What Personal Data do we process, for which purpose and why is this justified?
We process your Personal Data for the purposes of monitoring the safety of medicinal products and medical devices, which includes detecting, assessing and preventing adverse events and reporting to health authorities and for any other purposes imposed by law and authorities. The processing of your Personal Data is based on our legal obligations regarding the safety of medicinal products and medical devices.
If you report an adverse event concerning one of our products, we will ask for your name and contact details in order to be able to contact you in case additional information is needed and/or to respond to your report. We will also collect information about your qualification in case you are a healthcare professional. We are also recording the IP address of the system from which the report was submitted.
Depending on your adverse event report and if necessary for the assessment, we may also process the following data categories:
Patient identification data, such as: number, identification code, demographic information (age, year or date of birth, sex, weight, height);
Health data: treatments administered, examination results, nature of the adverse effect(s), personal or family history, diseases or associated events, risk factors; information on how the prescribes medicines were used as well as the therapy management.
Information on ancestry and descent of the person, whether it is a newborn, information on pregnancy and/or breastfeeding;
Occupational data: current and past occupations;
Information regarding consumption of tobacco, alcohol, drugs;
Information on lifestyle, life habits and behaviors, including, e.g., dependency, physical exercise (intensity, frequency, duration), diet and eating behavior, sex life;
Ethnicity, in cases where the Summary of Product Characteristics (SmPC) includes specific information relating to the ethnic origin and according to the criteria defined in the SmPC.
Who has access to your Personal Data?
We will not share, or otherwise transfer your Personal Data to third parties other than those indicated in this Privacy Notice. In the course of our activities and for the same purposes as those listed in this Privacy Notice, your Personal Data can be accessed by, or transferred to:
The Head of Drug Safety and their teams;
The general manager and their representatives, within the limits of their attributions;
Members of the legal and regulatory affairs department, depending on their responsibility;
Audit department to check compliance with regulatory or internal requirements;
Other Novartis Group companies;
Other pharma companies whose product may be at stake (without disclosing your identity);
Health care providers concerned by the report;
Service providers acting on behalf of Novartis, such as providers of IT systems, hosting providers and adverse events processing services (e.g., translation services). The above third parties are contractually obliged to protect the confidentiality and security of your Personal Data, in compliance with applicable law.
Your Personal Data can also be accessed by or transferred to national or international regulatory, enforcement, or other authorities where we are required by applicable law or at their request. Your Personal Data may also be processed, accessed or stored in a country outside of the country where you are located. If we transfer your Personal Data to external companies in other jurisdictions, we will make sure to protect your Personal Data by (i) applying the level of protection required under the local data protection/privacy laws applicable to the exporting Novartis entity, (ii) acting in accordance with our policies and standards and, (iii) for exporting Novartis entities located in the European Economic Area (EEA, i.e. the EU member states plus Iceland, Liechtenstein and Norway), unless otherwise specified, only transferring your Personal Data on the basis of standard contractual clauses approved by the European Commission or the Swiss Federal Data Protection and Information Commissioner respectively. You may request additional information in relation to international transfers of Personal Data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out below.
For intra-group transfers of Personal Data, Novartis has adopted Binding Corporate Rules - a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of Personal Data outside the EEA and Switzerland.
How long do we store your Personal Data?
We will only store Personal Data for a as long as we reasonably consider necessary for achieving the purposes set out in this Privacy Notice and as it is required and/or permissible under applicable laws.
What are your rights and how can you exercise them?
Under the conditions provided for by the applicable regulation, you have the right to:
Access your Personal Data as processed by us;
Ask for correction or erasure of your Personal Data;
Request portability, where applicable, of your Personal data, i.e., that the Personal Data you have provided to us, are returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format. If you have questions regarding how we use your Personal Data or if you wish to exercise the above rights, please email us at [email protected]
In any case, you also have the right to file a complaint with the competent data protection authorities.