iGRO Privacy Policy

Individual Growth Response Optimization (iGRO) is a web-based tool developed by and on behalf of Pfizer Inc. for use by endocrine clinics (which may be sole practitioners, partnerships, incorporated bodies or other types of practice) (Clinics) and their authorised personnel (End Users) to predict growth outcomes in children treated with growth hormone.

Under EU and Swiss privacy laws, each Clinic will be the data controller of all Patient data submitted and used in iGRO and of all End User data. Pfizer Healthcare Ireland, located at 9 Riverwalk, National Digital Park, Citywest Business Campus, Dublin 24 - D24NT20, Ireland, will be a data controller in respect of the End User data.

Pfizer Inc. and other relevant Pfizer affiliates are jointly referred to in this Privacy Policy as ‘Pfizer’.

In order for Clinics and Pfizer to discharge their respective responsibilities under EU and Swiss privacy laws, this Privacy Policy sets out how information that is submitted in connection with the use of iGRO will be treated.

BY USING iGRO AND ENTERING PERSONAL DATA USING THE iGRO TOOL, YOU CONFIRM THAT YOU HAVE MADE EACH PERSON WHOSE PERSONAL DATA WILL BE / HAVE BEEN SUBMITTED BY OR ON BEHALF OF YOUR CLINIC, AWARE THAT THEIR PERSONAL DATA WILL BE PROCESSED IN ACCORDANCE WITH THIS PRIVACY POLICY AND ALSO CONFIRM THAT THEY HAVE CONSENTED TO SUCH PROCESSING.

 

(1) PERSONAL DATA

iGRO may store and otherwise process the following kinds of data as submitted by Clinics:

End User data

Patient data

Email address

Patient ID – this is the tracking number from the clinic

Password

Patient initials

Clinic

Date of birth

Name

Gender

Surname

Gestational age (for idiopathic growth hormone deficiency [IGHD] only)

 

Birth weight

 

Parents’ heights

 

Diagnosis

 

Pubertal status and age of onset

 

Height

 

Weight

 

Bone age

 

                                                                           

Maximum GH peak (optional for IGHD only)

 

Treatment start date

 

GH dose

 

Number of injections administered per week

(2) COOKIES

The iGRO tool employs two cookies. A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to the web browser and stored by the browser on your hard drive. The identifier is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.

iGRO only stores anonymous and privacy compliant cookies. Cookies are not linkable to the End User or Patient personal data.

The two cookies stored by iGRO are:

  1. A session cookie

    Named for example "SESSc81e2429a611c7853e44eba4be44e134" with a value like "Ur9rDZxy3v981Pa9a9xwzEvHfaSf7I_24ZKnCXNR36o", so fully anonymous and compliant with privacy rules. Session cookies will be deleted from your computer when you close your browser.

  2. A cookie named "has_js" with a value "1" or "0", which is used by the tool to memorize browser's policy about the use of Javascript.

Most browsers automatically accept cookies but you can usually change your browser to prevent cookies being stored. For further information on cookies and how to switch them off, visit www.allaboutcookies.org. If you are using a smartphone, set your preferences through the “Settings” app of your smartphone and/or the browser(s) app(s). There are also software products available that can manage cookies for you.

PLEASE NOTE, IF YOU TURN COOKIES OFF, THIS WILL LIMIT THE SERVICE WE ARE ABLE TO PROVIDE AND MAY AFFECT YOUR USER EXPERIENCE.

 

(3) USE OF PERSONAL DATA

Each Clinic will be the data controller of all Patient data submitted and used in iGRO and of all End User data.

Pfizer Healthcare Ireland will be a data controller of the End User data to enable the Clinic’s use of iGRO as intended. Pfizer Healthcare Ireland has no requirement for, and does not expect to receive, any patient identifiable personal data and shall not take any decision as data controller regarding any patient identifiable personal data.

The use of the iGRO tool by the End User is based on Pfizer’s contractual relationship with the Clinic and the End User (governed, among others, by the iGRO Terms of Use). Once registered, the End User data are necessary for iGRO to perform as intended. Furthermore, based on our legitimate interests we may use aggregated and anonymous data for business analytics. Pfizer Healthcare Ireland may use Clinic and End User data:

(a)  for the registration and administration of Clinic / End User accounts and providing access to authorised End Users;

(b)  to track and assess use of iGRO by de-identified data;

(c)   to send notifications of application outages or updates (including suspensions of End User accounts and withdrawal of iGRO);

(d)  to respond to requests for support; and

(e)  to record details of which End User account has been used to create, view and update any patient records and/or End User data.

Pfizer Healthcare Ireland will not have access to patients’ personal data (only to de-identified information as detailed below) and the third party service providers will only be involved to operate, maintain and support iGRO as well as to produce and deliver the above-mentioned de-identified information, in the EEA/Switzerland and in accordance with the security measures mentioned below. Pfizer Healthcare Ireland will act as a data processor of all encrypted Patient data. Third party service providers, the Clinics, and the End Users are not required or expected to share any Patient personal data with Pfizer.

Pfizer will receive only the following de-identified information:

  • the number of End Users using iGRO in each country;

  • the number of patients with whom iGRO has been used; and

  • metrics on each indication (i.e. the number of patients who have been diagnosed with either IGHD, TS and small for gestational age and with whom iGRO has been used).

Pfizer will use the aggregated statistics on the data held in iGRO in order to assess how iGRO is used and to improve its functionality and performance.

The above-mentioned service providers will de-identify the data and will provide only the above-mentioned de-identified information to Pfizer.

