This website is intended for patients who have been prescribed Evenity®▼ (romosozumab) and have signed up to the support programme.
Information placed on this digital platform is not intended as a substitute for consultation with your doctor.

'My Bones & Me' Website Privacy Policy

1. WHO WE ARE AND HOW YOU CAN CONTACT US

UCB or we means UCB Pharma Ltd., a company incorporated under the laws of England and Wales with its registered office at 208 Bath Road, Slough, Berkshire SL1 3WE (United Kingdom).

As the controller, i.e. the legal entity that decides why and how information relating to you (personal data) is collected and processed in the context of this My Bones & Me website (the Website), dedicated to patients participating to the My Bones & Me Patient Support Programme (the Patients), we respect your right to privacy.

We will only process your personal data as described in this Privacy Policy (the Policy) for the Website and in accordance with the relevant data protection legislation, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation or GDPR).

We have a data protection officer (DPO), who can be contacted by any of the following means for any privacy-related questions, including regarding how we collect, store and use your personal data:

  • E-mail:                 dataprivacyuk@ucb.com; or
  • Regular mail:      UCB Pharma Ltd
    To the attention of the data protection officer
    208 Bath Road
    Slough, Berkshire SL1 3WE (United Kingdom)

2. THE REASON BEHIND THIS PRIVACY POLICY

The Policy governs the collection, use and retention by UCB of your personal data when you access and browse the Website.

If you are a healthcare professional (HCP) or a member of the general public who wishes to receive more information about osteoporosis and its treatment, you will be redirected to our UCB Evenity® website dedicated to HCPs www.evenity.co.uk, respectively to the relevant page on our general website (UCB.com), both subject to separate privacy policies which we encourage you to read as it contains information about the processing of your personal data on these websites.

The Policy consists of five main components and informs you about:

  1. Who we are and how you can contact us;
  2. The reason behind this Policy;
  3. The purposes for which we process your personal data, the related legal basis under data protection legislation and applicable retention periods;
  4. What your rights are in relation to the personal data we hold about you and how you can exercise them; and
  5. Further details on how we process (including share) your personal data.

This Policy may be updated periodically to reflect changes in our personal data processing practices. In that case, we will inform you of any significant changes via an appropriate channel, e.g. by posting a prominent notice on the Website.

3. THE PURPOSES FOR WHICH WE PROCESS YOUR PERSONAL DATA AND APPLICABLE LEGAL BASIS

The table below indicates per purpose (i) the categories of personal data we collect and process concerning you, (ii) the source, (iii) how long we retain your personal data, (iv) who we share it with, and (v) the relevant legal basis.

 

1. In order to make the Website and its content available to you, UCB:

Collects the following personal data about you:

  • *Electronic identification data: IP address;
  • *Information collected through cookies.
Failure to provide the personal data with an (*) may result in (some features of) the Website not being accessible.

 

Obtains this personal data from:

  • You (through the device you use to access the Website);

Retains (**) your personal data for:

  • IP addresses are deleted after 6 hours;
  • For cookies, see our Cookie Policy for more information.

Shares your personal data with:

  • UCB affiliates and third party processors (as detailed in section 5.A).

Relies on the following GDPR legal basis:

  • Processing necessary for the  performance of a contract with you;
  • For cookies, processing based on your consent except for functional cookies (see our Cookie Policy for more information).
 

2. In order to maintain our Website security, we deploy cookies and log files to monitor access to and traffic on our Website in order to detect and prevent malicious activity or invalid traffic. In this context, UCB:

Collects the following personal data about you:

  • *Electronic identification data: IP address;
  • *Information collected through cookies.
Failure to provide the personal data with an (*) may result in (some features of) the Website not being accessible.

Obtains this personal data from:

  • You (through the device you use to access the Website).

Retains (**) your personal data for:

  • IP addresses are deleted after 6 hours;
  • For cookies, see our Cookie Policy for more information.

Shares your personal data with:

  • UCB affiliates and third party processors (as detailed in section 5.A).

Relies on the following GDPR legal basis:

  • Processing necessary for the purpose of the legitimate interests pursued by UCB to protect its IT infrastructure and the data it holds. To this end, UCB strives to maintain a fair balance between its need to process your personal data and the preservation of your rights and freedoms, including the protection of your privacy. For more information or if you have any questions regarding how we assess this balance, please contact us through any one of the channels set out under section 1 above (“Who we are and how you can contact us”).
  • For cookies, processing based on your consent except for functional cookies (see our Cookie Policy for more information).
 

3. In order to improve our Website functionality, we use cookies to support and improve the Website and to better understand usage patterns relating to our Website, including by retaining and evaluating information on recent use you made of our Website and how you access different features of our Website for analytics purposes so that we can make our Website more intuitive. In that context, UCB:

Collects the following personal data about you:

  • *Electronic identification data: IP address;
  • *Information collected through cookies.
Failure to provide the personal data with an (*) may result in (some features of) the Website not being accessible.

Obtains this personal data from:

  • You (through the device you use to access the Website).

