Privacy Policy

(Personal Pharmacovigilance Data)


Pharmaffairs, Pharmaceutical Consulting – Consultadoria, Lda. (hereinafter referred to as Pharmaffairs), has as area of expertise the provision of consultancy services for the Pharmaceutical Industry in the following areas: Regulatory Affairs; Pharmacovigilance; and Technical Translations.


As regards to the exercise of Pharmacovigilance and Vigilance activity, Pharmaffairs must comply with certain legal obligations in order to enable effective monitoring of the safety of medicinal products authorised in the European Union with its customers.


For such purpose, within the scope of contractual obligations with its customers and in compliance with existing legislation in force regarding Pharmacovigilance and Vigilance in Portugal and in the European Union, Pharmaffairs must identify the adverse events and/or reactions (i.e., the harmful and unintended reactions that may originate by a medicine), as well as special situations, as defined in the Good Pharmacovigilance Practices (GVPs), which may occur in relation to medicinal products authorized by Pharmaffairs’ clients.


The existence and management of a Pharmacovigilance system is a legal obligation for marketing authorization holders in Portugal and in the European Union.


To this end, one of the main obligations of entities, in particular for marketing authorization holders for medicinal products, is the designation of a QPPV, a QPPV Deputy and, in the specific case of Portugal, a Local Contact Person, if EU-QPPV does not reside in Portuguese territory.


Therefore, it is, among others, in this context that Pharmaffairs is contracted by its clients to perform these functions, and in this sense, regarding to Personal Data and its processing, Pharmaffairs acts as a processor, never as personal data controller regarding to pharmacovigilance and vigilance activities.


Thus, Pharmaffairs acts not only in compliance with its legal obligations and the legal obligations of its clients, but also within the scope and with the delimitations which may be eventually established in the celabrated contracts.


In the scope of the contracts celebrated with clients in Pharmaffairs’ area of activity, Pharmaffairs has as main competence and obligation to identify and record adverse events/reactions and special situations in relation to medicines, cosmetic products, food supplements, biocides, medical devices, among other products in the activity area, of which it has direct knowledge to whom it was reported by any means.


To this end, it is essential for Pharmaffairs to process personal data (in particular, health data), not only of patients, but also of those who reported to Pharmaffairs, or its clients, the circumstances described above. The processing and transmission of personal data and reports relating to adverse events and special situations allows the management and control of these circumstances, which, consequently, allows the protection of public health and the quality and safety assurance of authorised medicinal products in the European Union.


The personal data under consideration, as well as the adverse events/reactions, special situations and their reports, after registered and analysed, are sent to the competent regulatory and supervisory authorities – namely INFARMED, European Medicines Agency (EMA), Direção Geral de Alimentação e Veterinária (DGAV) and Direção Geral de Saúde (DGS)-, as well as to the customers themselves (considering that the processing of the data is done on their behalf, under their instructions and in compliance with the subject-matter of the contract), in order to allow the creation of a genuine and global pharmacovigilance/vigilance system, thereby ensuring the quality and safety of medicines and other authorised products, and, consequently, the quality and safety of public health.


With this declaration, Pharmaffairs is intended to provide relevant information on the form of action, especially regarding the processing of personal data for pharmacovigilance purposes, in particular by referring the categories of personal data subject to processing, the purposes of the processing, the possibility and mandatory transmission of the personal data concerned, the retention period, the legal basis and the rights of the personal data subject.


Pharmaffairs’ performance, in the context of personal data processing within the scope of Pharmacovigilance and Vigilance, is strictly governed by the national and European legal obligations, in particular, pursuant to and for the purposes of the General Data Protection Regulation, Law n.º 58/2019 August 8th, Law n.º 59/2019 August 8th, General Medicinal Law (Estatuto do Medicamento), Directive 2001/83/EC of the European Parliament and the Council of November 6th 2001, Regulation (EC) 726/2004 of the European Parliament and the Council, of March 31st 2004, as well as the Guidelines on good pharmacovigilance practices (GVPs), and also Decree-Law n.º 145/2009 June 17th (on medical devices), Directive 2007/47/EC, of the European Parliament and the Council of September 5th (on medical devices and biocidal products ), Regulation (EC) 1223/2009 of November 30th (on cosmetic products) and Regulation (EC) 178/2002 of the European Parliament and the Council of January 28th2002 (with regard to food supplements).


