1. Data Controller, Representative, and DPO
In compliance with Regulation EU 2016/679 (GDPR) we inform you that the Controller is:
Stemline Therapeutics Switzerland GmbH, with registered office at Grafenaustrasse 3, 6300 Zug, Switzerland (“Company” or “Controller”).
The Data Protection Officer (“DPO”) can be contacted at the following address: firstname.lastname@example.org.
If you decide to give consent for the purpose as described in Paragraph 3 of this Notice, or provide us with other information about yourself, the data you provide will be processed also by the Joint Controller, Stemline Therapeutics, Inc. with offices at 750 Lexington Avenue, 11th Floor, New York, NY 10022 United States (Stemline). Nominated European Representative pursuant to article 27 of the GDPR is A. Menarini Industrie Farmaceutiche Riunite S.r.l, with registered office in Firenze, Via Sette Santi, 1.
2. The Data We Process:
The following data can be processed:
1. As you navigate around the Site, certain information can be passively collected (that is, gathered without your actively providing the information), including your IP address, which is the number automatically assigned to your computer whenever you access the Internet and that can sometimes be used to derive your general geographic area; other unique identifiers, including mobile device identification numbers; your browser type and operating system.
2. If you utilize our “Contact us” section, you can provide your contact information (e.g., first name, last name, country, profession, institution/practice, e-mail address).
3. Why and How We Process Your Personal Data
The Company may process your ordinary personal data to enable you to benefit from the available services and functionalities and optimize their performance, to perform statistics on its usage, and to manage your registration to any restricted-access areas and initiatives, which may be present on the Website pursuant to Article 6.1.(b) of the GDPR. The Company may also process your personal data to fulfill obligations stemming from laws, regulations, and European Union law: the legal basis for the processing for this purpose is Article 6.1.(c) of the GDPR.
Furthermore, if you provide us with your data, we may use such data to fulfill your request regarding your interest in receiving scientific information and company communications. Please consider that your data may be processed by the Companies for the purpose of providing you with Scientific/Technical information or company information with Traditional Outreach, which may include by way of example, visits by our employees or agents, mailed invitations to conferences, training sessions on our product/services, the Company, or other related activities, etc. In this case the processing is based on the company’s legitimate interest to send the company information communications and to perform the Scientific/Technical Activities/Services described in this notice, pursuant to art. 6.1.f. of the Regulation, and specifically, the interest to maintain business relationship with healthcare professionals, organizing visits and activities related to scientific information, and to document it. In case our employees or agents visit you, we may also process the date and content of the visits, as well as preferred visiting times and other information relevant to the visit. This data is necessary to protect the following legitimate interests: maintaining our business relationship with you, managing our sales force, and for information and marketing purposes (legal basis: Art. 6 para. 1 p. 1 f) GDPR).
With your optional consent, we will process your data to send you scientific information and professional services and product offers tailored to your interests and needs, as well as offers to participate in further education and training events, by means of electronic media (e.g., email). In this case we use your contact details as well as the indication of your communication channels (e.g., email) and your usage behavior with regard to emails and our websites in order to adapt and personalize our advertising measures to your needs, to control our marketing and sales measures, and to send you targeted scientific information as well as information about our products and offers for participation in training and further education events. In doing so, the data on usage behavior with regard to emails and websites as well as participation in events will be analyzed and used for the personalization of future communications. The legal basis is your consent given to us (Art. 6 para. 1 p. 1 a) GDPR).
The legal basis for the processing is Article 6.1.(a) of the GDPR.
Finally, the Company may process your ordinary and sensitive personal data to protect its rights in legal proceedings (Articles 6.1.(f) and 9.2.(f) of the GDPR). All your data are processed using automatic and electronic instruments suitable to ensure full security and confidentiality.
