Data protection notice suppliers | UCB
UCB's Global Corporate Website

UCB Data protection notice for suppliers


 

1.  WHO WE ARE AND HOW YOU CAN CONTACT US

UCB” or “we” means UCB S.A., a Belgian company with registered office at 60, Allée de la recherche, 1070 Anderlecht and its affiliates. For more information on the contact details of the UCB affiliate in your jurisdiction, please visit the ‘UCB Worldwide’ overview and select your country.

As controller, i.e. the legal entity that decides on the why and how information relating to you (“personal data”) is collected and processed by us in the context of your or your company/employer’s commercial relationship with UCB, we respect your right to privacy. We will only process your personal data as described in this UCB Data Protection Notice for Suppliers (the “Notice”) and in accordance with the relevant data protection legislation, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”).

At UCB we have a data protection officer (DPO), who can be contacted by any of the following means for any privacy-related questions, including regarding how we collect, store and use your personal data:

  • Regular mail:  To the attention of the (global) Data Protection Officer, Allée de la recherche 60, 1070 Anderlecht or to the attention of the local UCB Data Protection Officer at the postal address of the UCB affiliate in your jurisdiction. For more information, please visit 'UCB Worldwide' and select your country.

2.  THE REASON BEHIND THIS PRIVACY POLICY

The Notice governs the collection, use and retention by UCB of personal data relating to (i) employees, workers, agents, delegates, and representatives of any third party vendors or suppliers (legal entities) delivering services to UCB, and (ii) UCB suppliers and service providers that are natural persons, including self-employed individuals.

The Notice consists of five main components and informs you about:

  1. Who we are and how you can contact us;
  2. The reason behind this Notice;
  3. The purposes for which we process your personal data and the related legal basis under the General Data Protection Regulation (GDPR);
  4. What your rights are in relation to the personal data we hold about you and how you can exercise them; and
  5. Further details on how we process (including share and retain) your personal data.
     

This Policy may be updated periodically to reflect changes in our personal data processing practices. In that case we will inform you of any significant changes through the same channel we normally communicate with you.

3.  THE PURPOSES FOR WHICH WE PROCESS YOUR PERSONAL DATA AND APPLICABLE LEGAL BASIS

 

UCB collects and processes your personal data for the purposes mentioned below. This information will either be obtained directly from you or provided by the company you work for. Above each set of purposes, you will also find the legal basis for processing required under GDPR.

 

1. Processing necessary for compliance with our legal or regulatory obligations:

- To allow UCB to comply with applicable European or European Member State laws and regulations, including but not limited to pharmacovigilance, tax, accounting, health and safety legislation and other legal obligations and industry guidelines;

read more

- To perform regulatory audits based on European or European Member State laws;
- To respond to any official request from a European public or judicial authority in compliance with European or European Member State legal requirements

close

2. Processing necessary for performance of a contract with you or in order to take steps at your request prior to entering into a contract (only applicable to suppliers who are natural persons, including the self-employed):

- To manage our contractual relationship with you;
- To organize requests for proposals (RFPs), take steps in preparation of a contract with you; 

read more

- To perform our obligations and exercise our rights under an existing contract with you (including e.g. proper invoicing, archiving and maintaining contractual records, contract management, etc.);
- To perform (standard) contractual audits;

close

3. Processing necessary for the purpose of the legitimate interests pursued by UCB, which include:

to (i) conduct its business; (ii) maintain a professional/business relationship with its suppliers; (iii) ensure compliance with UCB company policies; (iv) maintain the integrity of UCB property, assets and systems; (v) prevent criminal activities, fraud and misuse of our products, services, assets and IT network; (vi) allow a third party to acquire all (or part) of our business and/or assets

read more

To this end, UCB strives to maintain a fair balance between its need to process your personal data and the preservation of your rights and freedoms, including the protection of your privacy. For more information or if you have any questions regarding how we assess this balance, please contact us through any one of the channels set out under Section 1 above (“Who we are and how you can contact us”):
- To allow us to manage and maintain a commercial or professional relationship with our suppliers; (all suppliers)
- To organize requests for proposals (RFPs), take steps in preparation of a contract with our suppliers; (applicable to personnel of suppliers that are a legal entity)
- To perform our obligations and exercise our rights under existing contracts with our vendors (including e.g. proper invoicing, archiving and maintaining contractual records, contract management, etc.); (applicable to personnel of suppliers that are a legal entity)
- To monitor compliance with UCB policies, including but not limited to our IT (assets) and IT security policies, health and safety related policies, etc.; (all suppliers)
- To allow suppliers to participate in UCB trainings; (all suppliers)

- To implement camera surveillance at the entrance of UCB sites and at adjacent UCB parking lots for security purposes; (all suppliers).

