Personal data protection

KRKA UK Ltd (hereafter: „Krka“) encourages the respect of fundamental rights and gives special attention to the protection and processing of personal data.

Krka's commitment

Krka is committed to safe and confidential processing of personal data concerning its employees, shareholders, contracting parties, website users and other interested parties. At the same time, Krka ensures that personal data is processed lawfully, fairly and in a transparent manner – and with respect to the rights of data subjects.

Personal data protection policy

To implement its commitment, Krka adopted new Rules on personal data protection, which comply with the General Data Protection Regulation, GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council) and other applicable legislation. Non EU Krka Group Companies which do not process personal data of data subjects who are in the EU comply with local personal data protection legislation. These new Rules, together with several other internal rules and measures, represent the policy of the Krka Group, which ensures that personal data are collected and processed for specified purposes, complies with the principle of data minimisation, and ensures that personal data will only be stored for the time period necessary to achieve the purpose for which they were collected.

Scope

Our policy applies to all persons submitting any personal information to us: Krka employees, candidates for employment, shareholders, customers, suppliers, etc.

Who is bound by this policy

This policy is binding for any person or entity Krka cooperates with, or who acts in Krka's name and occasionally requires access to personal data. All employees at Krka and its subsidiaries must comply with it, and it is also binding for contractors, advisers and other external processors of personal data.

Policy elements

In order to be able to execute our processes, we also need to collect and process personal data. These include any data enabling the identification of a data subject, such as names, addresses, usernames and passwords, digital footprints, photographs, personal ID numbers, financial data, etc.

Krka collects such data in a transparent manner and only on the basis of full cooperation and awareness of interested parties. Once such data is obtained, the following rules apply:

Personal data collected by Krka shall be:

  • Collected fairly and exclusively for legitimate purposes;
  • Accurate and up-to-date;
  • Processed within legal and moral frameworks;
  • Protected against any unauthorised or unlawful access by internal or external parties.

Personal data collected by Krka shall not be:

  • transferred outside of Krka without legal basis;
  • Stored for a period longer than specified;
  • Transferred to organisations or countries that do not have appropriate rules on data protection in place;
  • Transferred to any party other than the one the data subject agreed to (with the exception of legitimate requirements made by law enforcement authorities).

Apart from appropriate data handling, Krka also has a direct obligation to data subjects. In accordance with the GDPR and other applicable legislation on personal data protection, Krka shall ensure, among others, the following:

  • Information for every interested individual about personal data concerning them, i.e. the categories of personal data we are collecting, the purpose of collecting their personal data, the storage period for their personal data, whether we are transmitting their personal data to another party, etc.;
  • Rectification of inaccurate personal data;
  • Erasure of all personal data where conditions for erasure are met, e.g. upon withdrawal of consent by data subject;
  • Procedures in case of lost, damaged or compromised data.

Activities

We hereby undertake to execute the following personal data protection activities:

  • Restriction and control of access to special categories of personal data;
  • Development and implementation of transparent procedures for data collection;
  • Training of employees for the implementation of personal and technical safety precautions;
  • Establishment of a secure network for the protection of personal data against cyber attacks;
  • Establishment of clear procedures for reporting privacy violations or data fraud;
  • Inclusion of contractual clauses or clear instructions about our data processing;
  • Establishment of best practices related to data protection (clean desk and clear screen policy, document shredding, secure locking, data encryption, regular generation of backup copies, access authorisations, etc.).

Krka is ISO 27001 certified, which means that it implements good data protection practices in accordance with ISO 27001 – Information security management systems.

Krka's provisions on data protection are defined in the following documents:

  • Special policy for the protection of personal data on our website;
  • Rule book on personal data protection, which describe in detail the personal data protection system;
  • Appendix to General procedures of personal data protection, which includes a short description of technical and organisational precautions for personal data protection;
  • Personal data processing records – descriptions of personal data filing systems.

Disciplinary consequences

Krka employees must strictly adhere to all principles described within this policy. The violation of rules on data protection may lead to disciplinary and other measures.