Privacy policy
PRIVACY AND PERSONAL DATA PROTECTION POLICY
ESTE carries out its activities, including the processing of Personal Data, based on its Fundamental Values of Innovation, Integrity, and Responsibility, and in the culture of Ethics and Compliance.
This Privacy and Personal Data Protection Policy of ESTE applies to all those who browse this Website and those who communicate with our company through our service channels, whether they are professionals, clients, consumers, employees, former employees, and others, even if they do not have a registered account, but whose data is processed by our company.
This Policy sets out the terms of use and service of the Website https://www.este.com.py/ and our channels. It is essential to read this Policy to understand how your personal information may be treated by our company.
If you have questions or requests related to your Personal Data, please contact our Data Protection Officer via email: atencion@este.com.py.
WHAT IS THE PURPOSE OF THIS POLICY AND OUR COMMITMENT?
The processing (use) of personal data is necessary to carry out various legitimate activities of our company.
However, we understand how important your personal data is to you, so we commit to process (use) your data in accordance with the forms authorized by current legislation.
In this regard, the purpose of this Policy is to inform, in a straightforward manner, how your personal data may be processed and protected by our company and how you can exercise your rights as the data subject. To facilitate comprehension, we have divided the content into the following topics:
- Definitions
- What personal data is collected?
- For what purposes do we process (use) personal data?
- What are cookies?
- With whom can we share personal data?
- How do we keep personal data secure?
- How long will personal data be stored?
- Your rights as a Data Subject and how to exercise them.
DEFINITIONS
To facilitate understanding, we list in the table below the definitions and key terms commonly related to privacy and personal data protection, which we refer to in this text of this Policy:
LPDP – Ley de Protección Credit Personal Data Protection Law, Law No. 6534/2020.
Personal data – Information related to a natural person, identified or identifiable.
Sensitive personal data – Personal data about racial or ethnic origin, religious beliefs, political opinions, membership in unions or religious, philosophical, or political organizations, data related to health or sexual life, genetic or biometric data when linked to a natural person.
Data subject – A natural person to whom the personal data that are processed refer. These individuals can be healthcare professionals or others, patients, consumers, employees, former employees, or other natural persons.
Users – People who access our Website and/or interact with the activities offered on it.
Controller – A natural or legal person, of public or private law, responsible for decisions related to the processing of personal data. Our company may act as a Controller and/or Processor in the processing of Personal Data.
Processor – A natural or legal person, of public or private law, who carries out the processing of personal data on behalf of the controller. Our company may act as a Controller and/or Processor in the processing of Personal Data.
Data Protection Officer – A person designated by the controller and the processor to act as a communication channel between the controller, data subjects, and the National Data Protection Authority (ANPD). Our Data Protection Officer can be contacted via email: atencion@este.com.py.
Processing – Any operation performed with personal data, such as collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation, or information control, modification, communication, transfer, dissemination, or extraction.
Anonymization – Processes by which personal data lose the possibility of direct or indirect association with an individual, considering the use of reasonable and available technical means at the time of processing. According to the law, the LPDP does not apply to anonymized personal data.
Automatic collection – Automatic collection is carried out through access to the digital channels of our company without the Data Subject having necessarily provided personal data. Examples of data collected automatically include cookies, access logs, device or browser characteristics, IP address (with date and time), IP origin, information about clicks, pages visited, search terms entered on our channels, among others.
Cookies – Files sent by the website server to Users’ devices to identify them and obtain access data, such as pages visited or links selected, allowing the customization of Users’ navigation on the Website according to their preferences.
IP – Abbreviation for Internet Protocol. It is a set of numbers that identifies the connection through which it is possible to identify the Users’ computers on the Internet.
Logs – Records of User activities carried out on the Website. Website – Refers to the electronic address https://www.este.com.py/ and its subdomains.
WHAT PERSONAL DATA IS COLLECTED?
To carry out our activities, it may be necessary for our company to collect certain information or personal data related to you.
This information may have been provided directly by you, by third parties contracted or contacted by our company, or collected automatically.
Some examples of this information that may be collected include:
• Contact information, such as name, email, phone numbers, state, and city.
