General Privacy Notice for Business Partners - France (English Version)

Information Novartis may have about you may either be directly provided by you, by our business partners (i.e. the legal entity for whom you work), by third parties (e.g. external vendors or medical agencies) or be obtained through trusted publicly available sources (such as PubMed, Clinical Trials.gov, congress websites or university websites). We may collect various types of personal data about you, including:

• your general and identification information (e.g. last name, first name, gender, business email and/or postal address, fixed and/or mobile phone number);
• your function (e.g. title, position, name of company, as well as, for healthcare professionals, first specialty, second specialty, year of graduation from medical school, publications, congress activities, awards, biography, education, links to universities, expertise and participation in/contribution to clinical trials, guidelines, editorial boards and organizations, national identifier called “Répertoire partagé des professionnels de santé” (“RPPS”) or other identifier like ordinal number or unique national identifier number for student, registration number to “Fichier National des Etablissements Sanitaires et Sociaux” (“FINESS”), type of the structure where you work (teaching hospital, general hospital, center dedicated to the fight against the cancer or private clinic));
• payment information (e.g. amount of payments, credit card details, bank account details, VAT or other tax identification number); 
• Novartis unique business partner ID and profile; 
• your electronic identification data where required for the purpose of delivering products or services to our company (e.g. login, access right, passwords, badge number, IP address, online identifiers/cookies, logs, access and connection times, image recording or sound such as badge pictures, CCTV or voice recordings); 
• information regarding your usage, your profile, types of messages discussed, your responses and/or preferences, including in terms of channels of communication and frequency, and transcription of content or matters discussed;
• data you provide to us for example when you fill in forms or during events you attend, or when you answer questions during a conversation or in a survey; 
• data which relate to our products and services; 
• interaction data of health care professionals with our electronic communications collected through tracking technologies; and 
• information about the promotional, scientific and medical activities/interactions you have with us, including potential future interactions.

If you intend to provide us with personal data about other individuals (e.g. your colleagues), you must provide a copy of this Privacy Notice to the relevant individuals, directly or through their employer.

Legal basis for the processing

• we have obtained your prior consent;
• the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;
• the processing is necessary to comply with our legal or regulatory obligations; or 
• the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms.

Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy.

Examples of such ‘legitimate interests’ are data processing activities performed:

• to develop a proximity and trustful professional relationship with health care professionals; 
• to email you promotional and non-promotional materials to your business email address;
• to provide knowledge to the health care professionals about Novartis medicines and scientific developments;
• to establish individualized profiles based on your specialty, interests and preferences;
• to promote innovation in the pharmaceutical field; 
• to manage Novartis human and financial resources and optimize the interactions with health care professionals; 
• to ensure that the right medicine according to a well-informed HCP’s technical and professional opinion reaches the patient; 
• to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data); 
• to offer our products and services to our customers; 
• to prevent fraud or criminal activity, misuses of our products or services as well as the security of our IT systems, architecture and networks;
• to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and 
• to meet our corporate and social responsibility objectives.

You can obtain further information on the balancing test of the above specific interests upon an express request to Novartis; 

Purposes of the processing

We always process your personal data for a specific purpose and only process the personal data, which is relevant to achieve that purpose. In particular, we process the personal data we may have about you for the following purposes :

• manage our relationship with you (e.g. through our databases); 
• implement tasks in preparation of or to perform existing contracts, including through our electronic platforms and ensure the management of electronic signature services; 
• evidence transactions and ensure value our legal obligation of transparency publication;
• ensure our legal obligation of anti-gift law; 
• provide you with appropriate, adequate and updated information about diseases, drugs as well as our products and services; 
• improve the quality of our interactions and services by adapting our offering to your specific needs, by analyzing information held to ensure its compliance; 
• answer your requests and provide you with efficient support; 
• send you surveys and polls (e.g. to help us improve your future interactions with us);
• send you communications regarding products, therapeutic areas or services that we promote; 
• manage, plan and execute communications and interactions with you (e.g. through the operation of a database keeping records of interactions with healthcare professionals or managing call planning as well as call reporting); 
• track our activities (e.g. measuring interactions or sales, number of appointments/calls); 
• invite you to events or promotional meetings sponsored by us (e.g. medical events, speaker events, conferences); 
• grant you access to our training modules allowing you to provide us with certain services; 
• in the scope of early access programs: ensure the tracking of patients personal data collection to secure a compliant usage of the concerned product; collect data about the conditions of product usage; ensure the management of contacts with the health care professionals and their personnel under their responsibility or authority;
• analyze and customize our products and services according to your interests and personal preferences (e.g. information about date and time of electronic communications opening, technical information about the equipment used, communications campaigns analysis, relevant content, etc.);
• manage our IT resources, including infrastructure management and business continuity; 
• preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax deductions, managing alleged cases of misconduct or fraud; conducting audits and defending litigation);
• manage mergers and acquisitions involving our company; 
• archiving and record keeping; 
• billing and invoicing; and
• any other purposes imposed by law and authorities.

