Privacy Notice for Business Partners – Novartis Entities in SSA
Mar 19, 2020
What information do we have about you?
This information may either be directly provided by you, by our business partners (i.e. the legal entity for whom you work), by third parties (e.g. medical agencies) or be obtained through trusted publicly available sources (such as Medpages, PubMed, Clinical Trials.gov, congress websites or university websites). To the extent necessary, you provide us with your consent to collect your personal data from such other persons. We collect various types of personal data about you, including:
your general and identification information (e.g. name, first name, last name, gender, email and/or postal address, fixed and/or mobile phone number);
your function (e.g. title, position, name of company, as well as, for healthcare professionals, first specialty, second specialty, year of graduation from medical school, publications, congress activities, awards, biography, education, links to universities, expertise and participation in/contribution to clinical trials, guidelines, editorial boards and organisations);
payment information (e.g. bank account details, VAT or other tax identification number);
Novartis unique business partner ID and profile;
your electronic identification data where required for the purpose of delivering products or services to our company (e.g. login, access right, passwords, badge number, IP address, online identifiers/cookies, logs, access and connection times, image recording or sound such as badge pictures, CCTV or voice recordings);
information regarding your preferences including in terms of channels of communication and frequency;
data you provide to us for example when you fill in forms or during events you attend, or when you answer questions in a survey;
data which relate to our products and services; and
information about the scientific and medical activities/interactions you have with us, including potential future interactions.
If you intend to provide us with personal data about other persons (e.g. your colleagues), you must provide a copy of this Privacy Notice to the relevant person(s), directly or through their employer, and ensure that they provide consent to your sharing their personal data with us in terms of this Privacy Notice.
For which purposes do we use your personal data and why is this justified?
Legal basis for the processing
We will only process your personal data if permitted by law, including if:
we have obtained your prior consent;
the processing is necessary to carry out actions for the conclusion or performance of a contract to which you are a party;
the processing is necessary to comply with our legal or regulatory obligations;
the processing protects your legitimate interest; and / or
the processing is necessary for our legitimate interests or the legitimate interests of a third party to whom the personal data is supplied, and does not unduly affect your interests or fundamental rights and freedoms.
Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ may include data processing activities performed:
to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
to offer our products and services to our customers;
to prevent fraud or criminal activity and misuses of our products or services, and to ensure the security of our IT systems, architecture and networks;
to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and
to meet our corporate and social responsibility objectives.
We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process your personal data for the following purposes:
manage our relationship with you (e.g. through our databases);
implement tasks in preparation of or to perform existing contracts;
provide you with adequate and updated information about disease, drugs as well as our products and services;
improve the quality of our services by adapting our offering to your specific needs;
answer your requests and provide you with efficient support;
send you surveys (e.g. to help us improve your future interactions with us);
send you communications regarding products or services that we promote;
manage communications and interactions with you (e.g. through the operation of a database keeping records of interactions with healthcare professionals or managing call planning as well as call reporting and other electronic and digital interactions);
track our activities (e.g. measuring interactions or sales, number of appointments/calls);
invite you to events or promotional meetings sponsored by us (e.g. medical events, speaker events, conferences, webinars, meetings on various digital platforms);
grant you access to our training modules allowing you to provide us with certain services;
manage our IT resources, including infrastructure management and business continuity;
preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud; conducting audits and defending litigation);
manage mergers and acquisitions involving our company;
archiving and record keeping;
billing and invoicing; and
any other purposes imposed by law and authorities.
Who has access to your personal data and to whom are they transferred?
We will not sell, share, or otherwise transfer your personal data to third parties other than those indicated in this Privacy Notice.
In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by or transferred to the following categories of recipients:
our personnel (including personnel, departments or other companies of the Novartis group) on a strictly need-to-know basis;
our independent agents or brokers (if any);
our suppliers and services providers that provide services and products to us;
our IT systems providers, cloud service providers, database providers and consultants;
our business partners who offer products or services jointly with us or with our subsidiaries or affiliates;
any third party to whom we assign, cede or novate any of our rights or obligations;
our advisors and external lawyers; and
any national and/or international regulatory, enforcement, public body or court where we are required to do so by applicable law or regulation or at their request.
The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.
We work with affiliates and other trusted partners and service providers located outside of your country of domicile. The personal data we collect from you may therefore also be processed, accessed, stored in or transferred to a country outside South Africa, which may not offer a level of protection of personal data which is substantially similar to the protections as may be enjoyed in your country of domicile.
If we transfer your personal data to any third party, we will do so in accordance with applicable data protection laws.
For intra-group transfers of personal data, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, which accord with the data protection principles provided by applicable law, in an effort to ensure effective levels of data protection relating to transfers of personal data to other countries. Read more about the Novartis Binding Corporate Rules by clicking here: https://www.novartis.com/sites/www.novartis.com/files/bcr-individual-rights-2012.pdf
How do we protect your personal data?
We have implemented appropriate, reasonable technical and organisational measures to provide a level of security and confidentiality to your personal data.
These measures take into account:
the state of the art of the technology;
the costs of its implementation;
the nature of the data; and
the risk of the processing.
The purpose thereof is to protect it against accidental or unlawful destruction or alteration, loss, damage, unauthorized disclosure or access and against other unlawful forms of processing.
Moreover, when handling your personal data, we:
only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes; and
ensure that your personal data remains up to date and accurate.
For the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date.
How long do we store your personal data?
We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements. When this period expires, your personal data is removed from our systems.
What are your rights and how can you exercise them?
You may exercise the following rights under the conditions and within the limits set forth in the law:
the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
the right to object, in whole or in part, to the processing of your personal data;
the right to object to a channel of communication used for direct marketing purposes; and
the right to request its portability where applicable.
If you have a question or want to exercise the above rights, you may send an email to [email protected] or a letter at P.O Box 12257 Vorna Valley 1686 addressed to the Data Privacy Office.
If you are not satisfied with how we process your personal data, please address your request to our data protection officer [email protected], who will investigate your concern.
In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.
How will you be informed of the changes to our Privacy Notice?
Any future changes or additions to the processing of your personal data as described in this Privacy Notice will be notified to you in advance through an individual notice through our usual communication channels (e.g. by email or via our internet websites).