GDPR

1. General Information
a) Introduction
The following statements are provided by Alliance Healthcare s.r.o., headquartered at Podle Trati 624/7, 108 00 Prague 10, ID No.: 14707420, registered in the Commercial Register maintained by the Municipal Court in Prague, section C, insert 87837 (hereinafter referred to as "Alliance Healthcare"), to inform about the processing of personal data, particularly in connection with the contractual relationship with its buyers/customers—especially pharmacy operators when concluding contractual documentation with customers or establishing their access to the customer zone on the Alliance Healthcare website (hereinafter referred to as "Contractual Documentation").

Personal data refers to any information about an identified or identifiable natural person (such as name and surname, address, phone number, or email address, etc.).

Alliance Healthcare further presents and informs its buyers/customers/applicants primarily about which personal data are processed in connection with the Contractual Documentation, the purposes of this processing, and their rights, i.e., the rights of buyers/customers/applicants regarding such processing according to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in relation to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (hereinafter referred to as “GDPR”).

b) Controller
Alliance Healthcare is the “controller” (Article 4(7) GDPR) for any processing of data in connection with the Contractual Documentation and thus is responsible for the processing of relevant personal data of buyers/customers/applicants. If a buyer/customer/applicant has any questions, requests, or other comments regarding the processing of their personal data, they can contact Alliance Healthcare at any time using the following contact details:
Alliance Healthcare s.r.o., Podle Trati 624/7, 108 00 Prague 10
Email address: GDPR@a-h.cz

2. Information Regarding the Processing of Personal Data
a) Categories of Data Processed by Alliance Healthcare in Connection with the Contractual Documentation:

• Data about the buyer/customer/applicant: Business name, registered office/business address, identification number (ID No.), contact details (e.g., phone number, email address), bank account information, tax information (e.g., tax identification number), and other data provided by the buyer/customer/applicant during the duration of the Contractual Documentation;
• Data about the contact persons of the buyer/customer/applicant: Contact details (e.g., name and surname of the contact person, job position, work phone number, and work email address, etc.).

b) Purposes and Legal Basis for Processing under the Contractual Documentation:

• Data about the buyer/customer/applicant: Alliance Healthcare processes data about the buyer/customer/applicant for the purposes of fulfilling the Contractual Documentation. This processing is based on Article 6(1)(b) GDPR. Furthermore, Alliance Healthcare processes data about the buyer/customer/applicant for the identification of the buyer/customer/applicant, for assessing the financial suitability of the buyer/customer/applicant, for preparing and enforcing claims, for providing support/services to the buyer/customer/applicant, for internal statistics and risk management, for compliance with regulations, and for data security purposes, calculating bonuses, and executing transfer orders. This processing is based on Article 6(1)(f) GDPR. These purposes are closely related to fulfilling the Contractual Documentation and represent the legitimate legal and economic business interest of Alliance Healthcare. Moreover, Alliance Healthcare may process the data of the buyer/customer/applicant if the processing is necessary to fulfill a legal obligation, e.g., for reporting to (tax) authorities. In this case, the processing is based on Article 6(1)(c) GDPR.
• Data about the contact persons of the buyer/customer/applicant: For the purposes of fulfilling the Contractual Documentation, it is necessary for Alliance Healthcare to process data about the contact persons of the buyer/customer/applicant (e.g., employees) to a certain extent, e.g., for communication with contact persons within the Contractual Documentation. This processing is conducted based on Article 6(1)(f) GDPR. It is a legitimate interest of Alliance Healthcare to process data about the contact persons of the buyer/customer/applicant for the purposes of fulfilling the Contractual Documentation even if they are not themselves a contractual party, as otherwise, fulfilling the Contractual Documentation would not be possible.

c) Communication with Buyers/Customers/Applicants via Call Center or Website
Alliance Healthcare can be contacted by a buyer/customer or a third party without any contractual or other relationship with Alliance Healthcare via i) the call center and phone lines listed on the website www.a-h.cz or directly via ii) the special website www.alphega.cz as specified below, or iii) the customer zone of Alliance Healthcare as specified below.

