Personal data protection policy
I. SCOPE
The present "Personal Data Protection Policy" applies to all
activities involving the processing of personal data carried out by
MICHELL Y CIA S.A. (hereafter "Michell").
It also applies to individuals from whom Michell requires any
processing of their personal data, for which the company is
responsible.
II. DEFINITIONS
"ANPDP": National Authority for Personal Data Protection.
"Data Bank": The organized set of personal data referring to an identified or identifiable person, which will be subject to processing.
"Personal Data": Any information about a natural person that identifies or makes them identifiable through means that can be reasonably used. Personal Data includes private data referred to by Law No. 29733 - Personal Data Protection Law (hereafter the Law) and its Regulations.
"Sensitive Personal Data": Personal data consisting of biometric data that can identify the holder by themselves; data related to racial and ethnic origin; economic income, political, religious, philosophical, or moral opinions or beliefs, union membership, and information related to health or sexual life (article 2, ordinal 5 of the Law).
"Processor": The natural or legal person, public or private, who by itself or in association with others, carries out the Processing of personal data on behalf of Sanofi. "Holder": The person to whom the Personal Data being processed belongs.
"Transfer": Any national or international transmission, provision, or communication of personal data to a private legal entity, a public entity, or a natural person other than the personal data holder.
"Processing": Any operation or technical procedure, automated or not, that allows the collection, registration, organization, storage, preservation, processing, modification, extraction, consultation, use, blocking, deletion, communication by transfer or dissemination, or any other form of processing that facilitates the access, correlation, or interconnection of personal data.
This Policy shall be reviewed at least every 2 years or earlier if business conditions and the regulatory environment warrant it. Sanofi reserves the right to modify the content of the Policy without prior notice in order to reflect any legislative, technical, technological changes or changes in the pharmaceutical industry. Once the Policy is updated, it will be available for consultation, and Holders will be notified of the changes indicating the date the modifications took effect.
II. GENERAL INFORMATION
Michell processes personal data in compliance with Law 29733 –
Personal Data Protection Law, its Regulation, approved by Supreme
Decree 003-2013-JUS, and its complementary and modifying norms (all
these hereafter defined as the "Personal Data Protection
Normative").
The personal data that we process are stored in personal data banks owned by Michell.
III. OBJECTIVE
This Policy aims to inform the public about our commitment to personal
data protection, as well as the guidelines under which we carry out
the processing of the same in the exercise of our commercial
activities, the purpose for which we do so, and the procedures for the
holders of the same to exercise their ARCO rights (access,
rectification, cancellation, and opposition) mentioned in the Personal
Data Protection Normative.
IV. PURPOSE OF PROCESSING PERSONAL DATA
Michell processes personal data of employees, customers, suppliers,
and all those who have some relationship with our company, with the
purpose of complying with current legislation, executing the legal
relationship that the holders of personal data maintain with our
company, as well as any other lawful purpose previously informed to
the holders of personal data.
V. GOVERNING PRINCIPLES
Michell commits to respecting the governing principles established in
the Personal Data Protection Normative. These are:
Principle of legality: The processing of personal data is carried out in accordance with the law, and the collection of personal data by fraudulent, unfair, or illicit means is prohibited.
Principle of consent: The consent of the holder is required for the processing of personal data.
Principle of purpose: Personal data must be collected for a specific, explicit, and lawful purpose, and their processing should not extend to a different purpose than for which they were collected.
Principle of proportionality: The processing of personal data must be adequate, relevant, and not excessive in relation to the purpose for which they were collected.
Principle of quality: The personal data to be processed must be truthful, accurate, and, as far as possible, updated, necessary, relevant, and appropriate concerning the purpose for which they were collected.
Principle of security: The owner of the personal data bank and the processor must adopt the necessary technical, organizational, and legal measures to ensure the security of personal data.
Principle of recourse availability: The holder of personal data must have the necessary administrative or judicial means to claim and enforce their rights when they are violated by the processing of their personal data.
Principle of adequate protection level: For the cross-border flow of personal data, a sufficient level of protection for the personal data to be processed must be guaranteed, or at least, comparable to that provided by the Personal Data Protection Law or by international standards in the matter.
VI. CONSENT
Michell requires the free, prior, express, unequivocal, and informed
consent of the holder of the personal data for their processing,
except in cases of exemption expressly established by Law. Michell
does not require consent to process personal data obtained from
publicly accessible sources, whether free or not; likewise, it may
process personal data from non-public sources, provided that these
sources have the consent to process and transfer said personal data.
VII. TRANSFER OF PERSONAL DATA
Michell may transfer personal data locally and internationally to
Michell and Cía. Companies for any of the purposes indicated in
section IV of this Policy in cases where it is legitimized to do so.
Michell may transfer personal data to legally empowered public entities within the scope of their competencies in compliance with current or future regulations or at their request.
VIII. RIGHTS OF THE HOLDERS
Mechanisms must be implemented so that the Holder of the data or the
representatives of minors can make requests regarding:
Right to Information:
The purpose for which their data will be processed. Who are or can be
their recipients. The identity and address of the owner of the
personal data bank. The transfer of personal data. The consequences of
providing their personal data and their refusal to do so. The time of
data conservation.
Right of Access:
To obtain information, free of charge, about oneself that is the
subject of processing in data banks. How their data was collected. The
reasons that motivated their collection. At whose request the
collection was made. Transfers made or foreseen to be made.
Right to Rectification, Cancellation, and Opposition:
When an omission, error, or falsehood has been noticed. When they are
no longer necessary or relevant for the purpose for which they were
collected. When the established term for their processing has expired.
The company reserves the right to maintain the information in order to
comply with special regulations on money laundering prevention. Any
request for rectification must be accompanied by the corresponding
supporting documentation.
IX. PROCEDURE FOR THE EXERCISE OF THE RIGHTS OF THE HOLDER OF PERSONAL DATA Holders may revoke their consent or exercise their legal rights by presenting their ID or another official identity document and completing the ARCO Rights Form.
1. The Holder must first send an email to LPDP@michell.com.pe indicating that they wish to make a claim.
2. The Personal Data Protection Committee will forward an email with a link, which will redirect to a virtual ARCO Rights Form.
Note: All Holders must scan their ID or another official identity document. And in case the personal data holder requires to exercise their rights through a representative, they must present a notarized power of attorney scanned that empowers them as such and their identity document scanned.
Note: The attention to requests and claims by the holders of personal data must consider the following deadlines:
Information | 08 days counted from the day after the submission of the request. |
Access | 20 days counted from the day after the submission of the request. |
Rectification, Cancellation, and Opposition | 10 days counted from the day after the submission of the request. |
Protection of rights. (APDP) | 15 days counted from the notification of the request by the APDP (National Authority for Personal Data Protection). |
XI. SECURITY OF PERSONAL DATA
In compliance with current regulations, Michell adopts the appropriate
legal, organizational, and technical measures to ensure the security
of personal data, avoiding their alteration, loss, improper
processing, or unauthorized access. For this purpose, it makes
available all necessary human and technological resources, applying
them in proportion to the nature of the stored data and the risks to
which they are exposed. Michell will only carry out processing on
personal data that are stored in repositories that meet the security
conditions required by the current regulations on personal data
protection.
XII. MODIFICATIONS
This Policy has been updated on July 13, 2018, and may be modified by
Michell. Should there be any modification to this Policy, it will be
published on our website: (www.michell.com.pe)