Boehringer Ingelheim (Malaysia) Sdn Bhd (hereinafter “BI Malaysia”, “BI”, “we”, “our”, “us”) takes the protection of your personal data seriously.
With this Privacy Notice we inform our customers and other stakeholders how we will use, store and disclose (hereinafter“process”) personal data collected in the context of their engagement with BI Malaysia.
As used in this Notice:
(a) “customers and/or other stakeholders” means an individual, including healthcare professionals (HCPs), veterinarians, consultants, and other service providers-
- “personal data” means data, whether true or not, about a customer who can be identified from that data; or from that data and other information to which we have or are likely to have access.
- may or have entered into a contract with us for the supply of any goods or services to us or by us; or
- who reported to an Adverse Event to us in the context of Pharmacovigilance reporting.
(b) “personal data” means data, whether true or not, about a customer who can be identified from that data; or from that data and other information to which we have or are likely to have access.
The personal data we collect depends on the nature of your interaction with us as discussed in Section 4.
We will only process your personal data in accordance with the Malaysia Personal Data Protection Act (PDPA).
As part of Boehringer Ingelheim Group of Companies, we also have other policies, which deal with data protection that may be in connection with specific functions or business activities.
(a) Data Privacy Notice for applicants is accessible here.
(b) Data Privacy Notice for websites, social media platforms and applications is accessible here.
(c)For specific Privacy Notice for Pharmacovigilance, see Section 15.
1. Data Controller
The data controller described herein refers to BI Malaysia.
We will collect, use or disclose personal data (a) for reasonable business purposes only; (b) if there is consent or deemed consent from the individual; and (c) the individual is notified of the purpose(s) for which the personal data is collected, used or disclosed.
We may also collect, use or disclose personal data if it is required or authorised under applicable laws and regulations.
3. Collection of Personal Data
We generally do not collect your personal data unless:
(a) The personal data is provided to us voluntarily by you directly (g., through filled-out forms, during face-to-face meetings, email messages, telephone conversations, or through our websites) or via a third party who has been duly authorised by you to disclose your personal data to us (your “authorised representative”)
- after you (or your authorised representative) have been notified of the purposes for which the data is collected; and
- you (or your authorised representative) have provided written consent to the collection and usage of your personal data for those purposes.
(b) The collection and use of personal data without consent is permitted or required by the laws or regulations. In this case, we shall seek your consent before collecting any additional personal data and before using your personal data for a purpose which has not been notified to you (except where permitted or authorised by law).
Notice to intermediaries and persons acting on behalf of a third party individual:
(a) If you are acting as an intermediary or acting on behalf of a third party individual, or supplying us with information regarding a third party individual, you undertake that you are an authorised representative or agent of such third party individual and that you have obtained all necessary consents from such third party individual to the collection, processing, use and disclosure by us of their personal data.
(b) Furthermore, you undertake to make the third party individual aware of all matters listed in this policy preferably by distributing a copy of this policy to them or by referring them to our website.
4. What are the Personal Data We Collect?
We only collect Personal Data that is necessary for business purposes or to meet the purposes for which the individuals have submitted the information.
Personal Data may include your name, date of birth, work experience and professional qualifications, specialization/s, and contact data (phone, fax, email, and business address).
In course of your engagement with us, we may also collect you opinions evaluations, usage status, opinions of the company’s products, services, and managers regarding circulatory system diseases, respiratory system diseases, cancer, central nervous system diseases, and immune disease treatments), treatment areas and activities of interest.
If we engaged you as speaker, consultant, or participants to educational/scientific meetings/activities/events, we may ask you to provide your professional license number, resume and educational background, photo and bank details. In addition, we may ask you to provide your passport details to assist you in your travel arrangements.
5. Sensitive Personal Data
We do not intentionally collect sensitive personal data, unless necessary (e.g., in context of Pharmacovigilance reporting).
“Sensitive personal data” means the various categories of personal data identified by applicable data privacy laws as requiring special treatment. These categories can include data relating to ethnic origin or race, marital status, political opinions or affiliations, ideological views or activities, trade union membership, religious beliefs, physical or mental health, biometric or genetic data, sexual orientation, information on social security measures, or administrative or criminal proceedings or records.
