Privacy Notice
1. Scope
This Privacy Notice (“this Notice”) describes how Samsung Epis Holdings Co., Ltd. (“Samsung Epis Holdings”, “we”, “us” or “our”) collects, uses, transfers, processes, and discloses your data and sets out our security practices. We respect your privacy and are committed to protecting your personal information. Please note, our privacy practices are subject to the applicable laws of the places in which we operate, including the General Data Protection Regulation as of May 25, 2018 (“GDPR”). We may change or update this Privacy Notice from time to time by posting a new privacy notice on this website. Please keep checking this notice occasionally so that you are aware of any changes.
2. Responsibilities
2-1 Our Data Protection Officer (DPO) is responsible for ensuring that this Notice is made available to data subjects prior to the collection and/or processing of such data subject’s personal data by Samsung Epis Holdings.
2-2 All employees of Samsung Epis Holdings who interact with data subjects are responsible for ensuring that this Notice is drawn to the data subject’s attention and their consent to the processing of their data is secured.
3. Privacy Notice
3-1 Controller and Contact Details
Samsung Epis Holdings is the Data Controller and the contact details of our Data Protection Officer and Data Protection Representative are as below.
· Data Protection Officer (DPO) contact:
- E-mail: sbe.privacy@samsung.com
· Data Protection Representative:
- E-mail: sbe.dpr@samsung.com
3-2 Categories of Personal Data
We may collect your personal data. The applicable categories of personal data and data subject are as follows:
| Applicable Categories of Personal Data Collected | Applicable Categories of Data Subjects |
|---|---|
| Name, Contact information and Unique Identifiers: Identifiers, such as a real name, alias, postal address, telephone number, unique personal identifier, online identifier, device ID, internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers as well as demographic information such as date of birth, place of birth, country of residence, income, family size, marital status, etc. An individual’s written or digital signature. | - Employees - Candidates for employment - Contractors - Health Care Providers - Clinical Trial Investigators, Site Staff and Participants - Patients - Customers - Website Visitors - Caregiver - Authorized Representative |
| Financial Information: Bank account number, credit or debit card number, credit reports, background checks or other financial information. | - Employees - Candidates for employment - Contractors - Health Care Providers - Clinical Trial Investigators |
| Name, Contact information and Unique Identifiers: Identifiers, such as a real name, alias, postal address, telephone number, unique personal identifier, online identifier, device ID, internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers as well as demographic information such as date of birth, place of birth, country of residence, income, family size, marital status, etc. An individual’s written or digital signature. | - Employees - Candidates for employment - Contractors - Health Care Providers - Clinical Trial Investigators, Site Staff and Participants - Patients |
| Medical Information: Any information in possession of or derived from yourself, a healthcare provider, healthcare insurer, healthcare service plan, pharmaceutical company, or contractor regarding an individual’s medical history, mental or physical condition, or treatment. This includes an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in the individual’s application and claims history (including prescription information). | - Employees - Candidates for employment - Contractors - Clinical Trial Participants - Patients - Customers - Caregiver - Authorized Representative |
| Biometric Information: Physiological, biological, or behavioral characteristics that can establish an individual’s identity, including DNA, face, iris or retina imagery, fingerprint, voice recordings and sleep, health, or exercise data that contain identifying information. | - Employees - Candidates for employment - Contractors - Clinical Trial Participants - Patients - Customers - Website Visitors - Caregiver - Authorized Representative |
| Special Categories of Personal Data Other than Medical Information and Biometric Information: Race, age, nationality, physical or mental disability, and religion. | - Employees - Candidates for employment - Clinical Trial Participants - Patients |
| Purchase History and Tendencies: Information regarding products or services purchased, obtained, or considered. | - Health Care Providers - Patients - Customers - Website Visitors - Caregiver - Authorized Representative |
| Network Activity: Internet or other electronic network activity information, such as browsing history, search history, and information regarding an individual’s interaction with an internet website, application, or advertisement. Includes analytics evaluation and cookies. | - Employees - Candidates for employment - Contractors - Health Care Provider - Clinical Trial Investigators and Site Staff - Patients - Customers - Website Visitors - Caregiver - Authorized Representative |
| Geolocation Data: Precise geographic location information about a particular individual or device, including geolocation information derived from your GPS, WiFi and Bluetooth signals, IP address, and other device information. | - Employees - Candidates for employment - Contractors - Health Care Providers - Patients - Customers - Website Visitors - Caregiver - Authorized Representative |
| Electronic and Sensory Data: Audio, electronic, visual, or similar information (e.g., a recording of a customer service call, answers to a quiz/questionnaire or profile photograph). | - Employees - Candidates for employment - Contractors - Health Care Providers - Clinical Trial Investigators, Site Staff and Participants - Patients - Customers - Website Visitors - Caregiver - Authorized Representative |
