Quidel Privacy Notice for Distributors, Suppliers and Customers
PRIVACY NOTICE
Introduction
Quidel Ireland Limited (‘Quidel’, “Company”, ‘we’, ‘us’, ‘our’) are strongly committed to protecting the privacy of your personal data. This Privacy Notice (‘Notice’) has been developed to ensure all distributors, customers and suppliers feel confident about the privacy and security of personal data and to meet our obligations under the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation ( Regulation (EU) 2016/679 (“GDPR”) (collectively the “Legislation”).
This Notice sets out how we use, collect and protect your personal data. This Notice has been developed to let you know: (1) who we are; (2) the kinds of personal data we may gather from you and through our interactions with you; (3) our basis for gathering your personal data; (4) how and why we process your personal data; (5) when we might disclose your personal data and to whom; (6) how your personal data is kept secure; (7) how long we will retain your personal data; and (8) certain rights you may have relating to your personal data.
To the extent we are a ‘data controller’, we must comply with the data protection principles set down in the Legislation and this Notice applies to all personal data collected, processed and stored by us in the course of our activities. The purpose of this Notice is to set out the procedures that are to be followed when dealing with personal data and to outline how we will collect and manage personal data in accordance with all relevant legislation and standards. The procedures set out herein must be followed by us, our employees, agency workers, contractors, distributors or other parties working on behalf of us.
This Notice extends to all personal data whether stored in electronic format or paper format which forms part of a filing system or is intended to form part of a filing system.
Identity and Contact details of the Controller
The Data Controller is:
Quidel Ireland Limited
2nd Floor, Merchants Square Merchants Road
Galway H91ETN2
Ireland
Data Protection Champion
The Contracts Manager is the data protection champion (the “Data Protection Champion”). The Data Protection Champion bears the overall responsibility for ensuring compliance with the Legislation. The HR Manager and HR department, Managers are also available to answer queries or deal with concerns about data protection.
Data Protection Principles
Anyone processing personal data must comply with six core principles of GDPR. These provide that personal data must be
-
obtained and processed fairly, lawfully and in a transparent manner;
-
collected only for one or more specified and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
-
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
-
accurate and up-to-date;
-
retained for no longer than is necessary for the purpose for which the data is processed; and
-
processed the data in a manner that is safe and secure.
We are responsible for compliance with, the above principles.
What personal data do we hold on distributors, customers and suppliers?
We only hold personal data that is directly relevant to our dealings with a given data subject. That data will be collected, held, and processed in accordance with the data protection principles and with this Notice in a reasonable and lawful manner. As distributors, customer and suppliers, we shall collect personal data from you in order to undertake business with you.
Information you provide to us:
DistrIbutors (including potential distributors):
-
name, business address, business email, fax number and phone number, credit limit, agreement, inco terms;
Customers (including potential customers):
-
name, business address, business email, fax number and phone number, credit limit, agreement; and
Suppliers (including potential suppliers):
-
name, business address, business email, fax number and phone number.
Distributors, suppliers and customers (including potential distributors, suppliers and customers):
-
We may obtain information about you through other sources such as google sources and linkedin, such as your:
-
name, business title, business email address, business phone number and fax number; business web address;
-
other contact information available on-line; and
-
details concerning interactions with Quidel representatives.
Processing Personal Data
Any and all personal data collected by us (as further detailed in this Notice) is collected in order to ensure that we can provide the best possible service to our customers and suppliers, and can work effectively with our partners, associates and affiliates and efficiently manage our distributors. We use your personal data in order to ensure we are able to undertake business with you and in our legitimate interests. We may also use personal data in meeting certain obligations imposed by law.
We may rely on the following legal bases under the Legislation in processing personal data in accordance with Article 6 GDPR:
Legal Basis
Example
Performance of a contract
We will process your personal data as required in order to undertake business with you and to adhere to our contract with you.
In order to provide our product to our customers, Quidel will process customers’ personal data to the extent required to deliver the requested product.
In order to receive goods and services from suppliers, Quidel will process suppliers’ personal data to the extent required to receive the goods and services requested.
In order to undertake business with distributors, we will process distributors’ personal data as required.
In compliance with legal obligations
We may need to disclose your identity and other personal data to comply with a request from law enforcement, or other government agencies.
We may need to process customers’, suppliers’ and distributors’ personal data to investigate any queries, complaints, adverse events and recalls relating to our products, as well as undertaking financial audits so as to comply with our legal and regulatory obligations.
Legitimate interests
We will rely on our legitimate interests in order to process your personal data for direct marketing purposes.
We have undertaken legitimate interest assessments (“LIA”) in relation to this processing and we have come to the conclusion that your fundamental rights and freedoms do not override our legitimate interest to process your personal data in these circumstances. You can obtain further information regarding the LIA by contacting us at
Consent
We may process your personal data where you provide your consent for the provision and use of same. If we process your personal data on the basis of your consent, you are free to withdraw this consent at any time and you can contact the Data Protection Champion
regarding same.
Accuracy
We shall employ reasonable means to keep personal data information accurate, complete and up to date in accordance with the purposes for which it was collected.
Distributors, customers and suppliers are responsible for ensuring that they inform Quidel of any changes in their personal details. We endeavour to ensure personal data held by us is up to date and accurate.
Direct Marketing
Quidel may wish to provide you with information about our product based on the information you have shared with us and through other sources, as outlined above. Quidel will take care to ensure that we communicate with you solely on information that is specifically relevant to your professional role and we will only contact you using your business email address.
