Novartis d.o.o. having its registered office at Verovškova 57, 1000 Ljubljana, is responsible for the processing of your personal information as it decides why and how it is processed, thereby acting as the “data controller”. It may exercise this responsibility alone or jointly with other company(-ies) in the Novartis group, acting as “co-controller(s)”. In this Privacy Notice, “we” or “us” refers to Novartis d.o.o. and its group companies.

For the purpose of the scope of this data privacy notice (“Notice”), it applies to the users (will be further referred in this Notice as “you”) of our websites, web applications or mobile applications (collectively referred as ”app”) where this Notice has been specifically referred.

We invite you to carefully read this Notice, which sets out in which context we are processing information that relates directly or indirectly to you as an individual (“personal information”) and explains your rights with respect to the processing of your personal information.

Do take note that if you access any third-party link or website from our app, you may need to refer to the privacy policies of such third parties. Novartis does not endorse and is not responsible for the information or privacy practices of websites or services owned by third parties.

We consider privacy as a very important matter. We are committed to ensuring that any personal information we receive is processed and protected in accordance with applicable data protection laws and Novartis policies and standards.

If you have any questions in relation to the processing of your personal information or this Notice, please contact our data protection officer at [email protected].

We may change or update this Notice from time to time by posting a new Notice on the website or in the app. Please keep checking this Notice occasionally so that you are aware of any changes.

Should you have any further questions in relation to the processing of your personal information, you are invited to contact our data protection officer at [email protected].

Novartis d.o.o. is processing personal information about you when you are visiting our corporate website htps://www.novartis.com/si-en/ which we are using for communicating with you and rest of the public.

1. What personal information do we have about you?

The personal information may either be directly provided by you (e.g. when filling a web form or interacting with a website or app), provided by the third parties owning or managing the apps or obtained through trusted publicly available sources, having obtained your consent to provide us with such personal information where necessary under applicable law. We may collect various types of personal information about you, including:

(i) your general contact and identification information (e.g. name, first name, last name, gender, email and/or postal address, fixed and/or mobile phone number);

(ii) your electronic identification data where required for the purpose of the delivery of products or services to our company (e.g. login, access right, passwords, badge number, IP address, online identifiers/cookies, system activity logs, access and connexion times, image recording or sound such as badge pictures, CCTV or voice recordings and meeting recordings).

(iii) information regarding your browser and device (e.g. internet service provider’s domain, browser’s type and version, operating system and platform, screen resolution, device manufacturer and model);

(iv) statistics in relation to your use of our website and our app (e.g. information regarding the pages visited, information researched, time spent on our website);

(v) usage data (i.e. date and time of access of our website and app, files downloaded);

(vi) your device’s location when using our app (unless you disabled this function by changing your device’s settings); and

(vii) more generally, any information you provide to us when using our website and app.

Please note that we will not knowingly collect, use or disclose personal data from a minor under the age of 15 without obtaining prior consent from a parent or legal guardian.

In some countries, information relating to a company (“legal person”) is also considered as personal information. In such scenarios, if the above-mentioned information collected or provided is specific to a legal entity, we will treat it as personal information in accordance with the applicable data protection law.”

2. For which purposes do we use your personal information and why is this justified?

2.1 Legal basis for the processing 

We will not process your personal information if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal information if:

  • we have obtained your prior consent;
  • the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps such as responding to requests for information as part of Novartis’ due diligence process;
  • the processing is necessary to comply with our legal or regulatory obligations; or
  • the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms.

Please note that, when processing your personal information on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ are data processing activities performed are:

  • to develop a proximity and trustful professional relationship;
  • to promote Novartis innovation in the pharmaceutical field;
  • to manage Novartis human and financial resources;
  • to benefit from cost-effective services (e.g. we may opt to use certain platforms to process data);
  • to offer our products and services to our customers;
  • to prevent fraud or criminal activity, misuses of our products or services as well as the security of our IT systems, architecture and networks;
  • to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; or 
  • to meet our corporate and social responsibility objectives.

Mostly we process your personal information on a legal basis other than consent. However, if you have consented to the processing of your personal information, you have the right to withdraw that consent at any time. To withdraw your consent or to get more information on our specific interests and your rights, Novartis can be contacted as indicated under section 7 below.