4. Necessary Processing and Optional Processing
The forms to be completed on this Website require you to confer personal data, which are strictly necessary to handle your requests. Such Data are marked with an asterisk [*]. If you do not wish to confer them, we will not be able to handle your request. Conversely, forms may also provide the possibility to confer personal data, which are not strictly necessary to handle your requests; providing such data is optional – failure to do so has no consequence.
5. Browsing Data
If you only visit the Website (i.e., without sending communications or using any of the available services/functions), the processing of your data is limited to browsing data, i.e., data whose transmission to the Website is necessary for the functioning of the computers that operate the Website and of the Internet communication protocols. This category includes, for example, IP addresses or computer domains used to visit the Website and other parameters pertaining to the operating system used to connect to the Website. The Company collects these and other data (such as, for example, number of visits and time spent on the Website) merely for statistical purposes and in anonymous form in order to monitor the functioning of the Website and improve its performance. Such data are not collected to be associated with other information regarding, or for the identification of, users; however, such information, by its very nature, may enable the Company to identify users through processing and association with data held by third parties. Browsing data are normally deleted following processing in anonymous form but can be stored and used by the Company to detect and identify perpetrators of any computer offences committed to the detriment of the Website or using the Website. Without prejudice to this possibility, the browsing data described above are stored only temporarily, in compliance with law.
6. Links to Other Websites
7. How We Store Data and for How Long
In compliance with Article 5.1.(c) of the GDPR, the computers and programs used by the Company are set up in such a way to reduce the use of personal and identifying data to a minimum. Such data are processed only to the extent required to achieve the purposes indicated in this Policy and will be stored for as long as strictly necessary for achievement of the specific purposes pursued – in any event, the criterion used to determine the storage period is based on compliance with time limits permitted by law and the principles of data minimization, storage limitation or rational management of our records.
8. Persons Who Have Access to the Data
Persons belonging to the following categories are authorized to process the user’s data: technical and administrative staff, IT staff, medical sales representatives, product managers, internal audit and compliance staff, as well as other staff members who require processing the data for performance of their job duties. In addition, pursuant to Articles 6 and 9, Recitals 48 and 52 of the Regulation, Data may be communicated to the Company’s parent company A. Menarini IFR Srl, based in Florence (Italy), as well as to other companies of the Menarini Group, including those located in non-EU Countries (“Third Countries”) for the same purposes or for organizational, administrative, financial, and accounting necessities.
Our websites may be maintained in Europe and/or the United States. Please note that your data may be transferred to and/or accessible to our affiliates, partners, and service providers outside of your country or region, including countries that may not provide a similar or adequate level of protection as provided by your country or region. By visiting our websites, or when you provide your consent, you agree to the transfer of information to countries outside of your country of residence, including to the United States, where Stemline Therapeutics, Inc. is based.
Additionally, the Data can be communicated, also in Third Countries, to: (i) institutions, authorities, and public bodies for their institutional purposes (based on the legal and regulatory provisions to which we are bound, we may communicate your Data to national and local Health Authorities, other health centers and universities, other public authorities, association bodies, as well as other recipients to whom your Data shall be disclosed pursuant to laws or regulations; (ii) professionals, independent consultants – working individually or in partnerships – and other third parties and providers who supply to the Company commercial, professional, or technical services required to operate the Website (e.g., provision of IT and Cloud Computing services) for the purposes specified above and to support the Company with the provision of the services you requested; (iii) third parties in the event of mergers, acquisitions, transfers of business – or branches thereof – audits or other extraordinary operations; (iv) company supervisory bodies in the pursuit of their activities (oversight over the enforcement of legal obligations, ethical standards, etc.). The mentioned recipients shall only receive the Data necessary for their respective functions and shall duly undertake to process them only for the purposes indicated above and in compliance with data protection laws. The Data can furthermore be communicated to the other legitimate recipients identified from time to time by the applicable laws. With the exception of the foregoing, the Data shall not be shared with third parties, whether legal or natural persons, who do not perform any function of a commercial, professional, or technical nature for the Controller and shall not be disseminated. The parties who receive the Data shall perform processing as Data Controller, Processor, or persons authorized to process personal data, as the case may be, for the purposes indicated above and in compliance with the applicable data protection law.
