GENERAL PERSONAL DATA PROTECTION POLICY
1. About Covetrus
Covetrus is a global animal-health technology and services company supporting the companion, equine, and large-animal veterinary markets. The company also supplies products to dental laboratories, government and institutional health care clinics and other alternate care sites. Covetrus, headquartered in Portland, has operations or affiliates in 25 countries.
Covetrus (“Covetrus”) operates a centralised and automated distribution network with a large selection of products that bear not only the Covetrus brand name. Covetrus also offers its customers innovative technological solutions, including practice management software.
You can find our contact details in the last section of this Policy.
Your privacy is important to us. As part of our commitment to an ethical and responsible practice, we fully respect your privacy and your other rights and freedoms.
This General Personal Data Protection Policy (the “Policy“) sets out the rules and principles based on which we process not only your personal data. All employees and those with whom we share your personal data must adhere to the same or stricter rules than those we set out below.
Covetrus is committed to protecting the information that our customers, employees, partners, suppliers and vendors have entrusted to us. We collect and use personal data particularly to perform business functions and provide quality products and services to our customers.
Consistent with our values and principles, we treat any personal data that we obtain particularly in accordance with the principles of transparency, including the right to information about personal data processing, purpose limitation, data minimisation, data integrity, confidentiality, accountability and protection of privacy. More details on this are provided below.
This Policy applies to all personal data in any format or medium relating, inter alia, to all employees, customers, vendors and others who do business with Covetrus.
3. Types of personal data we collect and process
We recognise personal data as any information related to an identified or identifiable natural person. Depending on the context of your interactions with Covetrus, we collect and process different types of personal data from employees, suppliers, job candidates, customers, prospective customers and vendors.
Types of personal data we collect:
- Customers and suppliers: Name, surname, date of birth, address, phone number, banking details, tax and financial information, contract information for key personnel, IT communication and login details, other network identifiers (IP addresses, cookies), reliability assessment, information about our business relationship, information about the amount and type of goods and services provided, and video recordings from security cameras.
- Employees and job candidates: Name, surname, birth number, date of birth, address, phone number, banking details, tax and financial information, contact information for key personnel, IT communication and login details, other network identifiers (IP addresses, cookies), number of children, education, information on state of health, information from personnel files, location data, data required by legal regulations, information on employment history, benefits, compensation and performance, and video recordings from security cameras.
- Customers of our customers: We process personal data from the customers of our customers that may contain confidential information only when it is necessary to provide the service. In this context, we act on behalf of our customers, and this service is governed by a data processing agreement.
- Visitors to our offices: Name, contact information and video recordings from security cameras in some of our office buildings.
4. Our Policy towards children
Our services are not directed at children. We do not knowingly collect personal data from children. If a parent or guardian becomes aware that his or her child has provided our company with personal data without their consent, please contact us immediately. If we become aware that a child has registered for a service and has provided us with personal data, we will delete such information from our files.
5. Sources of personal data
Covetrus processes various types of personal data in order to conduct its day-to-day business activities. When collecting and using personal data, we also apply the data minimisation principle, which ensures that we only collect information that is necessary. We inform personal data subjects that we will be processing their personal data and request their consent to such processing when necessary.
Some of this personal data is collected directly from you in the following situations:
- You apply for a position with our company.
- We negotiate and/or enter into a contractual relationship with you.
- You provided us with any type of service as a provider or supplier.
- When we provided any type of services, product or user support.
- When you browse or use our website, e-commerce services or social media pages.
We sometimes also obtain data from third parties, including the subsidiaries and affiliates of Covetrus worldwide, in the following situations:
- We may conduct analytics to determine additional products and services that may be of interest to you.
- We may share data within the group as part of the centralisation of the customer relationship management system.
- We may purchase data from external companies for marketing purposes.
6. Use and purpose of personal data
The purposes for which we process your personal data may vary depending on the type of relationship you have with us, such as if you are one of our employees, customers or website users. Covetrus always processes personal data according to the purpose limitation principle. The use of personal data for other purposes should be consistent with the original purpose for which it was obtained and may not be at variance with your personal data protection expectations; otherwise, we shall request your authorisation or consent.
