Privacy Policy



General Privacy Policy

1. General

Medis Group, d.o.o. with its affiliate companies respects your right to privacy and endeavours to ensure the highest level of protection for your personal information. Therefore, when carrying out our activities, we are committed to acting in accordance with laws and regulations that govern the protection of Personal Data. In particular the Personal Data Protection Act, the Electronic Communications Act and the General Data Protection Regulation of the EU. The purpose of this Privacy Statement is to inform you of the purposes for which your personal information will be acquired and how it will be used, what your rights are in relation to the information we keep about you and how you can exercise those rights.

Medis Group, d.o.o. with its affiliate companies undertakes that the personal information which you submit will be used in accordance with this Privacy Statement and will not be sold, lent or otherwise transferred to any third parties, except in cases provided for in this Statement.

2. Data Controller

The controller of your Personal Data is Medis Group, d.o.o., Brnčičeva 3, 1000 Ljubljana , gdpr(at)medis.com, (01) 589 69 00.

As we value your privacy very highly, we have appointed an authorized Data Protection Officer for you to contact should you have any questions regarding the processing of your Personal Data. Our authorized Data Protection Officer is the JK Group d.o.o., Stegne 27, 1000 Ljubljana.

To contact the authorized Data Protection Officer, please send an e-mail to gdpr(at)medis.com or call us at (01) 589 69 00.

All the topics and content handled by the authorized Data Protection Officer will be subject to strict confidentiality.

This Privacy Statement applies to:

  • Users of our website,
  • Recipients of our newsletters,
  • Participants in our events,
  • Persons enrolled and participating in clinical trials,
  • End Users of our services (including the users of our on-line store, participants in our prize games, individuals who order free samples on our websites, members of the Novalac products loyalty club, members of the Defendyl loyalty club and members of the Medisplus.si loyalty club),
  • Participants of the Medis Awards competition,
  • Expert Public whom we engage in the direct marketing of our products,
  • Individuals who report adverse drug effects to us,
  • Candidates applying for our job vacancies.

3. Types of Personal Data

We only process your Personal Data on the basis of clearly stated and legitimate purposes, which are defined in this Policy. Medis Group is committed to the principle of data minimisation, which means that we collect, store and process only the data we need to fulfil the purposes for which they are collected.

We collect your personal information directly from you (e.g. you provide your personal information when ordering our services, participating in our events or making inquiries).

Your personal information may also be obtained from publicly available records. Personal Data that we process may include:

  • general information about you – e.g. name and surname (including prefix or title), gender, age and date of birth;
  • contact information – e.g. address, business address, e-mail address, telephone number, telephone number of your personal mobile phone;
  • information about your profession – e.g. information about your education, academic title, professional qualifications, employment / position / role, specialization, customer account reference number, medical interest, official ID, membership in some professional bodies, your CV;
  • technical information and interaction information – e.g.:
    • information about the device that you use to interact with us, information about previous interactions or information about given presentations;
    • information about your contact preferences or your preferred communication channel;
    • information about the time you spent interacting with us, the location of these interactions, and your response to the various interactions you have with our representative; and
    • details of any previous relations that you had with another healthcare organization.

4. Purpose of data processing and types of Personal Data

All the personal information you provide to us will be treated confidentially and will only be used for the purposes for which they were submitted. Should a need arise for any further processing of your information for another purpose, we will contact you in advance and ask for your consent.

To facilitate transparency, we have categorised the purposes for which we process your personal information into three sets:

  1. Processing purposes related to Expert Public
  2. General purposes of processing
  3. Processing purposes related to the on-line store
1. Processing purposes related to Expert Public

Below, we set forth the purposes for which the processing of Personal Data is carried out for individuals that are part of the Expert Public (please refer to the last Section of this Policy for a definition of who belongs to the category of Expert Public) and for participants in clinical trials.

Communication of professional information about Expert Public in the field of health and pharmaceutics about medicines, dietary supplements, medical devices and events

Name, surname, address and contact, education and work experience, and data on the job of healthcare and pharmaceutical professionals are collected for the purpose of providing professional information on medicines, dietary supplements and medical devices marketed by the company, and events the company organizes.

This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the Section titled “Your rights” for more information about your rights regarding the communication of professional information.

The communication of professional information is carried out on the basis of basic content customization according to your field of activity (healthcare, pharmaceutics) and depending on your responses to specific content and your preferences. This customization is carried out on the basis of our legitimate interest in providing up-to-date solutions when interacting with customers regarding medicines.

Processing of feedback from the Expert Public in the field of health and pharmaceutics for the purpose of personalized communication

Feedback collected by our representatives in the field and by means of a customer satisfaction survey is collected in order to customize the information to individual preferences. These include contact information preferences for contacting you, or your preferred communication channel; information about the time you spent interacting with us, the location of these interactions, and your response to the various interactions you have with our representative, and details of any previous relations you had with another health organization. This information is processed on the basis of our legitimate interests in facilitating efficient and successful administration and management of our business and providing up-to-date solutions when interacting with customers regarding medicines. Please refer to Section 6 of this Policy for more information on legitimate interest as a basis for the processing of Personal Data.

