Australia
Austria
Belgium
China
Czech Republic
Denmark
Estonia
Finland
France
Germany
Hungary
India
Ireland
Italy
Japan
Kazakhstan
Latvia
Lithuania
Malaysia
Netherlands
Norway
Poland
Singapore
Slovenia
Spain
Sweden
Switzerland
Thailand
UK
Ukraine
24 June 2025
Orion Corporation is committed to protecting your privacy in compliance with all applicable regulation and ensuring the security of your personal data. This privacy statement explains how Orion Corporation, and its group companies (together "Orion") collect, use, and protect your personal information.
Contact Details
Data Controller: Orion Corporation
Data Protection Officer (DPO): Jyri Wesanko, privacy@orion.fi
Representative (if applicable): Jukka Pesonen, Director, Global Pharmacovigilance and Patient Safety (QPPV), jukka.pesonen@orionpharma.com
1. What data do we collect about you?
We collect and process the following types of personal data:
- Clinical trial related data: Orion collects patient number, patient’s sex, date of birth, certain physical traits and habits, relevant medical history, investigator’s observations, pharmacodynamics, and information on the results of tests measuring efficacy and safety of a product as described in more detail in the clinical trial information leaflet or information notice.
o In the context of clinical trials sponsored by Orion and partners, which are performed according to a study protocol, patient data is collected from healthcare service systems based on a data subject’s freely given informed consent, and it is derived directly from the data subject or the investigator, or from the results of testing or examinations of said clinical studies.
- Authorised medicinal products, cosmetic products, food supplements and medical devices related data: Orion collects all necessary information which is provided to Orion by regulatory authorities, healthcare professionals, distributors, pharmacies, customers, patients or animal owners to ensure patient safety and pharmacovigilance related legal obligations.
o As regards authorised medicinal products, cosmetic products, food supplements and medical devices, Orion receives notifications of suspected adverse events and feedback on quality and complaints directly through its reporting channels, as well as through its affiliates or licensing partners, who have received reports from regulatory authorities, healthcare professionals or patients and/or consumers.
- Product complaint related data: For product quality, complaint handling and risk management purposes Orion collects names, addresses, e-mail addresses and telephone numbers of the complainant or the reporter of the complaint.
- Partner contact data: Contact details of pharmacists and the employees of its partners, suppliers and wholesalers.
- Product enquiry data: Orion collects all relevant information to ensure the fulfilling of legal obligations for collecting and processing pharmacovigilance and product quality related data. This includes contact information such as name, address, phone/fax/mobile phone, or email; profession if it's relevant for our answer; demographic data such as date of birth, age group, sex, weight, or height; information as being provided as part of the inquiry, such as health, racial or ethnic origin and sexual life; audio recording of our calls (based on your consent); your opinion about our medical information services.
- Risk minimisation data: As part of pharmacovigilance operations Orion may implement risk minimisation measures with aim to optimise the safe and effective use of a medicinal product throughout its life cycle. Risk minimisation measures may include e.g. direct health care professional communication (DHPC), educational programmes and materials, controlled access programmes or other risk minimisation measures. Additional risk minimisation measures can consist of one or more interventions that are implemented in a defined target group. Such distribution systems should be auditable and therefore various type of quantitative and qualitative data is collected concerning these actions. E.g. information on training dates and participants, measures of distribution of DHPC or other materials, information on receipt of such information are collected as basic information on implementation. Orion shall record and retain this information in line with the legal requirements.
- Third party contact data: Orion as a marketing authorization holder maintains pharmacovigilance system which needs to be documented in Pharmacovigilance System Master File (PSMF). PSMF include e.g. information on organizational structures, personnel, list of the site(s) where the pharmacovigilance activities are undertaken (including both headquarters and affiliates) and information on services subcontracted. Therefore Orion maintains also contact lists for service providers, consultants, affiliates, licensing partners and other third parties which are used as part of the pharmacovigilance system. Contact lists contain company names and addresses, names of responsible persons within those companies and their contact details (phone numbers and e-mail addresses).
2. How do we use your data?
We process your personal data for the following purposes:
- For analysing the safety and effectiveness of Orion’s products (data provided by you through Orion’s Patient Safety reporting channels).
- Pharmacovigilance and Patient Safety compliance
o To enable Orion Global Pharmacovigilance and Patient Safety to maintain its pharmacovigilance system as required by applicable pharmacovigilance legislation (e.g. by EU, UK and FDA).
o Pharmacovigilance means the science and activities relating to the detection, assessment, understanding and prevention of adverse reactions and other medicine-related problems. A pharmacovigilance system including safety databases is used to fulfil Orion’s legally binding obligations in relation to pharmacovigilance and to monitor the safety of medicinal products and detect any change in their risk-benefit balance. Similar safety surveillance principles and procedures are applied for medical devices and other non-medicinal products as required by applicable legislation.
- Product quality management
o Orion must also process your personal data due to its responsibilities in the field of product quality, complaint handling and risk management based on applicable product quality legislation (e.g. by EU, UK and FDA) for the purpose of investigating the quality defects and complaints and putting in place appropriate preventative actions.