- To manage our IT assets and infrastructure; (all suppliers)
-  To monitor the use of our IT systems and network for IT security purposes, in accordance with and within the limits permitted by applicable law; (all suppliers)
- To manage M&A transactions involving UCB entities; (all suppliers)
- To safeguard UCB’s business interests (including but not limited to handling (alleged) reports of misconduct or fraud and defending against legal claims and in legal proceedings); (all suppliers)
- To perform (standard) contractual audits; (applicable to personnel of suppliers that are a legal entity)
- To perform regulatory audits based on non- European laws; (all suppliers)
- To comply with applicable Non- European laws and regulations; (all suppliers)
- To reply to any official request from a non- European public or judicial authority in compliance with local law legal requirements. (all suppliers)

close

4.  YOUR RIGHTS AND HOW YOU CAN EXERCISE THEM

 

A.    Your rights

Right of access

 

You have the right to obtain confirmation from us as to whether or not we process personal data about you, and where this is the case, access to your personal data. You have the right (as far as this does not adversely affects the rights and freedoms of others) to obtain a copy of your personal data from us.

For more information, please check section 4.B “How to exercise your rights

close

Right to rectification

 

You have the right to ask us to rectify without undue delay any inaccurate personal data concerning you. You can also ask us to complete incomplete personal data regarding you by providing us with a supplementary statement containing such additional information.

For more information, please check section 4.B “How to exercise your rights”.

close

Right to erasure

 

You have the right to ask us to erase without undue delay personal data concerning you, where one of the following grounds apply:
- Your personal data are no longer necessary in relation to the purposes for which they were processed;
- You object to the processing of your personal data (for more information on the right to object, see further below) and there are no overriding legitimate grounds for such processing;
- Your personal data have been unlawfully processed;
- Your personal data must be erased for compliance with a European or European Member State legal obligation to which UCB is subject;

Please note that your right to erasure will not apply to the extent that processing is necessary for:
- exercising the right of freedom of expression and information;
- compliance with a European or European Member State Law to which UCB is subject;
- reasons of public interest in the area of public health in accordance with article 9(2)(h) and (i) GDPR as well as article 9(3) GDPR- archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the relevant provisions of the GDPR;

- the establishment, exercise or defense of legal claims.

For more information, please check section 4.B “How to exercise your rights".

close

Right to restriction on processing

 

You have the right to obtain from UCB restriction of processing by UCB of your personal data where one of the following applies:
- You contest - in good faith - the accuracy of personal data regarding you and held by us, in that case the restriction of processing will apply for a period enabling us to verify the accuracy of your personal data;
- The processing is unlawful and you oppose the erasure of your personal data and request restriction of their use instead;
- We no longer need your personal data, but you require them for the establishment, exercise or defense of legal claims;
- You have objected to the processing of your personal data by UCB in accordance with the relevant GDPR provision, in that case the restriction of processing will apply for a period enabling us to verify if our legitimate grounds override yours.

Please note that notwithstanding the above, we are still allowed to continue storing your personal data (throughout the period of restriction) or to process your personal data for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person. If you have requested restriction of processing, we will inform you before the restriction of processing is lifted. For more information, please check section 4.B “How to exercise your rights”.

close

Right to objection to processing

 

You have the right to object at any time, on grounds relating to your specific situation, to the processing of your personal data by UCB which is based on UCB’s pursuit of its legitimate interests as a controller. In that case UCB will no longer process your personal data, unless:
- UCB demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms; or
- For the establishment, exercise or defense of legal claims.

You have the right to object at any time to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. For more information, please check section 4.B “How to exercise your rights”.

close

Right to data portability

 

You have the right (insofar this does not adversely affects the rights and freedoms of others) to receive the personal data concerning you, that you have provided to UCB, in a structured, commonly used and machine-readable format and to transmit those data to another controller, without hindrance from UCB, where the processing is:
- based on your consent or on a contract; and
- carried out by automated means

For more information, please check section 4.B “How to exercise your rights”.

close

B.    How to exercise your rights

If you wish to exercise any of the rights mentioned above, please contact UCB as set out under section 1 (“Who we are and how you contact us”). Please clearly identify the right(s) you wish to exercise and include your contact details (including a valid e-mail or postal address) so that we can respond to your request. Please note that you may be asked to provide proof of your identity for verification purposes.

When you contact us to exercise any of the rights mentioned above, we will respond to your request within one month following receipt of the request. This period may be extended by two additional months where necessary, but in that case we will inform you of any such extension within one month of receipt of your initial request together with the reasons for the delay.