2.2 Purposes of the processing

We always process your personal information for a specific purpose and only process the personal information, which is relevant to achieve that purpose. In particular, we process your personal information for any or all of the following purposes:

  • manage our users (e.g. registration, account management, answer questions and provide technical support);
  • manage and improve our website and apps (e.g. diagnose server problems, optimize traffic, integrate and optimize web pages where appropriate);
  • measure the usage of our website and apps (e.g. by drawing up statistics about the traffic, by gathering information regarding the users’ behaviour and the pages they visit);
  • improve and personalize your experience and better tailor content to you (e.g. by remembering your selections and preferences, by using cookies);
  • improve the quality of our products and services and expand our business activities;
  • monitor and prevent fraud, infringement and other potential misuse of our website and app;
  • reply to an official request from a public or judicial authority with the necessary authorisation;
  • manage our IT resources, including infrastructure management and business continuity;
  • preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct fraud, conducting audits, defending litigation);
  • archiving and record keeping; and
  • any other purposes imposed by law and authorities.

Please note that the collected data may also be used by us for a number of other standard purposes (e.g. to measure the usage of our website and app), as mentioned below

  • to manage our third parties throughout the relationship;
  • to organise tender-offers, implement tasks in preparation of or to perform existing contracts;
  • to monitor activities at our facilities, including compliance with applicable policies as well as health and safety rules in place;
  • to grant you access to our training modules allowing you to provide us with certain services;
  • to communicate with you during the term of the contract and contact you in case of emergency
  • to manage our IT resources, including infrastructure management and business continuity;
  • to preserve Novartis’ economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation);
  • to manage mergers and acquisitions involving our company;
  • for archiving and record-keeping;
  • for billing and invoicing; or 
  • any other purposes imposed by law and authorities.

3. Who has access to your personal information and to whom your personal information is transferred?

We will not sell, share, or otherwise transfer your personal information to third parties other than those indicated in this Notice.

We will share your personal data with the following third parties:

In the course of our activities and for the same purposes as those listed in this Notice, your personal information can be also accessed by, or transferred to the following categories of recipients on a need to know basis to achieve such purposes:

  • our personnel (including personnel, departments or other companies of the Novartis group);
  • our independent agents or brokers (if any);
  • our other suppliers and services providers that provide services and products to us;
  • our IT systems providers, cloud service providers, database providers and consultants;
  • any third party to whom we assign or novate any of our rights or obligations; and
  • our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets.

The above parties are contractually obliged to protect the confidentiality and security of your personal information, in compliance with applicable law.

Your personal information can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court, where we are required to do so by applicable law or regulation or at their request.

The personal information we collect from you may also be processed, accessed or stored in a country outside the country where Novartis d.o.o. is located, which may not offer the same level of protection of personal information.

If we transfer your personal information to external parties in other jurisdictions, we will make sure to protect your personal information by (i) applying the level of protection required under the local data protection/privacy laws applicable to Novartis d.o.o. and its group companies, (ii) acting in accordance with our policies and standards and, (iii) for Novartis d.o.o. and its group companies located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the "EEA"), unless otherwise specified, only transferring your personal information on the basis of standard contractual clauses approved by the European Commission. You may request additional information in relation to international transfers of personal information and obtain a copy of the adequate safeguard put in place by exercising your rights as set out in Section 6 below.

For intra-group transfers of personal information the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal information outside the EEA and Switzerland. Read more about the Novartis Binding Corporate Rules by clicking here https://www.novartis.com/privacy-policy/novartis-binding-corporate-rules-bcr

4. How do we use cookies and other similar technologies on our websites and apps?

We may also collect and process information about your visit to this website or app, such as the pages you visit, the website you came from and the searches you perform. We may use such information to help improve the contents of the site or app and to compile aggregate statistics about people using our site for our internal usage statistics and market research purposes. In doing this, we may install "cookies" or similar technologies that collect the domain name of the user, your internet service provider, your operating system, and the date and time of access. Cookies are created and stored on the user's computer, phone or other devices when the user's browser loads a particular website. Every time the user goes back to the same website, the browser retrieves and sends this "cookie" file to the website. Cookies are useful because they serve key purposes like helping a website remember your preferences and settings, performing analytics to improve services, serving you relevant content or advertisements and authenticating you on the websites. Cookies do not damage your computer. You can set your browser to notify you when you receive a cookie, this will enable you to decide if you want to accept it or not. You can also refuse cookies altogether. However, if you do not accept our cookies, you may not be able to use all functionalities of our website or app. When you visit our websites, you may be presented with a cookie-setting banner that allows you to manage the settings and accept or deny the cookies. It is legally permitted to store cookies on your machine if they are essential to the operation of the website, but for all other types of cookies we need your permission to do so.

