Your shopping cart is empty!
Furthermore, COVAC may share the data of those users (“Users”) who register on the website or app (the “Platform”) and of those persons who contact COVAC using the forms available on its Platform with each of the subsidiaries and companies of the COVAC Group for the purpose of offering the services requested by Users through the Platform.
Processing of Data of Users and Persons Who Contact COVAC
3.1 Data Processed
a) Information supplied directly by Users:
Registration Data: the information provided by Users when they create an account on the COVAC Platform: username and e-mail.
User Profile Information: the information added by Users on the Platform in order to be able to use the COVAC service; i.e. their mobile phone number and delivery address. Users can view and edit the personal data on their profile whenever they wish. COVAC does not store Users’ credit card details, but these are provided to licensed electronic payment service providers, who receive the data included directly and store it in order to facilitate the payment process for Users and to manage it on COVAC’s behalf. This information is under no circumstances stored on COVAC’s servers. Users may delete the details of the credit cards linked to their account at any time. This will trigger the service provider to delete the information, which will have to be re-entered or selected in order to place new orders through the Platform. Users may request such providers’ privacy policies at any time.
Additional information that Users wish to share: any information that a User could supply to COVAC for other purposes. Examples include a photograph of the User or the billing address in the case of Users who have asked to receive invoices from COVAC.
Information about previous communications with COVAC: COVAC will have access to the information supplied by Users for the resolution of any queries or complaints about the use of the platform, whether through the contact form, by e-mail or by phone through the customer service.
Information on accidents involving any of the parties involved in the provision of services through the Platform for the purpose of making insurance claims or carrying out any other actions with the insurance companies contracted by COVAC.
Transcription and recording of conversations held between the USER and COVAC for the processing of incidents, queries or any other consultations that may be made.
Information on Communications between Users and Mandataries: COVAC will have access to the communications exchanged between Users and the Mandatories that collaborate with the Platform by means of the chat system provided on the Platform.
b) Information indirectly supplied by Users:
- Data arising from the Use of the Platform: COVAC collects the data arising from Users’ Use of the Platform every time they interact with the Platform.
- Data on the application and the device: COVAC stores data on the device and the Application used by Users to access the services. This data is:
The IP address used by each User to connect to the Internet using his/her computer or mobile phone.
Information about his/her computer or mobile phone, such as his/her Internet connection, browser type, version and operating system, and type of device.
The full uniform resource locator (URL) Clickstream, including date and time.
Data from the User’s account: information on the orders made by each User, as well as feedback and/or comments made about them by such User.
The User’s browsing history and preferences.
- Data arising from the User’s origin: if a User arrives at the COVAC Platform through an external source (such as a link from another website or a social network), COVAC collects data on the source from which the COVAC User arrived.
- Data resulting from the management of incidents: if a User contacts the COVAC Platform through the Contact Form or on COVAC’s phone number, COVAC will collect the messages received in the format used by the User and may use and store them to manage current or future incidents.
- Data resulting from external third parties: COVAC may collect personal data or information from external third parties only if the User authorises such third parties to share that information with COVAC. For example, if a User creates an account through their Facebook account, Facebook could disclose to us the personal data of that User that can be found on his/her Facebook profile (such as name, gender or age).
Similarly, if a user accesses COVAC through products and services offered by Google, Google may send the User’s browsing data to COVAC, with access to the platform through the links created by Google.
- Geolocation Data: provided that this has been authorised by Users, COVAC will collect data relating to their location, including the real-time geographic location of their computer or mobile device.
3.2.1. To use the COVAC Platform
3.2.2. To send communications
COVAC uses Users’ personal data to communicate via e-mail and/or send them SMS messages relating to the operation of the service.
COVAC may send messages to the User’s mobile phone with information relating to the status of the order requested. When the order is completed, COVAC will send a summary/receipt of the order and price thereof to the User’s e-mail.
3.2.3. To detect and investigate fraud and possible criminal offences
COVAC also uses the information to research and analyse how to improve the services it provides to Users, as well to develop and improve the features of the service it offers. Internally, COVAC uses the information for statistical purposes in order to analyse User behaviour and trends, to understand how Users use the COVAC Platform and to manage and improve the services offered, including the possibility of adding new, different services to the Platform.
