Personal Data Protection
The State Institute for Drug Control, an organisational unit of the state, Organisation Identification Number (IČO): 000 23 817, with its registered office in Prague 10, Šrobárova 48, Postal Code: 100 41, (hereinafter referred to as “we” or “SÚKL”), pays much attention to personal data protection.
In this document, you will find information on what personal data we process, the legal reasons for their processing, the purposes we use the data for, and the rights you have in respect of personal data processing.
A. What personal data do we process?
The personal data of the respective data subjects, i.e. applicants or notifiers/reporters, who may be, in particular, doctors, pharmacists, representatives of distributors, representatives of manufacturers, representatives of healthcare service providers, and potentially also patients, are processed particularly in the scope in which they have been entered in the relevant application or form.
The categories of personal data we process in association with the aforementioned, are hence the following ones:
a) Identification data, specifically the birth number, date of birth, title, name and surname, and, where applicable, the Company/Organisation Identification Number (IČO) and VAT Identification Number (DIČ);
b) Contact data, specifically the address, e-mail address, and telephone number;
c) Data about the condition of health, specifically data about prescribed medicinal products, adverse reactions to medicinal products, incl. data from related medical records.
B. Why do we process personal data and what gives us the right to do so?
B.1.1 Processing required to meet legal obligations
Most often, we process personal data in order to fulfil a legal obligation of ours. Where we process personal data for this particular reason, we do not have to obtain the data subject´s consent with such data processing.
A significant personal data processing on our part is conducted within the scope of the Central Repository of Electronic Prescriptions (hereinafter referred to as the “CÚER”). In CÚER, we process particularly identification data, contact data, and data about the medical condition of patients in the form of data about prescribed medicinal products, for the purposes of issuance of an electronic prescription, dispensing of a medicinal product, and providing the patient access to their records in CÚER. For the same reason, the identification data of doctors and pharmacists are also processed in CÚER.
For these purposes, personal data shall be stored in CÚER for the maximum period of 5 years.
Furthermore, we process the identification and contact data of persons who file an application or a report with SÚKL as implied by the below listed legal regulations. With respect to our legal obligations, we also process personal data within the scope of other procedures or inspections conducted by SÚKL.
Other processing is carried out also for the purposes of record keeping and processing of suspected adverse drug reaction reports; for this purpose, we can also process the identification data, contact data, and data about the condition of health of the person by whom the adverse reaction was experienced; nevertheless, we do not store these data and we process them only until the respective source materials (such as medical documentation) evidencing such data are anonymised.
We perform the processing in order to meet the legal obligations set forth particularly by the following regulations:
- Act No 378/2007 Coll., on Pharmaceuticals;
- Act No 40/1995 Coll., on Advertising Regulation;
- Act No 48/1997 Coll., on Public Health Insurance;
- Act No 167/1998 Coll., on Dependency-Producing Substances;
- Act No 296/2008 Coll., on Tissues and Cells;
- Act No 372/2011 Coll., on Healthcare Services;
- Act No 272/2013 Coll., on Drug Precursors;
- Act No 268/2014 Coll., on Medical Devices;
- Act No 500/2004 Coll., the Code of Administrative Procedure;
- Act No 255/2012 Coll., on Control (the Control Code);
- Act No 250/2016 Coll., on Responsibility for Offences and Procedures Pertaining Thereto;
- Act No 499/2004 Coll., Archival and Documentary Services;
- Act No 106/1999 Coll., on Free Access to Information;
- Act No 134/2016 Coll., on Public Procurement;
- and decrees implementing the aforementioned acts.
For these purposes, we process personal data only for the period implied by the respective legal regulation.
B.1.2 Processing required to fulfil public interest tasks
Furthermore, SÚKL processes personal data in order to fulfil certain public interest tasks. The obligation to obtain the data subject´s consent with the processing does not apply to this case, either.
Within the scope of CÚER, we process identification and contact data for the purposes of identification and subsequent authentication of an applicant upon access to the CÚER information system.
In addition to CÚER, we can also process identification and contact data of applicants, enquirers or their representatives for the purposes of return communication when the application or query is cleared.
For these purposes we store the personal data as long as the defined purpose lasts; in the case of CÚER it is hence for the period over which the applicant is allowed access to CÚER and the applicant´s repeated authentication is required upon each login. You have the right to raise an objection to processing for the purposes of public interest task fulfilment.
We perform the processing to fulfil a public interest task, and these tasks of SÚKL are implied by the legal regulations listed under section Processing required to meet legal obligations.
C. Who processes your personal data and who do we forward them to?
We process all of the above-mentioned personal data as the data controller. This means that we determine the aforementioned purposes for which we collect your personal data, we define the means of processing and bear responsibility for the proper performance thereof. Such processing is hence carried out by the employees of SÚKL, specifically only those individuals for whom such data are essential for the fulfilment of the purpose for which the data are processed.