· Employees and job candidates: If you apply for a job, we use your personal data to consider you for employment and to administer your application and/or account. If you have an employment relationship with Covetrus, we use your personal data to develop our contractual relationship, to conduct performance evaluations and to comply with legal obligations, including tax and labour regulations.
· Customers: We use our customers’ information to maintain our business relationships, to ensure the proper operation of day-to-day business, to comply with tax and other regulations, to administer sales and marketing activities, to send commercial communications and advertising, to provide discount and other benefits, and to collect debts.
· Customers of our customers: We provide support services for customers who, in case of need, make use of our products and services relating to the provision of healthcare. As part of drop shipping, we process the personal data of customers to whom our company delivers goods at the instruction of our customer.
· Prospective customers: Information from prospective customers is used to respond to requests for information, products or services, and for marketing activities.
· Suppliers: If you have a business or professional relationship with Covetrus, we will use your information to maintain and develop our business relationship with you and to comply with tax and other regulations.
· Visitors to our offices: Our buildings and premises generally have physical, technical access and movement controls; some have video surveillance systems for security purposes.
· Website and social media users: We collect personal data from visitors and users of our website and social media pages. We use this information to manage your account registration, to store your preferences and settings, to provided interest-based advertising, to conducts statistics and to analyse how the website and online services are used.
· We may also use the personal data of our employees, customers and suppliers for other purposes based on our legitimate interests, such as an analysis of goods and services provided, and product development and statistics creation, but only in the case of demonstrably legitimate interests in accordance with the appropriate legal regulations.
7. Legal basis for data collection and use
Covetrus only processes personal data when there is a fair and legal basis for its processing, for example when personal data processing is necessary to perform a contract, to meet our legitimate interests, to fulfil legal obligations or when we have your express consent.
The information that we collect when we conclude a contract or enter into a business relationship with you needs to be processed to develop our contractual relationship and to comply with legal obligations, for example tax laws, anti-fraud regulations, and so on. Without the required mandatory information, we would not be able to work with you.
Marketing activities, i.e., advertising or sending commercial communications, must be based on your consent or on an existing business relationship with us.
When we process your personal data for our legitimate interests, we always conduct a balancing test to ensure that the rights of personal data subjects are respected.
Finally, when we have access to the personal data of our customers and such data is transferred to a different processor, there is always a written contract regulating mutual cooperation, including specific instructions for data processing and safeguards.
8. Retention periods
We apply the personal data storage limitation principle to retain personal data in our records for the length of time required to fulfil the purpose for which the personal data was collected. We do not store or use personal data for longer than is necessary. The period necessary for retaining personal data depends on specific circumstances, such as regulations that require retaining information for a certain period of time and limitation periods.
The retention period depends on the context in which we process data, such as data from the use of our website, data from future employees or data about employees after they leave employment. Retention periods are established with regard to the legitimate business purpose of Covetrus and according to local legal regulations.
9. Disclosure to third parties and processing activities
Covetrus sometimes works with other processors, service providers and suppliers who help us achieve our business objectives.
If our obligation includes disclosure of personal data, Covetrus requires that the service providers process such data in compliance with this Policy. A Personal Data Protection Agreement is concluded before we disclose any data. Wherever legal regulations so require, your express consent will naturally be requested.
In certain circumstances, we may be required to disclose personal data when required by law, when required to protect our legal rights or in an emergency situation where the health or security of an individual is endangered.
Covetrus is committed to observing to all personal data protection principles, especially the security, confidentiality and integrity principles.
We take appropriate precautions to keep all information obtained from personal data subjects secure against unauthorised access and use. We regularly review our security measures. We are committed to processing your personal data in a secure manner and have introduced specific technical and organisational measures to prevent the personal data that we store from being accidentally or deliberately compromised.
11. Further information
We also conduct information risk assessments to ensure that our employees understand the importance of protecting personal data and responsibly manage access rights within the company. We include both physical security and IT security in our data security approach. We expend reasonable efforts to inform individuals and regulators as required by law if we have reason to believe that personal data or information has been stolen, made public, changed or breached by an unauthorised person. We create and maintain a breach notification and reporting protocol.
