our suppliers and service providers who are natural persons (such as self-employed persons);
the representatives or contact persons of our suppliers and service providers who are legal entities; and
any other visitors of one of our facilities.
You are receiving this Privacy Notice because Novartis South Africa Pty Ltd (“Novartis”) and Sandoz South Africa Pty Ltd (“Sandoz”) (together will be referred as “Novartis group”) are processing information about you which constitutes “personal data”. The Novartis group considers the protection of your personal data and privacy a very important matter. Accordingly, we have developed this notice in order for you to understand how we collect, use, share and store your personal information.
Novartis and Sandoz are separately responsible for the processing of your personal data as it decides why and how it is processed, thereby acting as the “Responsible Party” under the Protection of Personal Information Act 4 of 2013. In this Privacy Notice, “we” or “us” refers to Novartis or Sandoz. Please consider the Novartis entity which processes your personal information as “Responsible Party” of the processing activity.
Should you have any questions in relation to the processing of your personal data, we invite you to contact our Data Privacy Officer at [email protected]
This information may either be directly provided by you or provided by our supplier or service provider (i.e. the legal entity for whom you work) on a voluntary basis or required by the local applicable legislation.
We may collect various types of personal data about you, including:
your general and identification information (e.g. name, first name, last name, gender, date and place of birth, nationality, ID card or passport numbers, email and/or postal address, fixed and/or mobile phone number and car registration number);
your function (e.g. title, position and name of company);
for natural persons acting as suppliers or service providers, financial information (e.g. bank account details); and
your electronic identification data where required for the purpose of the delivery of products or services to our company (e.g. login, access right, passwords, badge number, IP address, online identifiers/cookies, logs, access and connexion times, image recording or sound such as badge pictures, CCTV or voice recordings).
Race and gender information as per Broad-Based Black Economic Empowerment Act.
If you intend to provide us with personal data about other individuals (e.g. your colleagues), you must provide a copy of this Privacy Notice to the relevant individuals, directly or through your employer.
Legal basis for the processing:
We will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if:
we have obtained your prior consent;
the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;
the processing is necessary to comply with our legal or regulatory obligations, e.g. Broad-Based Black Economic Empowerment Act; or
the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms.
Please note that, when processing your personal data on the last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ are data processing activities performed:
to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
to offer our products and services to our customers;
to prevent fraud or criminal activity, misuses of our products or services as well as the security of our IT systems, architecture and networks;
to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and
to meet our corporate and social responsibility objectives.
2. Purpose of the processing:
We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process your personal data for the following purposes:
manage our suppliers and service providers throughout the supply chain;
organise tender-offers, implement tasks in preparation of or to perform existing contracts;
monitor activities at our facilities, including compliance with applicable policies as well as health and safety rules in place;
grant you access to our training modules allowing you to provide us with certain services;
manage our IT resources, including infrastructure management and business continuity;
preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation);
conduct due diligence processes and for internal audit purposes so as to manage and mitigate relevant risks for our organization;
Comply with the provisions of the Broad-Based Black Economic Empowerment Act 53 of 2013, (“B-BBEE Act”) and its regulations, where applicable;
manage mergers and acquisitions involving our company;
archiving and record-keeping;
payment, billing and invoicing; and
any other purposes imposed by law and authorities.
We will not sell, share, or otherwise transfer your personal data to third parties other than those indicated in this Privacy Notice.
In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by or transferred to the following categories of recipients on a need to know basis to achieve such purposes:
our personnel (including personnel, departments or other companies of the Novartis group);
our independent agents or brokers (if any);
our other suppliers and services providers that provide services and products to us;
our IT systems providers, cloud service providers, database providers and consultants;
any third party to whom we assign or novate any of our rights or obligations; and
our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets.
The above-mentioned third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.
Your personal data can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court, where we are required to do so by applicable law or regulation or at their request.
The personal data we collect from you may also be processed, accessed or stored in a country outside the country where the Responsible Party is located, which may not offer the same level of protection of personal data.
If we transfer your personal data to external companies in other jurisdictions , we will make sure to protect your personal data by (i) applying the level of protection required under the local data protection/privacy laws applicable to the Responsible Party, (ii) acting in accordance with our policies and standards. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out in Section 6 below.
For intra-group transfers of personal data, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland.
We have implemented appropriate technical and organisational measures to provide an adequate level of security and confidentiality to your personal data.
These measures take into account:
the state of the art of the technology;
the costs of its implementation;
the nature of the data; and
the risk of the processing.
The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.
Moreover, when handling your personal data, we:
only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes; and
ensure that your personal data remains up to date and accurate.
For the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date.
We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.
The retention period is the term of your (or your company’s) supply or service contract, plus the period of time until the legal claims under this contract become time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period. When this period expires, your personal data is removed from our active systems.
Personal data collected and processed in the context of a dispute are deleted or archived (i) as soon as an amicable settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time barred.
You may exercise the following rights under the conditions and within the limits set forth in the law:
the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
the right to object, in whole or in part, to the processing of your personal data; and
If you have a question or want to exercise the above rights, you may send an email to [email protected] with a scan of your identity card for identification purpose, it being understood that we shall only use such data to verify your identity and shall not retain the scan after completion of the verification. When sending us such a scan, please make sure to redact your picture and national registry number or equivalent on the scan.
Any future changes or additions to the processing of your personal data as described in this Privacy Notice will be notified to you in advance through an individual notice through our usual communication channels (e.g. by email or via our internet websites).