If Alliance Healthcare is contacted via the call center, the caller is always informed at the beginning of each call that the call may be monitored or recorded. Alliance Healthcare retains the entire call record, and the retention period of the call record depends on the purpose and subject of the call. In this case, personal data provided by the caller will be processed by Alliance Healthcare, particularly to the extent specified in Article 2(a) of this information.

If Alliance Healthcare is contacted by a buyer/customer or a third party without any contractual relationship through the website www.alphega.cz or the customer zone of Alliance Healthcare, which are primarily intended for communication between AH and pharmacy operators, personal data that the buyer/customer or third party provided or attached in the attachments on the website or in the customer zone will be processed, particularly to the extent specified in Article 2(a) of this information for contact persons and their expertise and contact addresses.

The purposes of processing personal data are primarily i) to handle inquiries, requests, complaints, grievances, or other demands, ii) to order goods by processing the received order (i.e., concluding a purchase agreement), reserving or complaining about goods, iii) subsequently retaining a recording of the call or communication as evidence that the inquiry or request was delivered/processed, a purchase agreement was concluded, a reservation was made, or goods were complained about, etc.

Personal data provided through any of the aforementioned methods of communication and the content of that communication will be retained by Alliance Healthcare only for the time necessary to process the relevant request. If it is necessary to process personal data for a longer period, the conditions and time frames mentioned in point (f) of this information and established by applicable legislation will apply.

The legal basis for the above processing of personal data is the legitimate interest of Alliance Healthcare under Article 6(1)(f) GDPR related to handling the relevant request or fulfilling the relevant contract in the case of processing an order for the delivery of goods or provision of services.

d) Monitoring Our Facilities with a Camera System
The premises of Alliance Healthcare (i.e., headquarters and individual distribution warehouses) are continuously monitored by a camera system with recording for the purpose of ensuring the safety of its employees, buyers/customers, contractual partners, and third parties, as well as for protecting its property and equipment. Areas monitored by the camera system are always marked with pictograms. Camera recordings are provided to administrative authorities or criminal law enforcement authorities in cases required by applicable legislation. The processing of personal data for these purposes is based on the legitimate interest of Alliance Healthcare under Article 6(1)(f) GDPR.

e) Recipients of Personal Data
To achieve the above purposes, Alliance Healthcare uses service providers, i.e., as data processors according to Article 28 GDPR, such as IT service providers including maintenance, email dispatch providers, providers of personalized printing, etc. These may be external service providers or affiliated entities of Alliance Healthcare located in countries within the European Union (EU) and the European Economic Area (EEA) as well as outside of them. Through contractual provisions, Alliance Healthcare ensures that these service providers process personal data in accordance with European data protection laws to guarantee a high level of data protection, even when personal data are transferred to a country where a different level of data protection is customary and where there is no adequacy decision from the EU Commission. Other transfers of personal data to other recipients do not take place, except in cases where Alliance Healthcare is obligated to do so by law or does so according to the concluded contractual documentation, but solely for the purposes stated in point (b) of this article. For more information on the relevant safeguards for international data transfers, please contact Alliance Healthcare using the contact details provided in Article 1(b) of this information.

f) Provision of Data and Retention Period
Providing the data specified in Article 2(a) in the first paragraph of this information is mandatory for fulfilling the Contractual Documentation. In general, Alliance Healthcare retains the personal data of the buyer/customer/applicant provided under Article 2(a) of this information until the Contractual Documentation is terminated and/or as long as Alliance Healthcare has a legitimate interest that allows it to retain such data. To the extent that any personal data is subject to a legal retention period, Alliance Healthcare will retain the relevant data for the period specified in the relevant provisions of the legislation. In this second case, the data will be retained in a limited form, and further processing is only permitted to fulfill a legal obligation, to establish, exercise, or defend legal claims, to protect the rights of another person, or for reasons of significant public interest.

Furthermore, personal data provided by the buyer/customer/applicant or a third party according to Article 2(c) of this information during inquiries, requests, complaints, grievances, or other submissions will be processed by Alliance Healthcare only for the necessary time, usually for up to 3 years, in necessary cases up to 10 years (see maximum duration required by legal regulations, for example, for accounting and tax regulations concerning the sale of goods or provision of services) from the moment relevant for the retention period. The relevant moment is considered, for example, the order of goods or services, the filing of a complaint, or another action associated with the necessity of processing personal data. Retention of personal data for the purposes of fulfilling legal obligations is based on Article 6(1)(c) GDPR. At the same time, Alliance Healthcare typically retains records of telephone calls for up to 30 days, with exceptions if the need to retain the call record for a longer period arises from the nature or seriousness of the subject of the call or applicable legal regulations.

