Supplemental Privacy Notice (EEA)

  • FIRST PUBLISHED: 1 April 2024
  • LAST UPDATED: 1 December 2025

We take your privacy very seriously. Please read this Privacy Notice carefully as it contains important information on how and why we collect, store, use and/or share your personal information, and explains your rights in relation to that information. When we handle your personal information, we are subject to the European Union General Data Protection Regulation (“GDPR”) and relevant laws.

Scope: This Privacy Notice is intended for clinical trial personnel, business partners (such as distributors, licensees, and other partners), and healthcare professionals (such as physicians, pharmacists, and administrative staff at medical institutions) in the European Economic Area (EEA). It explains how Sumitomo Pharma Co., Ltd., a company organized under the laws of Japan with its principal office at 6-8, Doshomachi 2-chome, Chuo-ku, Osaka 541-0045, Japan (“we”, “us”, “our”), collects, uses, discloses, and/or stores your personal data in the course of our business activities (including clinical trials, product distribution, and medical communications).

We may update this notice from time to time and will inform you of any material changes via our website or other contact methods (e.g. email).

1. How We Process Your Personal Data

We collect, use, store, generate, or disclose (“process”) your personal data only for specific purposes and legal reasons. Below we describe the purposes for processing, the categories of personal data involved, the lawful basis under GDPR, how long we retain the data, and who we may share it with in each context.

1) To prepare and maintain documentation for the conduct of clinical trials:

  • i. Categories of personal data: Your work affiliation and identity details (e.g. hospital or company name, your name), professional qualifications (e.g. CV/resumé), and financial disclosure information (including any relevant financial interests of you or your immediate family).
  • ii. Lawful basis: Necessary for compliance with our legal obligations as a trial sponsor (e.g. obligations under clinical trial regulations).
  • iii. Retention period: 25 years after the clinical trial ends (as required by clinical trial regulations).
  • iv. Recipients: Third parties involved in trial management, such as contract research organizations (CROs), electronic trial system providers, and regulatory authorities.

2) To communicate and coordinate with clinical trial sites and researchers:

  • i. Categories of personal data: Contact details of site personnel, investigators (doctors), and researchers (e.g. name, work address, telephone number, email) and organizational info (hospital or site name, role of the person in the trial).
  • ii. Lawful basis: Necessary for our legitimate interests in implementing and managing the clinical trial (efficient trial operations).
  • iii. Retention period: Until these communications are no longer needed after the trial concludes (e.g. promptly after trial closure and reporting).
  • iv. Recipients: Not applicable (these communications are internal or directly with you; we do not routinely disclose this data to external parties outside the trial except as needed for regulatory oversight).

3) To manage our relationships with business partners (distributors, licensees, suppliers, etc.):

  • i. Categories of personal data: Business contact information and identification details (e.g. your name, job title, company name, work address, telephone number, work email) and any information necessary for our business interactions or contracts. This may include records of our communications and contract performance (e.g. orders, inquiries, meeting notes).
  • ii. Lawful basis: Processing is necessary for performance of a contract (when you or your company have an agreement with us) or for our legitimate interests in managing business relationships and communications. We also process certain data to comply with legal obligations (e.g. record-keeping, anti-corruption laws).
  • iii. Retention period: For the duration of the business relationship and generally up to 7 years after its termination, unless a longer period is required by law. (For example, we may retain contracts or transaction records for statutory audit or tax retention periods.)
  • iv. Recipients: We may share your data with our affiliates (group companies) as needed for joint business operations, with service providers that assist us in business operations (such as IT systems providers, logistics providers, consultants), and with regulatory or government authorities if required by applicable law (e.g. for compliance or reporting purposes).

4) To engage with healthcare professionals for medical and commercial activities:

  • i. Categories of personal data: Identity and professional information (your name, professional qualifications, specialty, place of work, position), contact details (business address, phone number, email), and details of our interactions with you. This can include records of meetings or calls, inquiries you’ve made (e.g. medical information requests), your participation in our programs, surveys or clinical studies, and any services you provide to us (such as consulting or speaking engagements). We also may hold information on payments or transfers of value made to you (e.g. consultant fees, travel sponsorship) for transparency reporting purposes. Technical data about your use of our digital platforms (like visiting a HCP portal or receiving our emails) may be collected as well (e.g. IP address, device/browser info).
  • ii. Lawful basis: Necessary for our legitimate interests in managing communications and relationships with HCPs – for example, providing up-to-date product information, ensuring proper use of our medicines, and gathering feedback to improve our products (these activities are balanced against your rights). Additionally, certain processing is necessary for us to comply with legal obligations, such as pharmacovigilance laws (which require collecting and reporting adverse event information) and industry codes on transparency (reporting payments to healthcare professionals). In cases where we send you direct electronic marketing communications, we will rely on your consent where required by law or applicable regulations.
  • iii. Retention period: We retain HCP data for as long as we have an active relationship with you and for a period after our last interaction. Typically, personal data about HCPs is kept for 5 years after our last meaningful contact with you, unless we are legally required to keep it longer. For example, if you have received payments that must be reported, we may retain those records for the duration required by law or internal policy. After the retention period, we will either securely delete the data or anonymize it (and may retain anonymized data for aggregate analytics).
  • iv. Recipients: We may share your information with our group companies worldwide (for example, if other affiliates handle interactions with you) and with trusted third-party service providers who facilitate our HCP engagements (such as event organizers, marketing agencies, database providers). We also may disclose relevant data to regulatory bodies or healthcare authorities (e.g. reporting a pharmacovigilance case or disclosing HCP payment data to transparency registries). In some cases, we partner with other pharmaceutical companies or distributors to market or develop products – we may share HCP contact data with such business partners for those collaboration purposes. We will only share the minimum necessary information and ensure any such recipients are bound to protect your data.

