Privacy Notice for Health Care Professionals

We (Galapagos NV, Generaal De Wittelaan 11 A3, 2800 Mechelen, “Galapagos”, “we,” or “us”) are committed to ensure the protection of personal data of all individuals who are currently collaborating with us, including Health Care Professionals (“HCPs” or “you”). Your personal data are handled and protected with the utmost care, in accordance with the requirements imposed by European and local data protection laws.

In this privacy notice we explain the principles that we apply, in our capacity as a controller, when we process HCPs personal data (“Privacy Notice”). It applies to all personal data that is collected and processed in any format, whether electronic or paper.

1. Our purposes, the personal data we collect and how long we keep it

We process your personal data for different purposes, all in the context of the professional relationship we have with you or we aim at having.

We usually collect personal data directly from you but we may obtain personal data such as your contact details from other sources such as IQVIA, public databases, social media platforms and other third parties.

We take adequate measures to ensure your personal data are not stored for longer than necessary to meet the below-mentioned purposes or as necessary in the context of a contract or a legal obligation. 

For each purpose, we list here the legal basis, the categories of personal data concerned and the retention period of the personal data:

Purpose and legal basis Categories of personal data concerned Retention period

Relationship Management:

- know and understand the professional history and professional qualification;

- build your profile and get a better understanding of your expertise and topics of interest;

- determine the possibilities to enter into a business relationship with you or renewal of the existing relationship, or with the healthcare organization you work for;

- respond to your queries;

- share non promotional information that might interest you e.g. send you disease awareness information;

Based on our legitimate interest to start and/or maintain a professional relationship with you 

Identification data and contact details: e.g. name, address, e-mail, telephone number, nationality, date of birth, gender, preferred language;

 

Professional Information: e.g. description of your function, professional title, practice, level of expertise, knowledge of our products, specialism and identification number, including your profile on a social media platform;

Notes made during our meetings.

As long as there exists a professional relationship between us 

Direct Marketing Communications:

- share promotional information about our products and activities.  

Based on your consent. 

Identification data and contact details As long as there exists a professional relationship between us (unless you withdraw your consent). You may unsubscribe from our emails at any time by using the unsubscribe link provided in each communication we send you.  

Administration of invoices:

- meet our accountant tax duties and

legal accounting obligations

Necessary to comply with accounting legal obligations 

Identification data and contact details;

Financial details: e.g. registration numbers, bank account number; invoices, tax and insurance information;

Transfer of Value details: e.g. contribution to costs related to educational events, registration fees, travel and accommodation expenses, fees for services, the funding and payment of research and development work.

As long as it is required by legal accounting obligations.

Organization of your attendance to fairs and events:

- organize your attendance to an event e.g. a meeting or manifestation, etc.

- organize travel and/or accommodation on your behalf.

Based on our legitimate interest to organize your attendance to fair and events

Event details: e.g. time and date of the event, registration details and fees, other costs related to the event, passport details;

Travel and accommodation details:  e.g. travel and accommodation expenses and preferences, fees for services.

1 month after the event took place, except when applicable legislation obliges us to keep this data longer, then the retention period stated in the law.

Trainings:

- Give and/or participate to trainings about Galapagos’ products or disease area

Identification data and contact details

Function and working place

As long as there exists a professional relationship between us

Transfers of Value:

- record the amount of direct and indirect payments made to you.

This includes donations and sponsorships.

Necessary to comply with national legal obligations or;

based on your consent. This depends on the legislation in your country of residence. If consent is required, your consent will be obtained accordingly.

Identification data and contact details;

Transfer of Value details;

Financial details.

As long as it is required by national laws (e.g. the Belgian sunshine act requires to keep personal data for transfer of value purposes for 10 years).

 

If the period is not defined by a national legal obligation, as long as necessary for us to comply with the EFPIA Code of Practice (unless you withdraw your consent). 

Clinical trials:

- if you are involved in conducting a clinical trial: to conduct clinical trials and to answer product complaints and adverse events.

Necessary to ensure compliance with a legal obligation to keep clinical trial related data

Identification data and contact details;

Professional Information;

Your answers to product complaints and adverse events.

We will keep your information for 25 years after the end of the clinical trial as provided by the Clinical Trial Regulation.

Market Research and other activities:

- if you are involved in conducting studies/surveys: to conduct research studies/surveys on the commercialization of our products.

Necessary to ensure compliance with pharmacovigilance laws or;

Based our legitimate interest to collect information about the commercialization of our products.

Identification data and contact details;

Professional Information including the information and relationship with regard to an “adverse event”;

Your input on market research.

As long as it is required by pharmacovigilance laws.

If the period is not defined by a national legal obligation, we will try to de-identify your data if possible.

