Privacy Policy

PRIVACY POLICY FOR PERSONAL DATA OF THE INNOVATIVE PHARMACEUTICAL INITIATIVE (IF!)

Preamble

Given that the INNOVATIVE PHARMACEUTICAL INITIATIVE (hereinafter: IF!) respects the privacy of its employees, members, business partners, clients and associates, and bases its business operations and activities primarily on mutual trust and transparency; in order to align its activities with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the Regulation) and the Croatian Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/2018, hereinafter: the Act); whereas the main purpose of adopting this Regulation is to protect the rights and freedoms of natural persons and to restrict the processing of personal data of individuals without their knowledge; the Regulation applies to all controllers and processors of personal data established in the European Union (EU) who process personal data for the needs of the controller and/or processor of personal data. In addition, the Regulation also applies to all controllers outside the EU whose processing of personal data enables the offering of goods and services and/or monitoring the behaviour of personal data owners within the borders of the EU;

IF! as the controller and as an Association that consistently, promptly and fully implements legal regulations in all areas of its business operations and activities, especially in those segments that directly relate to the interests and satisfaction of its members, adopts and publishes this Privacy Policy; this Policy regulates the principles and rules that IF! and all its associates, contractual partners and other natural and legal persons working on behalf of IF! adhere to when collecting, processing and storing all categories of personal data, in order to meet high standards aligned with existing legal provisions.

Introduction

IF! is a non-governmental, non-profit, non-political and independent association founded in 1994, which brings together pharmaceutical companies, i.e. innovative medicine manufacturers present on the Croatian market. The Association was founded with the primary goal of promoting research and development of medicines and creating a favourable economic, administrative and political environment that enables the innovative pharmaceutical industry to meet the growing needs of healthcare and patient expectations. The strategy of the Association itself is aimed at ensuring modern, innovative medical products for Croatian citizens as well as educating healthcare professionals and the general population about the latest achievements in the field of medicines, vaccines and medical products.

The activities of IF! are focused on informing and educating all interested groups, by organising training, seminars and lectures in cooperation with the health administration. The Association, among other things, also deals with the development of a professional Code of the Association on the principles of ethical promotion of medicines and the transmission of information to the general population, as well as the improvement of transparent competition in the market.

The Regulation itself describes in its provisions the ways in which various entities, including the IF! Association, must collect, process and store personal data. The rules defined by the Regulation must be applied regardless of whether the data is collected and stored electronically, on paper or on other media. In order to comply with the Act, IF! must collect and use data fairly, store it securely, and it must not be unlawfully disclosed. The Regulation applies to all, partially or fully automated, personal data processing procedures, as well as to the processing of other personal data (e.g. in paper form) that are an integral part of the activities of IF!.

The processing of personal data at IF! occurs for the purpose of exercising rights and obligations towards the members of the controller, fulfilling legal obligations, fulfilling contractual rights and obligations, and for the purpose of exercising rights and fulfilling obligations towards employees (maintaining internal records of personal data of IF! employees).

Since the members of IF! consist exclusively of legal persons – pharmaceutical companies, and the Preamble of the Regulation in point 14 states the following: “This Regulation does not cover the processing of personal data which concerns legal persons, and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person,” therefore the majority of data held by IF!, and in particular those relating to the exercise of rights and fulfilment of obligations of the Association’s members, are not considered personal data in accordance with the Regulation.

For this reason, the personal data that the controller encounters and processes in its regular business are for the most part data about the employees of the controller.

The business and activities of the controller are not focused on the processing of personal data of natural persons (individuals) nor do they involve extensive processing of personal data of natural persons.

1.1. Key Terms

Headquarters

The main headquarters of the personal data controller in the EU is the place where the personal data controller makes key decisions about the purpose and manner of processing personal data. The main headquarters of the personal data processor in the EU is its administrative headquarters. If the personal data controller is registered outside the borders of the EU, it will have to appoint a representative within the borders of the EU. Its powers and competencies must enable it to act on behalf of the personal data controller, including all types of communication with supervisory authorities.

