

We transfer your personal data to the following categories of recipients: service providers assisting us in organising the event, shipping services for the purposes of sending invitations and/or information material and IT service providers.

Your data will be processed in UK. It is possible that your data may also be processed abroad.

Newsletters

We offer different ways to subscribe to newsletters. In the scope of sending newsletters, we process the following personal data of newsletter recipients: Form of address, title, name, institution, position, address, telephone number, e-mail address and possibly your SAP customer number and online shop customer number.

The legal basis for this processing is your consent (Article 6 (1) a GDPR) or our legitimate interest (Article 6 (1) f GDPR). You are not legally required to provide your personal data. This means that you are not obligated to provide us with your personal data. If you decide not to provide us with your personal data, you will not be able to receive our newsletters.

We transmit your personal data to agencies in order to send the newsletter.

Your data will be processed mainly in the UK. However, it may also be possible for foreign affiliated companies to access the data, for example for the purposes of maintaining our IT systems.

Reporting side effects (health data)

If you inform us of suspected adverse reactions, a suspected lack of efficacy, exposure during pregnancy and lactation or other incidences relating to our products which are required to be documented, we process your personal data for the purpose of verification and investigation, to ensure safe use of our products and to fulfil our statutory documentation and reporting obligations. For this purpose, we process the following personal data from you in our central database, which we are legally obligated to maintain:

The person submitting the report to us: name, contact details, e-mail address, telephone number, medical qualification.

The person affected by suspected adverse reactions, lack of efficacy, exposure during pregnancy and lactation or other incidents requiring documentation: Initials, date of birth, age, age group, gender and the health-related information that you provide and that is necessary to document and evaluate the incident.

This means health-related data is generally collected in a pseudonymised form, unless you, as the person concerned, report the incident yourself. The legal basis for processing is the relevant legislation on the safety of drugs and medical devices of the European Union, the member states and third countries. We collect and process this data only to the extent that we are legally obligated to.

You are not legally required to provide your personal data, so you are not obligated to provide us with your personal data. If you decide not to provide us with your personal data, this has the following consequences: data is recorded in anonymous form. This in turn means that we cannot contact you, for example if we have any follow up questions.

Alternatively, as the person affected, you can also ask your doctor, your pharmacist, another healthcare professional with whom you are undergoing treatment, or a third party, to report the incident for you – in this case we will only receive pseudonymous data on you that does not allow you to be identified. You also have the option of sending a corresponding notification directly to the responsible authorities. If you, as a doctor or pharmacist, for instance, are subject to legal or professional obligations to report the above events, you can also fulfil your obligation by reporting directly to the responsible authorities.

If data was not collected directly, then we received your data from the following sources:

Your doctor, pharmacist or other healthcare professional with whom you are undergoing treatment, or a relative, your lawyer or other person to whom you have disclosed this information about you. We also receive data of this kind from competent supervisory authorities inside and outside the EU, either directly or via the central European database. These sources are not publicly available. In all such cases, we receive health-related personal data solely in the same pseudonymised form in which we would collect it ourselves. We only receive data in assignable form from the individuals reporting the information themselves and to the same extent to which we would collect it ourselves.

We transfer your personal data to the following categories of recipients: To fulfil our statutory obligations with regard to ensuring drug and medical device safety, we make the data available within our central drug safety database to a closed user group consisting of the employees of Thornton & Ross Limited, STADA Arzneimittel AG and its subsidiaries and external service providers directly entrusted with tasks relating to the safety of drugs and medical devices. Other employees of Thornton & Ross Limited, its subsidiaries and external service providers only receive anonymous evaluations of this data as needed, for instance of the frequency of certain events within certain patient groups. To the extent that external parties have access to the data, appropriate agreements exist to ensure an appropriate level of data protection.

Moreover, we transmit the data in accordance with our statutory reporting obligations to supervisory authorities inside and outside the EU as well as to contractual partners inside and outside the EU, to the extent that this is necessary to fulfil our statutory documentation and reporting obligations relating to the safety of drugs and medical devices, we make the data available within our central drug safety database to a closed user group consisting of the employees of Thornton & Ross Limited, its subsidiaries and external service providers directly entrusted with tasks relating to the safety of drugs and medical devices. Other employees of Thornton & Ross Limited, its subsidiaries and external service providers only receive anonymous evaluations of this data as needed, for instance of the frequency of certain events in certain patient groups. To the extent that external parties have access to the data, appropriate agreements exist to ensure an appropriate level of data protection.

Furthermore, we transmit the data in accordance with our statutory reporting obligations to supervisory authorities inside and outside the EU as well as to contractual partners inside and outside the EU, to the extent that this is necessary to fulfil our statutory documentation and reporting obligations. To the extent that data is transferred to contractual partners, corresponding protection agreements exist.

Special Products

We may be required by a regulatory authority to document which doctor or pharmacy prescribed or requested a certain preparation.

For this purpose, we process the personal data of the pharmacy placing the order, which is communicated by the pharmacy stamp on the order fax. With regard to the prescribing doctor, the following personal data is collected and processed: Name, hospital/outpatient clinic, contact address and doctor identifier number.