Camera recordings according to Article 2(d) of this information are retained by Alliance Healthcare for a maximum of 30 days, except in cases where they are needed to defend its legal claims or are retained for a longer period in accordance with applicable legal regulations.

If the processing of personal data is carried out based on the consent of the buyer/customer/applicant or another third party, the processing is always conducted only for the duration for which the consent was granted or until the granted consent is revoked.

3. Rights of Buyers/Customers/Applicants and Third Parties
A buyer/customer/applicant or third party, as the data subject, may contact Alliance Healthcare at any time with a notification in any form using the contact details provided in Article 1(b) of this information, and in the case of email communication to the address: GDPR@a-h.cz to exercise their rights under GDPR. These rights are as follows:

• The right to receive information about the processing of data and a copy of the processed data (right of access, Article 15 GDPR),
• The right to request the correction of inaccurate data or completion of incomplete data (right to rectification, Article 16 GDPR),
• The right to request the deletion of personal data and, if the personal data has been published, to inform other controllers about the request for deletion (right to erasure, Article 17 GDPR),
• The right to request the restriction of data processing (right to restriction of processing, Article 18 GDPR),
• The right to obtain personal data concerning the data subject in a structured, commonly used, and machine-readable format and to request the transfer of this data to another controller (right to data portability, Article 20 GDPR),
• The right to object to data processing to stop it (right to object, Article 21 GDPR),
• The right to revoke consent at any time to stop the processing of data based on that consent. The revocation of consent does not affect the legality of processing based on consent granted before such revocation (right to withdraw consent, Article 7 GDPR),
• The right to lodge a complaint with a supervisory authority if the data subject believes that their rights to personal data protection have been violated (right to lodge a complaint with a supervisory authority, Article 77 GDPR).

1. General Information
a) IntroductionThe following statements are provided by Alliance Healthcare s.r.o., with its registered office at Podle Trati 624/7, 108 00 Prague 10, ID No.: 14707420, registered in the Commercial Register maintained by the Municipal Court in Prague, section C, insert 87837 (hereinafter referred to as "Alliance Healthcare"). This document provides information about the processing of personal data, particularly in relation to the contractual relationship with its contractual partners - manufacturers, service providers, and suppliers (hereinafter referred to as "Contractual Documentation").

Personal data refers to any information about an identified or identifiable natural person (such as name and surname, address, phone number, or email address, etc.).

Alliance Healthcare further presents and informs its contractual partners about the types of personal data processed in connection with the Contractual Documentation, the purposes of this processing, and their rights, i.e., the rights of manufacturers, service providers, and suppliers regarding such processing under Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (hereinafter referred to as "GDPR").

b) ControllerAlliance Healthcare is the "controller" (Article 4(7) GDPR) for any data processing in connection with the Contractual Documentation and is therefore responsible for processing the relevant personal data of manufacturers, service providers, and suppliers. If a manufacturer, service provider, or supplier has any questions, requests, or other comments regarding the processing of their personal data, they can contact Alliance Healthcare at any time using the following contact details:
Alliance Healthcare s.r.o., Podle Trati 624/7, 108 00 Prague 10

Email address: GDPR@a-h.cz

2. Information Regarding the Processing of Personal Data
a) Categories of Data Processed by Alliance Healthcare in Connection with the Contractual Documentation:

• Data about the manufacturer/service provider/supplier: Business name, registered office/business address, identification number (ID No.), contact details (e.g., phone number, email address), bank account information, tax information (e.g., tax identification number), and other data provided by the manufacturer/service provider/supplier during the duration of the Contractual Documentation;
• Data about the contact persons of the manufacturer/service provider/supplier: Contact details (e.g., name and surname of the contact person, job position, work phone number, and work email address, etc.).

