Privacy Policy
1. Preamble
The purpose of this Privacy Policy is to inform Users about how their Personal Data are collected on the Site, how they are processed by the Data Controller and finally the rights that Users have with regard to this processing as defined below.
2. Definitions
The following terms, whether used in the singular or plural in this Privacy Policy, shall have the meaning given to them in the GT&CU or shall have the following meaning:
3. The legal bases for processing
In accordance with the Personal Data Regulation, the processing operations set out in this Privacy Policy are justified on a specific legal basis.
3.1. The Data Subject has given consent to the processing of their personal data for one or more specific purposes.
The Site has required that the User give their specific consent in order to carry out specific processing that is clearly explained upon obtaining the said consent.
For Professionals, this consent to receiving commercial and promotional communications is given when the Pro Access is created. Professionals may unsubscribe through an unsubscribe link in any communication sent by the Data Controller.
3.2. The processing is necessary for the performance of a contract to which the User is a party or in order to take steps at the request of the User prior to entering into a contract.
In order to use the Site and benefit from its services, in particular the benefit of Pro Access for Professionals, the Data Subject has accepted at least the GT&CU. These documents establish a formal contractual relationship between the Data Subject and the Data Controller and form in particular the legal basis on which the Data Controller collects and processes the Data Subject’s Personal Data.
These Data are required to perform a certain number of processing operations in the course of the contractual relationship between the Data Subject and the Data Controller, the purposes of which are detailed in paragraph 4 – The purposes of the processing.
3.3. The processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
The processing of Personal Data may also be necessary to comply with a legal obligation to which the Data Controller is subject, for example, the storage of Site access logs, in accordance with Decree No. 2021-1362 of 20 October 2021 on storing data that enable any person who has contributed to the creation of online content to be identified, adopted pursuant to Article 6(II) of Act No. 2004-575 of 21 June 2004 on trust in the digital economy enabling any person who has contributed to the creation of online content to be identified.
Compliance with the legal obligations imposed on the Data Controller by the health vigilance provisions set down in particular in the French Public Health Code may also be used as the legal basis for the processing of Personal Data.
3.4. The processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the User which require protection of personal data, in particular where the User is a child under the age of 15.
The Data Controller may have a legitimate interest justifying the processing of the User’s Personal Data, such as processing the subject of a contact made by a User.
In this case, the Data Controller ensures that the processing in question is indeed required to fulfil its legitimate interest and assesses the consequences of this processing on the User, in particular taking into account the nature of the Personal Data processed and the way in which they are processed.
The Data Controller ensures that it takes account of the interests or fundamental rights and freedoms of the User by allowing the User, at any time, to object to all or part of the processing described in this Privacy Policy, and to exercise their Specific Rights, under the conditions set down in paragraph 9 – Exercising Users’ Specific Rights.
4. Purposes of processing
The Personal Data of the Data Subject are necessary to enable the Site to be accessed, used and improved, and to enable the Data Controller to:
- send the relevant information emails to the Data Subject who subscribes to the “newsletter”;
- personalise its communication for Professionals, in particular to send them information emails based on their preferences and the use they make of the services and/or the Site;
- respond to the User’s requests for information;
- carry out commercial solicitation operations;
- measure the effectiveness and performance of advertisements displayed on the Site;
- develop business statistics, analyses and marketing tools (including classifications, scores, etc.);
- provide Professionals with access to the Pro Access section, in particular to those spaces on the Site reserved for Professionals;
- optimise the Professional’s navigation on the Site by storing their identifiers;
- manage requests to exercise Specific Rights under the conditions of paragraph 10 – Exercising Users’ Specific Rights;
- collect, record, analyse, monitor, document, send and store Personal Data relating to any adverse health events;
- manage contacts with the Data Subject who notified it of the adverse health event;
- preserve proof in the event of a dispute that is related to the use of the Site;
- comply with its legal obligations, in particular the health vigilance systems provided for by the provisions of the French Public Health Code.
5. Personal Data storage
The Site is hosted by the company whose contact details are available in the Legal notice.
All precautions have been taken to store Users’ Personal Data in a secure environment and to prevent them from being distorted, damaged or accessed by unauthorised third parties. The information provided by the User will never be passed on to third parties for commercial purposes, nor will it be sold or exchanged.
6. Collection of Personal Data on the Site
When the User makes a request for information on the contact form, the Data Controller collects the following Personal Data entered by the Data Subject into the form and these data are kept in an active database for a period of three (3) years from the User’s last connection to the site, then for two (2) years in Intermediate Storage:
- Surname
- First Name
- Email address
- Telephone number
- The comment(s) accompanying the request for information
- The User’s connection data (date, time, IP address, pages viewed) when they browse on the Site.
