AUTH/3429/11/20: Member of the public v Sanofi — medical information call recording and email retention (No breach)

📅 2020 | 🖉 Dr Anzal Qurbain
📊

Key facts

CaseAUTH/3429/11/20
PartiesMember of the public v Sanofi
Issue areaCompany responses to enquiries; GDPR-related concerns in medical information interactions (call recording notice, email retention, offline discussions)
Applicable Code year2019
Complaint received16 December 2019
Case completed6 August 2021
AppealNo appeal
Clauses consideredClause 1.11; Clause 7.2; Clause 9.1
DecisionNo breach
Notable remediation (company)Sanofi revised the enquiry handling process to remind recipients of outgoing calls that calls were being recorded.

Download the full case report (PDF)


Reviewed by Dr Anzal Qurbain (FFPM) — ABPI Final Signatory

🤖

Got a question about this case?

Ask one of our 13 specialist ABPI advisors — instant answers, 24/7.

Ask AskAnzal AI
🎬 Expert Video Walkthrough
🎬
Video walkthrough — coming for members
Subscribe now and get expert video analysis for every case as we publish them.
Subscribe — from £299/yr
📋

What happened

  • A member of the public raised additional allegations following an earlier case (AUTH/3281/11/19) about interactions with Sanofi.
  • The complainant alleged that during a medical information call-back, Sanofi (via an outsourced agency) did not state the call would be recorded.
  • The complainant alleged Sanofi’s statement about a “90-day automatic deletion policy” for emails implied insecure systems and destruction of potentially important medical information (including for adverse reactions).
  • The complainant alleged colleagues suggested calling each other to discuss the complainant “to avoid being captured by GDPR”.
  • Sanofi explained inbound medical information calls included a recording notice (“calls are recorded for quality and training purposes”), but this was not repeated on return calls (treated as a continuation). After the complaint, Sanofi revised the process to remind recipients of outgoing calls that calls were being recorded.
  • Sanofi described its retention approach: adverse event emails are captured and stored in the pharmacovigilance database per regulatory requirements; medical information enquiries/responses are stored in a medical information database for 30 years; other inboxes have a 90-day retention policy (not applying to PV/MI databases).
⚖️

Outcome

  • No breach of Clause 1.11 in relation to the call recording/GDPR allegation (no formal finding by a competent authority that GDPR had been breached).
  • No breach of Clause 1.11 in relation to the data retention policy/GDPR allegation (no formal finding by a competent authority that GDPR had been breached).
  • No breach of Clause 9.1 regarding the email retention concerns (complainant did not establish MI emails were insecure or automatically deleted as alleged; nor that adverse events were not appropriately captured/managed).
  • No breach of Clause 7.2 (Panel considered it not relevant to the allegations raised).
  • No breach of Clause 9.1 regarding alleged attempts to avoid GDPR by moving discussions offline (complainant did not establish this on the balance of probabilities).
🔒

Unlock the full case analysis

Members get the complete breakdown — Clauses, Sanction, Signatory Lens, Audit checklist, and 3 Key Questions.

Best value
£249/year
Annual — save £99
or
£29/mo
Monthly
Join Now — Instant Access

⭐ Business Intelligence Access

See the full compliance picture for every pharma company

291 Company Intelligence Reports — breach patterns, appeal history, industry ranking, PDF export.

Request Access →
⭐ Flagship Programme

AQP Flagship Path — the complete UK ABPI signatory programme

12 modules. 12 weeks. Final Signatory readiness. The industry standard for ABPI Code signatories — £995 + VAT.

Enrol — AQP Path Learn more

📰 Weekly PMCPA Case Breakdown

One real case. One key lesson. Every week — free.

Subscribe Free
🎓 AQP Training