9. Your Rights
You may at any time exercise the rights afforded by Articles 15-22 of the GDPR, including the right to obtain confirmation of the existence of personal data that relate to you, check its content, origin, correctness, location (also with reference to any Third Countries), request a copy, request correction and, in cases provided by law, restriction of processing, deletion, or change to direct contact activities, change to direct marketing (also limited to particular means of communication by writing to email@example.com. Likewise, you may always withdraw consent and/or make observations on specific issues regarding processing operations of your personal data that you regard as incorrect or unjustified by your relationship with the Company, or lodge a complaint with the Data Protection Authority.
You may contact the Controller (contact us or contact mail address) and/or at the addresses displayed above or the DPO at firstname.lastname@example.org, to make any requests regarding personal data processing by the Company, to exercise your legal rights, and to obtain an updated list of the parties who have access to your data.
The Site is intended for European users. This section of the document is addressed to worldwide users and provides information on how the personal data collected by the Company through this Website (“Website”) are processed.
1. Collection of Personal Information
The types of Personal Information we may collect (directly from you or from third party sources) and our privacy practices depend on the nature of the relationship you have with Stemline and the requirements of applicable law. Below are some of the ways we collect information and how we use it.
Information we collect from or about, customers, visitors, and guests includes information that may be deemed personal information, such as title, name, address, phone number, e-mail address, user name, and internet protocol (“IP”) address (collectively, “Personal Information”). We may also collect other information that is not considered Personal Information, such as demographic information you choose to provide to us, such as your business/company information, professional experiences, educational background, nationality, ethnic origin, gender, interests, preferences, and answers to a security question and password.
Additionally, if you participate in any of our programs or services, we may collect information regarding your medications, medical history, and other healthcare-related information, including, but not limited to, protected health information, from individuals or a third party. Any protected health information that is tied to an individual’s Personal Information will be treated as Personal Information, provided that any protected health information will be protected in accordance with the requirements of HIPAA.
Some of the ways that we may collect Personal Information includes:
- through surveys and during business/marketing events.
- when you use our website, we may provide you with opportunities to sign up to receive information or services and may ask for your contact information (e.g. name, home address, home phone number or personal e-mail address), and other information (for healthcare professionals we may collect information about name, age, gender, home address, home phone number, work address, work phone number, medical specialization, professional qualifications, license number and/or medical society membership number) so that we can send you information related to Stemline and its affiliates, that may be of interest to you.
- when you contact us or enroll in a program that we offer, we may obtain your contact information, and other personal information you may provide to us.
- if you report any adverse effects when using our products, we are required to collect certain Personal Information in order to comply with regulatory requirements.
It is not necessary to provide Personal Information in order to view our websites. However, to take advantage of certain features available on our websites, it may be necessary to provide Personal Information. If you do not want to provide us with Personal Information, you can choose to not use those features on our websites.
To the extent permitted by applicable data protection laws, we may also receive Personal Information from other sources, which could include commercially available sources, such as public databases and data aggregators. If applicable data protection law requires it, we will obtain your consent before using Personal Information for our business purposes.
2. Other Ways We Collect Personal Information
- your IP address, which is the number automatically assigned to your computer whenever you access the Internet and that can sometimes be used to derive your general geographic area.
- other unique identifiers, including mobile device identification numbers.
- your browser type and operating system.
- websites you visited before and after visiting our websites.
- pages you view and links you click on within our websites.
- information collected through cookies, web beacons, and other technologies.
- information about your interactions with e-mail messages, such as the links clicked on and whether the messages were received, opened, or forwarded; and
- standard server log information.