In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data may be accessed by or transferred to the following categories of recipients, on a need to know basis to achieve such purposes:

• our personnel (including personnel, departments or other companies of the Novartis group); 
• our independent agents or brokers (if any); 
• our suppliers and services providers that provide services and products to us;
• our IT systems providers, cloud service providers, database providers and consultants; 
• our business partners who offer products or services jointly with us or with our subsidiaries or affiliates; 
• any third party to whom we assign or novate any of our rights or obligations; and
• our advisors and external lawyers, including in the context of the sale or transfer of any part of our business or its assets.

The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law. 

Your personal data can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court, where we are required to do so by applicable law or regulation or at their request. 

The personal data we collect from you may also be processed, accessed or stored in a country outside the country where Novartis Pharma SAS / Advanced Accelerator Applications SA is located, which may not offer the same level of protection of personal data. 

If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data by (i) applying the level of protection required under the data protection/privacy laws applicable to Novartis Pharma SAS / Advanced Accelerator Applications SA, (ii) acting in accordance with our policies and standards and, (iii) unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission or the Swiss Federal Data Protection and Information Commissioner respectively.

For intra-group transfers of personal data to our group companies, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the European Economic Area (i.e. European Union Member States, plus Iceland, Liechtenstein and Norway, “EEA”), Switzerland and United Kingdom. Read more about the Novartis Binding Corporate Rules here.

You may request more information about international transfers of personal data and obtain a copy of the adequate protections put in place by exercising your rights as described in the dedicated section below.

We have implemented appropriate technical and organizational measures to provide an adequate level of security and confidentiality to your personal data. 

These measures take into account:

• the state of the art of the technology;
• the costs of its implementation;
• the nature of the data; and
• the risk of the processing.

The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.

Moreover, when handling your personal data, we:

• only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes; and
• may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date.

We will only retain personal data we may have about you for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.

In particular, we retain the data collected via the tracking technologies called “tracking pixels” during 18 months from your last interaction with us.

We may collect, if you have provided your consent, information automatically from your device by using tracking technologies. These tracking technologies will allow us to collect and process your personal data for the purpose of sending you personalized communications, for example based on your area of expertise or interests, to continuously improve your experience and to measure the success of our communication campaigns.

The technologies used can be:

• Web beacons (such as action tags, single-pixel GIFs, clear GIFs, invisible GIFs, and 1-by-1 GIFs, which are technologies that allow us to have information about your interactions with our communications;
• Adobe Flash technology (including Flash cookies, unless you have decided otherwise in your settings on your device).

Tracking technologies provide information such as whether and when you open our electronic communications, what content you view, which links you click, which pages you access, what personal data you provide when registering for our events.

You may exercise the following rights under the conditions and within the limits set forth in the law:

• the right to be informed about the personal data we process about you and how we process the personal data;
• the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
• the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
• the right to object, in whole or in part, to the processing of your personal data, including the right to object at any time to the sending of promotional and non-promotional material to your business email address;
• the right to withdraw your consent to the use of tracking technologies to send you personalized communications; 
• the right to withdraw your consent at any time to the processing of your personal data for which your consent is requested, with no effect on the lawfulness of processing based on consent before its withdrawal;
• the right to provide guidance about the processing of your personal data after death; and
• the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations.

If you have a question or want to exercise the above rights, please click here.

A scan of your identity card for identification purpose may be required, it being understood that we shall only use such data to verify your identity and shall not retain the scan after verification completion. When sending us such a scan, please make sure to redact your picture and national registry number or equivalent on the scan.

If you are not satisfied with how we process your personal data, please address your request to our data protection officer by written notice to our email address: global.privacy_office@novartis.com, who will investigate your concern.

In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above (for the CNIL: www.cnil.fr).

How will you be informed of the changes to our Privacy Notice?

Any future changes or additions to the processing of your personal data as described in this Privacy Notice will be notified to you in advance through our usual communication channels (e.g. via our internet websites).