General Privacy Notice for Business Partners - France (English Version)

General Privacy Notice for Business Partners - France (English Version)

This privacy notice was updated in April 2025

It has been updated to i) specify the categories of personal data collected (data relating to your user and interaction behavior, publicly available information), ii) present in the form of a table the purposes and legal bases used, iii) add information related to the use of artificial intelligence, iv) specify how you will be informed about the amendments to this privacy notice.

April 2025

This privacy notice is addressed to our business partners, in particular health care professionals, we engage with in the context of our business activities, which may include informing about our products and services and for other promotional and non-promotional activities (hereinafter “business partner” or “you”).

This privacy notice describes the ways in which Novartis Pharma SAS having its registered office at 8-10 rue Henri Sainte-Claire Deville F-92563 Rueil-Malmaison (hereinafter “Novartis” or “we”) collects, uses and otherwise, processes information about you that may identify you directly or indirectly (hereinafter referred to as “personal data”). Novartis considers the protection of personal data and privacy a very important matter.

Novartis is responsible for the processing of your personal data as it decides why and how it is processed, thereby acting as the “controller”. To the extent you will be provided with specific privacy notices (including through publishing such notices on our website), or other specific privacy notices, e.g. when reporting an adverse event, these privacy notices shall govern the processing of your personal data for the purposes described in those notices and shall not be superseded by this privacy notice.

We invite you to carefully read this privacy notice, which sets out in which context we are processing your personal data, we are using it and how long we keep it and explains your rights.

What information do we have about you?

Information Novartis may have about you may either be directly provided by you, such as when you share personal data with us or we receive information through your interactions with us, by our business partners (i.e. the organization for whom you work), or by third parties (e.g. our external service providers or medical agencies). We may further obtain your personal data through public sources where you may publish information in a professional context or other trusted publicly available sources (such as PubMed, Clinical Trials.gov, congress websites or university websites). Information about you may also be inferred from personal data we have about you.

We may collect various types of personal data about you, such as:

  • your general and identification information (e.g. last name, first name, gender, business email and/or postal address, phone number);
  • your function and professional activities/experience (e.g. title, position, name of company, as well as, for health care professionals, specialties, year of graduation, publications, congress activities, awards, biography, education, links to universities, expertise and participation in/contribution to clinical trials, guidelines, editorial boards and organizations, conferences, events, and speaking engagements, type of the structure where you work (teaching hospital, general hospital, center dedicated to the fight against the cancer or private clinic)); 
  • payment information (e.g. amount of payments, credit card details, bank account details, VAT or other tax identification number); 
  • Novartis unique business partner ID and profile; 
  • your national identifier called “Répertoire partagé des professionnels de santé” (“RPPS”) or other identifier like ordinal number or unique national identifier number for student, registration number to “Fichier National des Etablissements Sanitaires et Sociaux” (“FINESS”);
  • your electronic identification data where required for the purpose of delivering products or services (e.g. login, access right, passwords, badge number, IP address, online identifiers/cookies, logs, access and connection times, image recording or sound such as badge pictures, CCTV of Novartis premises or voice recordings); 
  • information regarding your usage, your profile, types of messages discussed, your responses and/or preferences, including in terms of channels of communication, and time and frequency, and transcription of content or matters discussed;
  • user behavior and interaction with our websites, online portals, and electronic communications (such as website usage analytics information, or email click, read and/or open rates);
  • publicly available information from professional social media interactions and/or membership in groups (such as public blogs, forums, posts or interactions via social media accounts relating to the professional/therapeutic area);
  • data which relate to our products and services; 
  • information about the scientific and medical activities/interactions you have with us, including services you may provide to us and potential future interactions; and
  • other data you provide to us, such as when filling out forms, making an enquiry, responding to a survey, or participating in market research.

If you intend to provide us with personal data about other individuals (e.g. your colleagues), you must provide a copy of this privacy notice to the relevant individuals, directly or through their employer.

For which purposes do we use your personal data and why is this justified?


We will always process your personal data for a specific purpose, and we will not process such personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if:
  • we have obtained your prior consent (“consent”);
  • the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request (“contractual necessity”);
  • the processing is necessary to comply with our legal or regulatory obligations (“legal obligation”); or 
  • the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms (“legitimate interest”).