Right to lodge a complaint with supervisory authority

In accordance with article 77 GDPR you have the right to lodge a complaint with a supervisory authority, in particular in the European Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that UCB’s processing of your personal data infringes the GDPR. Please visit the website of the relevant supervisory authority for more information on how to submit such a complaint.

5.  MORE DETAILS ON HOW WE PROCESS YOUR PERSONAL DATA

A.    Categories of personal data we collect about you and retention periods

Processing activity Personal data collected Consequences of failure to provide data Retention period (**)
Management of a professional relationship with suppliers
  1. Your contact details: your full name (*); company e-mail address (*); company postal address; your business landline/GSM number;
  2. Your professional background: organization/company name, your job title/position
Failure to provide the personal data with an (*), prevents UCB from maintaining a commercial relationship with you/ your employer. For the duration of the professional relationship between UCB and you/your employer, plus for [2] years thereafter.
Execution/performance of a contract with you/ your employer
  1. Your contact details: your full name, company e-mail address; company postal address; your business landline/GSM number
  2. Your identification information: your gender, date of birth, nationality, your national ID number or passport number, your license plate number (insofar required for the delivery of the services to UCB, including onsite access to UCB premises, and in accordance with applicable laws)
  3. Your professional background information: your job title, position, CV (insofar required for performance of contract), company name;
  4. Your financial information (for suppliers who are natural persons): bank account details;
  5. Your electronic identification information (insofar required for the delivery of services to UCB): login details including passwords, your access level and rights, badge number, IP address, online identifiers, cookies, logs, metadata (including access and connection times), photographs (e.g. on company badge), CCTV or image recordings
Failure to provide this personal data prevents UCB from entering into and maintaining a contractual relationship (including receiving the services, allowing you access to UCB premises, handling billing and invoicing, etc.) with you/ your employer. For the duration of the contractual relationship between UCB and you/ your employer, plus for [2] years thereafter.

(**) We will retain your personal data in accordance with UCB’s data retention policy.

The retention periods included in our data retention policy are dictated by:

read more

- Applicable statutory/legal requirements;
- Industry guidelines, and
- For those data categories for which no express statutory or legal requirements apply, certain other determining factors such as the need to prove or enforce a transaction or contract, enforce our policies, etc.

We will delete your personal data once the abovementioned retention periods will have expired, or if you object to our processing of your personal data, except where we need to hold on to such data for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person or for compliance with a European or European Member State legal obligation which requires such further processing

close

B.    Who we share your personal data with

Principle
We will disclose your personal data only as described in this Policy (including any updates to this Policy).

Subsidiaries/affiliated companies and third party processors
UCB transfers or discloses your personal data to its subsidiaries/affiliated companies and to third party service providers processing personal data on UCB’s behalf for the purposes set out above. Third party service providers include cloud service providers, IT services/ consulting/ outsourcing companies, database providers, event agencies, travel agencies, and banks and insurance companies that deliver service to us.  These service providers provide their services from locations within and outside of the European Economic Area (EEA).
Finally, other third parties include regulatory and government agencies (see further below in this Policy), our advisors and external legal counsel, our auditors and potentially, third parties with whom UCB may merge or which may be acquired by UCB (see further below in this Policy).  

Compliance with laws and legal proceedings
UCB will disclose your personal data where:

  •  UCB is required to do so by applicable law, by a governmental body or by a law enforcement agency;
  •  To establish or exercise our legal rights or defend against legal claims;
  •  To investigate, prevent or take actions against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our policies or as otherwise required by law.


Other
If a third party acquires all (or substantially all) of our business and/or assets, we will disclose your personal data to that third party in connection with the acquisition. However, such disclosure will occur subject to and in accordance with applicable data protection laws.

C.    International transfers

UCB will transfer your personal data to its affiliates, including our affiliates outside of the EEA. In that case  UCB relies on UCB’s Binding Corporate Rules, which can be accessed through the following link.

The transfer of your personal data to third party service providers (as set out above under section 5B) in countries outside of the EEA that do not ensure an adequate level of (data) protection occurs on the basis of Standard Contractual Clauses that have been executed between UCB and the relevant third party service provider. You may - by exercising your rights set out below above under section 4.B (How to exercise your rights) - obtain  a copy of the relevant safeguard UCB has put in place or ask UCB to redirect you to the place where they have been made available.

In the absence of the aforementioned appropriate safeguards, UCB may – to the extent permitted under and in accordance with applicable data protection laws (including the GDPR) - rely on a derogation applicable to the specific situation at hand (e.g. the data subjects’ explicit consent, the necessity for the performance of an agreement, the necessity for the establishment, exercise or defense of legal claims).