May 2020
This Privacy Notice is addressed to:
- the healthcare professionals with whom we create or maintain a relationship;
- our customers or prospects who are natural persons (such as self-employed pharmacists);
- the representatives or contact persons of our customers or prospects who are legal entities (such as wholesale pharmacists).
You are receiving this Privacy Notice because Novartis is processing information about you which constitutes “personal information” and Novartis considers the protection of your personal information and privacy a very important matter.
For the purpose of this Privacy Notice, “Novartis” refers to the entity processing your personal information:
- Novartis Australia Pty Ltd, 54 Waterloo Road, Macquarie Park, Sydney, NSW 2113, Australia
- Novartis New Zealand Ltd, 12 Madden Street, Wynyard Quarter, Auckland 1010, New Zealand
Novartis is responsible for the processing of your personal information as it decides why and how it is processed, thereby acting as the “controller”. In this Privacy Notice, “we” or “us” refers to Novartis.
We invite you to read this Privacy Notice carefully, which sets out in which context we are processing your personal information and explains your rights and our obligations when doing so.
Should you have any further question in relation to the processing of your personal information, we invite you to contact [email protected]
- What information do we have about you?
This information may either be directly provided by you, by our business partners (i.e. the legal entity for whom you work), by third parties (e.g. medical agencies) or be obtained through trusted publicly available sources (such as AMPCo). We collect various types of personal information about you, including:
- your general and identification information (e.g. first name, last name, gender, email and/or postal address, fixed and/or mobile phone number, AHPRA number where required for verification purposes, and other contact information);
- your function (e.g. title, position, name of company, as well as, for healthcare professionals, first specialty, second specialty, year of graduation from medical school, publications, congress activities, awards, biography, education, links to universities, expertise and participation in/contribution to clinical trials, guidelines, editorial boards and organisations);
- payment information (e.g. credit card details, bank account details, GST or any relevant tax identification number);
- Novartis unique business partner ID and profile;
- your electronic identification data where required for the purpose of delivering products or services to our company (e.g. login, access right, passwords, badge number, IP address, online identifiers/cookies, logs, access and connection times, image recording or sound such as badge pictures, CCTV or voice recordings);
- information regarding your preferences including in terms of channels of communication and frequency;
- data you provide to us for example when you fill in forms or during events you attend, or when you answer questions in a survey;
- data which relate to our products and services; and
- information about the scientific and medical activities/interactions you have with us, including potential future interactions.
If you intend to provide us with personal information about other individuals (e.g. your colleagues), you must provide a copy of this Privacy Notice to the relevant individuals, directly or through their employer.
- For which purposes do we use your personal information and why is this justified?
- Legal basis for the processing
We will not process your personal information if we do not have a proper justification foreseen in the law for that purpose. Examples of the legal basis for when we may process your personal information include if:
- we have obtained your prior consent;
- the collection of the personal information is reasonably necessary for one or more of our functions or activities, and where the information is sensitive information, where we additionally have your consent;
- the information is reasonably necessary for one or more of our functions or activities;
- the collection of the information is required or authorised by or under an Australian law or a court/tribunal order;
- a permitted general situation or permitted health situation exists in relation to the collection of the information, under the Privacy Act 1988; or
- there are other lawful reasons for us to do so.
Please note that, when processing your personal information, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ are data processing activities performed:
- to develop a transparent and professional relationship with healthcare professionals;
- to promote Novartis innovation in the pharmaceutical field;
- to manage Novartis human and financial resources and optimise interactions with healthcare professionals;
- to ensure that the right medicine, according to well-informed healthcare professionals' technical and professional opinion, reaches the patient;
- to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
- to offer our products and services to our customers;
- to prevent fraud or criminal activity and misuse of our products or services, and to ensure the security of our IT systems, architecture and networks;
- to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and
- to meet our corporate and social responsibility objectives.
- Purposes of the processing
We always process your personal information for a specific purpose and only process the personal information that is relevant to achieve that purpose. In particular, we process your personal information for the following purposes:
- managing our relationship with you (e.g. through our databases);
- implementing tasks in preparation of or to perform existing contracts;
- evidencing transactions and ensuring transparency on transfers of value;
- providing you with adequate and updated information about disease, medicines as well as our products and services;
- improving the quality of our interactions and services by adapting our offering to your specific needs;
- answering your requests and providing you with efficient support;
- sending you surveys (e.g. to help us improve your future interactions with us);
- sending you communications regarding products, therapeutic areas or services that we promote;
- managing, planning and executing communications and interactions with you (e.g. through the operation of a database keeping records of interactions with healthcare professionals or managing call planning as well as call reporting);
- tracking our activities (e.g. measuring interactions or sales, number of appointments/calls);
- inviting you to events or promotional meetings sponsored by us (e.g. medical events, speaker events, conferences);
- granting you access to our training modules allowing you to provide us with certain services;
- managing our IT resources, including infrastructure management and business continuity;
- preserving the company’s economic interests and ensuring compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud; conducting audits and defending litigation);
- managing mergers and acquisitions involving our company;
- archiving and record keeping;
- billing and invoicing; and
- any other purposes imposed by law and authorities.