b) Purposes and Legal Basis for Processing in Connection with the Contractual Documentation:

• Data about the manufacturer/service provider/supplier: Alliance Healthcare processes data about the manufacturer/service provider/supplier for the purposes of fulfilling the Contractual Documentation. This processing is based on Article 6(1)(b) GDPR. Furthermore, Alliance Healthcare processes data about the manufacturer/service provider/supplier for the identification of the manufacturer/service provider/supplier, for assessing the financial suitability of the manufacturer/service provider/supplier, for preparing and enforcing claims, for providing support/services to the manufacturer/service provider/supplier, for internal statistics and risk management, for compliance with regulations, and for data security purposes. This processing is based on Article 6(1)(f) GDPR. These purposes are closely related to fulfilling the Contractual Documentation and represent the legitimate legal and economic business interest of Alliance Healthcare. Additionally, Alliance Healthcare may process the data of the manufacturer/service provider/supplier if the processing is necessary to fulfill a legal obligation, e.g., for reporting to (tax) authorities. In this case, the processing is based on Article 6(1)(c) GDPR.
• Data about the contact persons of the manufacturer/service provider/supplier: For the purposes of fulfilling the Contractual Documentation, it is necessary for Alliance Healthcare to process data about the contact persons of the manufacturer/service provider/supplier (e.g., employees and/or subcontractors of the manufacturer/service provider/supplier) to a certain extent, e.g., for communication with contact persons within the Contractual Documentation. This processing is conducted based on Article 6(1)(1)(f) GDPR. It is a legitimate interest of Alliance Healthcare to process data about the contact persons of the manufacturer/service provider/supplier for the purposes of fulfilling the Contractual Documentation even if they are not themselves a contractual party, as otherwise, fulfilling the Contractual Documentation would not be possible.

c) Monitoring Our Facilities with a Camera System
The premises of Alliance Healthcare (i.e., headquarters and individual distribution warehouses) are continuously monitored by a camera system with recording for the purpose of ensuring the safety of its employees, customers, contractual partners, and third parties, as well as for protecting its property and equipment. Areas monitored by the camera system are always marked with pictograms. Camera recordings are provided to administrative authorities or law enforcement authorities in accordance with applicable legislation. The processing of personal data for these purposes is based on the legitimate interest of Alliance Healthcare under Article 6(1)(1)(f) GDPR.

d) Recipients of Personal Data
To achieve the purposes mentioned above, Alliance Healthcare uses service providers, i.e., as data processors according to Article 28 GDPR, such as IT service providers including maintenance, email dispatch providers, etc. These may be external service providers or affiliated entities of Alliance Healthcare located in countries within the European Union (EU) and the European Economic Area (EEA) as well as outside of them. Through contractual provisions, Alliance Healthcare ensures that these service providers process personal data in accordance with European data protection laws to guarantee a high level of data protection, even when personal data are transferred to a country where a different level of data protection is customary and where there is no adequacy decision from the EU Commission. Other transfers of personal data to other recipients do not take place, except in cases where Alliance Healthcare is obliged to do so by law. For more information on the relevant safeguards for international data transfers, please contact Alliance Healthcare using the contact details provided in Article 1(b) of this information.

e) Provision of Data and Retention Period
Providing the data specified in Article 2(a) in the first paragraph of this information is mandatory for fulfilling the Contractual Documentation. In general, Alliance Healthcare retains the personal data of the manufacturer/service provider/supplier provided under Article 2(a) of this information until the Contractual Documentation is terminated and/or as long as Alliance Healthcare has a legitimate interest that allows it to retain such data. To the extent that any personal data is subject to a legal retention period, Alliance Healthcare will retain the relevant data for the period specified in the relevant provisions of the legislation. In this second case, the data will be retained in a limited form, and further processing is only permitted to fulfill a legal obligation, to establish, exercise, or defend legal claims, to protect the rights of another person, or for reasons of significant public interest.

Camera recordings according to Article 2(c) of this information are retained by Alliance Healthcare for a maximum of 30 days, except in cases where they are needed to defend its legal claims or are retained for a longer period in accordance with applicable legislation.

If the processing of personal data is carried out based on the consent of the manufacturer/service provider/supplier, the processing is always conducted only for the duration for which the consent was granted or until the granted consent is revoked.

