Data Protection Officer
Schipholweg 73 – 75
P.O. Box 255, 2300 AG Leiden, The Netherlands
tel +31 (0)71 524 40 00 - fax +31 (0)71 524 40 01
Under the GDPR, Xendo has chosen to make use of “One-Stop-Shop”, meaning that the Dutch Data Protection Authority is our lead authority and our offices in Sweden and Germany make use of this.
- ‘Personal data’ means any information relating to an identified or identifiable natural person
- ‘Data subject’ is an identified or identifiable natural person
- GDPR is the General Data Protection Regulation, also known as EU Regulation 2016/679.
- ‘Site’ means this website and any other website owned or operated by Xendo B.V. or one of its Affiliates in the EEA or outside the EEA.
3 Forms of processing and their purposes
Where Xendo collects personal data directly from visitors to this site, job applicants, loaned staff, its customers and suppliers we act as a controller. Where we collect data from patients, caregivers and medical professionals we act as a processor. As a controller we inform data subjects about the purpose for which we collect and use their personal data with this policy. Where we are a processor we work with our customers to help them provide notice to their patients, caregivers and medical professionals concerning the purpose for which personal data is collected via our customers.
3.1 Visitors of our website
We only use your data for the benefit of our services. This means that the purpose of the processing is always directly related to the assignment you provide. We do not use your data for (targeted) marketing. Your information will not be shared with third parties, other than to comply with accounting and other administrative obligations. These third parties are all bound to confidentiality and have pledged to keep your data confidential on the basis of the agreement between them and us, or an oath or legal obligation.
Data that is automatically collected by our website is processed with the aim of further improving our services. Where applicable, Xendo may be required by a legal obligation to share your data in connection with a governmental or criminal investigation. In such a case, we are forced to share your data, but we will oppose this within the possibilities that the law offers us.
3.2 Job Applicants and Freelance Consultants
As part of our business model, Xendo provides consultancy services, project management and project execution for the biotechnology, (bio) pharmaceutical, food and health care industry. We receive CVs, and with them personal data, from job applicants and freelance consultants. If you are rejected as a job applicant, we will delete your CV and personal data within 4 weeks in accordance with guidelines from the Dutch Data Protection Authority. We may request your consent in order to preserve your application data for up to one year. For freelance consultants, we will keep your CV and personal data on file, with your consent, for a period of up to 5 years. We perform this processing under a legitimate interest of Xendo and in order to be able to enter into a possible contract with relevant freelance consultants.
3.3 Client and Supplier Data
For the management of clients, suppliers and their related contracts, we only collect names and professional personal data on the employees of our customers and suppliers. This information is stored in our systems in the EU and is not provided to any third party, except when necessary to perform our obligations under our contract with our customer or supplier.
3.4 Patients, Caregivers and Medical Professionals
We enter into agreements with our customers to provide them with our pharmacovigilance services, which includes the processing of information relating to patients and their medication. This may involve extensive special categories of personal data, such as location data, date of birth, biometric and genetic data, medical data and personal data of children. No initials are stored, unless other legal obligations apply. As for the information on caregivers and medical professionals, the information we process pertains primarily to contact information. In providing this service for our clients, we do not determine the purposes or the usage of patient information in our system and we are a data processor under the Regulation. This registration is required by law and we assist our customers in adhering to Good Pharmacovigilance Practices as stipulated by the European Medicines Agency as well as any other directive or regulation to which the responsible pharmaceutical company must adhere. As such Xendo has a legitimate interest and this is a large part of our business model.
In doing so, the information is provided to the relevant authorities for monitoring the use, side-effects, adverse effects of medications and interactions with other medication. Personal data will only be provided to the relevant authorities in anonymized form when reporting on possible effects of medication.
4 Third Party Processing
Except as described in this Policy, Xendo will not give, sell, rent or loan any personal data to any third party. We may disclose such information under a legal requirement to do so or to exercise our legal rights (for example legal claims or to investigate, prevent, or take action regarding illegal activities).
4.1 Patients, caregivers and medical professionals
The personal data relating to patients, caregivers and medical professionals is stored within the EEA, and the system and its server are maintained within the EEA. For this processing, we have entered into a so-called Data Processing Agreement with the company that does this maintenance for us.
5 Protection of Information
Xendo is committed to ensuring the security of your personal data. We take every precaution to protect the confidentiality and security of the personal data entrusted to us, by employing technological and organizational measures against unauthorized processing of such information and against loss, destruction of, or damage to, personal data:
- security of the access to automated environments;
- authorizations within automated environments based on “need to know”;
- physical security access of data centers and offices;
- screening of employees and the maintaining of codes of conduct for the handling of confidential information;
- confidentiality provisions in employment contracts and for other staff;
- the use of encryption, pseudonymization/anonymization and Privacy by Design, where possible;
- continuity plans during crises (crisis management procedure, back-ups and recovery plans, secondary locations and other plans)
6 Your Privacy Rights under the GDPR
Under Xendo's pharmacovigilance services for its clients, we are a processor. As such, we have no direct relationship with patients, caregivers or medical professionals whose personal data we process. A data subject who would like to make use of their rights under the GDPR should direct their query to the Xendo customer with whom such individual interacts (the data controller or MAH). We will assist any such controller or pharmaceutical company in order for them to act in accordance with the requirements of the GDPR. Any request we receive in relation to patients, caregivers or medical professionals will be forwarded to the relevant client for further consideration.
7 Additional Information
- Xendo will retain personal data in general for a minimum of 7 years in accordance with legal obligations under Dutch law. When acting as a processor and our customers terminate any cooperation with Xendo, any information that we hold on behalf of that customer is either deleted or returned to the customer in accordance with our service agreement.
If we make any material changes to this Policy we will notify our job applicants, freelance consultants, customers and suppliers by email or by posting a notice on the site prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.