Effective: 1 November 2021
This Privacy Notice is addressed to:
- the healthcare professionals with whom we create or maintain a relationship;
- our customers or prospective customers who are natural persons (such as self-employed pharmacists);
- the representatives or contact persons of our customers or prospective customers who are legal entities (such as wholesale pharmacists).
You are receiving this Privacy Notice because Novartis is processing information about you which constitutes “personal data” and Novartis considers the protection of your personal data and privacy a very important matter.
For the purpose of this Privacy Notice, “Novartis” refers to the Novartis Ireland entity processing your personal data, for example Novartis Ireland Limited (registered at Vista Building, Elm Park Business Campus, Merrion Road, Dublin 4) and Novartis Ringaskiddy Limited and Novartis International Pharmaceutical Ltd, Branch Ireland (registered at Ringaskiddy, Co Cork, P43FR63).
The relevant Novartis Ireland entity is responsible for the processing of your personal data as it decides why and how it is processing, thereby acting as the “controller”. It may exercise this responsibility alone or jointly with other companies in the Novartis group (acting as a “co-controller”). In this Privacy Notice, “we” or “us” refers to the relevant Novartis Ireland entity.
We invite you to carefully read this Privacy Notice, which sets out in which context we are processing your personal data and explains your rights and our obligations when doing so.
Should you have any further question in relation to the processing of your personal data, including which Novartis Ireland entity is processing your personal data, we invite you to contact [email protected]
1. What information do we have about you?
Information Novartis holds about you may either be directly provided by you, by our business partners (i.e. the legal entity for whom you work), by third parties (e.g. external medical agencies) or be obtained through trusted publicly available sources (such as HSE websites, congress websites or university websites). We collect various types of personal data about you, including:
- your general and identification information (e.g. name, first name, last name, gender, email and/or postal address, fixed and/or mobile phone number);
- your function (e.g. title, position, name of company, as well as, for healthcare professionals, specialties, publications, congress activities, awards, biography, education, links to universities, expertise and participation in/contribution to clinical trials, guidelines, editorial boards and organisations);
- payment information (e.g. credit card details, bank account details, VAT or other tax identification number);
- unique IDs and profiles (if any) of our business partners;
- details of any transfers of value in accordance with the Irish Pharmaceutical Healthcare Association (“IPHA”) Code of Practice (“Code”);
- your electronic identification data where required for the purpose of delivering products or services to our company (e.g. login, passwords, badge number and picture, IP address, online identifiers/cookies, logs, access and connection times, CCTV footage);
- information regarding your utilisation, responses and/or preferences including in terms of types of messages discussed, channels of communication and frequency;
- data you provide to us for example when you fill in forms or during events you attend, or when you answer questions during a conversation or in a survey;
- data which relate to our products and services; and
- information about the promotional, scientific and medical activities/interactions you have with us, including potential future interactions.
If you intend to provide us with personal data about other individuals (e.g. your colleagues), you must provide a copy of this Privacy Notice to the relevant individuals, directly or through their employer.
2. For which purposes do we use your personal data and why is this justified?
2.1. Legal basis for the processing
We will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if:
- we have obtained your prior consent;
- the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;
- the processing is necessary to comply with our legal or regulatory obligations; or
- the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms.
Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ are data processing activities performed:
- To develop and demonstrate a transparent and professional relationship with health care professionals (“HCPs”), decreasing any perception of influence on HCPs by the pharmaceutical industry;
- To provide knowledge to HCPs about Novartis medicines and scientific developments;
- To promote Novartis innovation in the pharmaceutical field;
- To manage Novartis human and financial resources and optimise interactions with health care professionals;
- To ensure that the right medicine, according to a well-informed health care professional’s technical and professional opinion, reaches the patient;
- To benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
- To offer our products and services to our customers;
- To prevent fraud or criminal activity and misuses of our products or services, as well as to ensure the security of our IT systems, architecture and networks;
- To sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party;
- To meet our corporate and social responsibility objectives; and
- To disclose and make publicly available details of transfers of value to IPHA in pursuance of the following objectives, which serve multiple legitimate interests:
  - Promoting a culture of integrity of transactions between pharmaceutical companies and HCPs;
  - Increasing public and patient confidence in the integrity and independence of HCPs (itself essential for generating confidence in those relationships and their proper functioning);
  - Ensuring compliance by the pharmaceutical industry with legislative and Code restrictions in relation to advertising and promotion;
  - Showing accountability in these relationships and compliance by the industry and HCPs in relation to their legal obligations not to provide (on one hand) or accept (on the other hand) inducements to prescribe;
  - Promoting confidence on the part of the public and on the part of stakeholders (e.g. regulators, managers of public health services, Government) in the legitimacy and bona fides of the engagements between the industry and HCPs; and
  - Providing assistance in avoiding conflicts of interest.
For more information on our specific interests, please contact us as indicated under section 6 below.
