personal-data

Personal Data Policy

Last update: December 2025

Definitions

“Personal Data”: any information relating to an identified or identifiable natural person, as defined by Regulation (EU) 2016/679 of 27 April 2016 and any subsequent equivalent legislation.
“Processing Purposes”: the objective pursued by the use of Personal Data.

“Applicable Data Protection Laws” or “Applicable Laws”: Law No. 78-17 of 6 January 1978 on data processing, data files and individual liberties as amended by Law No. 2004-801 of 6 August 2004 on computer processing of personal data, by Law No. 2016-1321 of 8 October 2016 for a Digital Republic, as well as the European General Data Protection Regulation (EU) 2016/679 and Law No. 2018-493 of 20 June 2018 on the protection of personal data, and any subsequent equivalent legislation, and/or any applicable law or regulation in force relating to data protection.

“Third Country”: any country outside the European Union that does not have legislation deemed adequate for the processing of Personal Data, as determined by the European Commission.

“Data Controller”: the legal entity (company, municipality, etc.) or natural person who determines the purposes and means of processing, i.e., the objective and how it is carried out. For this Policy, the Data Controller is ISISPHARMA France, registered with the Lille Trade and Companies Register under number 499855013, with registered office at 29 Avenue de la Marne, Parc des 3 Chênes, 59290 WASQUEHAL.

“Processing”: any operation or set of operations performed with or without automated means and applied to Personal Data or sets of Personal Data, such as collection, recording, organization, structuring, storage, disclosure by transmission, dissemination, extraction, consultation of Personal Data, as defined by Regulation (EU) 2016/679 of 27 April 2016 and any subsequent equivalent legislation.

“Website”: the Data Controller’s website available at: isispharma.fr

“Processor”: the third party that processes Personal Data on behalf of the Data Controller.

“User” or “You”: the natural person whose Personal Data is collected and processed under this Policy.

This Personal Data Protection Policy detailed below (hereinafter the “Policy”) has been drafted so that You may become aware of the practices and conditions under which the Data Controller collects, uses and stores your Personal Data when You browse the Website.

Personal Data is processed in a lawful, fair and transparent manner.

The Personal Data collected is adequate, relevant and limited to what is strictly necessary in light of the Processing Purposes.

Purposes of the Processing of Personal Data

The Data Controller collects the User’s Personal Data in order to:

  • Process your request submitted via the form available on the Website, depending on the selected section, namely: partnership requests, product information requests, reports of defective products, opportunity searches, and reports of adverse effects relating to one of ISISPHARMA’s products;
  • Process your application for an internship or a job via the form available on the Website;
  • Manage requests to exercise data subject rights.

Categories of Personal Data Collected

The User is informed that the Data Controller collects and processes Personal Data, including in particular:

  • When the User submits a request via the form: identification data, contact data, and any information provided in the request;
  • When the User reports an adverse effect of a product: identification data, contact data, any data relating to the adverse effect observed, and any data provided at the time of reporting;
  • When the User submits a request to exercise rights: identification data and any data provided in the request;
  • When the User applies via the contact form: identification data, contact data, and any data relating to the application.

Personal Data may come directly from You or be collected automatically. This Personal Data is collected for the purposes described above and is marked with an asterisk (*) when it is mandatory.

The Website is not intended for minors under the age of thirteen. Any collection and processing of Personal Data of minors under thirteen on the Website is incidental. In certain cases, such as the reporting of adverse effects, we may process Personal Data of minors with the consent of their parents.

Retention Period for Personal Data

The Data Controller will retain Personal Data for as long as necessary for the purposes for which it was collected and processed, namely:

  • For any other request or product information request submitted via the contact form: for the time necessary to process the request;
  • For partnership management: for the duration of the partnership and 5 years thereafter;
  • For the management of reports of defective products: for the duration the product is on the market;
  • For any report of an adverse effect: for the time necessary to manage the report and up to 70 years thereafter in archives;
  • When the User applies via the contact form: 2 years from the application date;
  • To respond to requests for access, rectification and objection: the calendar year of the request plus 5 years.

Legal Basis for the Processing of Personal Data

The Data Controller processes Personal Data on a specifically identified legal basis, namely:

  • Its legitimate interest in processing Personal Data in order to respond to the request submitted via the contact form;
  • The performance of pre-contractual measures for recruitment and for managing partnership requests;
  • Compliance with legal obligations, in particular when handling requests to exercise rights and managing reports of defective products and adverse effects.

Who Processes Your Personal Data?