Personal Data

All data relating to an individual whose identity has been established or can be established (data subject); an individual whose identity can be established is a person who can be identified directly or indirectly, in particular by means of an identifier such as a name, identification number, location data, online identifier or by means of one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Special Category of Personal Data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data collected for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Controller

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU law or the law of a Member State, the criteria for the designation of the controller may be specifically defined by EU law or the law of a Member State.

Processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Owner

Any living individual whose data held by an organisation is subject to some form of processing.

Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, disclosure or otherwise making available, erasure, destruction and the like.

Profiling

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Consent

In the context of the Regulation and this Policy, Consent means any freely given, specific, informed and unambiguous indication whereby the data subject, the owner of the personal data, gives their agreement to the processing of their personal data or the personal data of persons they represent.

Child

The Regulation defines a Child as any person under 16 years of age. Depending on the laws of individual Member States, the age limit ensuring child status may be at least 16 years. The processing of personal data of a child is permitted only if the consent of a parent or guardian has been obtained. The personal data controller must make reasonable efforts to verify that consent is given by the holder of parental responsibility over the child.

Third Party

A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Filing System

Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Reasons and Purpose of the Document

The protection of the rights and freedoms of individuals with regard to the processing of personal data requires the introduction of a Privacy Policy which aims to inform data subjects about the manner in which their data will be processed by IF!, as well as what their rights are and how they are exercised.

Adherence to the standards defined by this Policy ensures that the collection, processing and storage of personal data complies with the applicable Act and Regulation. This Policy primarily protects the rights of employees, members, service users and other partners of IF!, by transparently defining the methods of storage, processing and retention of data subjects’ data, and the Policy also protects the data subject from the risk of unlawful distribution of entrusted data.

In addition, this Privacy Policy enables the data subject to become familiar with the rights related to data processing.

This Privacy Policy also aims to provide information relating to how IF! handles personal data collected when using its website.

2.1. Objectives of the Privacy Policy

The objective of this Privacy Policy is to explain to our members, users, employees, business partners or other persons with whom IF! establishes business cooperation:

– which personal data we collect and process (and which we do not process),

– how we collect personal data, for what purposes and what our legal bases are;

– how long we store them and with whom we share them;

– what rights they have regarding data protection and how we protect them.

Personal Data and Responsibility for Their Protection

Personal data is any data relating to an individual whose identity has been established or can be established (“data subject”). An individual whose identity can be established is a person who can be identified directly or indirectly, in particular by means of an identifier such as: name, identification number, location data, online identifier or by means of one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

When collecting personal data, IF! implements technical and organisational security measures that ensure the permanent confidentiality of all personal data, which also includes preventing unauthorised access to personal data and equipment used in data processing or their unauthorised use.

Personal data must be handled with special care and may only be used in accordance with the purpose for which it was collected.

IF! collects only those personal data that have been voluntarily provided or for which there is another lawful basis for processing.

3.1. Risks

This Privacy Policy also helps protect against real security risks related to the protection of personal data, including: breach of confidentiality (data is processed inappropriately), inability to choose the method of data processing (all individuals should be free to choose how IF! uses data relating to them), and damage to the company’s reputation (loss of reputation in the event of a successful hacker attack).

Principles of Protection During Data Processing

The principles of data processing are the basic rules that IF! adheres to when processing personal data of data subjects.

IF! processes personal data in accordance with the following processing principles:

Lawfully, fairly and transparently – with regard to data subjects and their rights, IF! will process personal data of data subjects in accordance with applicable laws and covering all rights of data subjects. IF! will ensure transparent processing of personal data and will provide data subjects with all necessary information and, upon request, ensure data subjects have access to data, explanations of processing, bases for processing and all other rights in accordance with relevant regulations. IF! will provide information to data subjects on how personal data relating to them is collected, used, disclosed or otherwise processed, as well as the extent to which such personal data is or will be processed. The data subject will be informed in a timely manner, i.e. before the actual collection of data, of all relevant information.

