Effective Date: April 2025

Introduction

This Privacy Notice is addressed to healthcare professionals registered and that access our Controlled  Access Portal, related to the risk management plan mandated by our regulator (Medicines and Healthcare products Regulatory Agency) specifically for the medicine to which they have prescribed (the “Portal”). At Novartis we are committed to the responsible use of your personal data and consider privacy a very important matter.

For the purpose of this Privacy Notice, “Novartis” refers to Novartis Europharm Ltd., Vista Building, Elm Park, Merrion Road, Dublin 4, Ireland. Novartis is responsible for the processing of your personal data as it decides why and how it is processed, thereby acting as a “controller”.

In this Privacy Notice, “we” or “us” refers to Novartis as defined in this Privacy Notice. The purpose of this Privacy Notice is to provide you with transparent information on how Novartis collects, uses, and discloses your personal data in the context of providing the Portal.

We invite you to carefully read this Privacy Notice, as it contains important information for you. Should you have any questions or concerns in relation to the processing of your personal data, we invite you to contact [email protected].

1. Collection of personal data

If you register to use the Portal, we will collect the information you provide to set up your access and generate secure log-in credentials, which may include your full name, work email address, and area of expertise.

2. For which purposes do we use your personal data and why is this justified?

We may collect and process personal data for the following purposes:

  • To register you on the Portal and provide secure log-in credentials;
  • To contact you regarding your Portal access; and 
  • To provide you with reminder letters related to the purpose of the Portal
     

We will not process personal data without a proper justification, and we will only process your personal data in this context if:

  • the processing is necessary to comply with our legal or regulatory obligations (e.g. when sending you safety information about our products); or
  • the processing is necessary for our legitimate interests (e.g. when responding to your queries).
     

3. Who has access to your personal data and to whom are they transferred?

We will only share your personal data with the entities mentioned in this Privacy Policy. Personal data may be viewed or shared with:

  • our employees (including, Patient Safety, Medical Information, Quality Assurance, Audit and Legal departments) and other Novartis Group companies;
  • Suppliers and service providers acting for and on behalf of Novartis entities that provide services to us. These third parties are contractually obligated to protect the confidentiality and security of your personal information in accordance with applicable laws.
     

In order to comply with local pharmaceutical industry laws, regulations, or codes applicable to Novartis, personal information may also be shared with national and/or international regulatory authorities, other law enforcement agencies, commissions, courts, or ethics committees, including, where applicable, those located in other jurisdictions. Our employees and the employees of other Novartis Group companies have access to personal data.

The personal data we collect from you may also be processed, accessed or stored in a country outside the country where Novartis is located, which may not offer the same level of protection of personal data. If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your 
personal data in accordance with the law. For more information about how Novartis processes and protects personal data, please visit https://www.novartis.com/privacy  or contact us for more information.

For intra-group transfers of personal data (that is, transfers between companies which are members of the Novartis Group), the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. Further information regarding the Novartis Binding Corporate Rules is located at:  https://www.novartis.com/privacy/novartis-binding-corporate-rules-bcr

4. Duration of storage

We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.

5. How do we protect your personal data?

We have implemented appropriate technical and organisational measures to provide a level of security and confidentiality to your personal data. These measures take into account: the state of the art of the technology; the costs of its implementation; the nature of the data; and the risk of the processing. The purpose of these measures is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorised disclosure or access and against other unlawful forms of processing. Moreover, when handling your personal data, we:

  • only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes;
  • ensure that your personal data remains up to date and accurate (for the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up- to-date); and
  • process any sensitive data about yourself (including your medical/health related data) you provide in compliance with applicable data protection rules and strictly as required for the relevant purposes listed above. The data is accessed and processed solely by the relevant personnel, under the responsibility of one of our representatives who is subject to an obligation of professional secrecy or confidentiality.
     

6. What are your rights and how can you exercise them?

You may exercise the following rights under the conditions and within the limits set forth in the law:

  • the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
  • the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
  • the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
  • the right to object, in whole or in part, to the processing of your personal data; and
  • the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations.
     

Please note that Novartis is subject to legal and regulatory obligations which may limit or restrict the enforcement of your rights on some occasions. If you wish to contact us regarding our use of your personal data or you wish to exercise your data privacy rights, you may email to [email protected] or a letter to Data Privacy, Vista Building, Elm Park, Merrion Road, Dublin 4, Ireland.

If you are not satisfied with how we process your personal data, please address your request to our Data Protection Officer at [email protected], who will investigate your concern.

In any case, you also have the right to file a complaint with the Data Protection Commissioner at: www.dataprotection.ie, in addition to your rights above.

7. How will you be informed of the changes to our Privacy Notice?

We may update this Privacy Notice from time to time to reflect changes in technology, legal requirements and our practices. Such updates will be available through our usual communication channels (e.g. via email or our website) and the revised notice will be effective from the date shown.