On Novartis websites, you have the option to consent to the use of cookies by using <Cookie Settings> banner that pops up while visiting the website for the first time or manage these settings anytime later. The cookie settings gives you the option of accepting or denying your consent to every category of cookies (with the exception of the necessary cookies). Please refer to our <Cookie Settings> to learn more about what types of cookies we use (the purpose they serve, their lifespan, and their provenance) and how you can manage your preferences.

Certain of our Services, including websites, may use the web analysis service “Google Analytics” from Google LLC, of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) to optimize them. Google uses this information obtained by the cookie to save a profile of which pages you have visited within a session. The information generated by the cookie about the use of the Services is transmitted to Google servers and stored there. In order to increase the security of your personal data, we use the "anonymize IP" function or other features provided by Google to keep you anonymous. For more information on how IP anonymization works, click https://support.google.com/analytics/answer/2763052

Google will use this information on our behalf to evaluate your use of the website, to compile reports on website activity for us and to provide us with other services relating to website activity and internet usage. Novartis uses the data received from Google Analytics for business planning, for its own business activities and for marketing measures in order to better understand how the content of our web services and the associated experience can be improved.

Certain of our websites also use OneTrust cookies to enable you to manage the cookies easily and help us to obtain your consent for our placement and use of cookies on your device . We need these cookies to remember the choices that you have made regarding cookie settings.

Apart from cookies we may also use other tracking technologies (also known as action tags, Flash local objects, single-pixel GIFs, clear GIFs, invisible GIFs and 1-by-1 GIFs) provided by third party advertisement companies to provide relevant advertisements (interactive or non-interactive) to you based on your interests or browsing history. Typically, we use the services of social media companies and other third-party advertisement companies to collect information like your browser details, unique client ID etc. so that we may serve you ads on our websites and on other websites you may use.

The legal basis for the processing of your Personal Information when we do website analytics is your consent or our legitimate business interests.

5. How do we protect your personal information?

We have implemented appropriate technical and organisational measures to provide an adequate level of security and confidentiality to your personal information.

The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.

6. How long do we store your personal information?

We will only retain your personal information for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.

Personal information collected and processed in the context of a dispute are deleted or archived (i) as soon as an amicable settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time barred.

7. What are your rights and how can you exercise them?

You may exercise the following rights under the conditions and within the limits set forth in the law:

  • the right to be informed about what personal information we have about you and how we process your personal information;
  • the right to access your personal information as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
  • the right to request the erasure of your personal information or the restriction thereof to specific categories of processing;
  • the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
  • the right to object, in whole or in part, to the processing of your personal information. With certain exceptions, this includes the right to object to direct marketing and the right to object to your personal information being used for research;
  • the right to request its portability, i.e. that the personal information you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations; and
  • the right to object to automated decision making including profiling, i.e. you can request an human intervention in any automated decision making process related to processing of your data and where such processing is not based on your consent, authorised by law or necessary for the performance of a contract. However, we don’t currently make decisions using automated processes.

If you have a question or want to exercise the above rights, you may send an email to our data protection officer at [email protected] or a letter to Novartis at their local address (DPO for Novartis d.o.o., Verovškova 57, 1000 Ljubljana) with a scan of your identity card for identification purpose, it being understood that we shall only use such data to verify your identity and shall not retain the scan after completion of the verification. When sending us such a scan, you should make sure to redact your picture and national registry number or equivalent on the scan.

If you are not satisfied with how we process your personal information, you may address your request to our global data protection officer at [email protected], who will investigate your concern.

In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.

8. How will you be informed of the changes to our Privacy Notice?

We may change or update this Notice from time to time by posting a new privacy notice. Please keep checking this Notice occasionally so that you are aware of any changes.