The legal basis for this processing is Article 6 (1) c GDPR. This means you are legally required to provide this personal data. This means you are obligated to provide us with your personal data if you prescribe or order such medication.

We transmit your data to authorities if requested.

Your data will be processed mainly in the UK. However, it may also be possible for foreign affiliated companies to access the data, for example for the purposes of maintaining our IT systems.

Visitor book/visitor management system

When visiting our locations, visitors (employees of external companies or other visitors) are requested to register in our visitor book/visitor management system or they are entered in such a system.

We process this data to ensure security at our sites. The legal basis for this is our legitimate interest within the meaning of Article 6 (1) f GDPR in the safety of our locations.

You are not legally required to provide your personal data, but this is necessary to ensure security at our sites. This means that you are not legally obligated to provide us with your personal data. If you decide not to provide us with your personal data, you cannot enter our locations.

If needed, we transfer your personal data to the following categories of recipients: security service providers, IT service providers, waste disposal services, possibly to auditors and, in the event of substantiated suspicions, possibly to external authorities.

Processing takes place exclusively in the UK.

 

 

Requests for samples (health data in some cases)

We offer the possibility of receiving samples of our products in the scope of marketing campaigns.

If you decide to order these samples, we will process the following personal data on you: Name, title, contact details, e-mail and possibly your telephone and fax numbers and, if applicable, data on your illness for the purpose of processing the sample requests.

The legal basis for processing is our legitimate interest pursuant to Article 6 (1) a GDPR.

You are not legally or contractually required to provide your personal data. This means that you are not obligated to provide us with your personal data. If you decide not to provide us with your personal data, however, it will not be possible to process your request or, in turn, to send the requested samples.

We transfer your personal data to the categories of recipients assisting us in this process; this includes IT service providers and shipping services.

Your data will be processed mainly in the UK. However, it may also be possible for foreign affiliated companies to access the data, for example for the purpose of maintaining our IT systems.

Publication of photos and videos

At internal and external events, we may take photos and videos. This involves processing the footage or images of the persons concerned and possibly the names of the persons depicted. The purpose of this processing is to carry out internal and external communication measures.

The legal basis for this processing is your consent (Article 6 (1) a GDPR). In certain cases, which are defined by the exceptions within the UK Copyright Design and Patents Act 1988 the legal basis can be our legitimate interest under Article 6 (1) f GDPR.

You are not legally or contractually required to provide your personal data. This means that you are not obligated to provide us with your personal data. If you decide not to provide us with your personal data, no photos of you will be taken or published.

We transfer your personal data to the categories of recipients assisting us in this process; this includes IT service providers.

Your data will be processed mainly in the UK. However, it may also be possible for foreign affiliated companies to access the data, for example for the maintenance of our IT systems.

Facebook

We publish news and information via this media portal and invite interaction and comments. Any conversation or participation within the media platform is voluntary! The legal basis for the processing of your data in this regard is your consent. You can withdraw your consent anytime with effect for the future (for details regarding exercising your rights, please see below).

Addresses and Links to the data privacy information of Facebook:

Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; https://www.facebook.com/policy.php; further information on data collection: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications as well as http://www.facebook.com/about/privacy/your-info#everyoneinfo.

If individual service providers or affiliated companies are located outside the EU, there may not be an adequate level of data protection compared to the level of data protection within the European Union. This means that the data protection laws in this country, to which your data may be transferred, do not offer the same protection as the UK.

We have therefore taken appropriate protective measures to ensure data protection: a global Group-wide Code of Conduct, standard contracts for contract processing or standard contract clauses within the STADA Group and with external service providers.

The Code of Conduct can be downloaded from https://www.stada.de/stada-deutschland/ueber-stada/compliance.html

Contracts for contract data processing have been concluded in accordance with Article 28 GDPR, the standard contractual clauses in accordance with EU requirements.

In the above cases, there is no automatic decision-making based solely on automated processing, including profiling, and which has legal implications or would affect you in any similar way.

Nextgen360 Ltd deletes personal data based on the following:

  • Based on statutory or contractual deletion periods
  • If processing is based on your consent, we process this data until you revoke your consent
  • If we process the data in the context of a legitimate interest, we process the data until the time at which our legitimate interest no longer exists.

 Under the rules of the EU General Data Protection Regulation you can assert the following rights vis-à-vis us:

  • right to information
  • right to rectification
  • right to restrict processing
  • right to erasure/right to be forgotten
  • right to data portability
  • right to object.

 To exercise one of the rights listed above, you can contact us at any time: compliance@nextgen360.com

Our Data Protection Officer (DPO) can be contacted at: Thornton & Ross, Linthwaite Labs, Manchester Road, Linthwaite, Huddersfield HD7 5QH or at data@thorntonross.com

Should you be of the opinion that we are processing your personal data in a non-compliant way, please contact us at legal@thorntonross.com. You also have the right to contact the data protection supervisory authority. The following link takes you to the relevant supervisory authority: https://ico.org.uk/make-a-complaint/your-personal-information-concerns/.