We therefore suggest that you do not provide sensitive personal data of this type to us.
6. Purposes and Bases for Collecting and Processing Personal Data
We will process your personal data for the following purposes:
(a) For legitimate Business Purposes
We process your personal data to determine the appropriate engagement we will have with you. Our engagement will depend on specific activities you have requested, consented to, or deemed to have consented, such as but not limited to the following activities:
- Follow-up Email
- Follow up Call
- Adobe Campaign
- Product Sample Distribution
- Other Marketing and Digital Engagements such as messenger applications, chats, etc.
- Invitation to Educational and/or Scientific events and/or meetings
- Invitation as Speaker or Consultant to Educational and/or Scientific events and/or meetings
- Customer Accreditation and Maintenance
(b) Fulfilling Contractual Obligations
We process your personal data in accordance with the contract/agreement you have signed with us. Relevant processing activities to fulfill these contractual obligations include but are not limited to the following:
- Vendor creation
- Conducting third party due diligence
- Processing and payment of fees (as speaker or as consultant);
- Booking for travel, accommodation and other relevant arrangements;
- Preparing, signing and archiving of contracts/agreements
(c) Legal and Regulatory Requirements
We processes your data to fulfill legal and regulatory requirements, such as:
- Preparation of Transparency Reports for transfers of value including support to medical/educational/scientific meetings, professional fees, sponsorship, grants, donation, etc.
- Adverse Event Reporting
- Other relevant regulatory requirements that may arise
(d) Other legitimate business interests
We may also process your data as result of process integrations, system migrations and/or updates, and the other day-to-day operations:
- for internal purposes such as auditing, data analysis and research to help us deliver and improve our digital platforms, content and services;
- to monitor and analyse trends, usage and activities in connection with our products and services to understand which parts of our digital platforms and services are of the most interest and to improve the design and content of our platforms;
- to improve our products and services and our communications to you; and
- (where applicable) to ensure we have up-to-date contact information for you
7. Sharing of Personal Data
To fulfil the purposes described above, we may share your personal data internally or externally as follows:
(a) Reporting obligations to regulatory authorities and enforcement of rights
As a pharmaceutical company, we are subject to specific regulations, such as pharmacovigilance and reporting of transfers of value. Some of these laws require us to send your reports to regulators or other authorities outside your home country.
Rest assured that we only provide authorities with personal data, if we are legally obliged to do so.
In order to protect our rights or the rights of third parties, we may also disclose data to rights holders, consultants and authorities in accordance with law.
(b) Boehringer Ingelheim Companies
As part of a global group of companies using global systems and platforms, we involve other Boehringer Ingelheim companies that support us in data processing such as but not limited to:
- Master Data Management and payment systems
- Data Hub, Data Capture in Websites, Data Analytics and Customer Relationship Management (CRM)
- Creation of unique identification for each vendor (including healthcare professionals or HCPs)
- Adobe Campaign
These group companies process the data exclusively for the purposes stated in this data protection declaration. These group companies may engage third party vendors to help process the data.
Boehringer Ingelheim has a Group Data Transfer Agreement to ensure the protection of personal data shared among its affiliates. List of our affiliates is available here.
(c) Service Providers
We engage service providers to process your personal data for the purposes described in Section 6, including but not limited to:
(i) Travel Agencies, events management agencies, hotels, airline companies and the like to assist in us in managing events and booking your transportation, accommodation, and other logistical needs for events and meetings
(ii) Distributors for processing requests for product samples
These service providers process the data only on our behalf, in accordance with our instructions and under our control in accordance with this data privacy declaration.
(d) Cross-Border Transfer of Personal Data
Some of these service providers and Boehringer companies process personal data outside the data subject’s country. In these cases, we ensure an adequate level of data protection to comply with applicable local laws and regulations.
8. Collection of Log Data and Cookies Using BI Websites
Complete privacy notice on website use can be found in this link: https://www.boehringer-ingelheim.com/data-privacy.
9. Websites that we do not own or control
From time to time, we may provide links to websites or mobile applications that are not owned or controlled by us.
This Privacy Notice does not apply to those websites. If you choose to use those websites, please check the legal and privacy statements posted on each website or mobile application you access to understand their privacy practices.
