General Privacy Notice of Sumitomo Pharma Switzerland GMBH

What is this General Privacy Notice about?

This Privacy Notice (this “Notice”) is made available by Sumitomo Pharma Switzerland GmbH (referred to as “Sumitomo”, “we”, “us” or “our”), and is intended to assist you in understanding how we collect, process, secure, and transfer personal data. We also describe how you can contact us to learn more information about our privacy practices. The terms “you”, “your” or “user” refer to the person interacting with Sumitomo via this website or in any other capacity including as a professional adviser, employee or contractor, investor, vendor or any other entity interacting with us on behalf of another person.

Link with other Privacy Notices

It is important that you read this Privacy Notice together with any other Privacy Notices that we may provide you with so that you are fully aware of how and why we are using your data. This Privacy Notice supplements any other Privacy Notice that we may provide to you and is not intended to supersede them unless otherwise stated.

Who we are

Sumitomo Pharma Switzerland GmbH, with registered address at Aeschengraben 27, 4051 Basel, Switzerland is the Data Controller and is responsible for the processing of your personal data.

The data we collect about you

Sumitomo will collect and may utilize your personal data for the purposes described below:

Category of Data

Purpose for Data Processing

Contact details (Example, your name, nationality, postal address, telephone number, e-mail address)
  • Facilitating communications.
  • Communicating to provide you with information.
  • Responding to your requests or communications.
  • To monitor event attendance
  • To distribute post/event communications

Identification information such as passport ID, date of birth, other paper copies of identity
  • Verifying your identity as part of our vendor/employee onboarding process.
  • Facilitating compliance with applicable laws, regulations or other requirements.

Data about your directors, employees and/or agents
  • Maintaining, tracking, or interacting with marketing leads.

Relationship Data e.g. your connection/relationship with Sumitomo and your mode of interaction with Sumitomo.
  • Maintaining records of your relationship with Sumitomo, including  carrying out your instructions to us.
  • Assessing, analysing and improving our service and training our staff.
  • Managing our relationship with you - including (if you agree or unless you tell us otherwise) telling you about our pipeline products, or carrying out market research

Payment Transactions Data (e.g. bank account details, payment order or other financial data including information regarding your tax status or the source of your assets)
  • Preparing, providing and the provision of requested services.
  • Billing, maintaining accounts, and preparing invoices.
  • Managing and administering your accounts and holdings.
  • Facilitating compliance with applicable laws, regulations, or other requirements.

Investigations Data (Structured or unstructured personal information derived from investigations on internal Sumitomo business practices, processes and operations). Grey information e.g. allegations of wrongdoing, considered unproven or highly sensitive.
  • Managing our internal operations requirements for risk management purposes.

Information Security Risk Data as employee's email addresses in connection with potential data breaches
  • To manage the information security threat environment.

Other Financial Data including investment portfolio/fund details, investment fund details and Market Trades data including information about ownership by individuals or organisations.
  • Keeping track of all financial transactions connected to Sumitomo.

Communications Data e-mail information, third party information, chat information, instant messages, corporate and media broadcasts, disputes or litigation, correspondence between solicitors and stakeholders and transcripts or minutes.
  • Keeping track of our communication with you, managing our relationship with you.
  • Maintaining a technology-related log or monitoring significant events.
  • To check your instructions to us, assess, analyse and improve our service, train our staff, manage risk or to prevent and detect fraud and other crimes.

Internal investigations data including content and meta-data related to communication between and among individuals, organisations, workers, prospects, customers, other stakeholders and Sumitomo regarding any Sumitomo activity that is directly or indirectly supporting customer servicing, third-party relationship and fulfilment.
  • Investigating matters connected with you.

Complaints information including personal data contained in disputes/litigation case files, legal documents, legal billing and time booking information.
  • To investigate complaints involving Sumitomo.

We do not collect on our website or events, any Special Categories of Personal Data about you (example, details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health or about criminal convictions and offences) unless you give us specific permission to collect that information.

If you are a participant of a clinical trial where Sumitomo Pharma Switzerland GmbH is the Sponsor, please contact your lead physician for further information about how your data is processed for the purposes of the trial.

If you have further questions, please contact our Data Protection Officer or EU representative (for EU citizens) via contact options specified in Contact us section below.

Legal basis for processing your personal data

We process your Personal Data for the purposes described in this Privacy Policy, based on the following legal grounds:

  • To safeguard our own legitimate interests,
  • to perform our obligations under our contract with you;
  • to comply with legal and regulatory obligations;
  • to establish, exercise or defend our legal rights and/or for the purpose of (or in connection with) legal proceedings (including for the prevention of fraud); and
  • with your consent.

Right to lodge a complaint with a supervisory authority

You have the right of appeal to a data protection supervisory authority if you believe that the processing of your personal data violates applicable data protection law.