Direct marketing of pharmaceutical products to employees in pharmacies and wholesale drugstores

Name, surname, address and contact, education and work experience, and data on the job of pharmaceutical professionals are collected for the purpose of direct marketing of medicines, dietary supplements and medical devices marketed by the company.

This information is processed on the basis of our legitimate interest in efficient and successful administration and management of our business. Please refer to Section 6 of this Policy for more information on legitimate interest as a basis for the processing of Personal Data.

Implementation of clinical trials in various fields of medicine

Name, surname, gender, age, contact, and medical condition are used for the purpose of carrying out clinical trials and providing information regarding ongoing clinical trials. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the Section titled “Your rights” for more information about your rights regarding the communication of professional information.

Conclusion and implementation of education and copyright agreement

Name, surname, address, contact, bank account, and tax number, are used for the purpose of concluding and implementing education and copyright agreements.

This information is processed on the basis of an agreement. Please refer to Section 6 of this Policy for more information about agreement as a basis for processing personal information.

2. General purposes of processing

This section sets forth processing purposes that may be relevant for both groups; the Expert Public and the End Users.

Compliance with requirements laid down by laws and regulation

In certain cases, laws and regulations may require us to process or communicate your personal information. In such cases, we process your personal information on the basis of the law; such processing or communication of Personal Data is mandatory.

Retention of unsuccessful recruitment information submitted by candidates.

Name, surname, e-mail, address, mobile phone, and CV are used for the purpose of carrying out recruitment and providing notice about current vacancies. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the Section titled “Your rights” for more information.

Implementation of prize games organized by Medis Group d.o.o.

Name, surname, gender, age, e-mail, and address are used for the purpose of carrying out prize games. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the Section titled “Your rights” for more information.

Mailing free samples to subscribers

Name, surname, gender, age, e-mail, and address are used for the purpose of mailing free samples. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the Section titled “Your rights” for more information.

Enabling access and use of the Medisplus.si loyalty club

Name, surname, gender, age, e-mail, address, history of purchases and prize items are used for the purposes of the loyalty club. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the Section titled “Your rights” for more information.

Enabling access and use of the Novalac loyalty club

Name, surname, gender, age, e-mail, address and child’s age are used for the purposes of the loyalty club. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the Section titled “Your rights” for more information.

Enabling access and use of the Defendyl/Imunoglukan loyalty club

Name, surname, gender, age, e-mail and address are used for the purposes of the loyalty club. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the Section titled “Your rights” for more information.

Communicating with users based on your request, regardless of the request channel (e-mail, completing the contact form on our website, phone call, etc.)

Name, surname, gender, age, e-mail and address are used for the purposes of responding to your request. This information is processed on the basis of our legitimate interest in familiarizing our customers with additional information and presentations for the purpose of improving our services. Please refer to Section 6 of this Policy for more information on legitimate interest as a basis for the processing of Personal Data.

Implementation of the Medis Awards competition

Name, surname, address and contact, education, work experience, and data on the job of healthcare professionals are used for the purpose of carrying out the Medis Awards competition. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the Section titled “Your rights” for more information.

Distribution of newsletters to End Users

Name, surname, gender, age, e-mail and address are used to distribute newsletters. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the Section titled “Your rights” for more information.

Distribution of newsletters is carried out on the basis of basic content customization according to the products you have expressed interest in or purchased in our on-line store. Such customization is carried out on the basis of our legitimate interest in familiarizing our customers with additional information and presentations in order to improve our portfolio of services.

Distribution of newsletters to our partners and potential partners

Name, surname and e-mail are used to distribute newsletters. This information is processed on the basis of our legitimate interest in facilitating efficient and successful administration and management of our business. Please refer to Section 6 of this Policy for more information on legitimate interest as a basis for the processing of Personal Data.

3. Purposes related to the provisioning of the on-line store service:

This category comprises processing purposes related to the use of the on-line store.

Enabling user access and use of the Medis Group d.o.o. internet account available within the www.medisplus.si on-line store (the use of on-line store with registration)

Name, surname, gender, e-mail, and address are used to fulfil the on-line purchase. This information is processed on the basis of your consent. You may at any time withdraw the consent to receiving promotional messages. Please refer to the Section titled “Your rights” for more information.

Statistical analyses of customer data, orders and prospective buyers

This information is processed on the basis of our legal interest in the optimization of advertising and operations of Medis Group d.o.o.

Should Medis Group d.o.o. identify a need for further processing of Personal Data for purposes that are incompatible with the above stated purposes, we will provide prior notice and ask for your consent regarding such processing.

