This Privacy Notice is addressed to:
- individuals reporting adverse events, providing safety information concerning our products, requesting medical information, and submitting product quality complaints;
- and individuals that are the subject of adverse events, medical information queries, and product quality complaints.
Novartis is committed to protecting personal data and being transparent about its collection and use. This notice provides you with information on how Novartis Corporation (Malaysia) Sdn Bhd (referred here as “Novartis”, “we” or “us”) processes personal data as Data User. We invite you to read this Privacy Notice carefully, as it contains important information for you.
Why do we collect and use personal data?
We process personal data for the following purposes:
- monitoring the safety of medicinal products and medical devices, which includes detecting, assessing, following up on, and preventing adverse events, and reporting adverse events to health authorities;
- responding to medical information queries, for example in relation to availability of products, clinical data, dosing and administration, formulation and stability, and interactions with other drugs, foods, and conditions;
- responding to quality complaints regarding our products, such as any fault of quality and/or effectiveness, stability, reliability, safety, performance, or usage; answering other questions or requests and improving our products and services; complying with our policies and local legal, national / international regulatory, and compliance requirements; and
- conducting audits and defending litigation.
We do not process personal data unless we have a proper legal basis which include:
- your prior consent;
- it is necessary for the legitimate interests of Novartis in managing adverse events, medical information queries, and product complaints in compliance with its obligations under local legislation and national / international regulatory relating to conduct of pharmacovigilance. It is also necessary for reasons of substantial public interest in ensuring the safety of medicines; and
- it may be necessary for Novartis to process personal data for the purpose of protecting the vital interests of an individual or individuals.
What personal data do we collect and use?
For the purposes listed in this Privacy Notice, we collect and use the following categories of personal data:
- information about individuals that report adverse events or make medical information queries or product quality complaints, including healthcare professionals and carers. This allows us to respond to queries and seek additional information as needed. The data we collect may include your name, email and/or postal address, phone number, and place of work (for healthcare professionals);
- patients details, including name, hospital record numbers, age or date of birth, sex, weight, height, race, whether pregnant and/or breastfeeding, ethnicity (where the Summary of Product Characteristics includes specific information relating to ethnic origin), and occupational data (where this is strictly necessary for the evaluation of the adverse event); and
- where strictly necessary and relevant for the purposes described in this Privacy Notice, patient health and lifestyle information, including but not limited to nature of adverse effects, examination results, personal or family medical history, diseases or associated events, risk factors, information about the use of medicines and therapy management, physical exercise, diet and eating behaviour, sexual life/contraception, and consumption of tobacco, alcohol, and drugs.
Who has access to personal data?
We will not sell, share or otherwise transfer personal data to third parties other than those indicated in this Privacy Notice. Personal data may be accessed by or transferred to:
- our personnel (including those in our Patient Safety, Medical Information, Quality Assurance, and Legal departments) and other Novartis Group companies.
- other pharmaceutical and medical device companies, if the adverse event, request for information, or complaint relates to one of their products; and
- service providers acting on behalf of Novartis companies, such as IT system and data hosting providers, and adverse event processing service providers (including call centre providers if any in your local country). These third parties are contractually obliged to protect the confidentiality and security of personal data, in compliance with applicable law.
Personal data may also be shared with:
- healthcare professionals involved in an adverse event, request for information, or complaint; and
- national and/or international regulatory, enforcement, public body or court where we are required to do so by applicable law or regulation or at their request.
Where is personal data stored?
Personal data may processed, accessed, or stored in a country outside the country where you are located, which may not offer the same level of protection of personal data.
If we transfer personal data to external companies in other jurisdictions, we will protect personal data by:
- applying the level of protection required under the local data protection/privacy laws applicable to Novartis Corporation (Malaysia) Sdn Bhd; and
- acting in accordance with our Novartis policies and standards;
For intra-group transfers of personal data, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland.
You can read more at https://www.novartis.com/privacy-policy/novartisbinding-corporate-rules-bcr
How do we protect personal data?
We have implemented appropriate technical and organisational measures to provide an appropriate level of security and confidentiality to personal data. These measures take into account: (i) the state of the art of the technology; (ii) the costs of its implementation; (iii) the nature of the data; and (iv) the risk of the processing.
The purpose of these measures is to protect personal data against accidental or unlawful destruction or alteration, accidental loss, unauthorised disclosure or access, and against other unlawful forms of processing
How long do we store personal data?
We will only store the above personal data for as long as we reasonably consider necessary for achieving the purposes set out in this Privacy Notice and as required under applicable laws.
What are your rights and how can you exercise them?
You have the right to:
- access your personal data and, if you believe that it is incorrect, obsolete or incomplete, to request that it is corrected or updated;
- request the erasure of your personal data or the restriction of its use; and
- if the processing is based on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal; object, in whole or in part, to the processing of your personal data;
How can you contact us?
If you have a question or want to exercise the above rights, please email our Country Data Privacy Officer at [email protected] or write to:
Novartis Corporation (M) Sdn Bhd
Level 22, Tower B, Plaza 33
No. 1, Jalan Kemajuan, Seksyen 13
46200 Petaling Jaya
If you are not satisfied with the processing of personal data, please address your request to our Data Protection Officer at [email protected] who will investigate your concern.
This Privacy Notice was last updated in March 2020. Changes or additions will be notified through our usual communication channels (e.g. via our website).