Data Sharing for a Pharma Company
Challenge
We were contacted by an EU-based pharmaceutical company with several subsidiaries in the Balkans region.
For HR purposes, the holding company and its subsidiaries share employee personal data. Besides this, the group shares sensitive personal data including information from medical trials.
The client wanted to be sure these data transfers were compliant with local regulation, as well as with the GDPR.
Solution
All existing data transfers between companies were assessed. The client was provided with Art. 28 Data Sharing Agreement which was signed by all companies involved in cross-border transfers of personal data.
In addition, we updated the existing or drafted new data protection policies for the client: HR Privacy Policy, Data Retention Policy, Data Access Policy, Information Security Policy, and the Data Breach Notification Procedure.
Transfers
All internal and external data transfers were assessed to comply with Articles 44-50 GDPR.
Data Sharing
To clarify controller/processor obligations, an Article 28 Data Sharing Agreement was drafted.
Policies
Set of policies was drafted for this client to complement already existing legal framework.
Data Breach
Data breach notification procedure was created to address the Article 33 GDPR requirements.