Reporting adverse effects of medicines and medical devices

Data about the patient (date of birth, information about health, medical history) and data about the person reporting adverse effects (name and surname, contact, profession) are used for the purposes of monitoring the safety of medicines and medical devices. As a pharmaceutical company we are legally obliged to monitor the safety of all Medis products around the world, which we develop or market in any country. The purpose of monitoring the safety of medicines and medical devices is to enable us and the competent regulatory public authorities (e.g. the European Medicines Agency and other authorities) to manage the adverse events, as well as protect the public health and ensure the high standards of quality and safety of the products. Under our obligations of monitoring the safety of medicines and medical devices also belongs the processing of certain data, from which we can directly or indirectly identify the person reporting the adverse event (“personal data”), in order to fulfil our strict obligations regarding the constant assessment of benefits and risks of products, and to report to the competent regulatory public authorities about the suspected adverse effects or events.

5. Data Users

The Controller may transfer your personal information to third parties. The access of third parties to the information, and the processing of data by these parties are limited to the purposes for which such data were collected. All third parties to whom we may provide your Personal Data are bound to comply with applicable laws and regulations as well as the provisions of this Privacy Statement.

We may provide your personal information to:

Our affiliated companies listed below:

  • Medis, d.o.o., Brnčičeva 1, 1000 Ljubljana, Slovenia
  • Medis GmbH, campus 21, Europaring F15/301, A-2345 Brunn am Gebirge, Austria
  • Medis Pharma Bulgaria EOOD, Sofia 1700, 31, Prof. Atanas Ishirkov street, office № 6, Bulgaria
  • Medis International d.o.o. Sarajevo, Ahmeda Muratbegovića 2, 71000 Sarajevo, Bosnia and Herzegovina
  • Medis Adria d.o.o., Buzinska cesta 58, 10000 Zagreb, Croatia
  • Medis Hungary Kft., VIV Center, Hosszúrét u. 1., 2045 Törökbálint, Hungary
  • MEDIS MAKEDONIJA DOOEL Skopje, Ul. Naum Naumovski Borče 50/2–11, 1000 Skopje, North Macedonia
  • Medis Poland Sp. z o.o., Ul. Aleksandra Wejnerta 21/23 lok. 8, 02- 619 Warszawa, Poland
  • Medis RO S.R.L., Bucuresti Sectorul 1, Intrarea GHEORGHE SIMIONESCU, Nr. 19, Ap. B26, 077190 Bucharest, Romania
  • Medis Pharma d.o.o. Beograd, Milutina Milankovića 11b, 2 sprat, 11070 Novi Beograd, Serbia
  • Medis Pharma Slovakia s.r.o., Europeum City Center, Regus - 1st floor, Suche myto 1, Bratislava 81103
  • Medis Pharma Lithuania UAB, Kuršių g. 7-23, LT-48107 Kaunas, Lithuania
  1. Companies that provide supporting services needed for the normal functioning of our company (postal services, shipping providers, file destruction and data carrier destruction services, IT service providers in the context of servicing and maintenance of software, providers of on-line tools for distribution of newsletters and other e-mail (Dotdigital), CRM service providers (VEEVA), legal service providers, administrators and webmaster, etc.).
  2. We provide data to the public administration bodies and courts when laws and regulations require us to (for example, tax authorities, court requests, etc.).
  3. Wholesale drugstores and pharmacies, where we perform direct marketing.
  4. We provide Personal Data to organizations or healthcare institutions when so required by law (for example, informing the Agency for Medicinal Products and Medical Devices of the Republic of Slovenia on adverse drug reactions – pharmacovigilance).
  5. Due to fulfilling our obligations in the area of monitoring the safety of medicines and medical devices, we may forward and/or disclose the personal data:

  • in the scope of Medis due to an analysis and processing of the reported adverse event;
  • to the competent regulatory public authorities regarding the suspected adverse event;
  • to third parties, service contractors for Medis; these service contractors may include the safety databases operators, call centre operators and our marketing researchers, in case that you have disclosed the details about your suspected adverse event to the latter. Please bear in mind that we have ensured appropriate security measures for thepersonal data protection with the service contractors, to which Medis forwards personal data and which carry out services or functions in our name;
  • to other pharmaceutical companies with which we cooperate in marketing or distribution, and other licensed partners of Medis, when the obligations for a Medis product demand such exchange of safety information. Please bear in mind that we have ensured appropriate security measures for the personal data protection with those business partners to which Medis forwards personal data and which carry out services or functions in our name;
  • to third parties as legal successors in case of sale, resignation or transfer of a certain Medis product, project or therapeutic area connected to the above; in such case we will demand that the buyer, transferee or acquirer deals with personal data in compliance with the applicable legislation about personal data protection;
  • when we publish the information about adverse events (such as case studies or summaries); in such cases we will remove the identification markers from all publications and preserve the secrecy of your identity.

