1. Processing necessary for compliance with our legal or regulatory obligations:
- To allow UCB to comply with applicable European or European Member State laws and regulations, including but not limited to pharmacovigilance, tax, accounting, health and safety legislation and other legal obligations and industry guidelines;read more
- To perform regulatory audits based on European or European Member State laws;
- To respond to any official request from a European public or judicial authority in compliance with European or European Member State legal requirements
2. Processing necessary for performance of a contract with you or in order to take steps at your request prior to entering into a contract (only applicable to suppliers who are natural persons, including the self-employed):
- To manage our contractual relationship with you;
- To organize requests for proposals (RFPs), take steps in preparation of a contract with you;
- To perform our obligations and exercise our rights under an existing contract with you (including e.g. proper invoicing, archiving and maintaining contractual records, contract management, etc.);
- To perform (standard) contractual audits;
3. Processing necessary for the purpose of the legitimate interests pursued by UCB, which include:
to (i) conduct its business; (ii) maintain a professional/business relationship with its suppliers; (iii) ensure compliance with UCB company policies; (iv) maintain the integrity of UCB property, assets and systems; (v) prevent criminal activities, fraud and misuse of our products, services, assets and IT network; (vi) allow a third party to acquire all (or part) of our business and/or assetsread more
To this end, UCB strives to maintain a fair balance between its need to process your personal data and the preservation of your rights and freedoms, including the protection of your privacy. For more information or if you have any questions regarding how we assess this balance, please contact us through any one of the channels set out under Section 1 above (“Who we are and how you can contact us”):
- To allow us to manage and maintain a commercial or professional relationship with our suppliers; (all suppliers)
- To organize requests for proposals (RFPs), take steps in preparation of a contract with our suppliers; (applicable to personnel of suppliers that are a legal entity)
- To perform our obligations and exercise our rights under existing contracts with our vendors (including e.g. proper invoicing, archiving and maintaining contractual records, contract management, etc.); (applicable to personnel of suppliers that are a legal entity)
- To monitor compliance with UCB policies, including but not limited to our IT (assets) and IT security policies, health and safety related policies, etc.; (all suppliers)
- To allow suppliers to participate in UCB trainings; (all suppliers)
- To implement camera surveillance at the entrance of UCB sites and at adjacent UCB parking lots for security purposes; (all suppliers).
- To manage our IT assets and infrastructure; (all suppliers)
- To monitor the use of our IT systems and network for IT security purposes, in accordance with and within the limits permitted by applicable law; (all suppliers)
- To manage M&A transactions involving UCB entities; (all suppliers)
- To safeguard UCB’s business interests (including but not limited to handling (alleged) reports of misconduct or fraud and defending against legal claims and in legal proceedings); (all suppliers)
- To perform (standard) contractual audits; (applicable to personnel of suppliers that are a legal entity)
- To perform regulatory audits based on non- European laws; (all suppliers)
- To comply with applicable Non- European laws and regulations; (all suppliers)
- To reply to any official request from a non- European public or judicial authority in compliance with local law legal requirements. (all suppliers)
Right of access
You have the right to obtain confirmation from us as to whether or not we process personal data about you, and where this is the case, access to your personal data. You have the right (as far as this does not adversely affects the rights and freedoms of others) to obtain a copy of your personal data from us.
For more information, please check section 4.B “How to exercise your rights
Right to rectification
You have the right to ask us to rectify without undue delay any inaccurate personal data concerning you. You can also ask us to complete incomplete personal data regarding you by providing us with a supplementary statement containing such additional information.
For more information, please check section 4.B “How to exercise your rights”.
Right to erasure
You have the right to ask us to erase without undue delay personal data concerning you, where one of the following grounds apply:
- Your personal data are no longer necessary in relation to the purposes for which they were processed;
- You object to the processing of your personal data (for more information on the right to object, see further below) and there are no overriding legitimate grounds for such processing;
- Your personal data have been unlawfully processed;
- Your personal data must be erased for compliance with a European or European Member State legal obligation to which UCB is subject;
Please note that your right to erasure will not apply to the extent that processing is necessary for:
- exercising the right of freedom of expression and information;
- compliance with a European or European Member State Law to which UCB is subject;
- reasons of public interest in the area of public health in accordance with article 9(2)(h) and (i) GDPR as well as article 9(3) GDPR- archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the relevant provisions of the GDPR;
- the establishment, exercise or defense of legal claims.
For more information, please check section 4.B “How to exercise your rights".
Right to restriction on processing
You have the right to obtain from UCB restriction of processing by UCB of your personal data where one of the following applies:
- You contest - in good faith - the accuracy of personal data regarding you and held by us, in that case the restriction of processing will apply for a period enabling us to verify the accuracy of your personal data;
- The processing is unlawful and you oppose the erasure of your personal data and request restriction of their use instead;
- We no longer need your personal data, but you require them for the establishment, exercise or defense of legal claims;
- You have objected to the processing of your personal data by UCB in accordance with the relevant GDPR provision, in that case the restriction of processing will apply for a period enabling us to verify if our legitimate grounds override yours.
Please note that notwithstanding the above, we are still allowed to continue storing your personal data (throughout the period of restriction) or to process your personal data for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person. If you have requested restriction of processing, we will inform you before the restriction of processing is lifted. For more information, please check section 4.B “How to exercise your rights”.