• Financial information: potential amounts to be paid or received, through bank accounts or invoices in connection with our business relationship.
• Behavioral information: access identification, information about clicks, and other data collected through technological means such as cookies.
Our company ensures that personal data is collected and processed only to the extent necessary, for legitimate, clear, and informed purposes, and with authorization, whether by consent or other authorized means under the LPDP.
FOR WHAT PURPOSES DO WE PROCESS (USE) PERSONAL DATA?
Personal data can be processed by our company for various legitimate purposes. Below, we list some of these purposes and examples:
• Conducting business operations: carrying out marketing and sales activities; responding to requests received; monitoring interactions and meetings, even when you communicate with our company to request information or support.
• Complying with legal or regulatory obligations: managing adverse events; conducting prevention, evaluation, and investigation activities; complying with administrative formalities; maintaining records and reports; undergoing audits.
• Providing customer support using contact and registration data provided in advance.
• Providing access to services: allowing access, download, use, or management of applications, websites, and online platforms.
• Improving and developing products and services: identifying usage trends and developing new products and services; understanding how people and their electronic devices interact with our services and platforms; tracking and responding to security issues; assessing the effectiveness of our promotional campaigns, conducting research, among others.
• Personalizing your experience when using services that our company may offer: enabling services to be presented in a way that best suits the user’s preferences; understanding their professional and personal interests in relation to the content, products, and services available on our communication channels; presenting products and content as users perform searches.
• Communicating with you: answering your questions; addressing your requests; providing support for products and services; sending important information, necessary communications, and promotional materials; sending news and information about our products, services, brands, and operations; organizing and managing events, meetings, classes, and professional conferences, whether in person or remotely.
• Processing payments in specific and clearly informed situations: receiving and verifying financial information in order to enable the processing and receipt of payments in specific and clearly informed situations.
• Offering donations and sponsorships when permitted or applicable.
• Responding to requests from administrative or judicial authorities in accordance with applicable laws: complying with subpoenas, providing necessary records, tracking, responding, or defending in legal proceedings.
• Protecting the rights and interests of our company: safeguarding the health and safety of employees, third parties, and company facilities; conducting internal audits, asset management, systems, and other business controls; managing and overseeing business administration (including finance and accounting; fraud monitoring and prevention, among others); maintaining the security of services and operations; protecting the rights of our company, whether privacy, security, or property; providing solutions; mitigating risks; limiting damages that may be incurred by our company when necessary; protecting our company and affiliated companies against possible fraudulent actions.
WHAT ARE COOKIES?
Cookies are files or information that can be stored on Users’ electronic devices when they visit the
Website or use our company’s digital channels.
Our company adopts an ethical and transparent policy regarding the use of “cookies.”
When you first access our company’s website, you can indicate your preferences regarding the use of cookies. To review or revoke the consent given, please contact us via email atencion@este.com.py.
WITH WHOM CAN WE SHARE PERSONAL DATA?
Based on the purposes described above, it may be necessary for our company to share your personal data with:
• Our partners, including professionals, healthcare organizations, distributors, and other institutions related to healthcare and the pharmaceutical industry.
• Authorities, government entities, or other third parties to comply with legal or regulatory requirements, to protect our company’s interests in any type of conflict, including legal actions and administrative processes.
• Selected providers, service providers, or vendors who may act in accordance with our instructions, whether for website hosting, data analysis, payment processing, order processing, information technology processing, provision of related infrastructure, customer service, email delivery, audits, among others.
• Potential acquirers and other stakeholders in case of corporate or legal restructurings, such as acquisitions, mergers, joint ventures, assignments, divisions, investments, or divestments. Personal data may also be subject to international transfer, which will always be carried out in accordance with legal and regulatory standards and through the use of legal means or instruments that guarantee the security of personal data, as permitted by the LPDP or other laws or regulations, as appropriate to the destination of the information.
HOW DO WE KEEP PERSONAL INFORMATION SECURE?
Any personal data processed by our company will be stored in accordance with the strictest security standards, including the adoption of measures such as:
• Protection of our systems against unauthorized access.
• Restriction of access to personal data only to specific individuals at the location where personal data is stored.