With purpose limitation – personal data is collected and processed only for specified, explicit and legitimate purposes and is not further processed in a manner that is incompatible with those purposes.

Data minimisation – IF! uses only those data of data subjects that are adequate and necessary to achieve a specific legitimate purpose;

With storage limitation – IF! ensures that personal data of data subjects is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed and then deletes it from all records.

Accurate, complete and up-to-date – IF! ensures fair and transparent processing of personal data and, in order to prevent possible misuse, personal data must be accurate, complete and up-to-date. It is extremely important that the data subject immediately notifies IF! of any change to their personal data. IF! applies a transparent process of communication with data subjects through which the correction or deletion of inaccurate data can be requested.

Ensures integrity and confidentiality – IF! collects and processes data in a secure manner, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. The data of data subjects is accessed by employees of the Association depending on their authorisations and job positions, as well as other legal persons exclusively on the basis of IF!’s legitimate interest and if necessary for the purpose of fulfilling contractual obligations, all in accordance with the specified purpose of collection and processing of personal data. IF! applies appropriate technical and organisational protection measures, has implemented systems aimed at detecting and preventing data leakage, methods of monitoring data access, etc.

5. Collection and Processing of Personal Data

The collection of personal data must be carried out exclusively in accordance with legal regulations and ethical principles. It is permitted to process personal data only when there is a clearly defined and documented legal basis or a basis based on a contractual relationship, while all other processing of personal data is permitted only with the clear documented consent of its owner or their authorised representative.

5.1. Purposes of Collection and Processing of Personal Data

IF! primarily collects personal data for the following purposes:

• exercising rights and obligations towards members;
• promotion of services, implementation of projects and various events (organisation of seminars, training, lectures and scientific conferences);
• expressing the intention to conclude a contract;
• concluding contracts with business partners;
• internal statistical data processing;
• maintaining internal records of personal data of employees and external associates of IF!;
• the possibility of sending publications, brochures, newsletters and other promotional materials;
• managing relationships with data subjects (website and/or service users) and other persons in conducting its business;
• selection of candidates for employment;
• research of the medicines market, etc.;
• fulfilment of legal and contractual obligations;
• legitimate interest.

IF! processes personal data only to the extent necessary to provide the service and achieve the above-mentioned purposes. When storing data, personal data is stored in the minimum possible number of locations where it is adequately protected.

5.2. Categories of Data Subjects and Personal Data Collected and Processed

Within the scope of its activities, IF! may collect the following categories of personal data according to categories of data subjects:

Interested parties:

contact details (e.g. name, surname, e-mail address, etc.), data required for concluding a contract (e.g. name, surname, address, personal identification number (OIB), etc.).

Members:

contact details (e.g. name, surname, e-mail address, etc.), data required for membership (e.g. name, surname, address, personal identification number (OIB), etc.), data required for research we conduct (e.g. what goods they sell, what payment methods they offer, etc.).

Job candidates:

contact details (e.g. name, surname, e-mail address, mobile phone number, etc.), CV data (e.g. data on education, previous employment, work experience, photograph, etc.), results of candidate/data subject testing conducted.

Former and current employees:

all data prescribed by positive regulations relating to employment law, accounting and bookkeeping regulations (e.g. name, surname, address, personal identification number (OIB), year of birth, personal identification number (JMBG), identity card number, number of dependants, salary data, registration number of vehicle owned by the data subject, etc.), data for internal communication within the company (e.g. business photographs, etc.), records of arrival and departure from the workplace, health data in the case of absence from the workplace, data required for performing job duties such as organising travel to a foreign country, obtaining job-related benefits, etc. (e.g. name, surname, employment, passport number, driving licence number, number of children, etc.).