Recipients Reasons for Sharing
Our staff:
• Marketing department
• IT department
• Quality department
• Cosmetovigilance department		 For the processing operations as defined in the purposes mentioned above.

For the management of adverse effect reports, only the cosmetovigilance department will have access to the reports, to the exclusion of any other internal department.
Processors and service providers We share data with service providers and processors that help us operate, promote and improve the Website. For more information, please refer to Section 7 of this Policy.
Law enforcement authorities We may disclose your data to: (i) comply with a legal process such as a court order, subpoena or search warrant, a government investigation/law enforcement authorities or other legal requirements; (ii) help prevent or detect criminal offences; (iii) protect the safety of any individual; (iv) transmit and manage adverse effects with the competent health authorities (ANSM); and (v) establish, exercise, enforce or defend legal claims.

Recipients
Data collected by the Data Controller is processed internally, but may also be transmitted to third parties.

Reasons for Sharing
Our staff:
• Marketing department
• IT department
• Quality department
• Cosmetovigilance department For the processing operations as defined in the purposes mentioned above.

For the management of adverse effect reports, only the cosmetovigilance department will have access to the reports, to the exclusion of any other internal department.
Processors and service providers We share data with service providers and processors that help us operate, promote and improve the Website. For more information, please refer to Section 7 of this Policy.
Law enforcement authorities We may disclose your data to: (i) comply with a legal process such as a court order, subpoena or search warrant, a government investigation/law enforcement authorities or other legal requirements; (ii) help prevent or detect criminal offences; (iii) protect the safety of any individual; (iv) transmit and manage adverse effects with the competent health authorities (ANSM); and (v) establish, exercise, enforce or defend legal claims.

Data Controller Commitments

  • process Personal Data only for the purposes described above;
  • process Personal Data in accordance with Applicable Laws;
  • in the event of a transfer of Personal Data to a third country or to an international organization, inform the User in advance;
  • ensure the confidentiality of Personal Data by taking all appropriate technical and organizational measures to (i) prevent access to Personal Data by unauthorized persons, (ii) perform identity and access checks via an authentication system and a password policy, (iii) use an authorization management system, and (iv) store your Data on secure servers protected by different systems and protocols such as firewalls, antivirus and restricted access;
  • ensure that any data transmitted as part of an adverse effect report is collected and processed securely and confidentially to protect the concerned Users;
  • ensure that persons authorized to process Personal Data commit to confidentiality or are subject to a confidentiality obligation and receive the necessary training in Personal Data protection;
  • take into account data protection by design for its tools, applications or services;
  • delete, anonymize or archive Personal Data at the end of the retention period;
  • the Data Controller shall not be liable for security incidents related to the User’s use of the Internet, in particular in the event of loss, alteration, destruction, disclosure or unauthorized access to the User’s data or information.

Processors / Transfers of Personal Data

The User agrees that Personal Data concerning them may be transmitted to Processors and recipients solely for the purposes of carrying out the aforementioned Processing Purposes, provided they are subject to regulations ensuring an appropriate level of protection as defined by the GDPR.

For this purpose, the Data Controller enters into a data protection agreement with each Processor defining the terms and conditions for the processing of Personal Data.

In the event of a transfer of all or part of the Personal Data to a Third Country, i.e., located outside the European Union or not providing a level of protection recognized as adequate under Applicable Laws, or to an international organization, appropriate safeguards provided for under Applicable Laws will be put in place and respected by the Processors.

You can find below the list of Processors and any transfers of Personal Data:

Purpose Processor Location
Technical maintenance of the website Welp Agency and Les Animals (agencies) France
Hosting OVH France

 

Under no circumstances does the Data Controller sell, rent, or use Personal Data for any purposes other than those specified. Personal Data is disclosed to third parties only for the purpose of carrying out the Processing Purposes.

Exercising Your Rights

The following rights are guaranteed to the User: right of access, rectification, erasure and objection, right to restriction of processing, right to data portability, and the right not to be subject to an automated individual decision (including profiling).

With regard to the processing of Personal Data related to the reporting of adverse effects, this processing being necessary to comply with a legal obligation within the framework of health vigilance to which the Data Controller is subject, the User is informed that the exercise of the rights to object and to erasure is limited.

You may exercise these rights by sending an email to: donneespersonnelles@isispharma.com.

The Data Controller then has one month to respond to any request relating to the exercise of your rights. This period may be extended by two months due to the complexity or the large number of requests.

Finally, you have the right to lodge a complaint with the French Data Protection Authority (CNIL), in particular on its website: www.cnil.fr.

Policy Updates

The Data Controller regularly updates this Policy, which remains available on the Website at any time.