Each Clinic, as exclusive data controller of patient personal data, hereby represents that: 

(a)  all of its personal data processing instructions, which are relevant for Pfizer and the third party service providers to act on the Clinic’s behalf for iGRO’s purposes, are either described in this privacy policy or shall be the result of the End User’s use of the iGRO functionalities;

(b)  it is its exclusive responsibility to timely appoint and remove End Users (who shall be deemed acting on behalf of the Clinic which appointed them) as authorized users to access, update and remove patients’ personal data in iGRO;

(c)  it has approved the use of third party service providers, after having received from Pfizer (through this privacy policy or by otherwise addressing to Pfizer the relevant questions) and assessed related information required under the data protection law applicable to the Clinic;

(d)  it is fully aware how to access, update and delete patient personal data through the relevant iGRO functionalities and it is its exclusive responsibility to directly answer any patient privacy requests, and comply with its duties regarding personal data quality and personal data retention; and

(e)  it shall notify Pfizer, in writing, in case it decides to discontinue the use of iGRO, in which case it shall be the Clinic’s exclusive responsibility to remove patient personal data from iGRO.

IT IS THE CLINIC’S RESPONSIBILITY TO NOTIFY END USERS AND PATIENTS OF THE CLINIC’S AND PFIZER HEALTHCARE IRELAND’S RESPECTIVE STATUSES AS DATA CONTROLLER AND TO EXPLAIN TO END USERS AND PATIENTS HOW THEIR PERSONAL DATA WILL BE USED AND PROTECTED AS HEREIN DESCRIBED AND OBTAIN THEIR CONSENT BEFORE THEY INTRODUCE ANY PATIENT’S DATA IN IGRO.

 

(4) DATA SECURITY

iGRO and the service providers mentioned below employ security technology, including firewalls, to safeguard information and have procedures in place aimed at ensuring the confidentiality, integrity, availability and resilience of the systems used to host, maintain and support this information.

All End User data (except for email addresses) are encrypted using Secure Sockets Layer (SSL) once the End User has keyed it into the iGRO application and clicked ‘save’.

All Patient data are encrypted using Secure Sockets Layer (SSL) once the End User has keyed it into the iGRO application and clicked ‘save’.

In addition to the service providers mentioned below, only the Clinic (through the End Users) shall have access to patient identifiable data. Pfizer personnel cannot access patient identifiable data.

(5) USE OF SERVICE PROVIDERS

Pfizer will use third party service providers to provide the iGRO tool and service, including the hosting of iGRO (including its supporting databases), for providing maintenance and support services, and to act as a technical support function to End Users of iGRO.

These service providers will de-identify the data submitted to iGRO and will provide the above-described de-identified information only to Pfizer as described in this Privacy Policy. In all cases, Pfizer has taken measures to ensure that all End User data and Patient data are properly protected in accordance with this Privacy Policy and are kept entirely within the European Economic Area and/or Switzerland.

(6) POLICY AMENDMENTS

Privacy laws and practice are continually developing and Pfizer aims to meet high standards. Our policies and procedures are, therefore, under continual review. We may, from time to time, update this Privacy Policy and suggest you check this page periodically to review our latest version.

We may also notify Clinics and/or End Users of changes to our Privacy Policy by email.

(7) THIRD PARTY WEBSITES

Where the website contains links to other websites or services that are owned or controlled by third parties, neither Pfizer nor any of its service providers are responsible for the privacy policies or practices of those third party websites or services. The Clinic and/or its End Users should check that the policies and practices are acceptable to them before use.

(8) INDIVIDUAL RIGHTS AND DATA RETENTION

If you would like to request to review, correct, update, suppress, restrict or delete Personal Data that you have provided to us through iGRO, or if you would like to request to receive an electronic copy of such Personal Data for purposes of transmitting it to another company, you may do so using the functionalities within iGRO, or submit your request by using the contact form in the ‘Support’ page within iGRO or contact us as indicated in the Contact Us section below. We will respond to your request consistent with applicable law.

In your request, please tell us what Personal Data you would like to have changed, whether you would like to have it suppressed from our database, or otherwise let us know what limitations you would like to put on our use of it. For your protection, we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.

Please note that we may need to retain certain Personal Data for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion.

All patient requests for access should be addressed to the Clinic or managed by the End Users through the ‘Support’ page in iGRO. End Users are required to update and correct their profile information using the iGRO ‘Profile’ section of the iGRO tool.

Pfizer does not have access to the Patients’ personal data. It is the Clinic’s and End Users’ responsibility to ensure that Patient data is accurate and up-to-date. The End User is able to delete any Patient data introduced by him/her or his/her patients in iGRO at any time. 

(9) CONTACT US

The company responsible for collection, use, and disclosure of your Personal Data under this Privacy Notice is

Pfizer Healthcare Ireland

Pfizer Healthcare Ireland, 9 Riverwalk, National Digital Park, Citywest Business Campus, Dublin 24 - D24NT20, Ireland

If you have questions about this Privacy Policy, or if you would like to request to exercise any individual rights, please contact us at DataProtectionIreland@pfizer.com, or write to the following address:

Pfizer Healthcare Ireland, 9 Riverwalk, National Digital Park, Citywest Business Campus, Dublin 24 - D24NT20, Ireland

You may also contact our data protection officer responsible for your country or region, if applicable. To find their contact information, visit DPO.pfizer.com.

(10) LODGING A COMPLAINT WITH REGULATOR

The End User also has the right to lodge a complaint to data protection authority in his/her jurisdiction (http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080) if his/her rights have been breached.