External associates and business partners:

contact details (for example: name, surname, title, position, employer name, e-mail address, mobile phone number, etc.), CV data (for example: data on education, previous employment, work experience, etc.), data required for contract performance (for example: name, surname, e-mail, IBAN, salary data, etc.), data required to meet legal conditions for entry into the Republic of Croatia or another country (name, surname, employment, passport number, etc.).

5.3. Personal Data Not Collected and Processed

IF! as a rule does not process data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, health data, data concerning sex life or sexual orientation of data subjects.

The processing of the above-mentioned special categories of personal data will be carried out by IF! under the following conditions:

• the data subject has given explicit consent to the processing of those personal data for one or more specified purposes
• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of IF!
• processing is necessary to protect the vital interests of the data subject or of another individual
• processing relates to personal data which are manifestly made public by the data subject
• processing is necessary for the establishment, exercise or defence of legal claims

5.4. Methods of Collecting Personal Data

IF! may collect personal data in the following ways:

• through business processes and during the fulfilment of legal obligations or obligations under contracts;
• during monitoring of the operation of the IF! website, including e-mail communication directed to members, employees and associates of the Association;
• by data subjects completing surveys or online questionnaires,
• by downloading our online materials (e-books, guides, etc.)
• by responding to job advertisements, the Ecommerce Croatia Academy or other training
• by data subjects providing data in the form of publishing content on the website or platforms or during direct communication of data subjects with IF! members, including personal communication and online communication via the website or e-mail;

5.5. Legal Bases for Processing Personal Data

IF! processes personal data of data subjects on the basis of the following grounds:

• performance of a contract concluded between the data subject and IF!;
• legitimate interest for providing the website service and managing it, statistical purposes, for the purpose of establishing, resolving disputes and conducting proceedings between data subjects and IF!, as well as for sharing personal data with Association members and third parties in accordance with this Privacy Policy, for internal records of Association employees, for conducting the candidate selection process for the purpose of employment;
• explicit consent of the data subject to receive marketing messages, newsletters, e-mail notifications about IF! activities or surveys to measure satisfaction with services, also to process data subject enquiries
• for the fulfilment of IF!’s legal obligations, in particular on the basis of accounting and bookkeeping regulations, as well as labour law regulations, tax regulations and other legal obligations.

5.6. Place of Processing

Personal data is collected and processed at the IF! Headquarters, located at Florijana Andrašeca 18a, Zagreb.

Personal data collected at the Headquarters of the controller is, as needed and exclusively for the purpose of achieving the objective within the controller’s field of activity, transferred to the internal organisational units of the controller, for a limited time necessary to achieve the objective (organisation of professional conferences, assemblies, etc.)

5.7. Storage Period

IF! stores personal data only for as long as it is needed for the purposes for which it is collected, i.e. for the purpose of fulfilling a contractual relationship or legal obligations, and for no longer than according to the following criteria:

• Personal data collected for the purpose of fulfilling its legal and regulatory obligations, IF! stores according to prescribed deadlines,
• Personal data collected for the purpose of selling products and services, IF! stores for the duration of the contractual relationship;
• Personal data collected for the purpose of marketing activities, IF! stores until the data subject withdraws consent, cancels the subscription or requests deletion of the subscription, or after a certain period of inactivity.
• Personal data is deleted upon termination of the contractual or employment relationship, and at the latest upon expiry of all legal storage obligations, unless court or other similar proceedings have been initiated that require data retention.

Upon expiry of storage periods, IF! removes personal data from systems and archives or converts them into anonymous data so that data subjects can no longer be identified.

6. Data Subject Rights

IF! respects the right to privacy, collects and processes data only on the basis of lawful bases for processing, and data subjects retain certain rights at all times in relation to the processing of their data.