| Education and Professional Information: An individual’s academic information and records, resume, professional credentials (such as field of expertise and specialization, institutional affiliations, and scientific activities, such as previous clinical trial experience, activity on social media platforms, and participation in past or current research studies with us or other companies), information related to your practice (such as license information and disciplinary history), publication of academic or scientific research and articles, membership in association and boards, information provided to participate in our sponsored initiatives (such as clinical research and development activities or promotional activities), and information about your professional experience and interactions with Samsung Epis Holdings, such as the kinds of meetings we have held and the topics covered. | - Employees - Candidates for employment - Contractors - Health Care Providers - Clinical Trial Investigators and Site Staff - Website Visitors |
| Inferences: Inferences drawn from any of the information listed above to create a profile about an individual reflecting the individual’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. We may combine the information we collect about you from different sources, including to draw these inferences. | - Employees - Candidates for employment - Contractors - Health Care Providers - Clinical Trial Investigators, Site Staff and Participants - Patients - Customers - Website Visitors - Caregiver - Authorized Representative - Households |
| Correspondence or communications you send to us. | - Employees - Candidates for employment - Contractors - Health Care Providers - Clinical Trial Investigators, Site Staff and Participants - Patients - Customers - Website Visitors - Caregiver - Members of the Media - Members of the Public - Authorized Representative |
We may pass on your personal data to third parties. The third parties are as follows:
· Samsung Epis Holdings’ affiliate companies, including its headquarters in the Republic of Korea;
· Public and government entities;
· Ethics committees; and
· Service providers
3-3 Personal data collected from other sources
From time to time, Samsung Epis Holdings may process your personal data obtained from other sources, such as public databases, social media platforms and other third parties. For example, we may use such third-party data to confirm contact or financial information, to verify licensure of healthcare professionals or to better understand your interests by associating demographic information with the data you have provided.
3-4 Purposes of Processing
The personal data we collect will be used for the following purposes:
· Compliance with legal and regulatory requirements (ICH E6 (R2): 5.18.2, 5.2.2, Clinical Trial Regulation 536/2014);
· Communication with speakers or consultants reasonably required for the performance of services related to the Symposium or other events;
· Communication with the third-party communications agency reasonably required for the performance of services related to the Symposium or other events;
· Compliance with a Good Pharmacovigilance Practice;
· To report any spontaneous adverse event;
· Communication with healthcare professionals, patients, consumers and reporters in good faith effort to further investigate any safety signal or adverse event;
· Communication with healthcare professionals, patients, consumers and reporters in good faith effort to further investigate any product quality complaint and possibly retrieve data of interest;
· Compliance with legal and regulatory requirements;
· Publishing necessary personal data for transparency requirements, including publishing compensation onto the Medicines for Europe's website;
· Storage in the Samsung Epis Holdings' databases to facilitate the selection of speakers;
· Storage in the clinical trial master file for regulatory inspection; and
· Supporting administration of Samsung Epis Holdings' (and its subsidiaries') employment contracts.
· Other purposes that may be detailed on an informed consent form, website or mobile application which will be described at the time the personal data is collected.
3-5 Legal Basis for Processing
The legal basis for the processing of the personal data shall be where:
· The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
· Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
· Processing is necessary for compliance with a legal obligation to which the data controller is subject;
· Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
· Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; and
· Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
3-6 Cross-border transfers
The personal data you provide to Samsung Epis Holdings may be transferred outside the country in which your personal data has been collected. Where the cross-border transfer is necessary, Samsung Epis Holdings will transfer your personal data with your explicit consent or other legal basis under applicable laws.[1] When obtaining your consent for the cross-border transfer, Samsung Epis Holdings will notify you in advance of the following matters:
· Categories of the personal data to be transferred;
· The country to which the personal data is transferred, transfer date, and method;
· Name of the recipient (referring to the name of a corporation and the contact information of the corporation, if the recipient is a corporation);
· The purpose of using personal data by the recipient and the period of retention;
· The method and procedure for refusing the transfer of personal data and the effect of such refusal.
The country to which your personal data will be transferred may not guarantee the same level of protection of personal data as that of the country in which your personal data has been collected. In such case, Samsung Epis Holdings will take appropriate measures (e.g., Standard Contractual Clauses to safeguard the transfer of data outside of the EEA), in compliance with applicable law, to ensure that your personal data remains protected.
