Skip to Contents

Hanmi Pharmaceutical Privacy Policy.

Hanmi Pharmaceutical Privacy Policy

The EU Commission adopted on 17 December 2021 an adequacy decision addressing the transfers of personal data to the Republic of Korea under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.
Accordingly, personal data transferred offshore from the EU to Korea are processed in accordance with the Korean Personal Data Act


Hanmi Pharm.Co.,Ltd. (“we”, “our”, “us”, “the Company”) keeps and processes information about contact persons (each a “Business Partner Contact”, “you”) at our customers, suppliers, vendors and partners (each a “Business Partner”). This notice describes how we collect and use personal information about you during and after your business relationship with us, in accordance with the EU General Data Protection Regulation ((EU) 2016/679) (GDPR). It is important that you read this notice, together with any other notice we will provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under the GDPR.


The Company is the data controller for the purposes of the GDPR and other applicable data protection laws. If you wish to contact the Company regarding your personal information or concerns you have about this Privacy Notice, please contact.

[Contact Information]

  • Hanmi Pharm. Co., Ltd., 14, Wiryeseong-daero, Songpa-gu, Seoul,Republic of Korea, 05545

[DPO contact information in case appointed]

  • Hong Sung-Hwan,


We will comply with data protection law. This says that the personal information we hold about you must be:

  1. 1. Used lawfully, fairly and in a transparent way.
  2. 2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. 3. Relevant to the purposes we have told you about and limited only to those purposes.
  4. 4. Accurate and kept up to date.
  5. 5. Kept only as long as necessary for the purposes we have told you about.
  6. 6. Kept securely.


The GDPR defines “personal data”, or “personal information”, as any information about an individual from which that person can be identified. We collect, store, and use certain categories of personal information about you, such as:

  • Personal contact details such as name, title, work addresses, work telephone numbers, work fax numbers and work email addresses
  • Information necessary to manage and administer our relationship with you and Business Partner such as work history, educational background, performing transactions and orders of products or services, processing payments, performing accounting, auditing, billing and collection activities, arranging shipments and deliveries, facilitating repairs and providing support services


We collect your information directly from you (e.g. signing a contract, filling in a form, presenting business card or making a call to us).


We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following purposes:

  • Communicating with Business Partners about products and services
  • Performing marketing campaigns or other promotional activities or events
  • Planning, performing and managing the (contractual) relationship with Business Partners
  • Ensuring compliance with legal obligations such as record keeping obligations
  • Solving disputes, enforce our contractual agreements and to establish, exercise or defend legal claims

If you refuse to provide personal information listed hereinabove, business relationship and communication with you could be deferred or limited. We will use your personal information in the following legal bases:

  1. 1. Where we need to perform the contract we have entered into with Business Partners.
  2. 2. Where we need to comply with a legal obligation.
  3. 3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We can also use your personal information in the following legal bases, which are likely to be rare:

  1. 1. Where we need to protect your interests (or someone else’s interests).
  2. 2. Where it is required to defend or pursue legal claims.
  3. 3. Where your consent is given

Please see the Appendix for more information on those legal bases.


We share your data with third parties, including affiliates and third-party service providers, in or outside the EU to comply with our legal or contractual requirements or to pursue our legitimate interests in connection with business relationship. If such a recipient is located outside of the European Union and the European Economic Area (“EEA”) in a country that is not recognised by the European Commission as ensuring an adequate level of data protection, we will implement appropriate measures to ensure that your personal information remains protected and secure when it is transferred outside of your home country, in accordance with applicable data protection and privacy laws. These measures include data transfer agreements implementing European Commission's Standard Contractual Clauses (a form of data transfer agreement pre-approved by the European Commission as providing adequate safeguards for personal information).


We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.


We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, as more fully set out in our Data retention policy, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements. Broadly, most of your information is kept for the duration of our working relationship with you. In certain circumstances we anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you.


[Your duty to inform us of changes]

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

[Your rights in connection with personal information]

Under certain circumstances, by law you have the right to:

  • Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction and/or deletion of the personal information.
  • Request the restriction of the processing of your personal information.
  • Request the object to that processing (especially if we use your information for direct marketing, you can “opt out” at any time)
  • Request receipt or transmission to another organisation, in a machine-readable form, of the personal information that you have provided to us

We will need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it. In the event that you wish to make a complaint about how we process your personal information, please contact and we will endeavour to deal with your request as soon as possible. You have also the right to complain directly to the relevant data protection authority.