3. Legal Basis
We process your data based on the following legal grounds:
| Consent of the data subject (EU General Data Protection Regulation Article 6.1.a) / 9.2.a) (special categories of data) | Clinical trial related data for Pharmacovigilance and Patient Safety compliance. |
| Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract / (EU General Data Protection Regulation Article 6.1.b) | N/A |
| Compliance with the controller’s legal obligations based on binding law / (EU General Data Protection Regulation Article 6.1.c) |
|
| Legitimate interests of the controller or a third party (the legitimate interest to be identified, such as direct marketing) (EU General Data Protection Regulation Article 6.1.f). | N/A |
4. How do we share your data?
Orion will not disclose the collected data for commercial purposes. However, we may share your data with the following recipients:
- Orion group companies: Data is shared within the Orion group in order to analyse and process a reported adverse event;
- Orion’s affiliates and third party service providers: Affiliates and those who assist us by performing technical operations such as data storage and hosting, if this is required for the purposes of analysing and reporting safety and quality information. We also use services of third party service providers for purposes of data collection and entry of adverse event reports for which purposes personal data is disclosed to a service provider. All these companies agree to process your personal data in accordance with this Privacy Statement.
- National competent authorities: We are obligated to submit the data to the national competent authorities as well as European Medicines Agency’s and other competent authorities’ databases for managing and analysing information on suspected adverse reactions.
- Licensing partners: Other pharmaceutical companies who are our co-marketing, co-distribution, or other licensing partners where pharmacovigilance obligations for a Orion product require the exchange of safety information. Orion has agreed on data privacy terms contractually with such Pharmaceutical companies.
- Possible M&A partners: If ownership or control of Orion Corporation or all or any part of our products, services or assets changes, we may transfer your personal data to any new owner, successor or assignee, in which case we would require the new owner, successor or assignee to treat your personal data in accordance with this Privacy Statement. Also, personal data may be disclosed to a third party such as a health authority if we are required to do so because of an applicable law, court order or governmental regulation, or if such disclosure is otherwise necessary in support of any criminal or other legal investigation or proceeding here or abroad.
Transfers of Personal Data
The personal data collected may be processed in your country of residence or transferred to another country where Orion, its affiliates, subcontractors or other recipients of personal data are located, both inside and outside the European Economic Area (EEA). Please find further information on the Orion affiliates on our webpages. We will ensure that your personal data will be processed in accordance with this Privacy Statement at all times even if it is being transferred outside the EEA. The personal data transferred outside the EEA is based on legal requirements and protected based on the adequacy decision made by the European Commission, or by appropriate contractual arrangements, such as, by the signing of the Standard Contractual Clauses by the controller and the recipient(s). For further information, please contact Orion.
5. How long do we store your data?
We will retain your personal data for no longer than is necessary for the purposes defined in this Statement.
| Type of data | Retention period |
| Authorised medicinal products, cosmetic products, food supplements and medical devices related data. | For minimum of ten (10) years after the end of the expiration of the marketing authorisation unless any local legislation requires a longer retention period. |
|
For eleven (11) years after the receipt of the feedback. |
|
For minimum of five (5) years after the system, as described in the PSMF, has been formally terminated by the marketing authorisation holder. |
6. What are your rights and options?
You have the right to:
- Access your data: You can request information and a copy of your personal data that we have collected and stored in connection with our pharmacovigilance and patient safety responsibilities.
- Rectify inaccurate data: In order to keep your data up-to-date and accurate, you can request us to modify your data by contacting us as descripted in chapter 10.
- Erase your data: You can contact us if you think the processing of your personal data in connection with clinical trial related personal data is unlawful and your data should be erased. We shall erase or anonymize your personal data without undue delay in accordance with the retention periods detailed in chapter 5 if the data in question is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing and is not required to be processed by any of our legal obligations. Please note that we may be required to process some of your clinical trial related data even after of your request for erasure.
- Restrict processing: If you want to restrict our processing of your personal data, please contact us.
- Withdraw consent: You can withdraw any consent that you may have given us in connection with clinical trial data processing activities. After withdrawing your consent, we will no longer process your personal data for purposes the consent was asked for. Please note that withdrawal of consent does not render the processing of personal data performed prior to such withdrawal unlawful, and we may be required to process some of your clinical trial related data even after withdrawing of your consent.
7. Cookies and Tracking Technologies
We use cookies and similar technologies on our websites. For more information on how use cookies, please read our Cookie Policy.
8. Security Measures
We hold your personal data in a combination of secure computer storage facilities and paper-based files.
We have implemented appropriate measures to ensure the level of security around your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage to it. In principle, when we transfer any pharmacovigilance and patient safety related personal data to other partner companies, the data is pseudonymized before the transfer, which means that the data in most cases no longer enables identification of the individual to whom it relates. Only certain identifiers are kept in order to ensure that duplicate reports can be detected.
We have put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk of harm that might result from unauthorised or unlawful processing, accidental or unlawful loss, destruction or alteration, unauthorised (or disclosure of) access or damage to your personal data including:
- locks and security systems;
- encryption
- usernames and passwords;
- virus checking;
- auditing procedures and regular data integrity checks; and
- recording of file movements.
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They must only process your personal data on our instructions and subject to the access controls listed above. They are also subject to a duty of confidentiality.
We have agreed on security-related measures with the third parties we share your personal data with to ensure that it is treated by those third parties in a way that is consistent with how we safeguard your personal data.
We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority where we are legally required to do so.
9. Changes to this Statement
We reserve the right to change this Statement from time to time. We will review this Statement periodically and update it accordingly if we change our processes materially. We may make changes to this Statement when we believe it is reasonable to do so e.g. to comply with legal or regulatory requirements.
10. Contact Us
If you wish to use your rights as a data subject described in chapter 6, or if you have any questions or concerns, please contact us at privacy@orion.fi.
Please note that we will contact you to verify your identity in order to proceed with your request if you wish to use your data subject rights.