- Who has access to your personal information and to whom are they transferred?
We will not sell, share, or otherwise transfer your personal information to third parties other than those indicated in this Privacy Notice.
In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal information can be accessed by or transferred to the following categories of recipients, on a need-to-know basis to achieve such purposes:
- our personnel (including personnel, departments or other companies of the Novartis group);
- our independent agents or brokers (if any);
- our suppliers and service providers that provide services and products to us;
- our IT systems providers, cloud service providers, database providers and consultants;
- our business partners who offer products or services jointly with us or with our subsidiaries or affiliates;
- any third party to whom we assign or novate any of our rights or obligations; and
- our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets.
The above third parties are contractually obliged to protect the confidentiality and security of your personal information, in compliance with applicable law.
Your personal information can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court, where we are required to do so by applicable law or regulation or at their request.
The personal information we collect from you may also be processed, accessed or stored in a country outside of Australia, which may not offer the same level of protection of personal information.
If we transfer your personal information to external companies in other jurisdictions, we will make sure to protect your personal information by (i) applying the level of protection required under the local data protection/privacy laws applicable to Australia, and (ii) acting in accordance with our policies and standards. If you are located in Australia, the personal information we collect from you may be processed, accessed or stored outside of Australia, including in the EEA, Switzerland, USA and India. We will take reasonable steps to ensure that any overseas recipient will deal with such personal information in a way that is consistent with the Australian Privacy Principles. You may request additional information in relation to international transfers of personal information and obtain a copy of the adequate safeguard put in place by exercising your rights as set out in Section 6 below.
For intra-group transfers of personal information the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal information outside the EEA and Switzerland. Read more about the Novartis Binding Corporate Rules by clicking here.
- How do we protect your personal information?
We have implemented appropriate technical and organisational measures to provide a level of security and confidentiality to your personal information.
These measures take into account:
- the state of the art of the technology;
- the costs of its implementation;
- the nature of the data; and
- the risk of the processing.
The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.
Moreover, when handling your personal information, we:
- only collect and process personal information which is adequate, relevant and not excessive, as required to meet the above purposes; and
- ensure that your personal information remains up to date and accurate.
For the latter, we may request you to confirm the personal information we hold about you is accurate. You are also invited to inform us whenever there is a change in your personal circumstances so we can ensure your personal information is kept up-to-date.
- How long do we store your personal information?
We will only retain your personal information for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.
Personal information we hold in our database about you which is not related to a specific contract will be stored for 24 months after your last interaction with us.
For contracts, the retention period is the term of your (or your company’s) contract with us, plus the period of time until the legal claims under this contract become time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period. When this period expires, your personal information is removed from our active systems.
Personal information collected and processed in the context of a dispute is deleted or archived (i) as soon as an amicable settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time-barred.
- What are your rights and how can you exercise them?
You may exercise the following rights under the conditions and within the limits set forth in the law:
- the right to access your personal information (including any health information) as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
- the right to know why your personal information is being collected, how it will be used and who it will be disclosed to;
- the option of not identifying yourself, or of using a pseudonym in certain circumstances;
- the right to stop receiving unwanted direct marketing; and
- the right to make a complaint about Novartis if you think we have mishandled your personal information.
If you have a question or want to exercise the above rights you may send an email to [email protected] or a letter to Data Privacy, 54 Waterloo Road, Macquarie Park, Sydney NSW 2113. Please include a scan of your identity card for identification purposes, it being understood that we shall only use such information to verify your identity and shall not retain the scan after completion of the verification. When sending us such a scan, please make sure to redact your picture and national registry number or equivalent on the scan.
If you are not satisfied with how we process your personal information, please address your request to our data protection at [email protected] who will investigate your concern.
In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.
- How will you be informed of the changes to our Privacy Notice?
Any future changes or additions to the processing of your personal information as described in this Privacy Notice will be notified to you in advance through an individual notice through our usual communication channels (e.g. by email or via our internet websites).