COVAC may monitor all actions that could result in fraud or in the commission of a criminal offence relating to the means of payment employed by users. COVAC may ask users for a copy of their ID card as well as for certain information on the credit card used to place the order. In any event, all data will be processed by COVAC for the sole purpose of fulfilling its fraud prevention and monitoring functions, and it shall be stored for as long as its relationship with the user concerned remains in force, and even after this time until the user’s right to make claims or take legal action relating to payment for the products or services ordered through COVAC has expired. The data relating to the credit card used will be retained until the incident has been resolved and for 120 days thereafter. If any irregularities in its use that could be considered illegal activities are detected, COVAC reserves the right to retain the data provided and to share it with the competent authorities in order to carry out the relevant investigation. COVAC may share the data with the authorities based on the legal obligation to prosecute conducts that are contrary to the applicable law.
3.2.4. To ensure security and an appropriate environment for the safe supply of services
COVAC may use the data in order to ensure the proper use of the products requested on its Platform (e.g. to guarantee pharmaceutical advice or to ensure the delivery is made to persons over the age of 18).
When COVAC is the intermediary for the collection of Pharmaceutical products, when the User enters the Pharmacy area of the Platform, he/she expressly authorises COVAC, where applicable, to provide the pharmacist with any personal data that may be necessary to enable the pharmacist responsible for dispensing the product to contact the purchaser, if he/she considers it appropriate, and provide relevant information on the treatment that will result in a correct use of the product and to dispatch it, thus ensuring that Pharmaceutical advice is given. The Pharmacist may not use the data for any other purpose than that of providing the advice needed to provide the service entrusted.
3.2.5. To comply with the legislation and bring and defend legal actions
COVAC informs the user that conversations with the Mandatary using the chat system may be reviewed and used by COVAC for the purpose of filing and/or defending any claims and/or legal actions that may be necessary, as well as to manage any incidents arising in connection with orders.
3.2.6. Promotion and commercial offers (on-line and off-line)
COVAC uses third-party technology integrated in its Platform for the purpose of collecting Users’ data and preferences and using this with CRM systems and advanced technology for the benefit of Users. The following processing will thus be carried out on their data through the information collected:
COVAC may send e-mails with promotional messages and/or offers relating to the service offered by it that may be of interest to Users. COVAC may gauge and personalise such advertising in accordance with its Users’ preferences. If a COVAC User does not wish to receive this information and/or commercial communications, he/she may at any time opt to “Unsubscribe” in the e-mail, and COVAC will immediately stop sending the aforementioned information.
COVAC may also send Users messages and/or offers relating to such services through “push” notifications consisting of sending such promotional messages and/or offers to their mobile phones. If a COVAC User does not wish to receive the commercial communications described in this clause and in 3.1 above, he/she may remove them all by disabling them with a single click in the privacy preferences of his/her profile.
COVAC and/or the third parties associated with COVAC may use the order delivery address entered by the User for the purpose of carrying out promotional activities for the delivery of samples or free products of the service related to COVAC which may be of interest to the User (e.g. home delivery of free samples or advertising brochures) at the same time as delivering the order.
As a result of using the COVAC Platform, Users may also receive commercial communications from third parties associated with the Platform, such as Facebook and Google, all this in accordance with the privacy preferences set by each User on the said Platforms.
Users may use their privacy management centre to unsubscribe from online marketing services or to close their account if they do not wish to receive samples with their COVAC orders.
3.2.7. For statistical and service analysis purposes
COVAC uses the information for statistical purposes in order to analyse User behaviour and trends, to understand how Users use the COVAC Platform and to manage and improve the services offered, including the possibility of adding new, different services to the Platform.
COVAC also uses the information to research and analyse how to improve the services it provides to Users, as well to develop and improve the features of the service it offers.
3.2.8. To ensure security and an appropriate environment for the safe supply of services
3.2.9. To process incidents and claims with insurance companies
If a User contacts COVAC to report the occurrence of any damage or unforeseen event that may be covered by COVAC’s insurance policy, COVAC shall process all data relating to the incident for the purpose of handling and responding to requests.
3.3 Legal Basis of Processing
Users’ data is processed in accordance with the following legal bases:
To perform the contractual relationship following Users’ registration on the Platform (for example, processing their data to deliver an order placed).
On the basis of our own legitimate interest (such as monitoring for the prevention of fraud through the Platform).
To fulfil our legal obligations (such as when competent authorities request data in connection with court investigations and/or with the filing of the necessary actions to protect COVAC’s interests.