We exchange certain personal information with the third parties described above. We will ensure that access will be granted to third parties only for the purposes set out in this Statement. We will take appropriate measures to ensure that access to your Personal Data will be granted only to the employees of the above listed third parties who need access to Personal Data to carry out their work.

We limit the access to Personal Data both to Medis Group and to employees in our affiliated companies. All employees who have access to Personal Data are liable to protect the Personal Data they process.

Your Personal Data may also be processed by Medis Group and the above listed third parties outside the European Economic Area, including countries that may not provide such Personal Data protection as is in force within the European Economic Area.

In accordance with applicable data protection and privacy regulations, we will take appropriate measures to ensure that your Personal Data will remain secure and safe in every transfer. We will define these measures by concluding appropriate contractual frameworks that will determine the protection of Personal Data.

6. Legal grounds for the use of Personal Data

The grounds on which we use your personal information:

  • Your express consent – we may occasionally ask for your consent to use your Personal Data for one or more purposes. Please refer to the section titled Your rights for more information regarding the rights that you have when we process your data on the basis of your consent;
  • Legitimate interests – the use of your Personal Data helps us to manage and improve our operations and reduce interference in the provisioning of services. Moreover, the use of your Personal Data allows us to make our communication more relevant and personalized to you, and renders your experience with our services and products effective and successful. Legitimate interests may include:
    • facilitating effective and efficient administration and management of our business;
    • enabling our customers to have quick and easy access to products;
    • maintaining compliance with our internal procedures and customer relationship management policies;
    • providing up-to-date solutions when interacting with clients regarding medicines;
    • familiarizing our customers with additional information and presentations for the purpose of improving our services.

Whenever we process your Personal Data on the basis of legitimate interests, we will explicitly indicate this in this Policy or inform you in advance on a special form.

  • Contractual or pre-contractual relationship – your Personal Data is processed when needed for the purpose of concluding and implementing an agreement with you. We process your Personal Data for the duration of the contractual term, including warranty or any other terms arising from the concluded contract (e.g. fulfilment of your orders in the on-line store).
  • The law – your Personal Data is processed when required by law (e.g., tax legislation).
  • Medis processes personal data which is important from the point of view of monitoring the safety of medicines and medical devices, including special kinds of personal data, in accordance with the GDPR:

    • for studying the adverse event;
    • for ensuring compliance with legal obligations which are defined by the applicable laws and regulations in the area of monitoring the safety of medicines and medical devices, and due to their legal interests in ensuring the purposes of monitoring of the safety of medicines and medical devices (Article 6 of the GDPR), when following, that the European and national legislation of the EU member states in the area of monitoring of the safety of medicines and medical devices was accepted due to the important public interest in the area of public health and safety of medicines and medical devices (Article 9 of the GDPR).

You are obligated to provide personal information that we collect and process pursuant to laws and regulations. You communicate your personal information for the purpose of conclusion (and implementation) of an agreement on a voluntary basis. Nevertheless, we would like to point out that if you fail to provide us with personal information which we need in order to provide a specific service, we will not be able to provide that service (e.g. it is necessary that you provide your e-mail when making a purchase in our on-line store in order for us to fulfil your order).

With regard to Personal Data processing on the basis of your consent, the provision of personal information is always voluntary and without any negative consequences for you. Nonetheless, we would like to point out that we will not be able to provide certain services without your consent, or after you withdraw your consent (e.g. using Novalac loyalty club).

7. Retention period

We store all the Personal Data that we process in accordance with laws and regulations and only for the time required to achieve the purposes for which the data were collected.

When the Personal Data retention period is prescribed by law, data are kept in accordance with the provisions of the applicable law.

When the grounds for the collection and processing of Personal Data is an agreement, the retention period lasts for the entire contractual term, including warranty or any other period arising from the concluded agreement.

When collecting and processing your personal information on the basis of your express consent, we keep your personal information permanently or until revocation. In the event that the purpose for which we have processed your information will be fulfilled, we will delete your information even if you do not withdraw your consent. For example, when we organize a prize game, the purpose of the collection and processing is fulfilled when the prizes are awarded, so we will delete all the participants' data (with the exception of those needed for legal reasons), even if you do not submit the revocation, because the purpose of the collection is fulfilled (i.e. prizes were awarded).

8. Data protection methods

Medis Group, d.o.o. commits to protecting the personal information you provide to us. Medis Group, d.o.o. will do everything to protect Personal Data from any violation and misuse.

We store Personal Data in paper or digital form. All paper documents with your Personal Data are stored in protected areas, our computer systems are protected by technical and organizational measures that prevent any accidental or deliberate destruction, loss, damage, alteration and unauthorized disclosure or access to your Personal Data.

Technical and organizational measures that we use to protect your Personal Data include, but are not limited to:

  • Regular backups that are properly protected,
  • Restriction of access to Personal Data,
  • Regular employee training on the subject of Personal Data protection and supervision over the work of employees,
  • Password system,
  • Use of appropriate software protection.

