Celltrion, Inc. ("we", "us", "our" or "Celltrion") is committed to protecting and respecting your personal data. In the event that you send us any of your personal data, we are committed to collecting, maintaining, and securing personal data about you in accordance with our internal data protection policies and local laws.
This privacy notice ("Privacy Notice") outlines the types of personal data we collect and why and how we process your information. We advise you to carefully read this Website Privacy Notice so that you are aware of how, where and why we are using your personal data.
This website ("Site") is provided and operated by Celltrion. This Site is intended for the general public, healthcare professionals and business partners.
If you have any queries regarding this Privacy Notice, please contact us using one of the following email addresses:
- DPO_KR@celltrion.com if you live in Republic of Korea;
- DPO_EU@celltrion.com if you live in the European Union/EEA; or
- DPO@celltrion.com (Rest of the World except Korea and EU/EEA)
This Privacy Notice is updated from time to time. If we update the terms, we will provide notice through our website, or by other means, so you can to review the changes. Please check back if you continue to use this website or interact with Celltrion.
For purposes of this Privacy Notice, "personal data" is any information by which you can be individually identified both directly and indirectly, including, but not limited to, your name, address, e-mail address, IP address and telephone number.
2. Type of information we have; Why we collect and use it
Personal Data Obtained Through the Site. We may collect and process personal data provided by you through the Site, for example:
• Your names, contact information, email address, and other information in combination with these identifiers including your CV if you apply to Celltrion via the Site;
• records of your correspondence if you contact us, such as emails;
• other technical data, such as IP address, browser type and operating system;
• communications data, such as your preferences in receiving communications from us
We do not use tracking cookies. This means we only require the minimum amount of your personal information necessary.
We may process your personal data provided through the Site for many reasons, including:
• To respond to your requests or inquiries;
• To complete a transaction;
• To offer a career;
• To share with our affiliates;
• To operate, improve and maintain the website, including for security purposes.
LEGAL BASIS: If you make inquiries from our Site, we will ask your consent and we will process your personal data provided by you on your consent. If your personal data is obtained via emails sent from you to one of our official email addresses provided in the Site, the collection and process of your personal data will be done for our legitimate interests, where the legitimate interests impact assessment has been carried out. If we request further information, we will request and collect your Personal Data on your consent.
Personal Data Obtained Through our business activities. As well as information collected through this Site, we may obtain personal data in other ways during the course of our business operations such as by phone, email or in paper form including business cards. The type of personal data includes:
• names, contact information, and email address;
• records of your correspondence with us; or
• your financial information such as your billing and payment information if you provide services to us.
We may process your personal data provided to us during the business operation for many reasons, including:
• administering a contract we have entered into with you;
• providing you with information and/or services;
• understanding your business needs and improving our products and/or services;
• holding discussion forums, such as scientific advisory boards;
• communications regarding our products, therapy areas and/or services.
LEGAL BASIS: The collection and process of personal data provided by you will be done for our legitimate business interests, where the legitimate interests impact assessment has been carried out. If we request further information, we will request and collect your personal data on your consent.
If there is any valid contract in place between you and Celltrion, such processing is necessary for the performance of a contract.
Personal Data obtained as a Processor. Celltrion may collect your information as a processor, who process your personal data on behalf of a third-party controller, who has a legal basis for obtaining and processing your personal data. In this case, we will only use your personal data in accordance with the instructions of the data controller.
LEGAL BASIS: The collection and process of personal data provided by you will be done for performance of contractual obligation with Data Controller. We will have a valid Data Processing Agreement in place in order to undertake such service.
Personal Data obtained from Public Sources. We may collect personal data from public sources such as conferences, symposiums or training events we attend in order to stay in contact with you and manage our relationship with you or to enquire about potential services or business opportunities. The type of personal data include names, contact information and email address.
LEGAL BASIS: The collection and process of your Personal Data will be deemed electronic marketing (unless carried out by Post) and the legal basis is legitimate business interests, with the addition of "soft opt-in" (as defined by the EU e-Privacy Directive (2002)). The legitimate interests impact assessment has been carried out. If we request further information, we will request and collect your Personal Data on your consent.
3. How We Share Your Personal Data
We may share your personal data with a member of the Celltrion Group of companies around the world. Our group companies will use your Personal Data for the same purposes as we do.
We may also share your Personal Data with third parties, including our data processors, Consultants and professional advisors, certain software or IT systems services providers, for the following purposes:
• To help fulfill Celltrion business transactions;
• To provide services such as website hosting, data analysis, information technology and related infrastructure provision, customer service, email delivery, auditing and other services;
• To facilitate a merger, consolidation, transfer of control or other corporate reorganization in which Celltrion participates, or pursuant to a financial arrangement undertaken by Celltrion; and
• to comply with applicable laws and our regulatory monitoring and reporting obligations (which may include laws outside your country of residence), to respond to requests from public and government authorities (which may include authorities outside your country of residence), to cooperate with law enforcement, or for other legal reasons.