[1] For your reference, Adequacy Decision to Republic of Korea has been adopted by EU Commission (https://commission.europa.eu/document/e9453177-f192-4416-a147-3c57adc468c4_en) and Information Commissioner’s Office of UK (https://www.gov.uk/government/publications/uk-data-adequacy-for-the-republic-of-korea-supporting-documents#full-publication-update-history). This term applies to cases other than cross-border transfers from UK or EEA (EU Member States, Iceland, Norway and Liechtenstein) to Republic of Korea.
3-7 Retention Period
We will retain the personal data for as long as required under the applicable laws or the duration written on the informed consent form when collecting your consent.
3-8 Destruction of Personal Data
We will destroy your personal data without delay when the retention period of your personal data ends or when the retention becomes unnecessary due to the fulfillment of the purposes stated in Section 3.2. Nevertheless, if it is necessary to continue to process your personal data under relevant laws and regulations, we will transfer such data to a separate database (DB) or location.
The process and method of destruction are as below:
· Process of destruction – When the purposes stated in Section 3.2 are fulfilled, we will destroy your personal data without delay. Nevertheless, if it is necessary to process your personal data due to obligations under relevant laws, we will separately retain such data until such obligations are completed.
· Method of destruction – We will destroy personal data stored in the form of computer files in such a manner that the files cannot be recovered, and destroy personal data recorded in the form of paper documents by shredding or incinerating.
3-9 Entrustment of Processors
When entrusting the processing of your personal data, we will enter into a data processing agreement with the entrustee (“data processor” or “processor”) and inform you of the data processor(s) and the entrusted task. Under the applicable laws, the data processing agreement will include the purpose of entrustment, technical and administrative safeguards for protecting your personal data, conditions for re-entrustment, supervision of data processors, and liabilities for the breach. We will monitor whether the processor is processing your personal data in compliance with the terms of the data processing agreement.
3-10 Pseudonymized Data
We may aggregate and/or pseudonymize your personal data and use it for scientific research or statistical purposes. To the extent we pseudonymize any data originally based on your personal data, we will maintain and use such data only in pseudonymized form and will not attempt to reidentify the data.
3-11 Your Rights as a Data Subject
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
· Right of access – you have the right to request a copy of the information that we hold about you.
· Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
· Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
· Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
· Right of portability – you have the right to have the data we hold about you transferred to another organization.
· Right to object – you have the right to object to certain types of processing such as direct marketing.
· Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
· Right to judicial review – in the event that Samsung Epis Holdings refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause 3.7 below.
· Right to withdraw consent – you have the right to withdraw consent at any time by contacting our Data Protection Officer or Samsung Epis Holdings, without affecting the lawfulness of processing based on your consent before its withdrawal.
3-12 Security Measures
We seek to use the following technical, administrative, and physical measures to ensure safety of your personal data:
· Establishment and implementation of internal management plan for the safe processing of personal data
· Measures for identification and authentication to verify access to personal data
· Measures such as installation of system to block unauthorized access to personal data
· Encryption to ensure safety of storage and transmission of personal data
· Measures for storage and prevention of forgery and alteration of access records
· Installation, periodic renewal and inspection of security programs
· Installation of access control and locking devices for safe storage of personal data
3-13 Complaints
In the event that you wish to make a complaint about how your personal data is being processed by Samsung Epis Holdings (or third parties as described in 3.4 above), or how your complaint has been handled, you have the right to lodge a complaint directly with the lead supervisory authority and the Data Protection Officer described in Section 3.1. The lead supervisory authority is CNIL (Commission Nationale de l'Informatique et des Libertés), full contact details for which can be found at https://www.cnil.fr/en/contact-cnil. You may also complain to local supervisory authorities, contact details for which can be found at https://edpb.europa.eu/about-edpb/board/members_en.
3-14 Obligation to Provide Data
For clarity, the provision of personal data is partly required by law (e.g. clinical trials regulations) or can also result from contractual provisions (e.g. information on the contractual partner). Sometimes it may be necessary, in order to conclude a contract, that the data subject provides us with personal data, which must subsequently be processed by us. The data subject is, for example, obliged to provide us with personal data when our company signs a contract with him or her. The non-provision of the personal data would have the consequence that the contract with the data subject could not be concluded.
3-15 Automated Decision-Making & Profiling
We use cookies to analyze traffic of our website. Please refer to our Cookie Policy.
3-16 Changes to this Privacy Notice
We may update this Privacy Notice from time to time. Any changes will be announced on our website with updated effective dates and are effective immediately upon the posting of the revised Privacy Notice.
Effective date: 03 November 2025