This Privacy Notice is addressed to:
- Individuals reporting adverse events, providing safety information concerning our products, requesting medical information, and submitting product quality complaints
- Individuals that are the subject of adverse events, medical information queries, and product quality complaints
Novartis is committed to protecting personal data and being transparent about its collection and use. This notice provides you with information on how Novartis Ireland Limited (“Novartis”, “we” or “us”), processes personal data as data controller.
We invite you to read this Privacy Notice carefully, as it contains important information. Should you have any further questions, we invite you to contact [email protected]. Changes or additions to Privacy Notice will be notified through our usual communication channels (e.g. by email or via our website).
Why do we collect and use personal data?
We process personal data for the following purposes:
- Monitoring the safety of medicinal products and medical devices, which includes detecting, assessing, following up on, and preventing adverse events, and reporting adverse events to health authorities
- Responding to medical information queries, for example in relation to availability of products, clinical data, dosing and administration, formulation and stability, and interactions with other drugs, foods, and conditions
- Responding to quality complaints regarding our products, such as any fault of quality and/or effectiveness, stability, reliability, safety, performance, or usage
- Answering other questions or requests and improving our products and services
- Complying with our policies and local legal, regulatory, and compliance requirements
- Conducting audits and defending litigation
We do not process personal data unless we have a proper legal basis. For the purposes listed in this Privacy Notice, we process data on the basis that it is necessary for:
- Ensuring high standards of quality and safety of medicinal products or medical devices, and our associated legal obligations and/or legitimate interests
- Protecting the vital interests of an individual or individuals
What personal data do we collect and use?
For the purposes listed in this Privacy Notice, we collect and use the following categories of personal data:
- Information about individuals that report adverse events or make medical information queries or product quality complaints, for example healthcare professionals and careers. This allows us to respond to queries and seek additional information as needed. The data we collect may include your name, email and/or postal address, phone number, and place of work (for healthcare professionals)
- Patients details, including name, hospital record numbers, age or date of birth, sex, weight, height, race, whether pregnant and/or breastfeeding, ethnicity (where the Summary of Product Characteristics includes specific information relating to ethnic origin), and occupational data (where this is strictly necessary for the evaluation of the adverse event)
- Where strictly necessary and relevant for the purposes described in this Privacy Notice, patient health and lifestyle data, including but not limited to nature of adverse effects, examination results, personal or family medical history, diseases or associated events, risk factors, information about the use of medicines and therapy management, physical exercise, diet, eating behaviour, sexual life/contraception, and consumption of tobacco, alcohol, and drugs
Who has access to personal data?
We do not share or otherwise transfer personal data to third parties other than those indicated in this Privacy Notice. Personal data may be accessed by or transferred to:
- Our personnel (including those in our Patient Safety, Medical Information, Quality Assurance, and Legal departments) and other Novartis Group companies (in particular Novartis AG
- Other pharmaceutical and medical device companies, if the adverse event, request for information, or compliant relates to one of their products
- Service providers acting on behalf of Novartis Companies, such as IT system and data hosting providers, and adverse event processing service providers (including call centre providers). These third parties are contractually obliged to protect the confidentiality and security of personal data, in compliance with applicable law
Personal data may also be shared with:
- Healthcare professionals involved in an adverse event, request for information, or complaint
- The Health Products Regulatory Authority (HPRA) and European Medicines Agency (EMA) which controls the EudraVigilance database (visit https://www.ema.europa.eu for more information)
- A national and/or international regulatory, enforcement, public body or court where we are required to do so by applicable law or regulation or at their request
Where is personal data stored?
Personal data may processed, accessed, or stored in a country outside the country where you are located, which may not offer the same level of protection of personal data.
If we transfer personal data to external companies in other jurisdictions, we will protect personal data by (i) applying the level of protection required under the local data protection/privacy laws applicable to Novartis Ireland Limited, (ii) acting in accordance with our policies and standards and, (iii) for Novartis companies located in the European Economic Area (“EEA”), unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out below.
For intra-group transfers of personal data, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. You can read more at https://www.novartis.com/privacy-policy/novartis-binding-corporate-rules-bcr
How long do we store personal data?
We will only store the above personal data for as long as we reasonably consider necessary for achieving the purposes set out in this Privacy Notice and as required under applicable laws.
What are your rights and how can you exercise them?
You have the right to:
- Access your personal data and, if you believe that it is incorrect, obsolete or incomplete, to request that it is corrected or updated
- Request the erasure of your personal data or the restriction of its use
- If the processing is based on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal
- Object, in whole or in part, to the processing of your personal data
- Request portability of your personal data (i.e. for it to be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format)
We may apply exceptions to these rights where appropriate and in accordance with local law.
How do we protect personal data?
We have implemented appropriate technical and organisational measures to provide an appropriate level of security and confidentiality to personal data. These measures take into account (i) the state of the art of the technology, (ii) the costs of its implementation, (iii) the nature of the data, and (iv) the risk of the processing.
The purpose of these measures is to protect personal data against accidental or unlawful destruction or alteration, accidental loss, unauthorised disclosure or access, and against other unlawful forms of processing.
How can you contact us?
If you have a question or want to exercise the above rights, please email [email protected] or write to Data Privacy, Vista Building, Elm Park Business Campus, Merrion Road, Dublin 4.
If you are not satisfied with the processing of personal data, please address your request to our Data Protection Officer at [email protected] who will investigate your concern.
In any case, you also have the right to file a complaint with Data Protection Commission (https://www.dataprotection.ie), in addition to your rights above.
How will you be informed of the changes to this Privacy Notice?
Any future changes or additions to the processing of your personal data as described in this Privacy Notice will be notified to you in advance through our usual communication channels (e.g. via this website or by email or letter).
This Privacy Notice was last updated in March 2019.