If at any time you decide not to receive any promotional information related to our product from us, please email us at dataprotection@quidel.com and mention “OPT-OUT” in the subject of your email. Alternatively, you may also unsubscribe from our marketing communications by clicking on the “unsubscribe” link located on the bottom of all our e-mails.
Please note that if you opt not to receive promotional messages from us, we may still continue to send you relevant information for other lawful purposes, such as to respond to your requests, or to provide you with information that Quidel is required by law to provide, e.g. regarding product recalls.
Do we disclose information about you to anyone else?
Personal data may be disclosed internally when passed from one department to another in accordance with the data protection principles and this Notice. Personal data will also be shared with Quidel’s parent Company, Quidel Corporation which is based in the United States, our affiliates and other group companies. Personal data is not shared to any internal department or Quidel’s group companies if they does not reasonably require access to that Personal data with respect to the purpose(s) for which it was collected and is being processed.
Personal data may be shared with external third parties only when it is necessary and we have a legal basis to do so. Such third parties may include, but are not limited to:
-
-
payroll, bank in order to pay distributors and suppliers;
-
vendors or Suppliers in order to to ship products to customers.
-
legal advisors
Whenever we disclose personal data to third parties, we will only disclose that amount of personal data necessary to meet such business needs or legal requirements. Third parties that receive personal data from us must satisfy us as to the measures taken to protect the personal data such parties receive.
Appropriate measures will be taken to ensure that all such disclosures or transfers of personal data to third parties will be completed in a secure manner and pursuant to contractual safeguards.
We may provide information, in response to properly made requests, for the purpose of the prevention and detection of crime, and the apprehension or prosecution of offenders. In the case of any such disclosure, we will do so only in accordance with the Legislation.
We may also provide information when required to do so by law, for example under a court order. We may also disclose data to legal counsel where same is necessary for the defence of legal claims.
If there is any change in the ownership of Quidel or any of its assets, we may disclose personal data to the new (or prospective) owner. If we do so, we will require the other party to keep all such information confidential.
How do we protect data about you when it is transferred out of Europe?
Your personal data may be processed by Quidel, its group companies, its affiliated companies and Quidel trusted third party suppliers outside of the European Economic Area (“EEA”). If you are a located in the EEA you should be aware that your personal data may be transferred to Quidel’s group companies and affiliates outside of the EEA in particular the United States of America. Data privacy laws in the countries to which your personal data is transferred may not be equivalent to, or as protective as, the laws in the EEA.
The transfer of such data is necessary for the management and administration of your contract with us. Quidel relies on the derogation in Article 49(1) (b) of GDPR to transfer your personal data outside of the EEA however we may implement further appropriate measures to ensure that your personal data continues to remain protected and secure when it is transferred outside of the EEA by way of an adequacy decision or other appropriate safeguards.
How long do we keep personal data?
The period for which we retain information varies according to the use of that information. In some cases, there are legal requirements to keep data for a minimum period of time. Unless specific legal requirements dictate otherwise, we will retain personal data for
-
no longer than is necessary for the purposes for which the data were collected and processed;
-
for as long as needed to provide you with access to services you have requested; or
-
where you have contacted us with a question or request, for as long as necessary to allow us to respond to your question or request.
How do we protect personal data about you?
We employ reasonable appropriate administrative, technical, personnel procedural and physical measures to safeguard personal data against loss, theft and unauthorised uses access, uses or modifications.
Security and testing are performed on systems containing personal data to verify control effectiveness. Security of these systems are monitored continuously.
While we have procedures and security features in place to keep the data secure once we receive it, the transmission to us of information via the internet or mobile phone network connection may not be completely secure and any transmission is at your own risk.
The following principles apply:
Confidentiality - that only people who are authorised to use the personal data can access it. The Company will ensure that only authorised persons have access to distributors, suppliers and customers’ personal data held by the Company. Distributors, suppliers and customers are required to maintain the confidentiality of any personal data to which they have access, including all personal data relating to fellow customers, suppliers and distributors.
Integrity - that the personal data is accurate and suitable for the purpose for which it is processed.
Availability - that authorised users should be able to access the data if they need it for authorised purposes.
How can you exercise your rights in respect of personal data we hold about you?
We shall vindicate all your rights under the Legislation. These rights are as follows:
-
your right to request from us access to personal data, and to have any incorrect personal data rectified;
-
your right to the restriction of processing concerning you or to object to processing, in certain circumstances;
-
your right to have your personal data transferred to another employer;
-
your right to have personal data erased (where appropriate); and
-
your right to obtain information on the existence of automated decision-making, if any, as well as meaningful information about the logic involved, its significance and its envisaged consequences.
Vindication of your rights shall not affect any rights which we may have under the Legislation.
If you want to know what personal data we hold about you or exercise any of the above rights, you can do so by making your specific request in writing to the Data Protection Champion at dataprotection@quidel.com
We will confirm your request within 21 days of receipt and process your request within 30 days of receipt. If the information we hold about you is inaccurate, we request that you advise us promptly so that we can make the necessary amendments and confirm that these have been made within 30 days of receipt of your request.
How can you make a complaint to us about the use of your personal data?
Complaints on the use, retention and disposal of personal data can submitted via e-mail to the Data Protection Champion at dataprotection@quidel.com You also have the right to lodge a complaint with the Data Protection Commission.
Review
This Notice will be reviewed and updated from time to time to account for changes in the law and the experience of the Notice in practice. Any and all changes will be advised to distributors, suppliers and contractors.