3. Rights of Contractual Partners
The manufacturer/service provider/supplier, as the data subject, may contact Alliance Healthcare at any time with a notification in any form using the contact details provided in Article 1(b) of this information, and in the case of email communication, to the address: GDPR@a-h.cz to exercise their rights under GDPR. These rights are as follows:

• The right to receive information about the processing of data and a copy of the processed data (right of access, Article 15 GDPR),
• The right to request the correction of inaccurate data or the completion of incomplete data (right to rectification, Article 16 GDPR),
• The right to request the deletion of personal data and, if personal data have been published, to inform other controllers about the request for deletion (right to erasure, Article 17 GDPR),
• The right to request the restriction of data processing (right to restriction of processing, Article 18 GDPR),
• The right to obtain personal data concerning the data subject in a structured, commonly used, and machine-readable format and to request the transfer of this data to another controller (right to data portability, Article 20 GDPR),
• The right to object to data processing to stop it (right to object, Article 21 GDPR),
• The right to withdraw consent at any time to stop the processing of data based on that consent. The withdrawal of consent does not affect the legality of processing based on consent granted before such withdrawal (right to withdraw consent, Article 7 GDPR),
• The right to lodge a complaint with a supervisory authority if the data subject believes that their rights to personal data protection have been violated (right to lodge a complaint with a supervisory authority, Article 77 GDPR).

Due to possible changes in legislation or processing conditions, Alliance Healthcare may need to make changes to these terms or information regarding the processing of personal data. In such a case, Alliance Healthcare will inform the manufacturer/service provider/supplier of such changes by publishing these changes on the Alliance Healthcare website www.a-h.cz in the relevant section or by sending a notification to the provided contact details.

1. Introductory ProvisionsAlliance Healthcare s.r.o., with its registered office at Podle Trati 624/7, Prague 10, ID No.: 14707420, registered in the Commercial Register maintained by the Municipal Court in Prague, section C, insert 87837 (hereinafter referred to as the "Controller"), as an operator of a pharmacy and medical device dispensing facility in the Czech Republic (hereinafter collectively referred to as the "Pharmacy"), hereby informs, in accordance with i) Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as "GDPR," and ii) national (local) legal regulations concerning the processing of personal data, about the conditions under which personal data of customers, as data subjects, is processed in the operation of the Pharmacy.

According to GDPR and applicable legal regulations, personal data is any information relating to an identified or identifiable data subject. A data subject is considered identified or identifiable if they can be identified directly or indirectly, particularly based on a number, code, or one or more specific elements related to their physical, physiological, mental, economic, cultural, or social identity; personal data includes, for example, name, surname, email, mobile phone, address; personal data can also relate to purchase preferences when combined with other personal data (hereinafter collectively referred to as "personal data").

The personal data of the data subject is processed in accordance with this information and generally binding applicable legal regulations concerning the protection of personal data. The processing of personal data according to GDPR and applicable legal regulations is any operation or set of operations performed on personal data automatically or manually, by electronic means or otherwise, particularly collecting, storing on information carriers, making available, modifying or altering, searching, using, transmitting, preserving, sorting or combining, blocking, and destroying (hereinafter referred to as "processing").

The provision and processing of personal data is necessary for the purposes specified below. The processing of personal data is also necessary for the fulfillment of the contractual relationship established between the Controller and the customer, for fulfilling the Controller's obligations arising from generally binding applicable legal regulations, particularly from regulations governing the provision of health services, handling medicinal products, and consumer protection, as well as for protecting the legitimate interests of the Controller in demonstrating compliance during inspections by the relevant supervisory authorities and for ensuring the defense and enforcement of the Controller's rights. Therefore, the provision of personal data is mandatory, and if the requested personal data is not provided, the Controller cannot provide health services to the customer and/or exercise the customer's rights arising from the contractual relationship established with the Controller.

The processing of personal data regarding the customer's health status involves processing by the Controller of personal data that, according to applicable legal regulations, is a special category of personal data.

This information does not describe the processing of customers' personal data related to the offer and purchase of goods through the Alphega e-shop operated by the Controller; further information on the processing of customers' personal data within the operation of the Alphega e-shop is available on the e-shop's website:
www.alphega.cz .