6.1. Availability of Information

Availability of information ensures that individuals become aware that their data is being processed and that they understand:

• How the data is used
• How they can exercise their rights

At the time of collecting information from the data subject, IF! will provide the following applicable information:

• the identity and contact details of the controller,
• the contact details of the data protection officer,
• the purposes of processing for which the personal data are used as well as the legal basis for processing,
• the legitimate interests,
• the recipients or categories of recipients of personal data,
• the intention to transfer personal data to third countries (if any),
• the period of data storage or the criteria defining that period,
• rights related to consent,
• and the existence of the rights listed below.

In case the data is not collected directly from the data subject, in addition to the above data, the source of the personal data is also stated.

6.2. Rights Regarding the Processing of Data Relating to the Data Subject

IF! enables the exercise of all rights of data subjects. Thus, at any time, the data subject has the following rights:

• The data subject has the right to request from the controller access to data being processed about them
• To object to the processing of personal data relating to them and to processing that may cause harm to the data subject.
• To prevent the processing of personal data relating to them that is processed for marketing purposes
• To be informed about the methods and algorithms in the case of automated data processing
• To seek compensation for damages through the courts if such damage has been caused
• To take actions resulting in the correction, deletion or destruction of inaccurate personal data or data for which consent to processing has been withdrawn where there is no other legal basis for processing
• To request an assessment from the supervisory authority of a breach of any provision of the Regulation
• To request the transfer of data to other controllers
• To stop any automated profiling, unless consent has been given for such profiling

Data subjects also have the following rights guaranteed by the Regulation:

Right to erasure (“right to be forgotten”) – the data subject has the right to obtain from IF! the erasure of personal data concerning them, and IF! is obliged to erase the personal data of the data subject without delay if one of the following conditions is met:

The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed

The data subject withdraws consent on which the processing is based and there is no other legal ground for the processing

The data subject objects to the processing and the legitimate reasons for exercising the right to erasure outweigh the legitimate interest of the Association for processing and/or storing personal data

The personal data have been unlawfully processed

The personal data have to be erased for compliance with a legal obligation

Right of access to data – the data subject has the right to obtain from IF! confirmation as to whether or not their personal data is being processed, and, where such personal data is being processed, access to the personal data and the purpose of processing, categories of data, potential recipients to whom the personal data will be disclosed, etc.

Right to rectification – the data subject has the right to obtain from IF! without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement. Additionally, data subjects have an obligation to update their personal data in their business relationship with the Association.

Right to data portability – the data subject has the right to receive personal data concerning them, which they have provided to IF!, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller. It should be noted that the right to portability relates exclusively to the personal data of the data subject.

Right to object – the data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them. In such a situation, IF! shall no longer process the personal data unless it demonstrates that there are legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Furthermore, where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Right to restriction of processing – the data subject has the right to obtain from IF! restriction of processing where they contest the accuracy of the personal data, where they consider that the processing is unlawful and oppose the erasure of the personal data and instead request the restriction of their use, and where the data subject has objected to processing and is awaiting verification whether the legitimate grounds of the controller override those of the data subject. The data subject has the right to request the exercise of any of the above rights at any time.

7. Consent

IF! considers that Consent means any freely given, specific, informed and unambiguous indication whereby the data subject, the owner of the personal data, gives their agreement to the processing of their personal data or the personal data of persons they represent.

For IF!, giving Consent means that the data subject is fully informed about the intended processing of personal data. Any Consent obtained under duress or based on error is not valid and cannot be a basis for processing personal data of the data subject by IF!.

Obtaining Consent from the data subject requires active communication between both parties (controller and data subject).

Passive behaviour of the data subject, inaction, i.e. failure to respond to a posed question, will not be considered given Consent by IF!. Also, giving Consent cannot be presumed. Since IF! as the controller of personal data must be able to demonstrate that it has obtained consent for the processing of personal data, Consents of data subjects whose personal data IF! processes will be obtained in written form.

If there is an alternative legitimate basis for processing personal data, giving consent is not mandatory or does not have to be given in written form.