10. Withdrawing your consent
The consent that you provide for the collection, use and disclosure of your personal data will remain valid until such time it is being withdrawn by you in writing or in certain instances, by clicking the unsubscribe button to specific to activities, platforms or applications.
You may withdraw consent and request us to stop using and/or disclosing your personal data for any or all of the purposes listed in Section 6 by submitting your request in writing or via email to our Data Protection Officer at the contact details provided in Section 16.
Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within ten (10) business days of receiving it.
While we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing our goods or services to you and we shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in writing in the manner described above.
Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclose without consent is permitted or required under applicable laws.
11. Access and Correction of personal Data
If you wish to make an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data, or a correction request to correct or update any of your personal data which we hold about you, you may submit your request in writing or via email to our Data Protection Officer at the contact details provided below.
We will respond to your request as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request.
If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so.
12. Deletion of Personal Data
You may request the deletion of your personal data. If applicable, we will take reasonable steps to inform other controllers that are processing the personal data that you have requested the erasure of any links to, copies or replication of it.
13. Retention of Personal Data
We processes your personal data for as long as necessary for the purpose of the processing, which mainly is the provision of our services requested by you. This means for example that we send you emails, sms, or messenger app messages for as long as you did not withdraw your subscription or that we store your user account data (login, profession, name etc.) for as long as you maintain a user account with us. If you revoke your consent, delete user accounts or object to data processing, we will delete the data collected in a timely manner.
BI has document retention policy that keeps track of the retention scheduled of personal data you provide us, in paper or electronic forms. We will not retain your any of your personal data when it is no longer needed for any business or legal purposes. We will dispose of or destroy such documents containing your personal data in a proper and secure manner when the retention limit is reached.
In some cases we are obliged to keep data to comply with statutory retention periods (e.g. in the context of pharmacovigilance). In such a case, we will ensure that your data will only be used to comply with the retention obligations and not for other purposes.
14. Protection of Personal data
To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures such as up-to-date antivirus protection, encryption and the use of privacy filters to secure all storage and transmission of personal data by us, and disclosing personal data both internally and to our authorised third party service providers and agents only on a need-to-know basis.
You should be aware, however, that no method of transmission over the Internet or method
of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.
15. Specific Privacy Notice for Pharmacovigilance
If you report adverse events or other pharmacovigilance relevant information to a Boehringer Ingelheim product we will use and share this data solely for pharmacovigilance purposes. (Pharmacovigilance is the detection, assessment, understanding and prevention of adverse effects or any other medicine-related problem.)
All reports will be shared with Boehringer Ingelheim International GmbH who is operating the global pharmacovigilance database.
Boehringer Ingelheim is obliged to report pharmacovigilance relevant information to health authorities worldwide (including to countries that may have another level of data protection compared to the EU). Legal basis: Art. 6 (1) c), and for transfers outside EU Art. 6 (1) f) and Art. 49 (1) e) GDPR.
The reports will contain details about the incident but only limited personal data:
- For Patients, the report will only contain, age, gender and initials as provided, but never the patient’s name.
- For the reporting individuals, the report will include the name, profession (e.g. physician, pharmacist), initials or address, e-mail and phone number as provided. The contact information is required to be able to follow-up with the reporter to gain high quality and complete information on adverse events. If the reporter does not wish to provide his contact details to Boehringer Ingelheim or authorities, “Privacy” is entered in reporter’s names field.
Where your data is shared with other Boehringer Ingelheim companies, business partners or service providers outside of the EU, we will provide an adequate protection of personal data.
As reports about adverse events are important for public health reasons, reports are kept for minimum of 10 years after withdrawal of the product in the last country where the product is marketed.
16. Contact Us
If you have concerns, or specific requests (e.g., correction or deletion of your personal data) or questions in relation to our processing of your personal data, kindly contact:
Boehringer Ingelheim Malaysia
Data Protection Officer
Contact number: +603-2092 0025
17. Effect of Notice and Update to Notice
This Notice applies in conjunction with any other notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.
We may revise this Notice from time to time without any prior notice. You may determine if any such revision has taken place by referring to the date on which this Notice was last updated. Your continued use of our services constitutes your acknowledgement and acceptance of such changes.
Effective Date: 10 July 2018
Last Updated: 1 October 2020