After expiry of the retention period or the revocation of obtained consent, the data (including any copies thereof) are immediately, irretrievably and permanently deleted. Any Personal Data carriers where such data are located are also permanently destroyed or deleted.

Should a violation of Personal Data protection occur, we will immediately inform the competent supervisory authority. For Slovenia, the competent authority for Personal Data protection is the Information Commissioner. To find out more about the function of the competent authority, please refer to their website. Should a criminal offence be suspected in the event of a violation of Personal Data protection, we will immediately notify the police or the competent prosecutor's office.

Should a high risk violation of Personal Data protection occur involving the rights and liberties of individuals whose Personal Data we process, we will inform you of such violation without any undue delay.

9. Your rights

Medis Group, d.o.o. ensures that you can exercise all the rights that you have in relation to the processing of your Personal Data.

Termination of subscription to product newsletters

If you no longer wish to be informed about the products marketed by Medis Group, d.o.o. and its affiliated companies, you can contact us at gdpr(at)medis.com or call us at (01) 589 69 00, or inform our professional associate upon their visit (if you are a healthcare or pharmaceutical professional).

The Data Subject may at any time request Medis Group, d.o.o. to:

  • Confirm whether the data relating to the Data Subject are processed or not.
  • Be granted access to the Personal Data:
    Access to Personal Data will be granted only when we confirm that your Personal Data are processed. You have the right to request information about what data is being processed and what the source of this information is.
  • Enable the correction of inaccurate or incomplete Personal Data relating to the Data Subject:
    Please make sure to inform us of any change in your personal information as soon as possible, as this is the only way to ensure the accuracy and integrity of the Personal Data that we keep. You can notify us of any changes by use of the contacts listed in Section 10 of this Policy.
  • Enable the printout of Personal Data provided to us by the individual in a structured, generally used, machine-readable form.
  • Allow the right to have the Personal Data deleted (i.e. the right to be forgotten):
    The right to have Personal Data deleted is limited as we cannot delete the Personal Data that we process on the basis of law and regulations or on the basis of a contractual relationship between us (including any warranty and other periods that may arise from a particular contract).
  • Enable the right to restrict processing (e.g., the request to restrict processing is possible when running the integrity check on the Personal Data that we process).
  • Allow the right to object to the processing:
    The right to object to the processing of Personal Data is limited to processing that is based on a legitimate interest (cases when a legitimate interest is the basis for the processing of your personal information are listed in this Policy or we will inform you accordingly in advance) and processing for the purposes of direct marketing, including profiling.
  • Make the data transferable and provide the Data Subject with data in a structured, generally used and machine-readable form or directly communicate them to another Controller.
  • Allow the right to withdraw consent, when Personal Data are processed on the basis of consent, whereas withdrawal of consent does not affect the lawfulness of data processing that was carried out prior to such withdrawal.

Consent may be withdrawn by an individual in any manner specified in Section 10 of this Policy. Withdrawal of consent does not create any negative consequences for you. After you withdraw your consent, we will not offer certain services if these services are of such a nature that we cannot perform them without you providing your personal information (e.g., without the processing of your e-mail address we cannot provide you with e-mail notification services). Every individual to whom data relates has the right to file a complaint against us with the Information Commissioner.

You can exercise your rights by contacting us by e-mail at: with subject of the message Personal Data protection or by calling us at:.

Medis Group, d.o.o. commits to respond to the Data Subject’s requests without undue delay, and at the latest within the statutory deadlines.

10. Contact

The person responsible or Data Protection Officer at Medis Group, d.o.o. will answer your questions about the confidentiality of your information, the way in which data is collected and processed, or your requests to exercising the rights relating to your information. To contact the authorized Data Protection Officer, please send an e-mail to gdpr(at)medis.com or call us at (01) 589 69 00.

11. Definitions

This Section sets forth the definition of terms used in this Policy.

Personal Data is any information that refers to a specific or identifiable individual, specifically: name, identification number, web identifiers as well as factors that are characteristic of the individual's physical, physiological, genetic, mental, economic, cultural or social identity.

Processing is any act or set of actions that is carried out with Personal Data and includes, in particular, the collection, editing, storing, modifying, viewing, retrieval and deletion of such data.

Controller is a natural or legal entity who, alone or jointly with others, determines the purposes and means of processing. For the purposes of this Policy, Medis Group d.o.o. is the Controller.

Processor is a natural or legal entity as well as a public authority or agency or other body that processes Personal Data on behalf of the Controller.

Expert Public means natural persons working in a medical or pharmaceutical profession (such as medical institutions, pharmacies) as well as people employed in wholesale drugstores with whom we cooperate.

End user is any natural person who uses our services (including on-line store users, members of loyalty clubs, etc.).

12. Changes

We reserve the right to periodically amend this Privacy Statement to adjust it according to current conditions and Personal Data protection legislation. For this reason, we ask you to check the updated version before providing any personal information, so that you will be aware of any changes or updates.