When creating a Pro Access, the Data Controller collects the following Personal Data that the Professional enters or spontaneously communicates during browsing and which are kept in an active database for a period of three (3) years from the Professional’s last connection to the Site, then for two (2) years in Intermediate Storage:
- Email address
- Telephone number
- City
- Country
- Professional number
- Professional expertise
- Specialisation
- The Professional’s connection data (date, time, IP address, pages viewed) when they browse on the Site.
The Data collected and processed to manage health vigilance operations are kept in an active database for the duration of the current use of the Personal Data, then they are kept in intermediate storage for the legal or regulatory period applicable to each health vigilance operation up to a maximum of seventy years from the date the product is withdrawn from the market if no other legal or regulatory period exists.
7. Recipients or recipient categories if any
Only the Data Controller’s authorised employees may, under the responsibility of the Data Controller, access Personal Data relating to an adverse health event, within the limits of their respective duties.
In the event of a transfer of Personal Data to a recipient located in a country that is not on the territory of the European Union and which has not been the subject of an adequacy decision by the European Commission, the Data Controller undertakes to provide appropriate safeguards to ensure the transfer is perfectly lawful and that enforceable Data Subject rights and effective legal remedies for Data Subjects are available in accordance with the Personal Data Regulation.
The Data Controller undertakes to protect the confidentiality of the Personal Data. In this respect, the Data Subject is informed that the Personal Data are not sold or transferred to third parties or to the Data Controller’s business partners. The Personal Data are only used by the Data Controller for the purposes for which they are collected, as described in Article 4.
8. Specific Rights
In accordance with the Personal Data Regulation, the Data Subject may, at any time, benefit from the following Specific Rights:
- access,
- rectification,
- deletion,
- restriction of processing,
- portability,
- objection,
- post-mortem guidelines.
Insofar as the processing related to managing an adverse health event is based on compliance with a legal obligation, Data Subjects have neither the right to object nor the right to erasure of the Data, nor the right to data portability.
8.1. Access rights
The User can obtain confirmation from the Data Controller that their Personal Data are being processed or not and, if so, access to said Personal Data and to the following information:
- the purposes of the processing;
- the categories of Personal Data concerned;
- the identity of the recipients or recipient categories to whom the Personal Data have been or will be disclosed;
- where possible, the planned storage period of the Personal Data or, where this is not possible, the criteria used to determine this period;
- the right to request that the Data Controller rectify or erase Personal Data, or restrict the processing of Personal Data, or the right to object to such processing;
- the right to lodge a complaint with the supervisory authority for personal data (in France, the CNIL);
- where the Personal Data are not collected from the User, any available information as to their source;
- the existence of automated decision-making, including profiling, and, at least in such a case, useful information about the underlying logic, as well as the importance and expected consequences of such processing for the User;
- the possible transfer of Personal Data to a country outside the European Union or to an international organisation.
When Personal Data is transferred to a third country or to an international organisation, the User has the right to be informed of appropriate safeguards, with respect to such transfer.
The Data Controller shall provide a copy of the Personal Data being processed.
The Data Controller may require the payment of reasonable fees based on administrative costs in the event of a request for the transmission of Personal Data on paper and/or physical media or for any additional copies requested by the User.
When the User submits their request electronically, the information shall be provided in a commonly used electronic form, unless they request otherwise.
The User’s right to obtain a copy of their Personal Data must not affect the rights and freedoms of others.
8.2. The right to rectification
The User may have the Data Controller rectify inaccurate Personal Data concerning them without undue delay. They can also ask that incomplete Personal Data be completed, including by providing a supplementary statement.
8.3. Right to erasure
The User can have the Data Controller erase Personal Data concerning them without undue delay for one of the following reasons:
- The Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Data Controller;
- The User has withdrawn their consent to the processing of their Personal Data and there is no other legal ground for the processing;
- The User exercises their right to object under the conditions set out below when there are no overriding legitimate grounds for the processing;
- The Personal Data have been unlawfully processed;
- The Personal Data have to be erased for compliance with a legal obligation;
- Personal Data were collected from a child under the age of 15.
8.4. Rights to restriction of processing
The User shall have the right to obtain from the Data Controller restriction of processing where one of the following applies:
- The Data Controller verifies the accuracy of the Personal Data when the User disputes the accuracy of the Personal Data;
- The processing is unlawful and the User opposes the erasure of the Personal Data and requests the restriction of their use instead;
- The Data Controller no longer needs the Personal Data for the purposes of the processing, but they are required by the User for the establishment, exercise or defence of legal claims;
- The User has objected to processing in the conditions stated below and the Data Controller checks whether the Data Controller’s legitimate grounds override those of the User.