Retains (**) your personal data for:

  • IP addresses are deleted after 6 hours;
  • For cookies, see our Cookie Policy for more information.

Shares your personal data with:

  • Google Analytics;
  • UCB affiliates and third party processors (as detailed in section 5.A).

Relies on the following GDPR legal basis:

  • Processing necessary for the purpose of the legitimate interests pursued by UCB to conduct its business and to improve upon its services and products. To this end, UCB strives to maintain a fair balance between its need to process your personal data and the preservation of your rights and freedoms, including the protection of your privacy. For more information or if you have any questions regarding how we assess this balance, please contact us through any one of the channels set out under section 1 above (“Who we are and how you can contact us”).
  • For cookies, processing based on your consent except for functional cookies (see our Cookie Policy  for more information).
 

4. In order to enable you to participate in polls/quizzes on our Website, UCB:

Collects the following personal data about you:

  • No personal data is processed other than the personal data collected from you via cookies and log files when visiting the Website.

Obtains this personal data from:

  • You via cookies and log files when visiting the Website (see explanation set out above).

Retains (**) your personal data for:

  • No identifiable data is stored after the visitor completes the poll/quiz.

Shares your personal data with:

  • UCB affiliates and third party processors (as detailed in section 5.A).

Relies on the following GDPR legal basis:

  • For cookies, processing based on your consent except for functional cookies (see our Cookie Policy for more information).
 

5. In order to enable UCB to comply with its legal (including pharmacovigilance) obligations, UCB:

Collects the following personal data about you:

  • *Patient’s details as legally required;
  • *Information regarding adverse event (seriousness, date and unique identification number) or any other information that may be legally required.
Failure to provide the personal data with an (*) will prevent UCB from complying with its legal obligations, including but not limited to reporting an adverse event in accordance with applicable laws.

Obtains this personal data from:

  • You;
  • Your treating healthcare professional.

Retains (**) your personal data for:

  • 10 years after the end of the marketing authorisation in any country where Evenity was placed on the market.

Shares your personal data with:

  • Competent regulatory and government agencies;
  • UCB affiliates and third party processors (as detailed in section 5.A).

Relies on the following GDPR legal basis:

  • Compliance with our legal obligations (including but not limited to pharmacovigilance/ adverse event reporting legislation) and processing necessary for reasons of public interest in the area of public health.
     For more information about adverse event reporting, please follow this link: https://www.ucbpharma.co.uk/Adverse-Event-Reporting

(**) We will retain your personal data in accordance with the retention periods set out in the table above. These retention periods, included in our data retention policy, are dictated by:

  • applicable statutory/legal requirements;
  • industry guidelines; and
  • for those data categories for which no express statutory or legal requirements apply, certain other determining factors such as the need to prove or enforce a transaction or contract, enforce our policies, etc.

We will delete your personal data once the abovementioned retention periods will have expired or if you object to or withdraw your consent in relation to our processing of your personal data (to the extent such processing is based on your consent), except where we need to hold on to such data for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person, for compliance with a legal obligation of the European Union, a European Union Member State or the United Kingdom which requires such further processing or where we need to prove or enforce a transaction or contract, or enforce our policies.

4. YOUR RIGHTS AND HOW YOU CAN EXERCISE THEM

4.A Your rights

Right to access
You have the right to obtain confirmation from us as to whether or not we process personal data concerning you, and if so, the right (as far as this does not adversely affect the rights and freedoms of others) to obtain a copy of your personal data from us. For more information, please check section 4.B “How to exercise your rights”.

Right to rectification
You have the right to ask us to rectify without undue delay any inaccurate personal data concerning you. You can also ask us to complete incomplete personal data regarding you by providing us with a supplementary statement containing such additional information. For more information, please check section 4.B “How to exercise your rights”.

Right to erasure
You have the right to ask us to erase without undue delay personal data concerning you, where one of the following grounds applies:

  • your personal data are no longer necessary in relation to the purposes for which they were processed;
  • you have withdrawn your consent - for those processing activities based on your consent – and we have no other legal ground for such processing;
  • you object to the processing of your personal data (for more information on the right to object, see further below) and there are no overriding legitimate grounds for such processing;
  • your personal data have been unlawfully processed;
  • your personal data must be erased for compliance with a legal obligation of the European Union, a European Union Member State or the United Kingdom to which UCB is subject.

Please note that your right to erasure will not apply to the extent that processing is necessary for:

  • exercising the right of freedom of expression and information;
  • compliance with a legal obligation of the European Union, a European Union Member State or the United Kingdom to which UCB is subject;
  • reasons of public interest in the area of public health in accordance with article 9(2)(h) and (i) GDPR as well as article 9(3) GDPR;
  • archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the relevant provisions of the GDPR;
  • the establishment, exercise or defense of legal claims.

For more information, please check section 4.B “How to exercise your rights”.