Privacy Policy for the Purposes of Monitoring the Safety of Medicines and Medical Devices, Answering Medical Questions About Medicines, Product Quality Assurance Purposes

1. General

Medis Intago, d.o.o. with its affiliate companies respects your right to privacy and endeavours to ensure the highest level of protection for your personal information. Therefore, when carrying out our activities, we are committed to acting in accordance with laws and regulations that govern the protection of Personal Data. In particular the Personal Data Protection Act, the Electronic Communications Act and the General Data Protection Regulation of the EU. The purpose of this Privacy Statement is to inform you of the purposes for which your personal information will be acquired and how it will be used, what your rights are in relation to the information we keep about you and how you can exercise those rights.

Medis Intago, d.o.o. with its affiliate companies undertakes that the personal information which you submit will be used in accordance with this Privacy Statement and will not be sold, lent or otherwise transferred to any third parties, except in cases provided for in this Statement.

2. Data Controller

The controller of your Personal Data is Medis Intago, d.o.o., Brnčičeva 3, 1231 Ljubljana - Črnuče, gdpr(at)medis.com, (01) 589 69 00.

As we value your privacy very highly, we have appointed an authorized Data Protection Officer for you to contact should you have any questions regarding the processing of your Personal Data. Our authorized Data Protection Officer is the JK Group d.o.o., Stegne 27, 1000 Ljubljana.

To contact the authorized Data Protection Officer, please send an e-mail to gdpr(at)medis.com or call us at (01) 589 69 00.

All the topics and content handled by the authorized Data Protection Officer will be subject to strict confidentiality.

This Privacy Statement applies to:

  • Individuals who report adverse drug effects to us.
  • Individuals who ask a medical question about medicines marketed and distributed by Medis.
  • Individuals who ask questions related to the quality of products marketed and distributed by Medis.

3. Types of Personal Data

We only process your Personal Data on the basis of clearly stated and legitimate purposes, which are defined in this Policy. Medis Intago is committed to the principle of data minimisation, which means that we collect, store and process only the data we need to fulfil the purposes for which they are collected.

We collect your personal information directly from you (e.g. you provide your personal information when ordering our services, participating in our events or making inquiries).

Your personal information may also be obtained from publicly available records. Personal Data that we process may include:

  • general information about you – e.g. name and surname (including prefix or title), gender, age and date of birth;
  • contact information – e.g. address, business address, e-mail address, telephone number, telephone number of your personal mobile phone;
  • adverse effects reported by an individual.

4. Purpose of data processing and types of Personal Data

All the personal information you provide to us will be treated confidentially and will only be used for the purposes for which they were submitted. Should a need arise for any further processing of your information for another purpose, we will contact you in advance and ask for your consent.

Reporting adverse effects of medicines and medical devices

Data about the patient (name and surname, date of birth, information about health, medical history) and data about the person reporting adverse effects (name and surname, contact, profession) are used for the purposes of monitoring the safety of medicines and medical devices. As a pharmaceutical company we are legally obliged to monitor the safety of all Medis products around the world, which we develop or market in any country. The purpose of monitoring the safety of medicines and medical devices is to enable us and the competent regulatory public authorities (e.g. the European Medicines Agency and other authorities) to manage the adverse events, as well as protect the public health and ensure the high standards of quality and safety of the products. Under our obligations of monitoring the safety of medicines and medical devices also belongs the processing of certain data, from which we can directly or indirectly identify the person reporting the adverse event (“personal data”), in order to fulfil our strict obligations regarding the constant assessment of benefits and risks of products, and to report to the competent regulatory public authorities about the suspected adverse effects or events.

Answering Medical Questions About Medicines

Data about healthcare professionals and the general public (name and surname, contact, profession) is used for the purpose of answering questions related to medicines of pharmaceutical companies with which we collaborate in marketing or distribution and with other licensed partners of Medis.

Answering Questions Related to Product Quality

The data about healthcare professionals and the general public (name and surname, contact, profession) is used for the purpose of answering questions related to the quality of products marketed and distributed by Medis.

5. Data Users

The Controller may transfer your personal information to third parties. The access of third parties to the information, and the processing of data by these parties are limited to the purposes for which such data were collected. All third parties to whom we may provide your Personal Data are bound to comply with applicable laws and regulations as well as the provisions of this Privacy Statement.