Last updated 4. 10. 2023

This Privacy Notice is addressed to:

  • individuals reporting adverse events/special case scenarios, providing safety information concerning our products, requesting medical information, and submitting product quality complaints; and
  • individuals that are the subject of adverse events/special case scenarios, medical information queries, and product quality complaints.

Novartis is committed to protecting personal data and being transparent about its collection and use. This notice provides you with information on how Novartis Pharma AG and/or its affiliates which act as Marketing Authorisation Holders for medicinal products (“Novartis”, “we” or “us”) process personal data as controllers. Novartis Pharma AG designated Novartis Pharma S.A.S., 8-10, rue Henri Sainte-Claire Deville, 92563 Rueil Malmaison, France as its representative in the European Union.

We invite you to read this Privacy Notice carefully, as it contains important information. Should you have any further questions, we invite you to contact [email protected].

Why do we collect and use personal data?

We process personal data for the purposes below, and we do not process personal data unless we have a proper justification in law.

PurposeJustification (legal basis)
Monitoring the safety of medicinal products and medical devices, which includes detecting, assessing, following up on, and preventing adverse events, and reporting adverse events to health authorities.

Novartis’ legitimate interests in these purposes.

Compliance with legal obligations regarding the safety of medicinal products and medical devices and/or to ensure the safety of medicines in the substantial public interest.

To protect the vital interests of an individual or individuals.

Responding to medical information queries, for example in relation to availability of products, clinical data, dosing and administration, formulation and stability, and interactions with other drugs, foods, and conditions.
Responding to quality complaints regarding our products, such as any fault of quality and/or effectiveness, stability, reliability, safety, performance, or usage.
Performing non-interventional studies using safety monitoring data to evaluate the reproductive toxicity risk when a product might be used during pregnancy. For this purpose, we may periodically follow up with relevant healthcare professionals to collect information on the outcome of the pregnancy and the development of the child after birth.
Answering other questions or requests and improving our products and services.Novartis’ legitimate interests in these purposes.
Complying with our policies and legal, regulatory, and compliance requirements, as well as conducting audits and defending litigation.

Novartis’ legitimate interests in these purposes.

The processing is necessary for the establishment, exercise or defence of legal claims.

Please note that in some countries, consent is the basis on which personal data is processed.

What personal data do we collect and use?

For the purposes listed in this Privacy Notice, we collect and use the following categories of personal data:

  • information about individuals that report adverse events or a special case scenario (such as exposure during pregnancy, breastfeeding, overdose, lack of efficacy, etc.) or make medical information queries or product quality complaints, including healthcare professionals and carers. This allows us to respond to queries and seek additional information as needed. The data we collect may include your name, email and/or postal address, phone number, and place of work (for healthcare professionals). If you are a healthcare professional, we may also collect information in order to confirm that you are a healthcare professional;
  • patients details, including name, hospital record numbers, age or date of birth, sex, weight, height, race, whether pregnant and/or breastfeeding, ethnicity (where the Summary of Product Characteristics includes specific information relating to ethnic origin), and occupational data (where this is strictly necessary for the evaluation of the adverse event); and
  • where strictly necessary and relevant for the purposes described in this Privacy Notice, patient health and lifestyle information, including but not limited to nature of adverse effects, examination results, personal or family medical history, diseases or associated events, risk factors, information about the use of medicines and therapy management, physical exercise, diet and eating behaviour, sexual life/contraception, and consumption of tobacco, alcohol, and drugs.

Who has access to personal data?

We do not share or otherwise transfer personal data to third parties other than those indicated in this Privacy Notice. Personal data may be accessed by or transferred to:

  • our personnel (including those in our Patient Safety, Medical Information, Quality Assurance, and Legal departments) and other Novartis Group companies;
  • other pharmaceutical and medical device companies, if the adverse event, request for information, or complaint relates to one of their products; and
  • service providers acting on behalf of Novartis companies, such as IT system and data hosting providers, and adverse event processing service providers (including call centre providers). These third parties are contractually obliged to protect the confidentiality and security of personal data, in compliance with applicable law.

Personal data may also be shared with:

  • healthcare professionals involved in an adverse event, request for information, or complaint;
  • health authorities including the European Medicines Agency (EMA) which controls the EU EudraVigilance database (https://www.ema.europa.eu), as well as the US Federal Drug Agency (FDA); and
  • a national and/or international regulatory, enforcement, public body or court where we are required to do so by applicable law or regulation or at their request.

