AUTH/3429/11/20 - Member of the public v Sanofi

Company responses to enquiries

  • Received
    16 December 2021
  • Case number
    AUTH/3429/11/20
  • Applicable Code year
    2019
  • Completed
    06 August 2021
  • No breach Clause(s)
  • Additional sanctions
  • Appeal
    No appeal

Case Summary

This complaint arose from Case AUTH/3281/11/19 wherein the complainant, a member of the public, complained about various interactions he/she had had with Sanofi. The complainant provided a copy of an email he/she had sent to Sanofi which stated that when a member of Sanofi’s staff called the complainant, the member of staff failed to say the call would be recorded. In addition, the complainant noted that normal record management systems would keep information for 6 years. Given that medical information needed to be held for longer as adverse reactions might occur, Sanofi’s comment that ‘For data security purposes, Sanofi has a 90‐day automatic deletion policy on all e‐mails sent to e‐mail inboxes. This includes e‐mails sent to individuals. This may explain why the e‐mails from [a named Sanofi staff member] that you mentioned have not been provided.’, in the complainant’s view, indicated a clear breach of GDPR (General Data Privacy Regulation) as Sanofi was firstly implying that Sanofi’s email system was insecure and secondly Sanofi was allegedly destroying emails which might be relevant for future reference. The complainant asked why this 90-day retention period was not mentioned to anyone emailing Sanofi and why it was missing from Sanofi’s Privacy Policy.

The detailed response from Sanofi is given below.

The Panel noted that Sanofi’s medical information function was outsourced to an agency. It was an established principle that companies were responsible for the acts and omissions of their agencies that came within the scope of the Code. The Panel also noted that the complainant bore the burden of proof and had to establish his/her case on the balance of probabilities.

The Panel noted Sanofi’s submission that at the beginning of each inbound medical information call, callers were advised ‘calls are recorded for quality and training purposes’. In cases where the call could not be taken immediately, it might be necessary to return the call which Sanofi explained would represent a continuation of that call. Sanofi stated that the message regarding recording of calls was not repeated in the context of return calls. The call which was the subject of this complaint was such a return call and, according to Sanofi, contained sensitive personal data. The Panel noted Sanofi’s response that following this complaint Sanofi had now revised the enquiry handling process to remind recipients of outgoing calls that such calls were being recorded.

The Panel did not have a copy of the privacy policy in place at the time the call was made to the complainant but noted that the privacy policy provided by Sanofi, last updated December 2019, stated:

‘Data that we collect automatically, for instance recordings of telephone calls when you call SANOFI or we call you (you will always be notified in advance when we are intending to record a telephone call).’

Management of personal data was an important issue. The Panel noted that Sanofi had not argued that the matter was not within the scope of the Code. The Panel noted the scope of the Code as set out at Clause 1.1. Whilst the Code did not explicitly refer to GDPR, Clause 1.11 stated that pharmaceutical companies must comply with all applicable codes, laws and regulations to which they are subject. In the Panel’s view, this meant codes, laws and regulations that related to matters that fell within the scope of the ABPI Code. Whether matters in relation to GDPR fell within the scope of the Code would be decided on a case-by-case basis. The Panel noted that the complaint concerned GDPR in relation to medical information interactions. The Panel noted from the evidence before it that there did not appear to have been any formal finding by any judicial authority or appropriate body formally charged with determining matters in relation to GDPR that Sanofi had not complied with the relevant laws and regulations in relation to the telephone call in question. The Panel therefore ruled no breach of the Code.

The Panel noted the complainant’s allegation that a 90‐day automatic deletion policy on all emails sent to email inboxes was inadequate for medical information as adverse reactions might occur.

The Panel noted that whether allegations about an email retention policy came within the scope of the Code would be decided on a case-by-case basis and noted, again, that Sanofi had not commented on this point. The Panel noted that it appeared that the medical information emails in question were retained for 30 years rather than deleted after the 90-day period referred to by the complainant. The Panel noted, however, that the letter dated 16 December 2019 from Sanofi to the complainant referred to a 90-day automatic deletion policy on all emails sent to email inboxes, including emails to individuals. The Panel thought it odd that Sanofi had not referred to the 30-year policy in relation to medical information in this letter. The Panel noted that the complainant’s allegation related specifically to medical information emails, particularly in relation to adverse events, and, in this regard, considered that the complainant had not established that such emails were insecure or automatically deleted as alleged. No breach of the Code was ruled.

The Panel noted from the evidence before it that there did not appear to have been any formal finding by any judicial authority or appropriate body formally charged with determining matters in relation to GDPR that Sanofi had not complied with the relevant laws and regulations in relation to its data retention policy. The Panel therefore ruled no breach of the Code. Nor had the complainant established that Sanofi’s data retention policy was such that adverse events were not appropriately captured and managed. No breach of the Code was ruled.

Although the Panel had concerns in relation to the letter dated 16 December 2019 from Sanofi to the complainant, these were not matters raised by the complainant. In the Panel’s view, the cited clause was not relevant in relation to the allegations raised and the Panel therefore ruled no breach of the Code.

The Panel noted Sanofi’s submission that a review of the emails held by Sanofi relating to the complainant had identified some references to off-line discussions which, according to Sanofi, was not unusual if there were complex situations which would benefit from more detailed verbal discussion between two or more Sanofi personnel. No cases had been identified where Sanofi colleagues had sought to ‘avoid being captured by GDPR’ by advising talking to each other rather than corresponding by email. The Panel noted that Sanofi had not commented on whether this matter came within the scope of the Code. The Panel noted that the complainant bore the burden of proof and considered that the complainant had not established that Sanofi employees attempted to avoid being captured by GDPR in the manner alleged. No breach of the Code was ruled.