This Privacy Notice is addressed to:

  • the adverse event reporters providing patient safety information concerning our products.
  • individuals requesting medical information; or
  • submitting quality complaints through various platforms such as phone, e-mail, etc.

Novartis South Africa Pty Ltd (respectively “Novartis”) is committed to protecting your personal information and to being transparent about the information we are collecting and what we do with it.

This notice provides you with information on how Novartis (hereinafter: “Novartis”, “we” or “us”), processes information about you which constitutes personal data. Novartis is responsible for the processing of your personal data as it decides why and how it is processed, thereby acting as the “Responsible Party” under the Protection of Personal Information Act 4 of 2013. In this Privacy Notice, “we” or “us” refers to Novartis. Please consider the Novartis entity which processes your personal information as “Responsible Party” of the processing activity.

We invite you to read this Privacy Notice carefully, as it contains important information for you. Should you have any further questions in relation to the processing of your personal data, please contact the local Novartis data privacy officer at [email protected]

We may process personal data (which you might provide voluntarily or be required by the local legislation) about you for the following purposes:

  • monitoring the safety and efficacy of the medicinal products and medical devices, which includes detecting, assessing and preventing adverse events and reporting to health authorities.
  • responding to the medical information enquiries,
  • addressing quality complaints regarding our products.
  • improving our products and services;
  • training or educational purposes within or outside Novartis and/or Sandoz;
  • providing you with adequate and updated information about disease, drugs, as well as our products and services;
  • answering any questions or requests you may have;
  • managing our IT resources, including infrastructure management and business continuity;
  • preserving the company’s economic interests and ensuring compliance and reporting (such as complying with our policies and local legal requirements, conducting audits and defending litigation);
  • archiving and record-keeping;
  • where instructed by a local Health Authority or Regulator to advise healthcare professionals in general or a group of healthcare professionals on a patient safety related matter related to our products or services;
  • to gain insights into broad trends about our products and/or disease areas of interest; and
  • any other purposes imposed by law and authorities.

We will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will process your personal data on the basis:

  • that this is necessary to comply with our legal obligations regarding the safety of medicinal products and medical devices,
  • that this is necessary for reasons of public interest in the area of public health,
  • of your prior consent, where needed,
  • that this is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms.

Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ are data processing activities performed:

  • to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
  • to prevent fraud or criminal activity, misuses of our services and products as well as the security of our IT systems, architecture and networks;
  • to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and
  • to meet our corporate and social responsibility objectives.

If you report an adverse event concerning one of our products, submit a quality complaint or request medical information, we will ask for your name and contact details in order to be able to contact you in case additional information is needed and/or to respond to your enquiry. We will also collect information about your qualification in order to determine if you are a healthcare professional or a consumer. Note that any further processing and transfer of your name and contact details to Health Authorities or Licensed Partners, as required by country regulations, will be done in an anonymized format.

In the event of the adverse event report, we will also process the following data categories:

  • Patient identification data, such as: number, alphabetic identification code as provided by the adverse reaction reporting form, demographic information (age, year or date of birth, sex, weight, height);
  • Health data: treatments administered, examination results, nature of the adverse effect(s), personal or family history, diseases or associated events, risk factors; information on how the prescribes medicines were used as well as the therapy management.

Additionally, if necessary for an adverse event assessment we may also collect and process:

  • Information on ancestry and descent of the person, whether it is a newborn, information on pregnancy and/or breastfeeding;
  • Occupational data: current and past occupations (only where this can be justified for the evaluation of the adverse event);
  • Information regarding consumption of tobacco, alcohol, drugs;
  • Information on lifestyle, life habits and behaviours, including for instance: dependence, physical exercise (intensity, frequency, duration), diet and eating behaviour;
  • Sexual life;
  • Ethnicity, only in cases where the) Professional Information (“PI”) Leaflet includes specific information relating to the ethnic origin and according to the criteria defined in the PI.

We will not sell, share, or otherwise transfer your personal data to third parties other than those indicated in this Privacy Notice.

In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by, or transferred to other Novartis Group companies and service providers acting on behalf of Novartis Companies, such as providers of IT systems hosting and other services or providers of adverse events processing services. The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.

Your personal data can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court where we are required to do so by applicable law or regulation or at their request or where required.
The personal data we collect from you may also be processed, accessed or stored in a country outside the country where you are located, which may not offer the same level of protection of personal data.

If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data by (i) applying the level of protection required under the local data protection/privacy laws applicable to Novartis and Sandoz, (ii) acting in accordance with our policies and standards and, (iii) for Novartis companies located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the "EEA"), unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out below.

For intra-group transfers of personal data the Novartis Group has adopted Binding Corporate Rules - a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. Read more about the Novartis Binding Corporate Rules by clicking here https://www.novartis.com/privacy/novartis-binding-corporate-rules-bcr

We will only store the above personal data for as long as we reasonably consider necessary for achieving the purposes set out in this Privacy Notice and as it is required and/or permissible under applicable laws.

You have the right to:

  • access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
  • request rectification or erasure of your personal data that is inaccurate or processed for the purposes not stated above.
  • request the restriction of processing of your data to specific categories of processing;
  • file a complaint with the competent data protection authorities.

If you have a question, want to exercise the above rights or if you are not satisfied with how we process your personal data, please send an email to [email protected] with a scan of your identity card for identification purpose, it being understood that we shall only use such data to verify your name and identity and shall not retain the scan after completion of the verification. When sending us such a scan, please make sure to only redact your picture and identity number or equivalent on the scan.

You may also contact your local Novartis Company by using the contact details available on our website.

Any future changes or additions to the processing of your personal data as described in this Privacy Notice will be notified to you in advance through an individual notice, through our usual communication channels (e.g. by email or via our internet websites).