Personal data is processed only for the purposes of Pharmacovigilance and Vigilance, in accordance with the terms in which they are relevant, necessary and appropriate to register, evaluate, report and transmit the adverse events/reactions, and special situations according to the obligations related to the activity.


Notwithstanding the provisions on this declaration, and in case of doubt or need of clarification on matters relating to this declaration, or on the processing of your personal data, you may contact us through the contacts placed at your disposal and stated at the end of this document.


I – Personal Data Categories


Within the Pharmacovigilance activity, it may be necessary[1] to process the following personal data of the patient:

  • Name or initials;
  • Date of birth or age group, gender, weight, height;
  • Information on health, racial or ethnic origin and sexual activity;
  • Contacts, in particular, email address, telephone number or mobile phone, especially in order to be able to track the adverse event;
  • History and clinical situation, which may include:
    • Date of start of adverse reaction;
    • Duration of adverse reaction;
    • Seriousness of adverse reaction;
    • Evolution of adverse reaction;
    • Identification of the suspected medicinal product;
    • Date of beginning of drug administration;
    • Date of drug administration suspension;
    • Route of administration of the suspected medicinal product;
    • Daily dose;
    • Therapeutic indication;
    • First use;
    • Last use;
    • Data on concomitant medication;
    • Existence of previous reactions to the same drug;
    • Reintroduction of the same drug;
    • Suspected interaction;
    • Clinical data;
    • Auxiliary diagnostic tests;
    • Allergies;
    • Pregnancy;
    • Last menstrual Date;
    • Medical assessment on the causal relationship.


As for the reporter, the data to be processed is as follows:

  • Name;
  • Contact details (which may include address, email address, phone number, mobile phone number, fax number):
  • Profession/ocupation, therefore, can determine the issues that can be asked, which may be more or less technical, especially if it is a healthcare professional;
  • Relation with the patient.


Regarding the other health products mentioned above, in the context of vigilance, if it is necessary to process personal data, it will be only those referred to in pharmacovigilance, with the remaining data being transferred only relating to the products themselves.


II – Purpose of Personal Data Processing under Pharmacovigilance


The personal data processing will be carried out so that Pharmaffairs can comply with its obligations and the obligations of its customers, related with Pharmacovigilance and Vigilance, and the concrete purpose for the processing will be as follows:

  • Collection, analysis and investigation of the adverse event or special situation;
  • Contact the reporter of the adverse event to obtain additional information and monitor the evolution of that same event, in order to be able to effectively know all its consequences;
  • Carry out mandatory reports on adverse events and special situations, and to transmit them to Pharmaffairs customers (controllers of the personal data and marketing authorization holders for medicinal products), and for the fulfilment of legal obligations relatively to other health products referred above, transmitting that reports also to national and European regulatory authorities (in INFARMED, DGAV, DGS and EMA) in order to analyse the quality and safety of the medicinal product and other products concerned.


III – Transmission of Personal Data


In order to be able to comply with the legal obligations related to Pharmacovigilance and Vigilance on the part of Pharmaffairs and its customers, it is essential to Pharmaffairs to transmit the collected personal data.


Thus, Pharmaffairs may have to transmit processed personal data to its customers, which will be done internally and by electronic means, subject to high control and protection, and is not in any way disseminated internally by other ways, other than those preconceived for that purpose, such as direct and restricted contacts of the client and the employee responsible, designatedby Pharmaffairs for the provision of the contracted service.


Moreover, Pharmaffairs, where its competences so permit, should transmit processed personal data under Pharmacovigilance and Vigilance, and their reports, to the competent regulatory authorities at national and European level, only by official means, in particular through the EudraVigilance database and the official means indicated by the national authorities for such.


Pharmaffairs shall also transmit the concerned personal data to external service providers and may include security database providers, IT Support, in order to ensure the effective protection of such personal data.


Pharmaffairs ensures the implementation of appropriate protection measures with their customers and with external suppliers, also implementing these measures in the context of the directly carried out treatment.


Personal data databases relating to pharmacovigilance and vigilance and subject to processing by Pharmaffairs are hosted in Portugal, and the transmission of personal data carried out by Pharmaffairs to its customers (controllers of personal data), will be carried out through databases of customers based in the European Union and in third countries.


