Pharmaline: Do Not Use Vaccine-Seekers Data for Commercial Purposes!

SMEX calls upon public bodies and private companies to respect the privacy of vaccine-seekers and to abide by the laws in force, particularly Law No. 81/2018 on Electronic Transactions and Personal Data.

Lebanese company Pharmaline is supplying COVID-19 vaccines to the private sector in Lebanon, and it has published its Privacy Policy and Terms of Use on its vaccine-application online platform,

Despite that, in the “Individual Vaccine Consent Form,” Pharmaline forces applicants to agree in advance to have their personal data and any vaccine-related information shared with a pharmaceutical company (Pharmatrade), an insurance company (NextCare) and vaccination centers, without any justification as to the role of these parties in the vaccination process!

Since the Ministry of Health requires that all vaccine-seekers be registered on the COVAX platform, which itself collects sufficient information about them, then why is Pharmaline collecting data too?

We demand that Pharmaline provides clear answers and justifications regarding our privacy concerns: 

  • Do you have permission to collect this data? 
  • What is the purpose behind keeping this data and sharing it with third-parties? 
  • Why have you selected these two specific companies, Pharmatrade and NextCare, to share the data with? 
  • Why would you share this data with an insurance company? 
  • Where would you save the data, and who has access to it, how it will be processed, and until when are you keeping the data? 
  • Will this data be sold or traded, and if yes, then why? 

The request for personal data by Pharmaline, and consequently Pharmatrade, is a clear violation of Law No. 81/2018 on Electronic Transactions and Personal Data, particularly the following articles thereof: 

  • Article 87, which stipulates that personal data shall be “appropriate, not go beyond the stated objectives, be correct and complete and remain on a daily basis as relevant as possible.” It also stipulates that “at a later stage, the said data may not be processed for purposes that are not in line with the specified objectives, unless this is related to processing data for statistical or historical purposes or for scientific research.”
  • Article 90, which stipulates that “Retention of personal data shall not be legitimate except during the period specified in the declaration of processing or in the decision authorizing the same.”
  •  Article 91, which prohibits the collection or processing of personal data “if it reveals, directly or indirectly, the health status, genetic identity or sexual life of the person concerned,” in the event that the person concerned has not explicitly agreed to process the same. Such data may only be collected or processed if it is necessary to establish a medical diagnosis or to provide medical treatment by a healthcare professional, if the right to do so is affirmed before a court of law or if a license is obtained in accordance with the provisions of Article 97 of the Law.
  • Article 93, which makes it mandatory for the personal data processing officer to “take all measures, in light of the nature of the data and the risks resulting from the processing thereof, in order to ensure the integrity and security of the data and to protect the same against being distorted, damaged or accessed by unauthorized persons.”

In light of the above, we urge Pharmaline (Pharmatrade) to refrain from forcing applicants and vaccine-seekers to share their personal and health-related data and information with third parties, as well as to cease its violation of the law, particularly with regard to collecting data and sharing it with third parties.

Furthermore, we call upon the Ministry of Economy to fulfil its obligation of disclosing to the public how the license to collect and process data was obtained, as well as to make available all data processing activities, the parties responsible for data processing and the purpose of such processing, in addition to granting people the right to correct this data, in accordance with Articles 97 and 98 of Law No. 81/2018 on Electronic Transactions and Personal Data.

Updates: 14 April, 2021, 3:57 PM

After publishing about this issue yesterday in Arabic, Maliagroup’s Chairman, Jacques Sarraf, contacted SMEX earlier today, and we agreed that our legal teams will discuss the potential changes needed to be adequate with international norms, and to protect users’ data. 

As SMEX, we work for the public interest, and for the protection of privacy and personal data in this case within our digital rights mandate.

Text of Pharmaline’s Individual Vaccine Consent Form, which applicants are asked to sign. 


This page is available in a different language العربية (Arabic) هذه الصفحة متوفرة بلغة مختلفة

Avatar photo


SMEX is a registered Lebanese NGO that works to advance self-regulating information societies in the Middle East and North Africa.