The responsible use of personal data is a core value at Novartis.
To complement the Novartis Policy on the Protection of Personal Information, Novartis has adopted Binding Corporate Rules (BCR), a set of principles governing the international transfer of personal information of Novartis associates, customers, business partners and other individuals whose data is governed by the EU GDPR or by the Swiss Federal Act on Data Protection. The approval by the EEA Data Protection Agencies and recognition of the Swiss Data Protection Authority allows Novartis to transfer your personal information from the EU and Switzerland to Novartis affiliates in other countries in compliance with EU and Swiss data protection laws.
Which data protection principles apply?
Novartis companies that transfer your personal information from the EU or Switzerland to other countries must comply with applicable laws, Novartis policies and the BCR. In particular, these companies will:
- Collect and process your personal information by fair and lawful means;
- Process your personal information only for specific and legitimate purposes;
- Where required by local laws inform you of the transfer of your information and, where appropriate, obtain your consent;
- Keep your personal information accurate, complete and, where necessary, up to date;
- Keep your personal information only for so long as necessary, unless longer or shorter retention periods are required or permitted by law;
- Keep your personal information confidential and take appropriate and reasonable security measures to protect it against unauthorized access, accidental loss or damage, misuse and unauthorized alteration and deletion.
What rights do I have?
If you are a Novartis associate, customer, business partner or any other individual whose personal information Novartis collects and processes in the EU or in Switzerland you can exercise the following rights:
- the right to access your personal data as processed by Novartis and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
- the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
- the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
- the right to object, in whole or in part, to the processing of your personal data;
- the right to request the portability of your data where applicable.
How can I exercise my rights?
If you wish to exercise your data privacy rights, please click here.
Alternatively, you can lodge complaint with the competent Data Privacy Authority.
Where can I find the BCR?
You can find the BCR here:
Novartis Binding Corporate Rules