Where is personal data stored?

Personal data may be processed, accessed, or stored in a country outside the country where you are located, which may not offer the same level of protection of personal data.

If we transfer personal data to external companies in other jurisdictions, we will protect personal data by (i) applying the level of protection required under the data protection/privacy laws applicable to Novartis Pharma AG; (ii) acting in accordance with our policies and standards; and (iii) for Novartis companies located in the European Economic Area (“EEA”), unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out below.

For intra-group transfers of personal data, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. You can read more at https://www.novartis.com/privacy.

How long do we store personal data?

We will only store the above personal data for as long as we reasonably consider necessary for achieving the purposes set out in this Privacy Notice and as required under applicable laws.

What are your rights and how can you exercise them?

You have the right to:

  • access your personal data and, if you believe that it is incorrect, obsolete or incomplete, to request that it is corrected or updated;
  • request the erasure of your personal data or the restriction of its use;
  • if the processing is based on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
  • object, in whole or in part, to the processing of your personal data; and
  • request portability of your personal data (i.e. for it to be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format).

We may apply exceptions to these rights where appropriate and in accordance with local law.

If you have a question or want to exercise the above rights, please visit https://www.novartis.com/privacy.

In any case, you also have the right to file a complaint with a supervisory authority in addition to your rights above.

How can you contact us?

If you want to contact our Data Protection Officer, please email [email protected] or write to Global Data Privacy Office, Novartis Pharma AG, Lichtstrasse 35, 4056 Basel, Switzerland.

This Privacy Notice was last revised in September 2023. Changes or additions will be notified through our usual communication channels (e.g. via our website).

This Privacy Notice is intended for associates of the controller, outsourced associates, associates who perform work or activities for the controller on another legal basis, associates of external contractors, associates of third parties who rent premises from the controller and all other visitors who enter the secured area of one of the Novartis group companies. Novartis undertakes to handle personal data responsibly and in accordance with applicable regulations. Novartis d.o.o., Verovškova 57, 1000 Ljubljana ([email protected] and/or 01 580 33 33) is responsible for the processing of your personal data as it decides why and how it is processed, thereby acting as the “controller”.

Purpose of processing personal data:

Safety of people and property, as well as ensuring control of entry and exit to or from work premises (secured area).

Legal basis for processing personal data:

Article 6(1)(e) of the General Data Protection Regulation in connection with the Article 76, 77 and 78 of Personal Data Protection Act of the Republic of Slovenia – ZVOP-2 (Official Gazette RS, nr. 163/22).

Information about the legitimate interests:

The safety of people and property, as well as ensuring the control of entry and exit to or from the work premises, taking into account the conditions set by the legislation for the implementation of video surveillance, is a legitimate interest of the controller.

Retention period of personal data:

Personal data is kept for a maximum of six (6) months, after which it is deleted or otherwise destroyed, unless recordings of individual events are stored for a longer period in order to protect the legal interests of the controller (defense against claims by third parties, enforcement of claims against third parties), in accordance with their purposes.

Recipients or categories of recipients of personal data:

  • Video surveillance system administrator,
  • the security service,
  • on the basis of an explicit request, recipients whose acquisition of personal data is based on a law, the individual's personal consent or a contractual relationship.

Information about the transfer of personal data to third countries or international organizations:

There are no such transfers applicable.

Information on the right to withdraw consent when processing is based on consent:

Processing is not based on individual consent.

Information about the existence of automated decision-making and profiling

Automated decision-making and/or profiling is not carried out.

Information relating to the rights of individuals:

The individual about whom personal data is collected can exercise the following rights, namely under the conditions set by law and within legal limitations:

  • The right to access your personal data which is being processed;
  • if, in her/his opinion, the information related to her/him is incorrect, outdated or incomplete, she/he can request correction or update;
  • she/he also has the right to file a complaint with the competent supervisory authority for the protection of personal data.

More information regarding the processing of personal data is available via https://www.novartis.com/si-en/ or from the data protection officer at Novartis:

Data protection officer at Novartis


[email protected]


If you are not satisfied with how we process your personal data, please address your request to our global data protection officer by sending your message to [email protected], who will investigate your concern.