We may also use Google Analytics and Google Analytics Demographics and Interest Reporting to collect information regarding visitor behavior and visitor demographics on our websites and to develop content. For more information about Google Analytics, please visit www.google.com/policies/privacy/partners/. You can opt out of Google’s collection and processing of data generated by your use of our websites by going to http://tools.google.com/dlpage/gaoptout.
3. Where Personal Information Is Processed and Stored
Although our websites are maintained in the United States, Personal Information may be transferred to and/or accessible to our affiliates, partners, and service providers outside of your country or region, including countries that may not provide a similar or adequate level of protection as provided by your country or region. If you visit our websites from a country other than the United States, your communication with us will result in the transfer of information across international borders.
All Personal Information collected may be stored anywhere in the world, including, but not limited to, in the United States, in the cloud, on our servers, on the servers of our affiliates, or on the servers of our service providers.
Your use of our websites indicates your consent to the collection, storage, and processing of Personal Information in the United States and in any country to which we may transfer Personal Information in the course of our business operations.
4. Use of Personal Information
We respect your privacy and will only use Personal Information for limited purposes, including:
- to operate and improve our websites, products, information, and services.
- to understand you and your preferences so that we may enhance our websites, as well as our products and services.
- to process employment applications.
- to provide you with customer service, including responding to your comments and questions.
- to provide and deliver products, information, and services that you request.
- to send you related information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages.
- to communicate with you about upcoming events, news, information, related to Stemline or our affiliate companies and our selected partners.
- to protect, investigate, and deter against fraudulent, unauthorized, or illegal activities; and/or
- as otherwise described to you at the point of collection or pursuant to your consent.
5. Disclosure of Personal Information
We are committed to maintaining your trust and will share Personal Information only under limited circumstances, such as:
- with our affiliate companies.
- with service providers that perform certain functions or provide services on our behalf (such as to host our websites, fulfill orders, provide products and services, manage databases, perform analyses, provide customer service, or send communications).
- as part of a business transaction, including a sale of assets, merger, bankruptcy, business reorganization, or similar event.
- with third parties for business purposes, subject to applicable data protection laws; and
- with other organizations, in order to provide aggregate information, such as demographic and usage statistics.
6. Updating Personal Information
7. California Privacy Rights
For California residents only. Pursuant to California’s “Shine the Light Act,” California residents are permitted to request and obtain information about what Personal Information is disclosed to third parties for the third party’s direct marketing purposes. We do not share information that we collect with third parties for the third party’s direct marketing purposes.
8. Data Retention and Storage
9. Security of Personal Information
We take commercially reasonable steps to protect Personal Information from unauthorized access, use, or disclosure. However, no method of security or transmission over the Internet or storage of information can be guaranteed to be 100% secure. As a result, while we strive to protect Personal Information, we cannot ensure or warrant the security of information you transmit to us, and you do so at your own risk.
10. Children’s Online Privacy
Our websites are directed to a general audience. We do not knowingly collect, use, maintain, process, or disclose Personal Information from persons we know to be under 13 years of age, without prior parental or guardian consent, except as permitted by the Children’s Online Privacy Protection Act (“COPPA”). If you are the parent or guardian of a child under the age of 13 who you believe may have provided Personal Information to us, please contact us and we will promptly delete such Personal Information from our database.
11. Links to Other Websites
Our websites may contain links to other websites or online services that are operated and maintained by third parties and that are not under our control or maintained by us. Such links do not constitute an endorsement by us of those other websites, the content displayed therein, or the persons or entities associated therewith. We provide these links to you only as a convenience, and any information you provide to those third parties will be used as described by the third parties in their own privacy policies.
12. Company Communications
We may periodically send you e-mails to provide information about our products, relevant scientific or clinical developments, company events, and other related information. If applicable law requires it, we will obtain your consent before sending such e-mails. If you wish to stop receiving all communications or only certain types of communications from us, please contact us at email@example.com.