Contact details of the Controller: Alliance Healthcare s.r.o., Podle Trati 624/7, 108 00 Prague 10.
Email address: GDPR@a-h.cz

The Controller processes personal data according to this information always under the conditions of GDPR and other applicable legal regulations, with professional care and professionalism, transparently, and ethically, and processes only the personal data that are necessary for the specified purpose of processing. The Controller adheres to all principles of GDPR in any processing of personal data, particularly the principles of data minimization, accountability, integrity, confidentiality, accuracy, etc.

The Controller further states that due to possible changes in legislation or processing conditions, it may be necessary to make changes to this information or the provided information regarding the processing of personal data. In such a case, the Controller will inform customers of such changes by publishing these changes on its website www.a-h.cz in the relevant section, or by notifying the customer at their contact details, if the Controller has them available.

2. Processing of Personal Data, Purpose of Processing Personal Data, and Duration of ProcessingThe Controller processes the personal data of customers, as data subjects, in accordance with this information, GDPR, and generally binding applicable legal regulations for the purposes of operating the pharmacy.

Part A) Dispensing with a Medical PrescriptionFor the purpose of dispensing a medicinal product, medical device, or food for special medical purposes (hereinafter collectively referred to as "Product") based on a medical prescription, the Controller processes the personal data of the customer, as the data subject, to whom the Product was prescribed, including their insurance number or date of birth (if not insured), the customer's insurer code, diagnosis if stated on the prescription, identification of the prescribing healthcare provider, type and quantity of prescribed and dispensed Product, and date of dispensing the Product.

If the Product is individually prepared for the customer by the pharmacy, in addition to the above personal data, the customer's name and surname are also processed.

In cases where applicable legal regulations stipulate that the Product can only be dispensed on a prescription marked with a blue stripe, the Controller processes, in addition to the above personal data, the customer's name, surname, and residence. This personal data is kept in a paper record book at the pharmacy where the Product was dispensed to the customer.

Electronic prescriptions are stored in the Central Repository of Electronic Prescriptions, which is established and operated by the State Institute for Drug Control (hereinafter referred to as "SÚKL"). The record of dispensing based on an electronic prescription is sent to this repository. Original medical prescriptions in paper form are either forwarded to the relevant customer's health insurance company if the Product is fully or partially covered by public health insurance funds, or retained by the Controller at the pharmacy where the Product was dispensed. If the customer was dispensed a Product on a prescription marked with a blue stripe, one copy of this prescription is always kept at the dispensing pharmacy. Medical prescriptions stored in the pharmacy may also contain other personal data of the customer (e.g., the customer’s measurements, if provided); however, the Controller will only store these data together with the medical prescription and will not further process these personal data.

If the Product dispensed to the customer is fully or partially covered by public health insurance funds, the Controller forwards the above personal data to the relevant customer's health insurance company as another recipient.

The Controller may also disclose the personal data of the customer to the prescribing healthcare provider, particularly when necessary to ensure continuity of provided health services or to dispel doubts about the validity of the medical prescription or when it is necessary to consult with the healthcare provider regarding the dispensing of the Product.

The personal data mentioned above in this Part A) is processed by the Controller for a period of 5 years from the dispensing of the Product. The record book containing the records of the dispensing of Products containing addictive substances is kept for 5 years from the last entry in this record book.

Part B) Dispensing without a Medical Prescription with RestrictionsFor the purpose of dispensing a Product without a medical prescription with restrictions, the Controller processes the personal data of the customer to whom the Product was dispensed, including their name, surname, insurance number or date of birth (if not insured), and a brief record of the health status, including a record of the conducted interview necessary for assessing the indication.

If SÚKL has stipulated in the decision on the registration of the Product, the Controller will verify the possibility of dispensing such a Product in the register for Products with restrictions before dispensing it, where the customer's insurance number or name, surname, and date of birth will be stated if they are not insured by public health insurance. If the conditions for dispensing the Product without a medical prescription with restrictions are met, the Controller will make the appropriate entry in the register regarding the dispensing of the Product.