In the table below, we set out for which purposes we process your personal data and indicate the corresponding legal justification/basis (where required).

Purpose

Justification (legal basis)
 (where required under applicable law)
 

We always process your personal data for a specific purpose and will only process the personal data, which is relevant to achieve that purpose. In particular, we process the personal data we may have about you for the following purposes:

The applicable legal basis may vary depending on the specific processing purpose and the applicable requirements in your jurisdiction.

 

Contract management

We process your personal data for the purpose of initiating or performing a contract (e.g. a specialist lecture), including as necessary for:

  • implementing tasks in preparation of or to perform existing contracts, including through our electronic platforms and ensure the management of electronic signature services; 
  • granting you access to our training modules allowing you to provide us with certain services; 
  • evidencing transactions; 
  • billing and invoicing.

 

Contractual necessity or legitimate interest

Our legitimate interests may include:

  • to establish a business/ contractual relationship with you or your employer; 
  • to ensure and document the adequacy between data relating to your profession and the activities that Novartis may envisage with you under a contract; and
  • to administer the payment for our products and services.

To the extent we enter into a contractual relationship with you we will collect certain personal data in the context of that contractual relationship. Our processing of such data which is necessary to perform the negotiation or execution of the contract will be based on the legal basis of the contractual necessity.

Business partner relationship management

We process your personal data to manage, maintain and organize our professional relationship with you, including as necessary for:

  • contacting you with marketing, medical and other communications regarding products, therapeutic areas or services that we promote, including in the form of visits, calls, emails and mobile messaging; 
  • managing, evaluating, documenting and maintaining our relationship with you (e.g. through our databases), including segmentation and profiling activities to provide appropriate and educational, scientific and business-related support and care tailored to your specific characteristics, needs and preferences; 
  • inviting you to events or promotional meetings sponsored by us (e.g. medical events, speaker events, conferences); 
  • providing you with appropriate, adequate and updated information about diseases, drugs as well as our products and services; 
  • answering your requests and providing you with efficient support; 
  • sending you surveys (e.g. to help us improve your future interactions with us);
  • tracking our activities (e.g. measuring interactions or sales, number of appointments/calls, website usage, or email click, read and/or open rates); 
  • managing, plan and executing communications and interactions with you (e.g. through the use of AI-assisted technology and operation of a database keeping records of interactions with business partners or managing call planning as well as call reporting); and
  • improving the quality of our interactions and services by adapting our offering to your specific needs. 

 

Contractual necessity, legitimate interest, or consent

Our legitimate interests may include:

  • to administer, organize, maintain and optimize our professional relationship with you, and ensure efficient business communication;
  • to develop a proximity and trustful professional relationship with you; 
  • to provide knowledge to you about Novartis medicines and scientific developments;
  • to promote innovation in the pharmaceutical field; 
  • to manage Novartis human and financial resources and optimize our interactions with you; 
  • to provide you with information and insights which may help you with taking technically and professionally well-informed decisions so that the right medicine may reach the patient; 
  • to offer our products and services to our customers.

Our goal is to personalize our relationship with you, and – depending on your personal characteristics, history of interactions, needs and preferences – to provide you with the most relevant information and to contact you in the best possible way. 

To achieve our legitimate interests in ensuring effective, adequate and proportionate communication and interaction with you, including optimizing the content, means and timing of our communications, we will segment our business partners, and allocate you to a profile that matches the information that we have about you (such as your personal characteristics, expertise, preferences, prior interactions with Novartis, responses to marketing communications, and/or areas of interests). 

Your profile will be adapted and will evolve over time, and will ultimately drive what type of communications we send you, what content they contain, and when and through which channels these communications occur. 

Our segmentation and profiling activities may involve the use of artificial intelligence (AI), including for analyzing your personal data and other information, such as aggregated and/or estimated sales or market data, or for predicting future trends and behavior. We may occasionally optimize such AI solutions by training or fine-tuning them with some limited amount of your personal data, always ensuring that we are not compromising your privacy, rights and interests, and we remain within the realm of our legitimate interest.

To the extent we enter into a contractual relationship with you we will collect certain personal data in the context of that contractual relationship. Our processing of such data which is necessary to perform the negotiation or execution of the contract will be based on the legal basis of the contractual necessity.