It is the right of the data subject to withdraw their Consent to the processing of their personal data at any time. Withdrawal of given Consent to the processing of personal data can be given in writing in person or through an authorised representative, and the withdrawal procedure is described in the document entitled Consent Withdrawal Procedure, available by sending an enquiry to info@ifi.hr in electronic form or in written form at the controller’s headquarters. Consent may be withdrawn in an approximately equally simple manner as it was given.

Revocation of Consent does not affect the lawfulness of processing of personal data based on Consent in the period before revocation. After Consent is revoked, processing of data based on Consent ceases immediately, and personal data is kept for the time required to delete personal data in accordance with the technical capabilities of the information system.

The controller does not condition the giving or revocation of Consent in any way, and the data subject who decides to revoke Consent does not suffer adverse consequences or costs because they have revoked it.

8. Sharing Personal Data of Data Subjects

IF! may, on the basis of its legitimate interest, share personal data among its members, who may also process it for the fulfilment of legal obligations, prevention of abuse, improvement of products and services or on the basis of consent.

IF! members exchange personal data with each other only if there is a need based on the lawful grounds stated in this document.

8.1. Sharing Data with Third Parties

IF! may share personal data of data subjects with third parties, exclusively in the following cases:

• if there is a legal obligation or explicit authorisation under law;
• if it engages a processor for the performance of certain tasks or activities, who acts exclusively on the instructions of IF! and whereby IF! ensures all data protection measures as if it were performing these tasks itself;
• if data needs to be forwarded to third parties for the performance of a contract with the data subject;
• on the basis of the data subject’s consent.

Such third parties include:

• Legislative, supervisory and regulatory bodies within and outside the territory of the Republic of Croatia;
• Various institutions, state bodies and bodies of state administration with which IF! cooperates;
• Pharmaceutical companies – members of the Association with headquarters within and outside the territory of the Republic of Croatia;
• Other associations, agencies, institutions, and commercial companies that are partners with whom IF! has concluded business cooperation agreements.

When transferring data of IF! data subjects, the principle of processing limitation is strictly observed, with the transfer of the minimum amount of data necessary to realise the requested service, and with respect for all other relevant data protection principles.

All relationships with partners are regulated by data processing agreements, whereby partners are required to maintain at least the same level of personal data protection as within the Association’s members.

8.2. Transfer of Data to Third Countries

IF! as a rule processes personal data in the Republic of Croatia and does not transfer it to third countries.

However, it may occasionally process them in other countries, usually in European Union Member States.

Exceptionally, IF! will also process personal data in countries outside the European Union (EU) or the European Economic Area (EEA), which may reduce the level of data protection compared to that in Europe.

It should be noted that any transfer of data from the European Economic Area to third countries is unlawful unless there is an adequate level of protection of the fundamental rights of data subjects.

The European Commission assesses third countries, territories and/or specific sectors within third countries to assess whether there is an adequate level of protection of the rights and freedoms of natural persons. In the case of the transfer of personal data to countries that meet the security criteria, authorisation from the supervisory authority is not required for the transfer of personal data to those countries/territories. A country that is a member of the European Economic Area, although not a European Union country, meets the required conditions.

IF! may adopt its own rules on the transfer of personal data to third countries. In that case, the rules need to be reported to the competent supervisory authority, which will issue an opinion and approve or reject the rules.

If none of the above conditions are met, the transfer of data to third countries or an international organisation can only be made under one of the following conditions:

• The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfer;
• The transfer is necessary for the performance of contractual obligations between the data subject and the controller/processor or the implementation of pre-contractual measures taken at the request of the data subject;
• The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller/processor and another natural or legal person;
• The transfer is necessary for important reasons of public interest;
• The transfer is necessary for the establishment, exercise or defence of legal claims;
• The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is incapable of giving consent.

Therefore, IF! will as a rule conclude contractual clauses at EU standard level with its partners, in order to be able to guarantee an adequate level of data protection, or will seek the explicit consent of the data subject for such processing of personal data.

All transfers to affiliated pharmaceutical company members of IF!, with headquarters outside the EEA, will be carried out on the basis of binding corporate rules.