12. Your data protection rights and options
Transparency and the right to information: We provide notice to our employees, customers, suppliers, vendors and others of how we use personal data at the time of collecting the personal data. We also publish this privacy protection notice for greater transparency.
Right to access, rectification, restriction of processing and erasure: We provide data subjects with access to their personal data where required by valid legal regulations or upon your request. Furthermore, we will rectify personal data if it is incorrect, inaccurate or incomplete.
We will ensure access to your personal data. This means that you can ask us at anytime to confirm whether any personal data pertaining to you is being processed by our company and, if so, for what purpose, to what extent, to whom it is being transferred or disclosed, for how long we will be processing it, whether and how you can exercise your right to rectify it, delete it or restrict the extent to which it is processed, or how and where you can object to your personal data being processed. We will inform you about where we obtained your personal data and whether automated decision-making, including any profiling, is taking place.
We will ensure your right to have your personal data erased, which means we are obliged to delete your personal data if: (a) it is no longer necessary in relation to the purposes for which it was collected or otherwise processed, (b) it has been unlawfully processed, (c) you object to the processing and there are no overriding legitimate grounds for the processing, or (d) if we are required to under the law. The exceptions are cases where your personal data needs to be retained for compliance with legal obligations, for reasons of public health concerns or, for instance, for establishing, exercising or defending legal claims.
We will ensure your right to restricting the processing of your personal data, which means that until any contentious issues relating to the processing of your personal data are resolved, we have to restrict the processing of your personal data. We will restrict the processing of personal data if you contest the accuracy of such data, if the processing is unlawful and you oppose the erasure of the personal data, if we no longer need your personal data but we require it for the establishment, exercise or defence of legal claims, or if you have warranted objections against the processing of your personal data.
The right to object means that you can object to our processing your personal data for direct marketing purposes. If you object to processing for direct marketing purposes, your personal data will not be processed for these purposes.
Right to object and withdraw consent to personal data processing at any time: For all marketing materials, you can opt-out at any time and free of charge. The right to object to other processing activities will be balanced to ensure that it is not incompatible with legal regulations or the legitimate interests of Covetrus.
Right to data portability: Depending on your specific situation, we provide data subjects with the right to obtain and reuse your data in various services. This includes the transmission of data to your or some other processor or a reliable third party.
Right to file a request or lodge a complaint:
Any requests may be submitted as follows:
- Opting out of marketing communication: You can opt out at any time according to the opt-out instructions in our commercial e-mail: firstname.lastname@example.org
- If you wish to exercise your other rights: Send your request to email@example.com We will respond as soon as possible, but not later than 72 hours after receiving your request. If for any reason we need to extend this period, we will contact you.
For all matters related to the processing of your personal data, our personal data protection trustee is available to you at the above e-mail addresses.
Exercising your rights has no bearing on your right to lodge a complaint with the competent supervisory authority. You can do so especially in cases where you believe that your personal data is being processed wrongly or at variance with legal regulations. You can lodge your complaint with the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7.
13. International transfers of personal data
If you communicate with our website or provided us with your personal data, then your personal data may be transferred to the United States, but always with your prior consent. We will inform you that your data may only be transferred to Covetrus, Portland, USA, only for the purpose of discharging our contractual obligations, which includes handling product-related claims and complaints, and for the purpose of analysing the economic performance of the controller within its business group; at the same, the EU-US Privacy Shield Framework is in force in the United States, which provides ample guarantees of protection of your personal data transferred to the USA. We provide appropriate guarantees for your data in the USA.
14. Changes to this Policy
We reserve the right to modify this Policy and related business practices at any time.
We will give you the opportunity to express your consent with the processing of your personal data for new purposes, or we will inform you in any event about the legal basis for this processing if your express consent is not required. The time stamp that you see in this Policy indicates the last date it was revised.
15. Contact information
At Covetrus we are committed to applying this Policy and the accountability principle. For this reason, if you have any concern or questions about how your personal data is used, please feel free to contact us at: firstname.lastname@example.org