Express consent for the disclosure of users’ data to third parties for the purpose of making commercial communications.
3.4 Recipients of the Data
3.4.1. When carrying out an order, data may be shared with:
The Mandatory who carries out the task of collecting and delivering the product.
The establishment or venue in charge of selling the product, if the User has requested the purchase of a product. If a User contacts the above-mentioned providers directly and gives them his/her data directly, COVAC will not be responsible for the providers’ use of such data.
The Customer Care Services contracted by COVAC for the purpose of warning the User of any possible incidents or asking why negative feedback has been given for the service. COVAC may use the data provided in order to manage any incidents that may occur during the provision of the services.
The payment Platform and payment service providers so that the amount can be charged to the User’s account.
Telecommunications service providers, when they are used to send communications regarding orders or incidents relating to orders.
Providers rendering satisfaction survey services on COVAC’s behalf.
3.4.2. Sharing User data with third parties
In order to continue providing the services offered through the Platform, COVAC may share certain personal data of Users with:
Pharmacies: COVAC may provide a User’s name and phone number to pharmacists dispensing products to those Users in order to ensure the provision of pharmaceutical advice in accordance with the current applicable legislation.
Payment Service Providers: When a User enters his/her card number on the COVAC Platform, this is stored directly by the Payment Platforms contracted by COVAC, which will allow payment to be charged to the User’s account. Payment service providers have been chosen based on their security measures and in any event complying with the security measures stipulated in the payment service legislation, and they are PC1 Compliant under the Payment Card Industry Data Security Standard or PCI DSS. COVAC does not store such data in any event.
Service providers for fraud control purposes: COVAC will share Users’ data with fraud control service providers to assess the risk of the transactions carried out.
Service providers for the anonymisation of some data: In order to prevent the misuse of Users’ data by third-party service providers, COVAC may disclose Users’ data for the purpose of anonymising it so that it can be used solely for the provision of the service to Users. For example, COVAC may assign Users’ telephone numbers to third parties in order to anonymise them and provide them in this format to the providers used to carry out the services contracted by Users.
Call centre and incident management services: In order to provide a Customer Service and call centres, actions to measure Users’ degree of satisfaction and the provision of administrative support services, COVAC may disclose Users’ data to companies located outside the EEA, provided it is authorised to do so and the security requirements mentioned in the preceding section have been met.
Telecommunications services: In order to be able to provide Users with telephone contact services, COVAC may contact telecommunications companies that provide secure lines and systems for the purpose of contacting Users.
Companies in the COVAC group: In order to be able to provide its services, COVAC may transfer certain personal data of Users to subsidiaries, based on the geographical area from which users request our services. Users are hereby informed that, when they register on the Platform from any country in which COVAC operates, their data will be stored on COVAC’s database, which is located in Ireland and belongs to the Spanish company COVAC. In the case of subsidiaries located outside the EEA, the data will be transferred, using the systems established by the European Commission and the GDPR, to countries with an appropriate personal data protection level or through contracts approved by the European Commission establishing and guaranteeing the rights of data subjects.
Third parties associated with COVAC for the purposes of commercial communications: COVAC may, with a User’s express consent, transfer his/her personal data to third parties associated with COVAC, provided that the User has given his/her express informed and unequivocal consent to such transfer of data and is aware of the purpose and recipient of such transfer.
Changes of ownership: If COVAC’s ownership changes or the majority of its assets are acquired by a third party, Users are informed that COVAC will transfer their data to the acquiring organisations in order to continue to provide the services subject to the processing of data. The new file controller will inform Users of its identification data. COVAC states that it will comply with its duty of information to the relevant Supervisory Authority in the event of such circumstances arising, and it shall inform Users of the change of file controller if and when this happens. This processing shall be carried out under the contract entered into with COVAC.
Insurance companies: COVAC may provide users’ data to those insurers and insurance brokers with which it has an agreement in place for the management and processing of claims and losses arising from the activity carried out by COVAC and the parties that collaborate with it.
COVAC Users’ data will not be disclosed to any third parties unless: (i) this is necessary in order to provide the services requested if COVAC is collaborating with third parties; (ii) if COVAC has the User’s express and unambiguous authorisation; (iii) where this has been requested by a competent authority pursuant to its functions (in order to investigate, prevent or take action in relation to illegal actions); or (iv) finally, where required by law.
