Novartis considers the protection of your personal data and privacy a very important matter. We seek to adhere to all privacy laws and enforce clear policies on protecting personal information. Our data privacy programme includes a global organisation and infrastructure as well as procedures and training to support local activities and help our efforts to ensure compliance.

Novartis processes personal data in a variety of contexts and we invite you to carefully read our Privacy Notices, which set out how we process your personal data and explain your rights and our obligations:

Should you have any questions about our Privacy Notices or approach to data privacy, or wish to exercise your rights, we invite you to contact [email protected].

This Privacy Policy describes the ways in which we collect, hold and use information about individuals who visit this website and other websites controlled by Novartis Pharmaceuticals UK Limited.

We invite you to carefully read this Privacy Policy, which sets out in which context we may process your information (“Personal Data”) and explains your rights and our obligations when doing so.

For the purpose of this Privacy Policy, “Novartis” refers to Novartis Pharmaceuticals UK Limited, which is registered at The WestWorks Building, White City Place, 195 Wood Lane, London, W12 7FQ.

 

What Personal Data do we process and for which purposes?

Most of our services do not require any form of registration, allowing you to visit our sites without telling us who you are. Some services may require you to provide us with Personal Data, which may include your direct identifiers, such as name, birth date, email address or telephone number. We may collect and use Personal Data to provide you with products or services, to bill you for products and services you request, to market products and services which we think may be of interest to you, or to communicate with you for other purposes which are evident from the circumstances or about which we inform you when we collect Personal Data from you.

We will not process your Personal Data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if:

  • we have obtained your prior consent;
  • the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;
  • the processing is necessary to comply with our legal or regulatory obligations;
  • the processing is necessary to protect your vital interests or those of another person; or
  • the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms.

1.1 Personal Data used for website usage analytics

We may collect and process information about your visit to this website, such as the pages you visit, the website you came from and some of the searches you perform. Such information is used by us to help improve the contents of the site and to compile aggregate statistics about the use of our site for internal, market research purposes. In doing this, we may install "cookies" that collect the domain name of the user, your internet service provider, your operating system, and the date and time of access. A "cookie" is a small piece of information, which is sent to your browser and stored on your computer’s hard drive. Cookies do not damage your computer. You can set your browser to notify you when you receive a "cookie"; this will enable you to decide whether you want to accept it. However, if you do not accept, you may not be able to use all functionalities of your browser software.

Occasionally, we may use internet tags (also known as action tags, single-pixel GIFs, clear GIFs, invisible GIFs and 1-by-1 GIFs) and cookies at this site and may deploy these tags/cookies through a third-party advertising partner or a web analytical service partner which may be located and store the respective information (including your IP-address) in a foreign country. These tags/cookies are placed on both online advertisements that bring users to this site and on different pages of this site. We use this technology to measure the visitors' responses to our sites and the effectiveness of our advertising campaigns (including how many times a page is opened and which information is consulted) as well as to evaluate your use of this website. The third-party partner or the web analytical service partner may be able to collect data about visitors to our and other sites because of these internet tags/cookies, may compose reports regarding the website’s activity for us and may provide further services which are related to the use of the website and the internet. They may provide such information to other parties if there is a legal requirement that they do so, or if they hire the other parties to process information on their behalf. If you would like more information about web tags and cookies associated with on-line advertising or to opt-out of third-party collection of this information, please visit the Network Advertising Initiative website http://www.networkadvertising.org .

We use Google Analytics to rationalise our portfolio of websites by (i) optimising traffic to and between corporate websites, and (ii) integrating and optimising web pages where appropriate. “Google Analytics” is a service offered by Google Inc. (“Google”) that generates detailed statistics about a website's traffic and traffic sources and measures conversions and sales. Google Analytics uses “cookies” stored on your computer to help analyse how users use our website. The information generated by the cookies about your use of our website, including your IP address, will be anonymised by use of the appropriate settings prior to being transmitted to Google servers in the United States. For more information on how IP anonymisation works, please see https://support.google.com/analytics/answer/2763052 .

You may prevent or stop the installation and storage of cookies through your browser settings or by downloading and installing the free Opt-out Browser Add-on available at https://tools.google.com/dlpage/gaoptout?hl=en . If you do not accept cookies, you may not be able to fully experience all functions of our website.

 

Who has access to your Personal Data and to whom are they transferred?

We will not sell, share, or otherwise distribute your Personal Data to third parties except as provided in this Privacy Policy. We may share your Personal Data with other Novartis affiliates worldwide. Personal Data may also be transferred to third parties who act for or on our behalf, for further processing in accordance with the purpose(s) for which the data were originally collected or may otherwise be lawfully processed, such as services delivery, evaluating the usefulness of this website, marketing, data management, or technical support.

These third parties have contracted with us to only use Personal Data for the agreed upon purpose, and not to sell your Personal Data to third parties, and not to disclose it to third parties except as may be permitted by us, as required by law, or as stated in this Privacy Policy.

Personal Data collected from you may also be transferred to a third party in the event that the business of this site or a part of it and the customer data connected with it is sold, assigned or transferred, in which case we would require the buyer, assignee or transferee to treat Personal Data in accordance with this Privacy Policy.

Personal Data may be disclosed to a third party if we are required to do so because of an applicable law, court order or governmental regulation, or if such disclosure is otherwise necessary in support of any criminal or other legal investigation or proceeding here or abroad.