In the limited circumstances where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law


If you have any questions about this notice or how we handle your personal information, please contact.


We reserve the right to update this notice at any time without prior notice, and we will notify you when we make any material updates.


Purpose of Use Legal Basis for Processing
Communicating with Business Partners about products and services Contract, Legitimate interests
Performing marketing campaigns or other promotional activities or events Legitimate interests
Planning, performing and managing the (contractual) relationship with Business Partners Contract, Legitimate interests
Ensuring compliance with legal obligations such as record keeping obligations Legal obligation
Solving disputes, enforce our contractual agreements and to establish, exercise or defend legal claims Contract, Legitimate interests

Pharmacovigilance Privacy Notice

Each of marketing authorization holders of Hanmi products is obliged to report pharmacovigilance related information to health authorities worldwide. Hanmi is performing such pharmacovigilance activities as a marketing authorization holder and/or on behalf of the marketing authorization holders pursuant to a specific delegation agreement. It requires us to process certain information, which allow to directly or indirectly identify a person, (hereinafter “personal data”) of a patient and/or the reporter of an adverse event that we receive in order to comply with strict obligations.

This Pharmacovigilance Privacy Statement provides important information to you about how we process Personal Data for PV purposes, in line with our obligations under applicable data privacy laws and in particular the EU General Data Protection Regulation ((EU) 2016/679) (“GDPR”).

  1. 1. Categories of Personal Data

    We may need to obtain and process the following personal data for the purpose of pharmacovigilance:

    1. A. About the Patient
      1. 1. patient names and/or initials
      2. 2. date of birth, age group, sex, weight, height
      3. 3. information about health, racial, or ethnic origin and sexual life and
      4. 4. medical history and status, including but not limited to details of the adverse event and the Hanmi product suspected to cause the adverse event.
    2. B. About the Reporter
      1. 1. reporter names and/or initials
      2. 2. contact details, which may include your address, e-mail address, phone number or fax number
      3. 3. profession (this information may determine the questions you are asked about an adverse event, depending on your assumed level of medical knowledge) and
      4. 4. relationship with the subject of the report.
  2. 2. Purpose

    Any personal data provided to us related to reporting adverse events or other activities related to pharmacovigilance will be used solely for the following purposes:

    1. A. to investigate the adverse event
    2. B. to contact you for further information about the adverse event you reported
    3. C. to collate the information about the adverse event with information about other adverse events received by Hanmi to analyze the safety of Hanmi products and
    4. D. to provide mandatory reports to national and/or regional competent regulatory authorities so that they can analyze the safety of Hanmi products.
  3. 3. Retention Period

    We will use and store your personal data in accordance with mandatory legal requirements governing storage and reporting of pharmacovigilance related information. Such mandatory requirements oblige us to archive PV information which may include personal data at least for the duration of the product life-cycle and for an additional ten years after the withdrawal of the product in the last country where it is marketed.

  4. 4. Transfer of Personal Data

    As part of meeting our pharmacovigilance obligations, we may share personal data with the following parties:

    1. A. with competent regulatory authorities, in respect of a suspected adverse event
    2. B. with Hanmi’s affiliates around the world for the same purposes as we do
    3. C. with third party service providers of Hanmi; these service providers may include safety database providers, call center operators, and in the event that you disclose details of your suspected adverse reaction to our market researchers, that particular market research provider and
    4. D. with other pharmaceutical companies who are our co-marketing, co-distribution, or other license partners of Hanmi, where pharmacovigilance obligations for a Hanmi Product require such exchange of safety information.

    Please note that your personal data may be transferred to, and processed in, countries other than the country in which you are resident. Specifically, our affiliates, third party service providers and partners operate around the world. This means that when we collect your personal data we may process it in any of these countries. These countries may have data protection laws that are different to the laws of your country. However, we have taken appropriate safeguards to require that your personal data will remain protected in accordance with this Privacy Notice.