Research Funding:

- when you introduce via Galapagos ISR Portal a request for research funding

Based on our legitimate interest to invest in the research

Identification data and contact details (phone email, cv, job position and medical ID)

Financial details and financial transactions related to the research

As long as it is necessary for us to assess the possibility to fund the study

We believe that the above-mentioned purposes for processing your personal data are within anyone’s reasonable expectations. However, for all of the personal data we have collected in the aforementioned circumstances, we wish to make it clear that we will also process your personal data to: (a) comply with legal obligations or to comply, insofar we are legally allowed to do so, with any reasonable request from competent law enforcement agents or representatives, judicial authorities, governmental agencies or bodies, including competent data protection authorities; (b) inform a third party in the context of a possible merger with, acquisition from/by or demerger by that third party, even if that third party is located outside the EU, in which case we rely on our legitimate interest to engage in corporate transactions.

2. Accuracy

We take all appropriate steps to ensure that personal data are accurate, up to date and reliable for the purposes intended. Please be aware that you are partly responsible for the accuracy of your personal data. Should certain information we hold about you change, please notify us promptly. 

3. Disclosure to third parties

We may obtain assistance or use third parties for the abovementioned purposes. These third parties will be required to process your personal data only in accordance with our instructions and to maintain reasonable security of such personal data. These third parties may include but are not limited to, as the case may be: payroll organization, social secretariat, health insurance provider, group insurance provider, HR-system provider or another software supplier, cloud service solution provider, banking institution and an authorized medical entity. In addition, personal data may be disclosed to authorized persons dealing with claims and investigations, law enforcement authorities, legal advisors and public authorities if needed to comply with a request or for the establishment, exercise or defense of legal claims.

It may occur that data about you is shared within the Galapagos group of companies if this is necessary to achieve specific purposes. We take appropriate measures to ensure that all the entities of the Galapagos group are submitted to the same or equivalent data protection rules. If the entity is located outside the EEA we will take the necessary measures to ensure the equivalent protection as within the EEA.

As a general rule, the data that we collect from you is not transferred outside the EEA. If we, in exceptional circumstances, do transfer data outside the EEA, we will ensure it is protected employing the following safeguards:

  • transfer the data to a non-EEA country which has been awarded an adequacy decision by the European Commission;
  • put in place appropriate contractual measures, including standard contractual clauses, with the third party or the Galapagos entity to ensure that the third party or the Galapagos entity protect the personal data to the same standards as those required within the EEA.

4. Security of processing

We acknowledge our responsibility to ensure an appropriate level of security with regard to your personal data. Therefore, we have implemented appropriate technical and organizational measures in order to protect the personal data against loss, alteration, accidental or unlawful destruction, unauthorized disclosure of, or access to the personal data. 

5. Your rights

When we collect and use your personal data, you can exercise the following rights:

  • right of access: you can request a copy of your personal data undergoing processing and/or demand access to your personal data;
  • right to rectification: you are entitled to have incorrect personal data corrected or completed;
  • right to erasure (right to be forgotten): you have the right to have your personal data removed from our files. However, this right is not absolute, and some conditions must be met for this right to apply;
  • right to restriction of processing: you have the right to request for the restriction of the processing of your personal data. Requests to restrict processing will only be granted where the requesting data subject has legitimate grounds to make such request;
  • right to data portability: for personal data that you have provided to Galapagos, you have the right to receive your personal data, processed by Galapagos, in a structured, commonly used and machine-readable format and/or to transmit those data to another controller;
  • right to object: under certain circumstances, you have the right to object to the processing of your personal data. Please note that this request may be refused if the data is necessary to be processed by Galapagos for compelling legitimate reasons, or the establishment, exercise or defense of legal claims;
  • automated individual decision-making: you have the right not to be subject to a decision based solely on automated processing including profiling;
  • right to withdraw consent: with regard to the processing of personal data for which you have given your consent (e.g. direct marketing), you may withdraw your given consent at any time. However, this withdrawal does not affect any processing operations previously carried out on the basis of your consent;
  • right to lodge a complaint: if, at any time, you are of the opinion that we infringe your privacy, you have the right to lodge a complaint with the Belgian Supervisory Authority (https://www.dataprotectionauthority.be/citizen/actions/lodge-a-complaint). The contact details of the supervisory authorities in Europe, can be found here: Members | European Data Protection Board (europa.eu).

Unless specified otherwise above, you can exercise those rights by sending a request to dpo@glpg.com. After verifying your identity and applicability criteria, we will as a general rule, provide you with information on action taken within one month of receipt of the request.

6. Changes to this Privacy Notice

Changes to this Privacy Notice can be made from time to time, in accordance with European and local data protection laws. When we change the content of this Privacy Notice, we will change the date and version number of the ‘last update’ of this Privacy Notice. 

7. Contact

If you have any questions or comments with regard to the contents of this Privacy Notice or if you want to exercise one of your rights in relation to the data processed by us, you can contact our Data Protection Office by sending an email to dpo@glpg.com.