3.5. Processing the Data of Job Applicants who Contact COVAC Using the Forms in the COVAC Jobs Section
These provisions shall apply to those persons who contact COVAC through its website for the purpose of applying for an available position (“Applicants”).
To consider the Applicant’s present or future suitability for any of the positions available at COVAC.
In addition, COVAC shall process the Applicant’s data for the purpose of conducting any interviews it may deem necessary for the position, test the Applicant’s knowledge, contact companies for which he/she has previously worked, check references, and assess the Applicant’s skills and abilities in general.
3.5.3. Legal Basis for Processing
3.5.4. Recipients of the Data
An Applicant’s data may be accessed by technology service providers and platforms contracted by COVAC for the purpose of managing its recruitment processes. An example of these is Greenhouse Software, Inc., which is located in the United States of America and has been contracted by COVAC to manage its recruitment tasks and contracting processes. This means that the personal data of Applicants located outside the United States will be transferred to the United States. Since the EU Commission has decided that US data privacy laws do not provide an adequate level of protection for personal data, the transfer will be subject to appropriate additional safeguards in accordance with standard contractual terms and/or the Privacy Shield scheme. At the same time, the Applicant’s data will be stored on Google, Inc. and on the servers of Amazon Web Services, which will act as processors and which are in compliance with the General Data Protection Regulation, and COVAC has a written agreement with each of them.
Depending on the position for which the Applicant is applying, his or her personal information may be transferred to other COVAC group companies for the purpose of assessing his/her application for the relevant country.
3.5.5. Retention of Data
3.6. International Data Transfers
When choosing service providers, COVAC may transfer users’ data outside the borders of the European Economic Area. In such cases, COVAC will ensure before sending the data that such service providers are in compliance with the minimum security standards established by the European Commission and that they always process the data in accordance with COVAC’s instructions. COVAC may have a contractual relationship with them under which the service providers agree to comply with COVAC’s instructions and to put in place the necessary security measures to protect Users’ data.
3.7. Retention Periods
Users’ data will be retained during the performance and maintenance of the contractual relationship; i.e. for as long as they are COVAC Users or until they exercise their right to restrict the processing of their data.
Once a User has cancelled his or her registration with the Platform, COVAC will keep his or her data for the time established in the tax, health, criminal and any other legislation that may apply, for the purpose of filing and defending any actions to which COVAC may be a party. COVAC will in any event block Users’ data so that it can only be consulted if an action has to be filed or defended in connection with it.
Specifically but without excluding any other legislation that may apply, the data will be retained following termination by the User as provided in the table in Annex II.
Regarding anonymous information, COVAC will apply everything set forth in Recital 26 of the GDPR, according to which “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”
Exercise of Rights
Users may exercise their rights free of charge at any time using the form available on the Platform. They may also exercise their rights by sending an e-mail to the following e-mail address: email@example.com. The e-mail must specify which right they wish to exercise, as well as, where applicable, the identifying data registered on the Platform. We will contact the User if we need additional data to that provided in order to verify his or her identity.
You may exercise the following rights vis-à-vis COVAC:
The right of access to your personal data in order to know which data is being processed and the processing operations carried out thereon;
The right to correct any inaccuracies in relation to your personal data;
The right to the erasure of your personal data, where possible;
The right to request the restriction of processing of your personal data when the accuracy, legality or need for processing of the data is in question, in which case we may retain the data for the purpose of filing or defending claims.
The right to object to the processing of your data in order to resolve any query you may have raised with us through the contact form, and the right to object to the processing of your data on social media and/or for the purpose of processing your CV. In addition, you may withdraw your consent to the receipt of commercial communications at any time, through the Platform User profile, either by sending an e-mail or by using the link provided for this purpose in every commercial communication.
If you believe that COVAC is in breach of data protection law, please do not hesitate to contact us at the e-mail address firstname.lastname@example.org telling us what you consider to be the case, so that we can resolve the problem as soon as possible. In any event, you may also report it to the Spanish Data Protection Agency (Agencia Española de Protección de Datos) and file a claim with the said body for the protection of your rights.
COVAC has taken the necessary steps and the competent authority to maintain the required security level, according to the nature of the personal data processed and the circumstances of the processing, in order to avoid, to the extent possible and always in accordance with the state of the art, its alteration, loss or unauthorised access or processing. As mentioned above, the personal data supplied will not be disclosed to third parties without the data subject’s prior authorisation.
Notifications and Modifications