Celltrion does not sell, rent, or trade personal data it collects with third parties. Any third parties to with whom Celltrion shares personal data are not permitted to sell, rent, or trade such personal data.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed without your specific authorization.
4. The Rights of Individuals
If you would like to request to review, correct, update, suppress, restrict or delete personal data that you have provided to us through the Site, or if you would like to request to receive an electronic copy of such personal data for purposes of transmitting it to another company, you may contact us at DPO@celltrion.com or DPO_EU@celltrion.com, if you live in EU/EEA. We will respond to your request consistent with applicable law.
In your request, please tell us what personal data you would like to have changed, whether you would like to have it suppressed from our database, or otherwise let us know what limitations you would like to put on our use of it. For your protection, we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable, but in any case within a calendar month.
If you live in Europe (EU/EEA), you have the following specific rights with respect to our use and processing of your personal data:
a) Right to be informed – you have the right to enquire what data is held about you as an individual.
b) Right to access – you have the right to request a copy of all data held about you as an individual, including emails in which your name has been mentioned, or other structured records.
c) Right of rectification – you have the right to request corrections to information held about you which is erroneous.
d) Right to data portability – you have the right to request structured personal data in a machine-readable format.
e) Right to opt-out from marketing – you have the right to opt-out from marketing purposes at any time.
Note that the Right to be forgotten (also known as "Right of Erasure") is not absolute, and may be denied to comply with a legal obligation. Furthermore, there is no right to object to processing, because the data is necessary to be processed for the performance of a contract (the exception to this is marketing.)
At any time, you have the right to complain to Celltrion's DPO or a relevant supervisory authority. This will usually be the Data Protection Authority located in the country where you are normally resident. The following link provides a list of the relevant authorities within the EU: https://edpb.europa.eu/about-edpb/board/members_en
5. How we store your Data; International Transfers
Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country.
Specifically, our servers are located in South Korea and our group companies and third party service providers and partners operate around the world. This means that when we collect your personal information, we may process it in any of these countries.
However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice. These include implementing the European Commission's Standard Contractual Clauses for transfers of personal information between our group companies, which require all group companies to protect personal information they process from the EEA in accordance with European Union data protection law.
Our Standard Contractual Clauses can be provided on request. We have implemented similar appropriate safeguards with our third-party service providers and partners and further details can be provided upon request.
South Korea is presently (2019) considered to be a 3rd country with respect to EU General Data Protection Regulation, however it is anticipated that it will soon receive an adjudication of adequacy, which will formally recognize the strength of its own data protection laws, at which time this will become the lawful basis for international transfers.
6. Security Measures
We seek to use reasonable organizational, technical and administrative measures to protect your personal data. Specific measures we use include encrypting your personal information in transit and at rest.
• Our organizational measures include establishment and implementation of internal management plans, regular employee training, etc.
• Our technical measures include installation of security programs, encryption of matters such as unique identifiers, installation of access control systems, and careful management of access authority.
• Our physical measures includes access controls for the data processing room or data storage room.
7. Data Retention
Unless otherwise required by law, the general retention period for each of the personal data obtained by us is as follows:
• Personal identification number for confirmation of name: 3 years
• Records on consumer complaints or settlement of disputes: 5 years from the termination date of handling the dispute
• Cases relating to product administration and medical information relating to the products: 5 years from receipt
• Personal data processed in connection with product research, development and improvement: 5 years after completion of the project (pseudonymized information will be kept after 5 years retention period)
When we have no ongoing legitimate business need to process your personal information or the applicable retention period elapses, whichever is later, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
This Site is neither designed nor intended for use by children under the age of 16. We do not knowingly collect any personal data from anyone under the age of 16 without the prior, verifiable consent of a parent or guardian. Such parent or guardian may have the right, upon request, to view the information provided by the child and require that it be deleted. Moreover, all minors should seek their parent's or guardian's permission prior to using or disclosing any personal data on this website or online resource.
9. How to complain
In the first instance, please contact our data protection officer via DPO@celltrion.com or DPO_EU@celltrion.com (if you live in EU/EEA). You may contact our EU data protection officer at the following address:
Data Protection Officer
Chaucer Group Limited
10 Lower Thames St
London EC3R 6EN
You can also complain to your local Data Protection Authority if you are unhappy with how we have used your data. Our Data Protection Representative is located in London, UK and the contact details of UK Data Protection Authority (ICO) is as follows:
Information Commissioner's Office
Wycliffe House,Water Lane,
Helpline number: 0303 123 1113
Last updated: May 31, 2019.