ACCORDING TO ART. 13 REG. UE 2016/679 ("GDPR")
Dompé Farmaceutici S.p.A. (hereinafter referred to as "Dompé"), as the marketing authorisation holder for medicinal products, and distributor of medical devices, cosmetics, and food supplements, hereby provides information regarding the processing of personal data collected in connection with spontaneous reports of adverse reactions, special circumstances, accidents or incidents, undesirable effects, or effects described according to applicable local regulations (collectively referred to as "Undesirable Effect(s)"), which may arise following the consumption of a drug or the use of a medical device, cosmetic, or food supplement.
Identity and contact details of the Data Controller and the Data Protection Officer (DPO)
Dompé farmaceutici S.p.A., with registered office in via San Martino 12, 20122, Milan, Italy, is the data controller and can be contacted by email at the following address: privacy@dompe.com
The DPO can be contacted at the following e-mail address: dpo@dompe.com
Categories of data processed
As part of its Pharmacovigilance activities, the Data Controller processes the following categories of personal data:
of the reporter (pursuant to Article 4(1) GDPR)
- Identification data: initials or first and last name;
- Contact data: address, e-mail address and telephone number (landline or mobile);
of the subject to whom the report refers (pursuant to Articles 4, no. 1 and no. 15 and 9, GDPR)
- Identification data: initials or first and last name, gender, age or date of birth;
- Contact details: city of residence, telephone number (landline or mobile), e-mail address;
- Health data: health data and any other information contained in the report.
Purpose, legal basis of processing, data retention period
Purpose: The data collected will be processed solely to fulfill mandatory legal obligations related to pharmacovigilance and vigilance. Specifically, this includes identifying previously unknown undesirable effects, enhancing information on known undesirable effects, assessing the causal relationship between administration or use of drugs, medical devices, cosmetics, or food supplements and observed undesirable effects, and notifying the relevant authorities accordingly. These measures are undertaken to ensure that medicines, medical devices, cosmetics, and food supplements are used safely and maintain a favorable benefit-risk balance for the population.
Legal basis: Compliance with a legal obligation (Art. 6.1.c GDPR) and, for special categories of data, for reasons of significant public interest pursuant to Union law (Art. 9.2.g GDPR, Art. 2 sexies, 2, lit. z) Legislative Decree 196/2003), as well as under relevant regulations including but not limited to: EU Directive 2010/84, EU Regulation 1235/2010, EU Regulation 520/2012, and EU Regulation 2017/745, in addition to locally applicable laws.
Data retention period: All data pertaining to the reporting of Undesirable Effects will be retained for the duration of the product’s authorisation, and for up to 10 years following the expiry or withdrawal of the marketing authorisation in the final country of commercialisation, unless retention is required for defensive purposes by the Data Controller. Upon conclusion of this period, the data will be either deleted or anonymised to ensure that identification of data subjects is not possible, directly or indirectly, including through linkage with other databases.
Nature of the provision
Providing personal data for the report is required; without it, Dompé cannot meet its pharmacovigilance and surveillance obligations.
Methods of data processing
The Data will be processed for the period required to fulfil pharmacovigilance obligations and product safety surveillance, as mandated by law. For this purpose, personal data are retained in the secure database only for the duration necessary to manage the report and its subsequent follow-up.
In particular, personal data will be pseudonymized within three months following case closure, and no later than two years after the end of the financial year during which the initial report was made.
Authorised persons
The personal data provided in relation to the reports will be handled by authorized personnel who have received appropriate operational instructions relevant to their assigned responsibilities. Additionally, third parties who process data on behalf of the Data Controller, under contract and appointed as data processors according to Article 28 of the GDPR, may also process the data.
These third parties include:
a) Companies within the Dompé Group, including those located outside the European Union, such as in the United States and Albania;
b) Business partners;
c) Professionals and/or companies designated by the Data Controller to provide support activities for the purposes outlined in this policy;
d) IT service providers responsible for managing technological infrastructure, information systems, and telecommunications networks.
Recipients or categories of recipients
Personal data may be shared with the following categories of recipients, who will process the information as independent data controllers:
a) Regulatory authorities (both Italian and international), including AIFA, FDA, EMA;
b) Health oversight organizations, public administrative bodies, public security agencies, or judicial authorities.
Transfer of data outside the European Union
Personal data may be transferred outside the European Union, such as to Dompé group companies located in the United States or Albania, within the scope of intra-group services provided under intercompany agreements. These transfers are supported by safeguards in accordance with Art. 46 para. 2 letter c) GDPR, including the standard contractual clauses adopted by the European Commission.
Transfers of data to Regulatory Authorities occur based on exceptions under Article 49 GDPR for reasons of public interest, such as maintaining information about the safety of medicines. In these cases, the Data Controller applies minimization measures to prevent the identification of the data subject.
Rights of Data Subjects
You may exercise the following rights at any time by contacting the Data Controller at: privacy@dompe.com.
a) Right of access: You have the right to obtain confirmation from Dompé regarding whether your Personal Data is being processed and, if so, to access that data.
b) Right to rectification and erasure: You are entitled to request the correction of inaccurate Personal Data, the completion of incomplete data, or the deletion of such data for legitimate reasons.
c) Right to restriction of processing: You may request the suspension of processing where there are legitimate grounds.
d) Right to data portability: You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to transmit this data to another controller.
e) Right to object: You may object to the processing of your Personal Data if there are legitimate reasons.
Right to lodge a complaint
If your rights are violated or your requests go unanswered, you may file a complaint with the appropriate data protection authority regarding unlawful processing of Personal Data.
Updated version: October 2025