Fulfilment of our legal and regulatory obligations

We process your personal data to fulfil our legal and regulatory requirements, including as necessary for:

  • ensuring and documenting compliance with reporting and other legal obligations (such as regulatory monitoring and reporting, adverse event and product safety related obligations, complying with our policies and local legal requirements, anti-corruption and anti-bribery laws, tax laws, transparency disclosure obligations, and/or statutory retention obligations);
  • ensure and document proof of your active participation in our work meetings through a detailed report that will be sent to the health care professionals present;
  • in the scope of early access programs: ensure the tracking of patients personal data collection to secure a compliant usage of the concerned product; collect data about the conditions of product usage; ensure the management of contacts with the health care professionals and their personnel under their responsibility or authority;
  • archiving and record keeping; and
  • any other purposes imposed by law and authorities.

Legal obligation or legitimate interest

Our legitimate interests may include:

  • to ensure and document compliance with applicable legal or regulatory requirements, or industry standards and practices.

 

Managing company activities

We process your personal data for our operational business purposes to manage and protect our company, including as necessary for:

  • preserving the company’s economic interests and ensuring compliance and reporting (such as complying with our policies and local legal requirements, tax deductions, managing alleged cases of misconduct or fraud; conducting audits and defending litigation);
  • managing our IT resources, including infrastructure management and business continuity, and protect the security of our IT-systems, architecture and networks; 
  • preventing fraud or criminal activity, or misuses of our products or services;
  • managing mergers and acquisitions involving our company; and
  • achieving our corporate social responsibility goals.

Legitimate interest

Our legitimate interests may include:

  • to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data); 
  • to prevent fraud or criminal activity, misuses of our products or services as well as the security of our IT systems, architecture and networks;
  • to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and 
  • to meet our corporate and social responsibility objectives.

 

Our processing activities may include the use of artificial intelligence (AI) when processing your personal data for the purposes listed above. We may also occasionally optimize such AI solutions by training or fine-tuning them with some limited amount of your personal data, always ensuring that we are not compromising your privacy, rights and interests, and remain within the realm of our legitimate interest. When using AI Novartis does so in compliance with applicable laws and adheres to human-centric principles, applies appropriate transparency, and uses AI responsibly, always applying adequate security measures.

You can obtain further information on the purposes and applicable legal justification/basis, including the balancing test of the above specific interests, upon an express request to Novartis. In addition, you may object to the processing of your personal data under the conditions and within the limits set forth in applicable law and as further described below (Section: “What are you rights and how can you exercise them?”).

Who has access to your personal data and to whom are they transferred?

In the course of our activities and for the same purposes as those listed in this privacy notice, your personal data may be accessed by or transferred to the following categories of recipients, on a need-to-know basis to achieve such purposes:

  • our personnel (including personnel, departments or other companies of the Novartis group); 
  • our suppliers and service providers that provide services and products to us, including consultants and technical service providers, such as cloud services and other IT services; 
  • our independent agents or brokers (if any); 
  • our advisors and external lawyers, including in the context of investigations/litigation;
  • our advisors, external lawyers and other third parties directly involved in the sale or transfer of any part of our business or its assets or directly involved in acquisition or transfer of a third-party business or asset;
  • our business partners who offer products or services jointly with us; and
  • any third party to whom we assign or novate any of our rights or obligations.

The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law. 

Your personal data can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court, where we are required to do so by applicable law or regulation or at their request. In addition, some of your personal data may need to be made available publicly following legal and regulatory obligations which we may have, such as meeting our transparency obligations.

The personal data we collect from you may also be processed, accessed or stored in a country outside the country where you are located, which may not offer the same level of protection of personal data. 

If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data by applying the level of protection required under the data protection/privacy laws applicable to Novartis, and acting in accordance with our policies and standards. To the extent that our processing of personal data is subject to the privacy laws of the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”), or any other country prescribing the use of protective measures for the transfer of personal data to third countries, we are only transferring personal data to countries not providing for the same level of data protection on the basis of standard contractual clauses approved by the European Commission or other alternatives prescribed by the applicable privacy laws. You may request more information or a copy of such measures by contacting us as described below (Section: “What are your rights and how can you exercise them?”).

For intra-group transfers of personal data to our group companies, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data to Novartis affiliates outside the EEA, UK and Switzerland. Read more about the Novartis Binding Corporate Rules here.