For the transfer of data to countries for which the EU has determined that they provide an adequate level of data protection, IF! is not required to obtain additional authorisation or consent.

9. Cookies

In order for the IF! website to work properly and for the IF! Association to be able to make further improvements to the site, for the purpose of improving the browsing experience, the site must store a small amount of information (Cookies) on the data subject’s computer.

A cookie is information stored on a computer by a website that the data subject visits. Cookies usually store the data subject’s settings and settings for the website, such as preferred language or IP address. Later, when the data subject opens the same website again, the internet browser sends back the cookies belonging to that site. This mechanism allows the website to display information tailored to the needs of the data subject.

Cookies can store a wide range of information including personal information (such as personal name, e-mail address, IP address of the data subject’s computer). However, this information can only be stored if the data subject enables it – the IF! website cannot access information that data subjects have not granted access to. Although the default activities of storing and sending cookies are not visible to the data subject, the data subject can change their internet browser settings so that they can choose whether to approve or reject requests to store cookies, and so that stored cookies are automatically deleted when closing the internet browser.

Also, the data subject has the right to disable cookies. Internet browsers are usually programmed so that accepting cookies is the default setting, but the data subject can easily adjust this by changing their browser settings.

By disabling cookies, the data subject independently decides whether to allow cookies to be stored on their computer. If they disable cookies, the data subject will not be able to use some of the functionalities on the websites.

More information can be found at the following link: http://www.aboutcookies.org/ or by sending an enquiry to info@ifi.hr

Additional Information for the Data Subject

If you believe that the processing of personal data we carry out is contrary to personal data protection regulations, please notify us of this in writing to the address of the IF! Association headquarters, Florijana Andrašeca 18a, Zagreb, or via e-mail address: info@ifi.hr.

You can also submit your complaint to the supervisory authority – the Personal Data Protection Agency, at Martićeva 14, Zagreb, and to a supervisory authority within the EU.

In the event of refusal to provide personal data necessary for concluding and exercising rights under a contract or providing our services, there is a possibility that the contract cannot be concluded or the service provided, i.e. that the data subject who refuses to provide their personal data will not be able to access certain content, competitions, seminars or training.

You can revoke the consent you have given for a particular processing purpose at any time, in which case we will no longer use your personal data collected on the basis of Consent for the stated purposes.

You can change your consent as well as exercise your other rights free of charge, electronically, by sending an e-mail to: info@ifi.hr.

Exceptionally, if the data subject requests that a certificate for the transfer of personal data be issued in a form other than electronic form, IF! reserves the right to charge a reasonable fee for administrative costs for issuing an additional copy of personal data.

Incident Management

In order to protect the personal data it collects, IF! implements appropriate physical, technical and organisational protection measures, taking into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of data subjects.

IF! updates and tests its security technologies on an ongoing basis and continuously improves them at the Association level. Advanced tools for data protection and prevention of data leakage are used, critical systems within the Association are permanently monitored, data is protected from unauthorised access, alteration, loss, theft and any other breach and misuse of data.

Access to data within IF! is limited only to those data necessary for performing individual business tasks and exclusively to authorised persons who directly work on the performance of the Association’s activities, in accordance with clearly defined roles and responsibilities within the Association. All IF! employees are bound by data confidentiality agreements and we engage exclusively partners with whom we agree appropriate protection measures.

IF! cannot guarantee 100% security of data transmission over the internet, websites, mobile applications, computer systems or any other public network.

In the event of a personal data security breach that could cause significant harm to the data subject, IF! will notify each data subject of the same without delay, and take all necessary measures in accordance with the Regulation, in order to eliminate the damage and to limit or mitigate the adverse consequences resulting from the breach of personal data security.

Final Provisions

This version of the IF! Association Privacy Policy has been in effect since 25 May 2018.

You will be notified of any changes to the Privacy Policy on our website: https://ifi.hr/hr/