March 23, 2021
Novartis considers privacy as a very important matter. Accordingly, Novartis is pursuing the greatest transparency concerning its processing of personal information.
Novartis Pharma AG having its registered office at Novartis Campus, CH-4056 Basel, Switzerland, is responsible for the processing of your personal information as it decides why and how it is processed, thereby acting as the “data controller”. It may exercise this responsibility alone or jointly with other company(-ies) in the Novartis group, acting as “co-controller(s)”. In this Privacy Notice, “we” or “us” refers to Novartis Pharma AG and its group companies.
We are committed to ensuring that any personal information we receive is protected and processed in accordance with applicable data protection laws and Novartis policies and standards.
For the purpose of the scope of this Privacy Notice, third parties are as follows:
- Suppliers: An external natural or legal person/entity outside the Novartis Group from whom Novartis sources goods or services. This includes, for example:
- Contract Manufacturing Organizations (CMOs)
- Institutions and collaborators carrying out research for or on behalf of Novartis, where Novartis is acting as the sponsor and paying for the research, including collaborators of both Contract Research Organizations (CROs) and Academic Research Organizations AROs)
- Third parties that handle or distribute Novartis products (i.e. logistics services) where the ownership of the products is not transferred to the third party service provider
- HCPs acting as "third parties" only, i.e. where they provide goods or services against a fee for a service beyond their profession as an HCP, such as app developers or commercial/marketing consultants, etc. (otherwise HCPs are out of scope).
- Business Development & Licensing (BD&L): Any third party with whom a product in-licensing agreement has been contracted with Novartis.
- Distributors and Wholesalers: Any third party that imports and/or resells for its own business purposes Novartis Products (whether or not they provide promotion services for the specific Novartis Products on behalf of Novartis).
The purpose of this Privacy Notice is to clarify the way Novartis is processing personal information of representatives and/or employees as contact persons (data subjects) of a third party or its subcontractor (who will be further referred in this Privacy Notice as “you”).
We invite you to carefully read this Privacy Notice, which sets out in which context we are processing information that relates directly or indirectly to you (“personal information”) and explains your rights with respect to the processing of your personal information.
We have separate privacy notices in relation to processing personal information of our employees, business partners which are not providing services to us, patients and users of our other websites, and you should refer to those where appropriate.
Should you have any further questions in relation to the processing of your personal information, you are invited to contact our data protection officer at [email protected].
What information do we have about you?
This personal information may either be directly provided by you or provided by our third party (i.e. the legal entity you work for or on behalf of).
We may collect various types of personal information about you, including:
- your general contact and identification information (e.g. name, first name, last name, gender, date and place of birth, nationality, ID card or passport numbers, email and/or postal address, fixed and/or mobile phone number and car registration number);
- your function (e.g. title, position and name of company);
- your financial information (e.g. bank account details, credit worthiness and financial health checks), taxation information (government issued tax ID or account number), information about transactions (delivery and payment history) and background information about your business capabilities and operational performance when you individually act as a third party (e.g. one person company/Sole proprietorship); and
- your electronic identification data where required for the purpose of the delivery of products or services to our company (e.g. login, access right, passwords, badge number, IP address, online identifiers/cookies, system activity logs, access and connexion times, image recording or sound such as badge pictures, CCTV or voice recordings and meeting recordings).
In some countries, information relating to a company (“legal person”) is also considered as personal information. In such scenarios, if the abovementioned information collected or provided is specific to a legal entity, we will treat it as personal information in accordance with the applicable data protection law.
We do not collect any health data unless it is for making reasonable arrangements for a person with disability.
The third party you work for will provide the majority of the personal information that we process about you. If you intend to provide us with personal information about other individuals (e.g. your colleagues), you must ask the relevant individuals to go through this Privacy Notice available on our corporate website (www.novartis.com/privacy) before providing us with such personal information.
For which purposes do we use your personal data and why is this justified?
Legal basis for the processing
We will not process personal data, Novartis may have about you if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if:
- we have obtained your prior consent;
- the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;
- the processing is necessary to comply with our legal or regulatory obligations; or
- the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms.
[Note: For China, the legitimate interest criteria does not apply]
Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy.
Examples of such ‘legitimate interests’ are data processing activities performed:
- to develop a proximity and trustful professional relationship;
- to promote innovation in the pharmaceutical field;
- to manage Novartis human and financial resources;
- to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
- to offer our products and services to our customers;
- to prevent fraud or criminal activity, misuses of our products or services as well as the security of our IT systems, architecture and networks;
- to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; or
- to meet our corporate and social responsibility objectives.