8.5. The right to data portability
The User shall have the right to receive the personal data concerning them from the Data Controller in a structured, commonly used and machine-readable format when:
- The processing of the Personal Data is based on consent; and
- Processing is carried out by automated means.
When the User exercises their right to data portability, they shall have the right to have the Personal Data transmitted directly from one Data Controller to another designated by them, where this is technically feasible.
The right to portability of the User’s Personal Data shall not adversely affect the rights and freedoms of others, whose data are contained within the data transmitted as a result of a request for portability.
8.6. Right to object
The User shall have the right to object, on grounds relating to their particular situation, at any time, to processing of Personal Data concerning them based on the legitimate interest of the Data Controller. The Data Controller shall no longer process the Personal Data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject; the Data Controller may also keep these data for the establishment, exercise or defence of legal claims.
The Professional may object, at any time, to the sending of commercial solicitations in accordance with the terms and conditions set out in Article 9 of this Privacy Policy or by clicking on the link provided for this purpose in the last commercial solicitation sent by email.
8.7. Post-mortem guidelines
The User can give the Data Controller instructions relating to the storage, erasure and disclosure of their Personal Data after their death; said instructions may also be registered with “a certified digital trusted third party”. These instructions, a type of “digital will”, may designate a person responsible for executing them; failing this, the User’s heirs will be designated.
In the absence of any instructions, the User’s heirs may contact the Data Controller in order to:
- access the processing of Personal Data enabling “the deceased’s estate to be organised and settled”;
- receive communication of “digital assets” or “data related to family memories, transferable to heirs”;
- have the Professional’s Account closed on the Site and object to the further processing of their Personal Data.
In any event, the User has the option of informing the Data Controller, at any time, that they do not wish, in the event of death, that their Personal Data be disclosed to a third party.
11. Cookies
Cookies are used on the Site.
A cookie is information stored on the Terminal.
Cookies are related to the User’s navigation on the Site and help determine the pages they have consulted and the date and time they were consulted.
At no time do these cookies enable the Data Controller to personally identify the User.
Through the cookies listed in the table below, the Data Controller collects and processes all or part of the following Data for the purposes set out below:
- Information related to the User’s Terminal:
- Their type of Terminal (Smartphone, tablet, computer, etc.);
- The operating system of their Terminal (Mac OS, iOS, Android, Windows, BlackBerry, etc.);
- The categories and plug-in versions of their Terminal;
- Their Internet access provider (Orange, SFR, Bouygues, Free, etc.);
- The browser they use (Safari, Chrome, Internet Explorer, etc.);
- The IP address of their Terminal;
- The keywords entered when the User accesses the Site from a search engine;
- Information about their browsing and behaviour on the Site:
- Statistics on their viewing of the different pages of the Site, the duration of the session;
- The full URL routing to, through and from the Site;
- Number of ad views, traffic sources;
- Demographic data.
The User is informed, on their first visit, of the presence of the following cookies by a banner that invites them to indicate their choice:
9. Exercising Users’ Specific Rights
These Specific Rights may be exercised, at any time, with the Data Controller:
- By email to the following address:
- dpo@ydes-avocats.com
- By post to the following address:
- Laboratoires FILLMED
Service en charge des données personnelles
38, cours Albert 1er
75008 Paris
To allow the User to assert their Specific Rights under the conditions set out above, the Data Controller may ask the User to prove their identity by providing their surname, first name and email address, and by accompanying their request with a copy of a valid identity document, as well as any information or documents enabling the Data Controller to verify their identity.
A response will be sent to the Data Subject within a maximum of one (1) month following the date of receipt of the request.
If necessary, this period may be extended by two (2) months by the Data Controller who will alert the Data Subject, taking into account the complexity and/or number of requests.
The User may also lodge a complaint with the competent supervisory authority (in France, the CNIL).
10. Password security
The Data Controller shall take all useful precautions to ensure the Professional’s password used to access their Pro Access is securely stored.
However, the security of this password also depends on how it is formed.
The Professional is asked to choose a complex password, composed for example of 8 characters of at least 3 of the following 4 types: upper case, lower case, numbers, special characters.
Complex passwords can be created using mnemonic means, such as:
- Keep only the first letters of the words in a sentence; for example, the sentence “Un Mot de Passe se retient!” corresponds to the password 1mdp@sr!
- By capitalising it if the word is a name (e.g. word)
- By keeping punctuation marks (e.g. !)
- By stating the numbers using digits from 0 to 9 (e.g. One -> 1)