The personal data mentioned above in this Part B) is processed by the Controller for a period of 5 years from the dispensing of the Product without a medical prescription with restrictions.

Part C) Complaints Procedure and Withdrawal from the Contractual RelationshipFor the purpose of resolving the customer's complaint, the Controller processes the customer's personal data, including their name, surname, residential address, contact information (email and/or phone number), data regarding the complained Product and/or product, including the purchase price of the Product and/or product, date of dispensing the Product and/or product, reasons for the complaint, and the customer's request regarding the resolution of the complaint. At the same time, the Controller processes the date when the complaint was resolved and the manner of its resolution.

If the customer withdraws from the contractual relationship established with the Controller, the Controller processes the customer's personal data for these purposes, including their name, surname, data regarding the Product and/or product to which the withdrawal applies, including the purchase price of the Product and/or product, date of dispensing the Product and/or product, and the method of refunding to the customer. If the withdrawal is not resolved directly at the pharmacy, the Controller also processes the customer's residential address, account number, and contact information (email and/or phone number).

The personal data mentioned above in this Part C) is processed by the Controller for a period of 5 years from the resolution of the complaints procedure or withdrawal from the contractual relationship, unless it is processed longer for the protection of the legitimate interests of the Controller.

Part D) ComplaintsFor the purpose of keeping a record of complaints against the activities of the Controller as a provider of health services, the Controller processes the personal data provided by the customer in the relevant complaint. This primarily includes their name, surname, residence, phone number, or email and any additional information provided in the complaint. Furthermore, the Controller processes the manner of resolving the complaint.

The personal data mentioned above in this Part D) is processed by the Controller for a period of 5 years from the resolution of the complaint.

3. Rights of Customers/Data SubjectsThe customer, as a data subject, may contact the Controller at any time with a notification in any form using the contact details provided above, and in the case of email communication, to the address: GDPR@a-h.cz to exercise their rights under GDPR.

These rights are as follows:

• The right to receive information about the processing of data and a copy of the processed data (right of access, Article 15 GDPR),
• The right to request the correction of inaccurate data or the completion of incomplete data (right to rectification, Article 16 GDPR),
• The right to request the deletion of personal data and, if personal data has been published, to inform other controllers about the request for deletion (right to erasure, Article 17 GDPR),
• The right to request the restriction of data processing (right to restriction of processing, Article 18 GDPR),
• The right to obtain personal data concerning the data subject in a structured, commonly used, and machine-readable format and to request the transfer of this data to another controller (right to data portability, Article 20 GDPR),
• The right to object to data processing to stop it (right to object, Article 21 GDPR),
• The right to withdraw consent at any time to stop the processing of data based on that consent. The withdrawal of consent does not affect the legality of processing based on consent granted before such withdrawal (right to withdraw consent, Article 7 GDPR),
• The right to lodge a complaint with a supervisory authority if the data subject believes that their rights to personal data protection have been violated (right to lodge a complaint with a supervisory authority, Article 77 GDPR).

Given that data regarding Products prescribed by a healthcare provider and dispensed to the customer in the pharmacy based on a medical prescription and regarding Products dispensed without a medical prescription with restrictions may indicate the customer's health status, and thus constitute a special category of personal data, these personal data will be made accessible to the customer only after verifying their identity.

Personal data is processed by the Controller under the conditions of applicable legal regulations, by both automated and manual means, by its own employees or third parties with whom the Controller has concluded the relevant data processing agreements (hereinafter referred to as "processors"). The Controller collaborates with these processors, who always have access only to the necessary extent of personal data, primarily in the areas of i) IT services, ii) communications, iii) marketing, iv) auditing, accounting, and legal services, etc. An up-to-date list of processors can be requested at the email address GDPR@a-h.cz.

Personal data may also be provided by the Controller to other recipients, particularly public authorities authorized to obtain personal data, such as law enforcement agencies, courts, supervisory authorities, etc., always under the conditions and in the manner defined by generally binding applicable legal regulations.

Request for contractual partners and their employees
Request for employees and former employees of Alliance Healthcare s.r.o

Available in Czech only

Information on the processing of personal data for employees of Alliance Healthcare s.r.o. is available on the company intranet Centro (https://centro.cencora.com/ ).