Due to fulfilling our obligations in the area of monitoring the safety of medicines and medical devices, we may forward and/or disclose the personal data:

  • in the scope of Medis companies due to an analysis and processing of the reported adverse event or question;
  • to the competent regulatory public authorities regarding the suspected adverse event;
  • to third parties, service contractors for Medis; these service contractors may include the safety databases operators, call centre operators and our marketing researchers, in case that you have disclosed the details about your suspected adverse event to the latter. Please bear in mind that we have ensured appropriate security measures for the personal data protection with the service contractors, to which Medis forwards personal data and which carry out services or functions in our name;
  • to other pharmaceutical companies with which we cooperate in marketing or distribution, and other licensed partners of Medis, when the obligations for a Medis product demand such exchange of safety information. Please bear in mind that we have ensured appropriate security measures for the personal data protection with those business partners to which Medis forwards personal data and which carry out services or functions in our name;
  • to third parties as legal successors in case of sale, resignation or transfer of a certain Medis product, project or therapeutic area connected to the above; in such case we will demand that the buyer, transferee or acquirer deals with personal data in compliance with the applicable legislation about personal data protection;
  • when we publish the information about adverse events (such as case studies or summaries); in such cases we will remove the identification markers from all publications and preserve the secrecy of your identity.

We exchange certain personal information with the third parties described above. We will ensure that access will be granted to third parties only for the purposes set out in this Statement. We will take appropriate measures to ensure that access to your Personal Data will be granted only to the employees of the above listed third parties who need access to Personal Data to carry out their work.

We limit the access to Personal Data both to Medis Intago and to employees in our affiliated companies. All employees who have access to Personal Data are liable to protect the Personal Data they process.

Your Personal Data may also be processed by Medis Intago and the above listed third parties outside the European Economic Area, including countries that may not provide such Personal Data protection as is in force within the European Economic Area. 

In accordance with applicable data protection and privacy regulations, we will take appropriate measures to ensure that your Personal Data will remain secure and safe in every transfer.  We will define these measures by concluding appropriate contractual frameworks that will determine the protection of Personal Data.

6. Legal grounds for the use of Personal Data

Medis processes personal data which is important from the point of view of monitoring the safety of medicines and medical devices, including special kinds of personal data, in accordance with the GDPR:

  • for studying the adverse event;
  • for ensuring compliance with legal obligations which are defined by the applicable laws and regulations in the area of monitoring the safety of medicines and medical devices, and due to their legal interests in ensuring the purposes of monitoring of the safety of medicines and medical devices (Article 6 of the GDPR), when following, that the European and national legislation of the EU member states in the area of monitoring of the safety of medicines and medical devices was accepted due to the important public interest in the area of public health and safety of medicines and medical devices (Article 9 of the GDPR).
  • In order to meet our obligations in monitoring the safety of medicines and medical devices, we may forward and/or disclose personal information:
  • For preparation of answers to questions from the professional and general public;
  • For fulfilling contractual obligations towards the companies with which we cooperate in marketing or distribution of products.

You are obligated to provide personal information that we collect and process pursuant to the law.

The personal data which we collect and process on other basis is needed so that we can answer the question you have asked us. 

With regard to Personal Data processing on the basis of your consent, the provision of personal information is always voluntary and without any negative consequences for you. Nonetheless, we would like to point out that we will not be able to provide certain services without your consent, or after you withdraw your consent.

7. Retention period

We store all the Personal Data that we process in accordance with laws and regulations and only for the time required to achieve the purposes for which the data were collected.

When the Personal Data retention period is prescribed by law, data are kept in accordance with the provisions of the applicable law.

When the grounds for the collection and processing of Personal Data is an agreement, the retention period lasts for the entire contractual term, including warranty or any other period arising from the concluded agreement.

When collecting and processing your personal information on the basis of your express consent, we keep your personal information permanently or until revocation. In the event that the purpose for which we have processed your information will be fulfilled, we will delete your information even if you do not withdraw your consent. For example, when we organize a prize game, the purpose of the collection and processing is fulfilled when the prizes are awarded, so we will delete all the participants' data (with the exception of those needed for legal reasons), even if you do not submit the revocation, because the purpose of the collection is fulfilled (i.e. prizes were awarded).

8. Data protection methods

Medis Intago, d.o.o. commits to protecting the personal information you provide to us. Medis Intago, d.o.o. will do everything to protect Personal Data from any violation and misuse.

We store Personal Data in paper or digital form. All paper documents with your Personal Data are stored in protected areas, our computer systems are protected by technical and organizational measures that prevent any accidental or deliberate destruction, loss, damage, alteration and unauthorized disclosure or access to your Personal Data.

Technical and organizational measures that we use to protect your Personal Data include, but are not limited to:

  • Regular backups that are properly protected,
  • Restriction of access to Personal Data,
  • Regular employee training on the subject of Personal Data protection and supervision over the work of employees,
  • Password system,
  • Use of appropriate software protection.

After expiry of the retention period or the revocation of obtained consent, the data (including any copies thereof) are immediately, irretrievably and permanently deleted. Any Personal Data carriers where such data are located are also permanently destroyed or deleted.

Should a violation of Personal Data protection occur, we will immediately inform the competent supervisory authority. For Slovenia, the competent authority for Personal Data protection is the Information Commissioner. To find out more about the function of the competent authority, please refer to their website. Should a criminal offence be suspected in the event of a violation of Personal Data protection, we will immediately notify the police or the competent prosecutor's office.