2.2. Purposes of the processing
We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process your personal data for the following purposes:
- manage our relationship with you (e.g. through our databases);
- implement tasks in preparation of or to perform existing contracts;
- evidence transactions and ensure transparency on transfers of value;
- provide you with appropriate, adequate and updated information about disease, medicines as well as our products and services;
- improve the quality of our interactions and services by adapting our offering to your specific needs;
- answer your requests and provide you with efficient support;
- send you surveys (e.g. to help us improve your future interactions with us);
- send you communications regarding products, therapeutic areas or services that we promote;
- manage, plan and execute communications and interactions with you (e.g. through the operation of a database keeping records of interactions with health care professionals or managing call planning as well as call reporting);
- track our activities (e.g. measuring interactions or sales, number of appointments/calls);
- invite you to events or promotional meetings sponsored by us (e.g. medical events, speaker events, conferences);
- grant you access to our training modules allowing you to provide us with certain services;
- manage our IT resources, including infrastructure management and business continuity;
- preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud; conducting audits and defending litigation);
- manage mergers and acquisitions involving our company;
- archiving and record keeping;
- billing and invoicing; and
- any other purposes imposed by law and authorities i.e. our obligation to disclose transfers of value pursuant to the requirements of the IPHA code and the objectives of transparency and accountability in the relationships between pharmaceutical companies and HCPs/HCOs enshrined therein.
3. Who has access to your personal data and to whom are they transferred?
We will not sell, share, or otherwise transfer your personal data to third parties other than those indicated in this Privacy Notice.
In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by, or transferred to, the following categories of recipients, on a need-to-know basis to achieve such purposes:
- our personnel (including personnel, departments or other companies of the Novartis group);
- our independent agents or brokers (if any);
- our suppliers and service providers that provide services and products to us;
- our IT systems providers, cloud service providers, database providers and consultants;
- our business partners who offer products or services jointly with us or with our subsidiaries or affiliates;
- any third party to whom we assign or novate any of our rights or obligations; and
- our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets.
The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.
Important Information – Change of legal basis for Transfer of Value disclosure from Consent to Legitimate Interests with effect from 1 January 2022 – Transfers of Value
In respect of transfers of value, your personal data including your name, principal practice address and details of the transfer of value, will be disclosed to the IPHA pursuant to legitimate interests of Novartis effective from 1 January 2022. If you would like to exercise your right to object to the processing of your personal data for this purpose, please read the section “What are your rights and how can you exercise them?” below.
For disclosures relating to payments made to you prior to 1 January 2022, your personal data shall only be shared with IPHA based on your consent and, in the absence of your consent, such details regarding the transfer of value will be anonymised for this reporting period for these payments. The disclosure will be made publicly available for a period of three years on their website (www.transferofvalue.ie) and IPHA will be an independent data controller in respect of such personal data. For further details regarding how IPHA processes your data or to exercise your data rights for the same, please refer to IPHA’s privacy notice available at www.ipha.ie. Alternatively, you may contact them directly at:
Irish Pharmaceutical Healthcare Association
7 Clanwilliam Terrace
Dublin 2, D02 CC64
Telephone: (353 1) 661 0018
Email: [email protected]
The personal data we collect from you may also be processed, accessed or stored in a country outside Ireland, which may not offer the same level of protection of personal data.
If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data by (i) applying the level of protection required under the local data protection/privacy laws applicable to Ireland, (ii) acting in accordance with our policies and standards and, (iii) for entities located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the "EEA"), unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out in Section 6 below.
For intra-group transfers of personal data, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. Read more about the Novartis Binding Corporate Rules at https://www.novartis.com/privacy/novartis-binding-corporate-rules-bcr
4. How do we protect your personal data?
We have implemented appropriate technical and organisational measures to provide a level of security and confidentiality to your personal data.
These measures take into account:
- the state of the art of the technology;
- the costs of its implementation;
- the nature of the data; and
- the risk of the processing.
The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorised disclosure or access and against other unlawful forms of processing.
Moreover, when handling your personal data, we:
- only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes; and
- ensure that your personal data remains up to date and accurate.
For the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date.
5. How long do we store your personal data?
We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.
Personal data which is not related to a specific contract will be stored for 24 months after your last interaction with us.
Personal data relating to transfers of value disclosures shall be maintained by Novartis for a minimum of 5 years after the end of the relevant reporting period.
For contracts, the retention period is the term of your (or your company’s) contract with us, plus the period of time until the legal claims under this contract become time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period. When this period expires, your personal data is removed from our active systems.
Personal data collected and processed in the context of a dispute are deleted or archived (i) after a settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time-barred.
6. What are your rights and how can you exercise them?
You may exercise the following rights under the conditions and within the limits set forth in the law:
- the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
- the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
- the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
- the right to object, in whole or in part, to the processing of your personal data;
- the right to object to a channel of communication used for direct marketing purposes; and
- the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations.
If you have a question or want to exercise the above rights, you may send an email to [email protected] or a letter to Data Privacy, Vista Building, Elm Park Business Campus, Merrion Road, Dublin 4. If you wish to exercise your rights, please provide a copy of an identity document, it being understood that we shall only use such data to verify your identity and shall not retain the scan after completion of the verification. When sending us a copy of your identity document, please make sure to redact any photographs.
If you are not satisfied with how we process your personal data, please address your request to our data protection officer at [email protected], who will investigate your concern.
In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.
7. How will you be informed of the changes to our Privacy Notice?
Any future changes or additions to the processing of your personal data as described in this Privacy Notice will be notified to you in advance through an individual notice through our usual communication channels (e.g. by email or via our internet websites).