Privacy notice for reporting undesirable effects for cosmetics

The serious undesirable effect reports may contain personal data such as name, address and age, and ‘special category data’, in particular, health data. 

Legal basis for processing

The legal basis for processing personal data in serious undesirable effect reports is firstly, Article 6(1)(c) of the General Data Protection Regulation (GDPR), which states:

Processing is necessary for compliance with a legal obligation to which the controller is subject

In terms of special categories of personal data, the HPRA relies on Article 9(2)(g) of GDPR, which states:

Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

To comply with our statutory and legal reporting requirements, partially anonymised details of this report (your personal contact information will be removed) will be shared with other bodies also responsible for monitoring the safety of products. These bodies include other regulatory authorities in Ireland, regulatory authorities in the EEA, and the European Commission. 

The HPRA is also legally obliged to communicate serious undesirable effect reports to the natural or legal person that is responsible for the cosmetic, known as the responsible person. The HPRA may share your contact details with the responsible person to allow them to follow up with you in relation to the undesirable effect you experienced. The HPRA will always seek your consent before providing your contact details to the responsible person. 

If the reported undesirable effect does not meet the seriousness criteria, the HPRA will only communicate partially anonymised details of this report to the responsible person. However, given the nature of serious undesirable effect reports, some information may include data that in conjunction with other information contained in the report or elsewhere, may identify individuals. 

The healthcare professional, for whom you provided contact details, may be contacted to determine if the reported undesirable effect meets the seriousness criteria.

The HPRA uses third party service providers and suppliers (also known as data processors) in order to carry out both our regulatory functions and other related matters. These third parties process personal data on behalf of the HPRA and appropriate arrangements are in place with them to protect personal data.