Should a high risk violation of Personal Data protection occur involving the rights and liberties of individuals whose Personal Data we process, we will inform you of such violation without any undue delay.

9. Your rights

Medis Intago, d.o.o. ensures that you can exercise all the rights that you have in relation to the processing of your Personal Data.

Termination of subscription to product newsletters

If you no longer wish to be informed about the products marketed by Medis Intago, d.o.o. and its affiliated companies, you can contact us at gdpr(at)medis.com or call us at (01) 589 69 00, or inform our professional associate upon their visit (if you are a healthcare or pharmaceutical professional).

The Data Subject may at any time request Medis Intago, d.o.o. to:

  • Confirm whether the data relating to the Data Subject are processed or not.
  • Be granted access to the Personal Data: 
    Access to Personal Data will be granted only when we confirm that your Personal Data are processed. You have the right to request information about what data is being processed and what the source of this information is.
  • Enable the correction of inaccurate or incomplete Personal Data relating to the Data Subject:
    Please make sure to inform us of any change in your personal information as soon as possible, as this is the only way to ensure the accuracy and integrity of the Personal Data that we keep. You can notify us of any changes by use of the contacts listed in Section 10 of this Policy.
  • Enable the printout of Personal Data provided to us by the individual in a structured, generally used, machine-readable form.
  • Allow the right to have the Personal Data deleted (i.e. the right to be forgotten):

The right to have Personal Data deleted is limited as we cannot delete the Personal Data that we process on the basis of law and regulations or on the basis of a contractual relationship between us (including any warranty and other periods that may arise from a particular contract).

  • Enable the right to restrict processing (e.g., the request to restrict processing is possible when running the integrity check on the Personal Data that we process).
  • Allow the right to object to the processing:

The right to object to the processing of Personal Data is limited to processing that is based on a legitimate interest (cases when a legitimate interest is the basis for the processing of your personal information are listed in this Policy or we will inform you accordingly in advance) and processing for the purposes of direct marketing, including profiling.

  • Make the data transferable and provide the Data Subject with data in a structured, generally used and machine-readable form or directly communicate them to another Controller.

Allow the right to withdraw consent, when Personal Data are processed on the basis of consent, whereas withdrawal of consent does not affect the lawfulness of data processing that was carried out prior to such withdrawal. Consent may be withdrawn by an individual in any manner specified in Section 10 of this Policy. Withdrawal of consent does not create any negative consequences for you. After you withdraw your consent, we will not offer certain services if these services are of such a nature that we cannot perform them without you providing your personal information (e.g., without the processing of your e-mail address we cannot provide you with e-mail notification services). Every individual to whom data relates has the right to file a complaint against us with the Information Commissioner.

You can exercise your rights by contacting us by e-mail at: with subject of the message Personal Data protection or by calling us at:.

Medis Intago, d.o.o. commits to respond to the Data Subject’s requests without undue delay, and at the latest within the statutory deadlines.

Please bear in mind that these rights may be limited due to fulfilling the pharmacovigilance obligations. Your rights are limited if there is a legal basis for processing your personal data, for example, we cannot delete the information that was collected in the scope of an adverse event report, except if the information is incorrect. We may demand you appropriately identify yourself before we consider any demands to access or correct your personal data.

11. Contact

The person responsible or Data Protection Officer at Medis Intago, d.o.o. will answer your questions about the confidentiality of your information, the way in which data is collected and processed, or your requests to exercising the rights relating to your information. To contact the authorized Data Protection Officer, please send an e-mail to gdpr(at)medis.com or call us at (01) 589 69 00.

12. Definitions

This Section sets forth the definition of terms used in this Policy.

Personal Data is any information that refers to a specific or identifiable individual, specifically: name, identification number, web identifiers as well as factors that are characteristic of the individual's physical, physiological, genetic, mental, economic, cultural or social identity.

Processing is any act or set of actions that is carried out with Personal Data and includes, in particular, the collection, editing, storing, modifying, viewing, retrieval and deletion of such data.

Controller is a natural or legal entity who, alone or jointly with others, determines the purposes and means of processing. For the purposes of this Policy, Medis Intago d.o.o. is the Controller.

Processor is a natural or legal entity as well as a public authority or agency or other body that processes Personal Data on behalf of the Controller.

Expert Public means natural persons working in a medical or pharmaceutical profession (such as medical institutions, pharmacies) as well as people employed in wholesale drugstores with whom we cooperate.

End user is any natural person who uses our services (including on-line store users, members of loyalty clubs, etc.).

13. Changes

We reserve the right to periodically amend this Privacy Statement to adjust it according to current conditions and Personal Data protection legislation. For this reason, we ask you to check the updated version before providing any personal information, so that you will be aware of any changes or updates.