Right to objection to processing
You have the right to object at any time, on grounds relating to your specific situation, to the processing of your personal data by UCB which is based on UCB’s pursuit of its legitimate interests as a controller. In that case UCB will no longer process your personal data, unless:
- UCB demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms; or
- For the establishment, exercise or defense of legal claims.
You have the right to object at any time to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. For more information, please check section 4.B “How to exercise your rights”.
Right to data portability
You have the right (insofar this does not adversely affects the rights and freedoms of others) to receive the personal data concerning you, that you have provided to UCB, in a structured, commonly used and machine-readable format and to transmit those data to another controller, without hindrance from UCB, where the processing is:
- based on your consent or on a contract; and
- carried out by automated means
For more information, please check section 4.B “How to exercise your rights”.
B. How to exercise your rights
If you wish to exercise any of the rights mentioned above, please contact UCB as set out under section 1 (“Who we are and how you contact us”). Please clearly identify the right(s) you wish to exercise and include your contact details (including a valid e-mail or postal address) so that we can respond to your request. Please note that you may be asked to provide proof of your identity for verification purposes.
When you contact us to exercise any of the rights mentioned above, we will respond to your request within one month following receipt of the request. This period may be extended by two additional months where necessary, but in that case we will inform you of any such extension within one month of receipt of your initial request together with the reasons for the delay.
Right to lodge a complaint with supervisory authority
In accordance with article 77 GDPR you have the right to lodge a complaint with a supervisory authority, in particular in the European Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that UCB’s processing of your personal data infringes the GDPR. Please visit the website of the relevant supervisory authority for more information on how to submit such a complaint.
5. MORE DETAILS ON HOW WE PROCESS YOUR PERSONAL DATA
A. Categories of personal data we collect about you and retention periods
|Processing activity||Personal data collected||Consequences of failure to provide data||Retention period (**)|
|Management of a professional relationship with suppliers||
||Failure to provide the personal data with an (*), prevents UCB from maintaining a commercial relationship with you/ your employer.||For the duration of the professional relationship between UCB and you/your employer, plus for  years thereafter.|
|Execution/performance of a contract with you/ your employer||
||Failure to provide this personal data prevents UCB from entering into and maintaining a contractual relationship (including receiving the services, allowing you access to UCB premises, handling billing and invoicing, etc.) with you/ your employer.||For the duration of the contractual relationship between UCB and you/ your employer, plus for  years thereafter.|
(**) We will retain your personal data in accordance with UCB’s data retention policy.
The retention periods included in our data retention policy are dictated by:read more
- Applicable statutory/legal requirements;
- Industry guidelines, and
- For those data categories for which no express statutory or legal requirements apply, certain other determining factors such as the need to prove or enforce a transaction or contract, enforce our policies, etc.
We will delete your personal data once the abovementioned retention periods will have expired, or if you object to our processing of your personal data, except where we need to hold on to such data for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person or for compliance with a European or European Member State legal obligation which requires such further processing
B. Who we share your personal data with
We will disclose your personal data only as described in this Policy (including any updates to this Policy).
Subsidiaries/affiliated companies and third party processors
UCB transfers or discloses your personal data to its subsidiaries/affiliated companies and to third party service providers processing personal data on UCB’s behalf for the purposes set out above. Third party service providers include cloud service providers, IT services/ consulting/ outsourcing companies, database providers, event agencies, travel agencies, and banks and insurance companies that deliver service to us. These service providers provide their services from locations within and outside of the European Economic Area (EEA).
Finally, other third parties include regulatory and government agencies (see further below in this Policy), our advisors and external legal counsel, our auditors and potentially, third parties with whom UCB may merge or which may be acquired by UCB (see further below in this Policy).
Compliance with laws and legal proceedings
UCB will disclose your personal data where:
- UCB is required to do so by applicable law, by a governmental body or by a law enforcement agency;
- To establish or exercise our legal rights or defend against legal claims;
- To investigate, prevent or take actions against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our policies or as otherwise required by law.
If a third party acquires all (or substantially all) of our business and/or assets, we will disclose your personal data to that third party in connection with the acquisition. However, such disclosure will occur subject to and in accordance with applicable data protection laws.
C. International transfers
UCB will transfer your personal data to its affiliates, including our affiliates outside of the EEA. In that case UCB relies on UCB’s Binding Corporate Rules, which can be accessed through the following link.
The transfer of your personal data to third party service providers (as set out above under section 5B) in countries outside of the EEA that do not ensure an adequate level of (data) protection occurs on the basis of Standard Contractual Clauses that have been executed between UCB and the relevant third party service provider. You may - by exercising your rights set out below above under section 4.B (How to exercise your rights) - obtain a copy of the relevant safeguard UCB has put in place or ask UCB to redirect you to the place where they have been made available.
In the absence of the aforementioned appropriate safeguards, UCB may – to the extent permitted under and in accordance with applicable data protection laws (including the GDPR) - rely on a derogation applicable to the specific situation at hand (e.g. the data subjects’ explicit consent, the necessity for the performance of an agreement, the necessity for the establishment, exercise or defense of legal claims).