In all cases above, if we plan to process your personal data for a new purpose that is incompatible with the original purposes, we will inform you in advance and, if required, seek your consent.

2. Security of Personal Data

We have implemented appropriate technical and organizational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered, or disclosed. Access to personal data is restricted to personnel and third parties on a need-to-know basis and under confidentiality obligations.

We maintain procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach where legally required.

3. Transfers of Data Outside the EEA

As a Japan-headquartered company, we may engage third-party contractors or share data within our corporate group, including transfers of your personal data to countries outside the European Economic Area (EEA), such as Japan or other jurisdictions where our partners operate. When transferring personal data to Japan, your data is protected under the Japanese Act on the Protection of Personal Information; note that the European Commission has recognized Japan as providing an adequate level of data protection, allowing transfer without additional authorization. For transfers to any country not covered by an adequacy decision, we will ensure appropriate safeguards are in place, typically through EU Standard Contractual Clauses or equivalent legal mechanisms, to protect your information and ensure it remains secure and subject to GDPR-level protections.

4. Data Subjects’ Rights

Under the GDPR, you have various rights regarding the personal data we hold about you. These include:

  • Right to Information and Access: You have the right to be informed about how we process your data (which this Notice provides) and to request access to your personal data and obtain a copy.
  • Right to Rectification: If any of your personal data is incorrect or incomplete, you have the right to have it corrected or completed without undue delay.
  • Right to Erasure: You can ask us to delete your personal data in certain circumstances (for example, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent and no other legal basis applies).
  • Right to Restrict Processing: You can request that we limit processing of your data (e.g. while a complaint about accuracy or legality of processing is being resolved).
  • Right to Object: You may object to processing of your personal data where we rely on legitimate interests, including profiling based on those interests. We will honor objections unless we have compelling legitimate grounds to continue or the processing is needed for legal claims. You also have an absolute right to object to any direct marketing communications, which we will always respect.
  • Right not to be subject to Automated Decisions: We do not currently make decisions about you solely by automated means with legal or similarly significant effects. In the event we ever do, you would have the right not to be subject to such decisions without human involvement.
  • Right to Data Portability: When feasible, you have the right to receive your personal data that we process by automated means, in a structured, commonly used, machine-readable format, and to transmit that data to another controller.
  • Right to Withdraw Consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of any processing done prior to withdrawing.

To exercise any of your rights, please contact us using the information in the “Contact Us” section below. We will respond in accordance with applicable law. Please note that these rights are not absolute; in some cases, legal requirements or exemptions may mean we cannot comply with a specific request (for example, we might not erase data that we are required by law to keep). We will inform you if any such limitations apply when responding to your request. You also have the right to lodge a complaint with a supervisory authority (such as an EU data protection authority in your country of residence or work) if you believe we have infringed your data protection rights. We would, however, appreciate the chance to address your concerns first, so please do reach out to us with any complaint.

5. EU Representative

In accordance with GDPR Article 27, since we are not established in the EU, we have appointed an EU representative to act on our behalf regarding data protection matters. Our designated representative is DataRep.

You may contact DataRep by email at datarequest@datarep.com (please include “Sumitomo Pharma Co., Ltd.” in the subject line) or through their online webform. You can also reach DataRep by postal mail at designated addresses in the EU as follows:

  • DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857, Romania
  • DataRep, Place de L'Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium
  • DataRep, Viale Giorgio Ribotta 11, Piano 1, Rome, Lazio, 00144, Italy
  • DataRep, 72 rue de Lessard, Rouen, 76100, France
  • DataRep, Calle de Manzanares 4, Madrid, 28005, Spain
  • DataRep, Laugavegur 13, 101 Reykjavik, Iceland

Please mark correspondence with “DataRep” and clearly refer to Sumitomo Pharma Co., Ltd., or your mail may not reach them. DataRep will ensure that any queries or requests from EU data subjects are forwarded to us for resolution.

6. Contact Us

If you have any questions about this Privacy Notice or how we handle your personal data, or if you wish to exercise your rights, please contact our Data Protection Officer (DPO).
You can reach the DPO by email at sumitomopharma-dpo-office@iij-pj.jp.
You may also write to: Data Protection Officer, Sumitomo Pharma Co., Ltd., 6-8, Doshomachi 2-chome, Chuo-ku, Osaka 541-0045, Japan.
We will be happy to assist with any inquiries or concerns you may have regarding your personal data.