• Ensuring that employees or external partners who need to carry out personal data processing commit to maintaining absolute confidentiality and adopt best practices in the eventual processing of this personal data, in accordance with corporate policies and procedures, contracts, legal standards, or regulations, among others. In addition to technical efforts, our company also takes institutional measures to protect personal data, through its Privacy and Personal Data Governance Structure, which includes its Privacy and Personal Data Protection Committee, as the Data Protection Officer.
HOW LONG WILL PERSONAL DATA BE STORED?
Personal data will be processed by our company until they cease to serve the purposes for which they were collected, at which point they will be deleted, or until the data subject requests their deletion, except in cases where our company needs to maintain the processing of Personal Data to comply with a legal or regulatory obligation, transfer them to third parties, provided that the requirements for the processing of personal data are respected, and their use is exclusively for our company, even for exercising their rights, including in judicial or administrative proceedings.
YOUR RIGHTS AS A DATA SUBJECT AND HOW TO EXERCISE THEM
Our company respects your rights as a data subject, whether these rights are established in the Law on Credit Personal Data Protection (LPDP) or other legal or regulatory provisions. Therefore, regarding the processing of personal data, our company guarantees you, as the data subject, the right to make the following requests:
Confirmation of the existence of processing: You can request information about any processing activity of your personal data. If your data has not been processed by our company, we will inform you of:
a) If we know who carries out the processing, we will inform you.
b) If we do not know, we will inform you that our company has not carried out the processing.
Access to your personal data: You can request access to your personal data processed by our company in two ways:
a) Simple: Receiving a simplified summary of your personal data.
b) Complete: Receiving, in addition to the processed personal data, information about the origin of your data, the lack of records, the criteria used, and the purpose of the processing, without prejudice to preserving trade secrets, industrial secrets, and other legal or regulatory provisions establishing confidentiality by our company.
Correction of incomplete, inaccurate, or outdated personal data: If you find that your data is not up to date, incorrect, or incomplete, you can request the modification, correction, or completion of your personal data by our company.
Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data: If you believe that your personal data is being processed irregularly, you can request their anonymization, blocking, or deletion.
Revocation of Consent: If the processing of your personal data is based on your consent, you can revoke that consent at any time.
Deletion of data processed with the consent of the Data Subject: If the processing of your personal data is based on the collection of your consent, you can expressly request the deletion of your personal data from our databases at any time.
Obtaining information about public or private entities with which our company has shared your personal data: To help you understand in detail with whom we share your personal data, in addition to the information provided in this Policy, you can request a complete breakdown.
Information about the possibility of not granting your consent, as well as being informed of the consequences in case of denying your consent for the processing of personal data: For all activities in which the processing of your personal data requires the collection of your consent, you will be informed clearly and objectively about the possibility of not granting your consent and the natural
consequences of not doing so.
Review of automated decisions: If our company makes any automated decisions involving the processing of your personal data or that directly affect you, you can request a review of that decision.
ALL REQUESTS RECEIVED FROM DATA SUBJECTS PROCESSED BY OUR COMPANY WILL BE HANDLED AS FOLLOWS:
• They will be processed free of charge for the data subject (or their legal representative).
• They will be subject to some form of identity validation of the data subject or the submission of powers of representation so that our company can ensure the proper handling of the data subject’s requests.
All requests from data subjects regarding personal data will be evaluated by our company’s Privacy and Personal Data Protection Committee, which may request further information to better understand the request and ensure the best and most accurate attention to the data subject.
In some situations (as provided for in legal or regulatory provisions), it may not be possible to respond to data subject requests. Therefore, when it is not possible to respond, the relevant justifications will be provided to help you understand our reasons. To exercise your rights as a data subject, simply make your request through our contact channel atencion@este.com.py.
APPLICABLE LEGISLATION AND CHANGES TO THIS POLICY
This policy has been prepared based on the LPDP, and the requests and rights established here may be exercised from the date the LPDP comes into effect.
Our company reserves the right to change, add, adapt, or delete parts of this policy at any time and at its discretion.
This Privacy and Personal Data Protection Policy of ESTE was last updated in September 2020.
Our company is committed to the privacy of data subjects. For more information about our privacy practices and to exercise your rights as a data subject, please contact us via email atencion@este.com.py.