How do we protect your personal data?

We have implemented appropriate technical and organizational measures to provide an adequate level of security and confidentiality for your personal data. These measures take into account the state of the art of the technology, the costs of its implementation, the nature of the data; and the risk of the processing. 

The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.

Moreover, when handling your personal data, we:

  • only collect and process personal data, which is adequate, relevant and not excessive, as required to meet the above purposes; and
  • may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up to date.
How long do we store your personal data?

We will only retain personal data we may have about you for as long as we reasonably consider it necessary for achieving the purposes set out in this privacy notice and to comply with legal or regulatory requirements.

In particular, we retain the data collected via the tracking technologies called “tracking pixels” during 18 months from your last interaction with us.

How do we use technologies similar to cookies, including tracking technologies?

We may collect, if you have provided your consent, information automatically from your device by using tracking technologies. These tracking technologies will allow us to collect and process your personal data for the purpose of sending you personalized communications, for example based on your area of expertise or interests, to continuously improve your experience and to measure the success of our communication campaigns.

The technologies used can be:

  • Web beacons (such as action tags, single-pixel GIFs, clear GIFs, invisible GIFs, and 1-by-1 GIFs, which are technologies that allow us to have information about your interactions with our communications;
  • Adobe Flash technology (including Flash cookies, unless you have decided otherwise in your settings on your device).
Tracking technologies provide information such as whether and when you open our electronic communications, what content you view, which links you click, which pages you access, what personal data you provide when registering for our events
What are your rights and how can you exercise them?

You may exercise the following rights under the conditions and within the limits set forth in the law:

  • the right to object, in whole or in part, to the processing of your personal data including opting out from our communications for direct marketing purposes;
  • the right to be informed about the personal data we process about you and how we process the personal data;
  • the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
  • the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
  • the right to provide guidance about the processing of your personal data after death; and
  • the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations.

Furthermore, you have the right to withdraw any consent you provided, without affecting the lawfulness of the processing prior to such withdrawal, including the right to withdraw your consent to the use of tracking technologies to send you personalized communications.

If want to exercise the above rights, please click here.

Should you have any further questions, or if you want to contact our data protection officer, you may send an email to global.privacy_office@novartis.com or write our Data Protection Service, Novartis Pharma SAS, 8-10 rue Henri Sainte-Claire Deville 92563 Rueil-Malmaison. You may also learn more about privacy at Novartis on our website (https://www.novartis.com/fr-fr/notices-dinformation-sur-la-protection-des-donnees-personnelles).

A scan of your identity card for identification purpose may be required, it being understood that we shall only use such data to verify your identity and shall not retain the scan after verification completion. When sending us such a scan, please make sure to redact your picture and national registry number or equivalent on the scan.


In addition to the rights above, you may have the right to file a complaint with the competent data protection authority, in addition to your rights above (for the CNIL: www.cnil.fr)

How will you be informed of the changes to our Privacy Notice?

This privacy notice was last updated in April 2025. We invite you to visit our website (https://www.novartis.com/fr-fr/notices-dinformation-sur-la-protection-des-donnees-personnelles) from time to time for any updates of our privacy notice. Any future changes or additions to the processing of your personal data as described in this privacy notice will be notified to you via an update on our website (https://www.novartis.com/fr-fr/notices-dinformation-sur-la-protection-des-donnees-personnelles) and/or other communication channels as appropriate.

Source URL: https://www.novartis.com/fr-fr/notices-dinformation-sur-la-protection-des-donnees-personnelles/privacy-notice-business-partners-en

List of links present in page
  1. https://www.novartis.com/fr-fr/fr-fr/notices-dinformation-sur-la-protection-des-donnees-personnelles/privacy-notice-business-partners-en
  2. https://www.novartis.com/fr-fr/politique-de-confidentialite
  3. https://www.novartis.com/privacy/dsr
  4. mailto:global.privacy_office@novartis.com
  5. https://www.novartis.com/fr-fr/notices-dinformation-sur-la-protection-des-donnees-personnelles
  6. http://www.cnil.fr
  7. https://www.novartis.com/fr-fr/notices-dinformation-sur-la-protection-des-donnees-personnelles
  8. https://www.novartis.com/fr-fr/notices-dinformation-sur-la-protection-des-donnees-personnelles