For Switzerland this is Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, 3003 Bern, Tel.: +41 (0)58 462 43 95  (https://www.edoeb.admin.ch/edoeb/en/home.html).

Disclosures of your personal data

Where necessary to fulfil the purposes described in this Notice, Sumitomo may disclose your personal data to certain third-parties, vendors and service providers or affiliated employees, contractors and entities as described below.

Whenever Sumitomo shares your personal data with companies acting as our authorized agents and service providers, these companies agree to use your personal data only for specified purposes. Furthermore, the recipient will implement and maintain reasonable security procedures and practices appropriate to the nature of your information to protect your personal data from unauthorized access, destruction, use, modification or disclosure.
We will transfer and disclose your personal data to the following categories of recipients where it is lawful to do so, and subject to the implementation of appropriate protections:

Category of Third-Party

Purpose for Disclosure

Subsidiaries and affiliated entities
  • Internal business requirements.
  • In connection with investment opportunities.
  • Internal research and statistical analysis purposes.

Service Providers
who work for, or provide services to us (including their employees, sub-contractors, directors, officers or any professional service provider, such as accountants, auditors, lawyers)
  • To support Sumitomo's commercial/business objectives.
  • To render professional advice where there is a dispute over a transaction.
  • IT performance-related monitoring, maintenance, or security.
  • Performing analytics to help in website or application planning and development.

Cloud storage solutions
  • To store Sumitomo data.
  • To ensure the safety and security of our data.

Vendors or suppliers
  • Billing, maintaining accounts, and preparing invoices.

Professional Consultants
  • To provide professional/expert advice in connection with Sumitomo's business objectives.

Other financial institutions, fraud prevention agencies, tax authorities, trade associations, credit reference agencies and debt recovery agents.
  • To meet our legal, regulatory and compliance obligations.

Any prospective or new Sumitomo companies (e.g. if we restructure, or acquire or merge with other companies) or any businesses that buy part of or all of a Sumitomo company.
  • In relation to compliance / due diligence / Transfer of Undertakings Protection of Employees (TUPE).

Companies that do marketing or market research for us (where required, with your permission)
  • To market Sumitomo’s pipeline products.
  • In connection with the commercialisation of Sumitomo’s assets.

Data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

Your rights

You have the following rights in relation to our data processing, depending on the applicable data protection law:

  • The right to request information from us as to whether and what data we process from you;
  • The right to have us correct data if it is inaccurate;
  • The right to request erasure of data;
  • The right to request that we provide certain personal data in a commonly used electronic format or transfer it to another controller;
  • The right to withdraw consent, where our processing is based on your consent;
  • The right to receive, upon request, further information that is helpful for the exercise of these rights;

If you would like to exercise this right, please contact us at: privacy@ch.sumitomo-pharma.com.

Security

Data security is of great importance to us. We have put in place appropriate technical and organisational measures to prevent your Personal Data from being accidently lost, used, or accessed in an unauthorised way, altered, or disclosed.

We take security measures to protect your information including:

  • Limiting access to our buildings and resources
  • Managing a data security breach reporting and notification system which allows us to monitor and communicate information on data breaches with you or with the applicable regulator when required to do so by law;
  • Implementing access controls to our information technology; and,
  • Deploying appropriate procedures and technical security measures (including strict encryption, anonymization and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile apps, offices, and stores.

International transfers

We will need to transfer and use your Personal Data outside of the country where we collect it from you. Your data will be processed in the US as all our core business systems are held within the US.

Where we transfer Personal Data to our Affiliates or other third parties outside of Switzerland, we will ensure that those transfers take place in accordance with the applicable data protection laws designed to ensure the privacy of your Personal Data, including by entering into data transfer agreements with recipients.

We rely on the applicable EU standard contract clauses of the EU Commission as approved by the Swiss Federal Information and Data Protection Commissioner available here, or legally accepted set of rules to ensure data protection). Standard Contractual Clauses (SCCs) means the modules of the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in the Annex to Commission Implementing Decision (EU) 2021/914 and the same as amended to cover data subjects from Switzerland.

If you would like more information about how your Personal Data may be transferred, please contact us at privacy@ch.sumitomo-pharma.com.

What happens if our business changes hands?

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by us.

Contact us

If you would like to exercise one of your rights as set out in this Privacy Notice, or you have a question or a complaint about this Privacy Notice or the way your Personal Data is processed, please contact our Data Protection Officer (DPO) by one of the following means:

Our EU Representative is DP-Dock, who can be contacted by:

  • Post: DP-Dock GmbH
    C/O: Arno Schlösser
    Attn: Sumitomo Pharma America, Ballindamm 39, 20095
    Hamburg, Germany
  • Email: smpa@gdpr-rep.comsmpa@gdpr-rep.com

Changes to our Privacy Notice

We may change this Privacy Notice from time to time (for example, if the law changes). We recommend that you check this Privacy Notice regularly to keep up to date.