We may forward your personal data also to other entities acting as data controllers, specifically profession chambers when verifying the membership in any of the profession chambers.
Furthermore, in some cases we may also avail of the services of other processors for the purposes of personal data processing. These processors process personal data solely in accordance with our instructions and for purposes which are described under section Why do we process personal data and what gives us the right to do so?.
D. What sources do we obtain personal data from?
In most cases, we process personal data that you provide to us as part of a particular application, form or procedure. In case you are a patient experiencing an adverse drug reaction, we can obtain the data from your treating doctor who has reported the adverse drug reaction. In case of CÚER, your data as a patient are obtained via your doctor who has prescribed medicinal products for you on an electronic prescription.
Furthermore, we can obtain personal data about doctors, pharmacists, and representatives of healthcare service providers from public registries and from profession chambers.
E. What are your rights in personal data processing?
Right of access
In simplified terms, you have the right to know what data about you we process, for what purpose, for how long, where we obtain your personal data from, who we forward them to, who, in addition to us, processes them, and what other rights associated with the processing of your personal data you have. All of this is explained in document “Customer Personal Data protection”. However, if you are uncertain as to what personal data of yours we process, you can ask us to confirm whether the personal data pertaining to you are processed by us or not and if they are, you have the right to gain access to these personal data. As part of your right of access, you can ask us for a copy of the personal data being processed. The first copy will be provided free of charge, while any further copies are provided for consideration.
Right of correction
To err is human. Should you find out that the personal data we process in respect of you are inaccurate or incomplete, you have the right to require that we correct or amend them without unnecessary delay.
Right of deletion
In some cases, you have the right to require that we delete your personal data. We will delete your personal data without unnecessary delay if any of the following reasons is met:
– we no longer need your personal data for the purposes for which we have been processing them;
– you avail of your right to raise an objection to processing (section Right to object to processing below refers) in respect of personal data we have been processing in order to fulfil public interest tasks, and we find the objection justified; or
– you think that the personal data processing performed by us no longer complies with generally binding regulations.
Nevertheless, please bear in mind that even where one of these reasons is concerned, it does not mean that we will immediately delete all of your personal data, as this right shall not apply in case the processing of your personal data continues to be necessary for the fulfilment of a legal obligation of ours or for the determination, exercise or defence of our legal claims (section Why do we process personal data and what gives us the right to do so? refers).
Right of restricted processing
In addition to your right of deletion, in some cases you may also exercise the right to restrict the processing of your personal data. This right allows you to request – in certain cases – that your personal data be flagged and excluded from any further processing operations – in this case, however, it will not apply indefinitely (as in the case of the right of deletion), but for a limited period of time. We are obliged to restrict personal data processing when:
– you deny the accuracy of personal data, until we agree what data are correct;
– we process your personal data without an adequate legal basis (e.g. above the scope of what we are obliged to process), but you prefer to impose merely a restriction on such data rather than to have them deleted (e.g. if you expect to provide us with such data in the future anyway);
– we no longer need your personal data for the aforementioned purposes of processing, but you require them for the determination, exercise or defence of your legal claims; or
– you raise an objection to processing. The right of objection is described in greater detail below, under section Right to object to processing. For the period when we assess whether your objection is justified, we are obliged to restrict the processing of your personal data.
Right to object to processing
You have the right to raise an objection to personal data processing which is performed in order to fulfil public interest tasks (please refer to section Why do we process personal data and what gives us the right to do so?). We will terminate the processing of the data as long as there are no serious and justified reasons for us to continue such processing.
Right to file a complaint
The exercise of rights in the manner mentioned above shall be without prejudice to your right to file a complaint with the concerned surveillance authority. You can exercise this right particularly in case you believe that our processing of your personal data is unauthorised or contrary to generally binding legal regulations. You can file your complaint against our processing of your personal data with the Office for Personal Data Protection residing at the following address: Pplk. Sochora 27, 170 00 Prague 7.
F. How can individual rights be exercised?
You can exercise your rights with us either in documentary form or electronically. However, for us to be able to adequately check your identity and avoid doubts as to who actually exercises the rights, your documentary request has to bear an authenticated signature, your electronic request has to be sent from a data mailbox, or you need to evidence your identity personally in our office.
We shall address your request without unnecessary delay, no later than within one month. In exceptional cases, particularly if your request is a complex one, we are authorised to extend this timeline by two more months. We will certainly inform you of any such extension, if applicable, and provide an explanation thereof.
G. Data protection officer
In any matters pertaining to the processing of your personal data, our data protection officer is available to you.
You can contact our data protection officer by e-mail at: poverenec@sukl.gov.cz