Information notice


General Data Protection Regulation (2016/679), Articles 13 and 14

Date of drafting: November 14th, 2018

We may update or revise this Information Notice at any time, with any notice to you as may be required under applicable law.

1. Controller / Company

Orion Corporation (Company Identification Number: 1999212-6)
Orionintie 1, 02200 Espoo, Finland
Tel. +358 10 4261

2. The person in charge / contact person

Contact person: Satu Weber (Digital Marketing Specialist)
Orion Corporation, Orionintie 1A, 02200 Espoo, Finland
Tel. +358 10 4261
e-mail: satu.weber (at) orionpharma.com

Data Protection Officer:  Heidi Arala
e-mail: privacy (at) orion.fi  

3. Name of the data file

Orion product website (www.simdax.com) data file

4. The purpose for processing the personal data / recipients (or categories of recipients) of personal data / the legal basis for processing the personal data

The purpose for processing the personal data in this data file is to enable the controller:

  • To manage users´ accounts, such as access/password requests/expirations/changes and other maintenance matters related to users´ accounts.
  • To identify the individuals requesting access as healthcare professionals
  • To manage feedback and contact requests from www.simdax.com
  • To inform website visitors about webinars or other educational training events
  • To direct market controller´s products and services, including electronic direct marketing (such as, sending electronic newsletters or other information regarding products/services), performing direct advertising regarding prescription medicines solely to individuals allowed to prescribe and supply medicines.
  • To develop, maintain, administer and monitor client relationships and to otherwise create and develop its business
  • To analyse data to develop the website, marketing measures and campaigns accordingly and to identify usage trends.

Company will not disclose or transfer the collected data for commercial purposes to third parties. We may share your information with third parties, such as those who assist us by performing technical operations such as data storage and hosting.

The controller may transfer the data to service providers and partners selected by the controller for fulfilling the purposes of the register. Company uses an internet browser-based customer relationship management platform, technically maintained by a service provider called Interactive Medica for which purposes personal data is disclosed to Interactive Medica.

If ownership or control of Orion Corporation or all or any part of our products, services or assets changes, we may transfer your personal data to any new owner, successor or assignee.

The legal basis for processing of the personal data is consent of the data subject or legitimate interests of the controller (direct marketing & customer relationship maintenance purposes). We only process personal data based on our legitimate interests, in case we have deemed, based on the balancing of interest test, that the rights and interests of the data subject will not override our legitimate interest.

5. Content of the data file

The data file contains the following groups of personal data of website visitors and registered individuals:

  • Full Name
  • Occupational e-mail address
  • Occupation and specialty area
  • Employer and employer’s address including country
  • Direct marketing objection
  • Possible question or contact request from the data subject

6. Sources of information 

Information is only collected from the data subject.

7. Retention period of the personal data

The data files are periodically updated to include only data which is relevant for the purpose of processing. The personal data shall be retained only for the period necessary to fulfil the purposes outlined in this data file. In addition, the controller stores the information for as long as is necessary in order for the controller to satisfy legal or contractual obligations, or in order to establish, exercise or defend legal claims. When the personal data are no longer necessary for these purposes, the personal data will be securely deleted.

8. The principles how the data file is secured

CGI Suomi Oy shall be responsible for the maintenance of the data file. The connection from a user’s browser to the server of CGI Suomi Oy is encrypted with SSL technology. Technical data protection is being used in the application, by which the entered information shall remain unchanged and is available only for the authorized persons.

The data file is located on a web server in a private hosting environment protected with personal username and password. The server is protected technically and physically in a way that third party individuals cannot gain access to it. Access to the data file shall be granted only to those Orion and CGI Suomi Oy employees who need it based on their role.

9. Right of access and realization of the right of access, and right to data portability

The data subject shall have the right of access, after having supplied sufficient search criteria, to the data on himself/herself in the data file, or to a notice that the file contains no such data. The controller shall at the same time provide the data subject with information on the sources of data, on the uses for the data in the file, and the destinations of disclosed data.

The data subject has the right to data portability, i.e. the right to receive his or her personal data, which the data subject has provided to the controller and that is being processed by automated means, in a structured and machine-readable format and the right to transmit those data to another controller, where the basis for processing is consent or the fulfilment of a contract between the controller and the data subject.

The data subject who wishes to have access to the data on himself/herself, or use his/her right to data portability as referred to above, shall make a request to this effect to the person in charge at the controller by a personally signed or otherwise comparably verified document and by verifying his or her identity by attaching a copy of an official identification document.

10. Right to withdraw consent / Right to object to processing

The data subject has the right to withdraw the consent he/she has given for the processing of his/her personal data. Data subject shall make a request to this effect to the contact person in charge at Orion Corporation named under section 2. above by a personally signed or otherwise comparably verified document in writing.

In case the legal basis for processing the personal data is the legitimate interests of the controller, the data subject has the right to object to processing on grounds relating to his or her particular situation. The data subject always has the right to object to processing of the personal data for direct marketing purposes.

Withdrawal of consent does not render the processing of personal data performed prior to such withdrawal unlawful.

11. Rectification, restriction of processing and erasure

A controller shall, on its own initiative or at the request of the data subject, without undue delay rectify, erase or supplement personal data contained in its personal data file if it is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.

Under specific circumstances, the data subject has the right to obtain from the controller restriction of processing of his or her personal data.

If the controller refuses the request of the data subject of the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. In this event, the data subject may bring the matter to the attention of the Data Protection Ombudsman.

The controller shall undertake reasonable measures to notify the erasure to the controllers to whom the data has been disclosed and who are processing the data. However, there is no duty of notification if this is impossible or unreasonably difficult.

Requests for the above uses of data subject’s rights shall be made by contacting the representative of the controller named under section 2 hereof.