Data Protection Notice for Healthcare Professionals

1. Introduction

This data protection notice describes how we process personal data of healthcare professionals when we provide them scientific and product information, samples of medicinal products, organise and carry out events and webinars or process their product orders.

2. Who is responsible for the processing of personal data?

Generics (UK) Limited trading as Mylan, Mylan UK Healthcare Limited and Meda Pharmaceuticals Limited (herein referred to as “we”) are responsible for the processing of your personal data.

3. Which personal data do we process?

We process the following categories of your personal data: first and last name, title, specialty, business contact details and, if applicable, registration for and participation in an event or webinar, product interest or product orders. If you order samples of medicinal products, we also process information on the type, extent and date on which the samples were provided.

4. For which purposes and on which legal basis do we process your personal data?

We process your personal data in order to announce visits from our sales department and to provide you with scientific information as well as information about pharmaceutical products, events and webinars of our group (herein referred to as "information purposes").

If you give us your voluntary consent for processing of your personal data for information purposes, the legal basis for this data processing is Article 6 paragraph 1 sentence 1 letter a in connection with Article 7 GDPR.

If you have not given your consent, we process your personal data based on legitimate interests. Our legitimate interests are the processing for information purposes and data exchange within our group for the related internal administrative purposes. After an event or webinar, we may also ask you to evaluate it based on our legitimate interest to carry out a satisfaction survey among participants. The legal basis for this data processing is Article 6 paragraph 1 sentence 1 letter f GDPR. Upon request, you can obtain the details of the balancing test in accordance with this legal provision from our data protection officer, see section 11.  

If you agree to participate in an event or webinar, we process your personal data in order to organize and carry out this event or webinar. If you order a sample of a medicinal products or a product, your personal data will be used to process your order. The legal basis for this data processing is Article 6 paragraph 1 sentence 1 letter b GDPR.

If we provide you with samples of a medicinal product, we process your personal data in order to document it in accordance with legal requirements. The legal basis for this data processing is Article 6 paragraph 1 sentence 1 letter c GDPR.

5. Are you obliged to provide your personal data to us?

Your consent is voluntary. The provision of personal data for information purposes (see section 4) is not a statutory or contractual requirement. You are not obliged to provide your personal data. If you do not provide your personal data, this will not have any consequences for you.

In relation to participation in an event or webinar, processing of product orders and provision of samples of a medicinal product, the processing of your personal data is necessary for the handling of your request. If you do not provide your personal data, we will not be able to fulfil your request.

6. Who has access to your personal data?

Your personal data will only be made available to a limited number of recipients, including our employees and departments in the companies of our group, who need it according to their area of responsibility or legal requirements.

We also use third-party service providers (e.g., hosting and IT support providers) who may also have access to your personal data to provide their services.

Within the scope of our legal obligations, we may transfer your personal data to the competent supervisory authorities. If data processing is necessary for establishment, exercise or defense of legal claims, we may also transfer your personal data to our lawyers and insurers.

7. Will your personal data be transferred to third countries?

We may transfer your personal data to other companies in our group or third-party service providers located outside the European Economic Area (EEA) for the above purposes. This includes countries that do not have the same level of protection for personal data as the EEA. In such cases, we will ensure that these transfers are carried out in accordance with the applicable data protection laws. Data transfers to other companies in our group or third-party service providers are protected by appropriate contractual safeguards such as EU standard contractual clauses or EU-US Privacy Shield certification. To obtain a copy of the relevant documents, you can contact our data protection officer, see section 11.

8. How long do we store your personal data?

Your personal data will be stored in the form that allows your identification as long as necessary for the purposes for which they are processed.

If you have given us your consent for processing of your personal data for information purposes (see section 4), we will store your personal data until you withdraw your consent. In any case, we will not use your personal data for longer than 17 months after we contacted you last time.

If you participate in an event or webinar, we will delete your personal data within 7 days after the end of the event or webinar, unless longer storage is necessary according to statutory retention requirements. The data which are processed for performance of a contact with you including any product orders are stored during the business relationship and then archived for the duration of the statutory retention periods. The retention periods according to tax law and commercial law are up to 10 years. The evidence relating to provision of samples of medicinal products is stored for a period of 10 years.

We can store your personal data longer if and insofar as your personal data is necessary for the establishment, exercise or defense of legal claims.

9. Which rights do you have under data protection law?

You have the right to withdraw your consent at any time, without the withdrawal affecting the lawfulness of processing based on your consent before it. You can contact us for this purpose, see section 11.

You have the right to obtain from us confirmation as to whether or not your personal data are being processed, and, where that is the case, you have the right of access to your personal data and to the information listed in detail in Article 15 GDPR.

You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you and, where appropriate, to have incomplete personal data completed (Article 16 GDPR).

You have the right to obtain from us the erasure of your personal data without undue delay, if one of the grounds stated in Article 17 GDPR applies, for example, if your personal data are no longer necessary in relation to the pursued purposes (right to erasure).

You have the right to obtain from us restriction of processing where one of the grounds stated in Article 18 GDPR applies, for example, if the accuracy of your personal data is contested by you, for a period enabling us to verify the accuracy of your personal data.

You have the right according to Article 20 GDPR to receive your personal data, which you provided to us, in a structured, commonly used and machine-readable format (data portability). You also have the right to transmit those data to another controller without hindrance from us.


You have the right to object (Article 21 GDPR), on grounds relating to your particular situation, at any time to processing of your personal data. We will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.


Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, if you consider that the processing of your personal data infringes the GDPR (Article 77 GDPR). You can exercise this right at the supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement.

10. From which source do your personal data originate?

We have collected your personal data directly from you or received them from an address broker.

11. How can you contact us or our Data Protection Officer?

To exercise your rights or make a request concerning the processing of your personal data, you may contact our compliance hotline via the phone number indicated at https://www.tnwgrc.com/mylan/newdialing2.htm or send an email to our Data Protection Officer via dataprivacy@mylan.com.

Job Code: NON-2020-0800
Date of Preparation: April 2020

Last Updated  23/04/2020