Right to restriction of processing
You have the right to obtain from UCB restriction of processing by UCB of your personal data where one of the following applies:

  • you contest - in good faith - the accuracy of personal data regarding you and held by us, in that case the restriction of processing will apply for a period enabling us to verify the accuracy of your personal data;
  • the processing is unlawful and you oppose the erasure of your personal data and request restriction of their use instead;
  • we no longer need your personal data, but you require them for the establishment, exercise or defense of legal claims;
  • you have objected to the processing of your personal data by UCB in accordance with the relevant GDPR provision, in that case the restriction of processing will apply for a period enabling us to verify if our legitimate grounds override yours.

Please note that notwithstanding the above, we are still allowed to continue storing your personal data (throughout the period of restriction) or to process your personal data for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person. If you have requested restriction of processing, we will inform you before the restriction of processing is lifted. For more information, please check section 4.B “How to exercise your rights”.

Right to data portability
You have the right (insofar this does not adversely affect the rights and freedoms of others) to receive the personal data concerning you, that you have provided to UCB, in a structured, commonly used and machine-readable format and to transmit those data to another controller, without hindrance from UCB, where the processing is:

  • based on your consent or on a contract; and
  • carried out by automated means.

For more information, please check section 4.B “How to exercise your rights”.

Right to objection to processing
You have the right to object at any time, on grounds relating to your specific situation, to the processing of your personal data by UCB which is based on UCB’s pursuit of its legitimate interests as a controller. In that case UCB will no longer process your personal data, unless:

  • UCB demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms; or
  • for the establishment, exercise or defense of legal claims.

You have the right to object at any time to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. For more information, please check section 4.B “How to exercise your rights”.

Right to withdraw consent
Where the processing is based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

For more information, please check section 4.B “How to exercise your rights”.

4.B How to exercise your rights

If you wish to exercise any of the rights mentioned above, please contact the local UCB Data Protection Officer by e-mail at dataprivacyuk@ucb.com or otherwise reach out to us by postal mail at UCB Pharma Ltd., To the attention of the data protection officer, 208 Bath Road, Slough, Berkshire, SL1 3WE (United Kingdom). Please clearly identify the right(s) you wish to exercise and include your contact details (including a valid e-mail or postal address) so that we can respond to your request. Please note that you may be asked to provide proof of your identity.

When you contact us to exercise any of the rights mentioned above, we will respond to your request within one month following receipt of the request. This period may be extended by two additional months where necessary, but in that case we will inform you of any such extension within one month of receipt of your initial request together with the reasons for the delay.

Right to lodge a complaint with supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the United Kingdom or the European Union Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that UCB’s processing of your personal data infringes the relevant data protection legislation. Please visit the website of the relevant national supervisory authority for more information on how to submit such a complaint.

5. MORE DETAILS ON HOW WE PROCESS YOUR PERSONAL DATA

 5.A Who we share your personal data with.

Principle
We will disclose your personal data only as described in this Policy, as may be updated from time-to-time.

Affiliates and third party processors
UCB transfers or discloses your personal data to its personnel, affiliates, and to third party service providers processing personal data on UCB’s behalf for the purposes set out above.

Third party service providers include IT services and website hosting companies, (internet) connectivity providers, providers of data analytics (including Google) and other tracking services, service providers that provide technical and administrative support for the Website and underlying IT systems as well as providers that assist us with adverse event reporting (for more details, please refer to the table above). These service providers provide their services from locations both within the European Economic Area (“EEA”) and outside the EEA (including India and the USA).

Other third parties include regulatory and government agencies (see further below in this Policy), and potentially, third parties with whom UCB may merge or which may be acquired by UCB (see further below in this Policy). 

Compliance with laws and legal proceedings
UCB will disclose your personal data where:

  • UCB is required to do so by applicable law, by a governmental body or by a law enforcement agency;
  • to establish or exercise our legal rights or defend against legal claims;
  • to investigate, prevent or take actions against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our policies or as otherwise required by law.

Other
If a third party acquires all (or substantially all) of our business and/or assets, we will disclose your personal data to that third party in connection with the acquisition. However, such disclosure will occur subject to and in accordance with applicable data protection laws, including the GDPR.
 

5.B International transfers

UCB will transfer your personal data to its affiliates, including our affiliates outside of the UK and the EEA. In that case UCB relies on UCB’s Binding Corporate Rules, which can be accessed through the following link: https://www.ucb.com/UCB_BCRs.pdf.

Your personal data will be hosted in the European Union (EU) as well as in the UK, but may have to be transferred to certain third party service providers both within and outside the UK and/or the EEA, including for processing, storage, back-up and to allow for adverse event reporting. Such countries may not offer the same level of personal data protection as the UK and EEA countries. We will therefore put in place suitable safeguards to ensure such transfer is carried out in compliance with the applicable data protection rules.

You may request additional information in this respect and obtain a copy of the relevant safeguard by exercising your rights as set out above. 

The transfer of your personal data to (other) third party service providers outside of the UK or the EU (as set out above under section 5.B) occurs on the basis of Standard Contractual Clauses that have been executed between UCB and the relevant third party service provider. For more information on these Standard Contractual Clauses, please reach out to us as set out above under section 4.B (How to exercise your rights).

For more information on how Google processes your personal data within the framework of Google Analytics, please consult How Google uses data when you use our partners' sites or apps.