Mostly we process your personal information on a legal basis other than consent. However, if you have consented to the processing of your personal information, you have the right to withdraw that consent at any time. To withdraw your consent or to get more information on our specific interests and your rights, Novartis can be contacted as indicated below.
Purposes of the processing
We always process your personal data for a specific purpose and only process the personal data, which is relevant to achieve that purpose. In particular, we process the personal information for any or all of the following purposes:
- to manage our third parties throughout the relationship;
- to organise tender-offers, implement tasks in preparation of or to perform existing contracts;
- to monitor activities at our facilities, including compliance with applicable policies as well as health and safety rules in place;
- to grant you access to our training modules allowing you to provide us with certain services;
- to communicate with you during the term of the contract and contact you in case of emergency;
- to manage our IT resources, including infrastructure management and business continuity;
- to preserve Novartis’ economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation);
- to manage mergers and acquisitions involving our company;
- for archiving and record-keeping;
- for billing and invoicing; or
- any other purposes imposed by law and authorities.
Who has access to your personal data and to whom are they transferred?
We will not sell, share, or otherwise transfer your personal information to third parties other than those indicated in this Privacy Notice.
In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data maybe accessed by or transferred to the following categories of recipients, on a need to know basis to achieve such purposes :
- our personnel (including personnel, departments or other companies of the Novartis group);
- our independent agents or brokers (if any);
- our other suppliers and services providers that provide services and products to us;
- our IT systems providers, cloud service providers, database providers and consultants;
- any third party to whom we assign or novate any of our rights or obligations; and
- our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets. .
The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.
Your personal information can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court, where we are required to do so by applicable law or regulation or at their request.
The personal information we collect from you may also be processed, accessed or stored in a country outside the country where Novartis Pharma AG is located, which may not offer the same level of protection of personal information.
If we transfer your personal information to external parties in other jurisdictions, we will make sure to protect your personal information by (i) applying the level of protection required under the local data protection/privacy laws applicable to Novartis Pharma AG and its group companies, (ii) acting in accordance with our policies and standards and, (iii) for Novartis Pharma AG and its group companies located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the "EEA"), unless otherwise specified, only transferring your personal information on the basis of standard contractual clauses approved by the European Commission or the Swiss Federal Data Protection and Information Commissioner respectively. You may request additional information in relation to international transfers of personal information and obtain a copy of the adequate safeguard put in place by exercising your rights as set out below.
If you are located in Australia, the personal information we collect from you may be processed, accessed or stored outside of Australia, including in the EEA. We will take reasonable steps to ensure that any overseas recipient will deal with such personal information in a way that is consistent with the Australian Privacy Principles.
For intra-group transfers of personal data to our group companies, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. Read more about the Novartis Binding Corporate Rules here.
How do we protect your personal information?
We have implemented appropriate technical and organizational measures to provide an adequate level of security and confidentiality to your personal information.
The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.
How long do we store your personal information?
We will only retain your personal information for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.
The retention period is the term of your (or the third party’s) relevant commercial agreement with Novartis plus the period of time until the legal claims under such commercial agreement become time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period. When this period expires, your personal information is removed from our active systems.
Personal information collected and processed in the context of a dispute are deleted or archived (i) as soon as an amicable settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time barred..
What are your rights and how can you exercise them?
You may exercise the following rights under the conditions and within the limits set forth in the law:
- the right to be informed about what personal information we have about you and how we process your personal information;
- the right to access your personal information as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
- the right to request the erasure of your personal information or the restriction thereof to specific categories of processing;
- the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
- the right to object, in whole or in part, to the processing of your personal information. With certain exceptions, this includes the right to object to direct marketing and the right to object to your personal information being used for research;
- the right to request its portability, i.e. that the personal information you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations; and
- the right to object to automated decision making including profiling, i.e. you can request an human intervention in any automated decision making process related to processing of your data and where such processing is not based on your consent, authorised by law or necessary for the performance of a contract. However, we don’t currently make decisions using automated processes.
If you have a question or want to exercise the above rights, please click here.
If you are not satisfied with how we process your personal information, you may address your request to our data protection officer at [email protected], who will investigate your concern.
The third party you work for is also a data controller for your information. To exercise your data protection rights you may need to contact the third party you work for in relation to your personal information.
In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.
How will you be informed of the changes to our Privacy Notice?
We may change or update this Privacy Notice from time to time by posting a new privacy notice in our procurement systems or our corporate website (www.novartis.com/privacy). Please keep checking this Privacy Notice occasionally so that you are aware of any changes .