IV – Store of Personal Data


Processed personal data in pharmacovigilance and vigilance shall be used and stored in accordance with the legally laid down requirements, namely, the obligation to store data related to adverse events/reactions and special situations during the life cycle of the medicinal product and other health products referred to in this document and even after revoked or withdrawal authorisation of the medicinal product and/or other health products concerned on the market for at least ten years, according to the rules for the store and notification of information to the competent regulatory authorities.


The personal data is stored through the implementation of appropriate technical and organisational measures for the protection of personal data, in particular by encrypting the stored personal data, as well as by limiting access or any other type of processing of the data only to Pharmaffairs employees who perform functions in the area of Pharmacovigilance and Vigilance and with proper authorization.


All physical, electronic, technical, procedural and training measures are implemented, appropriate to the effective protection of personal data subject to processing, any loss, destruction, unauthorized damage, use and disclosure, among other mishaps.


V – Legal Basis for the Processing of the Personal Data


The legal basis for the processing of personal data by Pharmaffairs, found in the Article 23 of Regulation (EU) 1235/2010 of the European Parliament and the Council of 15.12.2010 that explains: “In order to detect, to assess, to understand and to prevent adverse reactions, and to identify and take measures to reduce risks and to increase the benefits of medicinal products for human use in order to protect health it should be possible to process personal data under the Eudravigilance system, respecting Union data protection legislation. The purpose of protecting public health is a fundamental public interest and, therefore, the processing of personal data can be justified if identifiable health data are only processed when strictly necessary and only when the parties involved assess this need at each stage of the pharmacovigilance process.”


Although they cannot be regarded as being part of the pharmacovigilance system, but rather of the vigilance system, the mandatory processing of personal data regarding other above mentioned health products – fewer than those necessary for pharmacovigilance activity – they have the same legal basis, i.e., the need and mandatory protection of public health and the guarantee of quality and safety of the concerned products, being these reasons the legal bases for the referred treatment.


Thus, the legal basis and the lawfulness of the processing of personal data in terms of pharmacovigilance and vigilance, are, on one hand, compliance with legal obligations under the laws and regulations related with Pharmacovigilance, as well as the legitimate interests of ensuring the purposes of that activity, in accordance with Article 6 (1) (c) and (c) of the GDPR and, on the other hand, the fact that the obligations and legislation on Pharmacovigilance have been approved and implemented for reasons of substantial public interest with regards to public health and the safety of medicinal products and medical devices which are marketed in the European Union, in accordance with and for the purpose of Article 9 (2) (i) of the GDPR, as well as Article 29 of Lei n.º 58/2019 of August 8th.


VI – Rights of Data Subjects


Under the GDPR, as well as Law n.º 58/2019 of August 8th and Law n.º 59/2019 of August 8th, Pharmaffairs shall inform the data subjects to the processing of their rights in relation precisely to such processing.


In short, the data subjects have the following rights relating to their personal data:

  • Right to access their own personal data, in the event that they are treated;
  • Right to be informed about the processing of personal data;
  • Right to rectification of their own personal data, if they are inaccurate or incomplete, and may request the limitation of the processing until the necessary rectification is verified;
  • Right to erasure their personal data, when the purpose of the processing, the legal obligations related with the processing of personal data and the legal basis for the processing (in particular, for additional retention), are no longer applicable;
  • Right to object and to the restriction of processing the personal data, within legal limits;
  • Right to data portability, for the data subject or for another person, in a format of current use, within legal limits;
  • Right to lodge complaints with the competent authority, in accordance with the legally provided limitations. The national competent authority is the Comissão Nacional da Proteção de Dados, based at Avenida Dom Carlos I, 134 – 1, 1200-651 Lisboa, that can be contacted by phone number +351213928400 and by email


It should be noted that these rights may be limited to the strict extent of compliance with legal obligations, related with Pharmacovigilance and Vigilance, but can only be limited with an adequate legal basis.


VII – Contacts


For questions related to the protection and privacy of your personal data processing, you can contact the Pharmaffairs Data Protection Officer by email:, or by post to Rua Torcato José Clavine, no. 9, 1º Dto., 2800-710 Almada, or by phone number +351 211 583 657, information that is published on the website and in the communications made by Pharmaffairs.


[1] In terms and for the purposes of the Article 28 of the Implementing Regulation (EU) No 520/2012 and Module VI of the GVPs, Deliberation No 219/2009 on the principles applicable to the processing of personal data carried out under the National System of Pharmacovigilance of Medicinal Products for Human Use (Pharmacovigilance).