The personal data we collect from you may also be processed, accessed, or stored in countries outside the UK. Such countries may offer a different level of protection of personal data. If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data by applying the level of protection required under applicable data privacy laws.

For intra-group transfers of personal data, Novartis has adopted Binding Corporate Rules, a system of principles, rules, and tools, provided by European law, that ensures effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. Read more about the Novartis Binding Corporate Rules

 

How do we protect your personal data?

To ensure the security and confidentiality of Personal Data that we collect online, we use data networks protected, inter alia, by industry standard firewall and password protection. In the course of handling your Personal Data, we take measures reasonably designed to protect that information from loss, misuse, unauthorised access, disclosure, alteration or destruction and against other unlawful forms of processing.

 

How long do we store personal data?

We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.

 

What are your rights and how can you exercise them?

Whenever we process Personal Data, we take reasonable steps to ensure that your Personal Data is kept accurate and up to date for the purposes for which it was collected. We will provide you with the ability to exercise the below rights under the conditions and within the limits set forth in the law.

If you wish to contact us regarding the use of your Personal Data or you want to object in whole or in part to the processing of your Personal Data, please email us at [email protected]. If you have provided consent, you may wish to withdraw consent. You may request to access your Personal Data as processed by us, to ask for correction or erasure, or to request portability, where applicable, of your Personal Data, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format, subject to your confidentiality obligations.

When contacting us, please note the name of the website related to your request, your relationship and/or interactions with us (as applicable), as well as the specifics of the information you would like us to provide.

We do not currently respond to web browser “do not track” signals or other mechanisms that provide a method to opt out of the collection of information across websites or other online services.

 

Binding Corporate Rules ("BCR")

Binding Corporate Rules, so called “BCR”, are the system of privacy principles, rules and tools based on European Law that govern data privacy at Novartis. BCR represent today’s best practice to meet the European Economic Area’s (“EEA”) data protection requirements for the transfer of personal data within a Group of companies.

To be legally effective, the BCR have to be approved by relevant Data Protection Supervisory Authorities. You may find more information on BCR on the official European site.

 

Contact us

If you wish to contact us regarding our use of your personal data or you wish to exercise your data privacy rights, you may send an email to [email protected]. If you contact us, please include the following information in your email, so that we may efficiently respond to your request and so that we may identify you and the subject of your request:

  • the name of the website your inquiry is referring to;
  • your relationship and/or interactions with us (as applicable); and
  • the specifics of the information you would like us to provide or you want us to take action upon.

If you are not satisfied with how we process your personal data, please address your request to our Data Protection Officer at [email protected], who will investigate your concern.

In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.

Effective: 16 April 2024

This Privacy Notice is addressed to:

  • the healthcare professionals with whom we create or maintain a relationship; 
  • our customers or prospective customers who are natural persons (such as self-employed pharmacists);
  • the representatives or contact persons of our customers or prospective customers who are legal entities (such as wholesale pharmacists).

You are receiving this Privacy Notice because Novartis is processing information about you which constitutes “personal data” and Novartis considers the protection of your personal data and privacy a very important matter.

For the purpose of this Privacy Notice, “Novartis” refers to the Novartis UK entity processing your personal data, for example Novartis Pharmaceuticals UK Limited, Novartis Grimsby Limited or Advanced Accelerator Applications (UK & Ireland) Limited, which are registered at The WestWorks Building, White City Place, 195 Wood Lane, London, W12 7FQ.

The relevant Novartis UK entity is responsible for the processing of your personal data as it decides why and how it is processing, thereby acting as the “controller”. It may exercise this responsibility alone or jointly with other companies in the Novartis group (acting as a “co-controller”). In this Privacy Notice, “we” or “us” refers to the relevant Novartis UK entity.

We invite you to carefully read this Privacy Notice, which sets out in which context we are processing your personal data and explains your rights and our obligations when doing so.

Should you have any further question in relation to the processing of your personal data, including which Novartis UK entity is processing your personal data, we invite you to contact [email protected]

1.  What information do we have about you?

Information Novartis holds about you may either be directly provided by you, by our business partners (i.e. the legal entity for whom you work), by third parties (e.g. external medical agencies) or be obtained through trusted publicly available sources (such as NHS websites, congress websites or university websites). We collect various types of personal data about you, including:

  • your general and identification information (e.g. name, first name, last name, gender, email and/or postal address, fixed and/or mobile phone number);
  • your function (e.g. title, position, name of company, as well as, for healthcare professionals, specialties, publications, congress activities, awards, biography, education, links to universities, expertise and participation in/contribution to clinical trials, guidelines, editorial boards and organisations); 
  • payment information (e.g. credit card details, bank account details, VAT or other tax identification number);
  • details of any transfers of value in accordance with the Association of the British Pharmaceutical Industry (“ABPI”) Code of Practice (the “Code”);
  • unique IDs and profiles (if any) of our business partners; 
  • your electronic identification data where required for the purpose of delivering products or services to our company (e.g. login, passwords, badge number and picture, IP address, online identifiers/cookies, logs, access and connection times, CCTV footage); 
  • your audio and video recordings (e.g. captured in the context of our meetings, calls and virtual events that you attend or participate in);
  • your feedback or comments (e.g. received during our meetings, calls or virtual events);
  • information regarding your utilisation, responses and/or preferences including in terms of types of messages discussed, channels of communication and frequency;
  • data you provide to us for example when you fill in forms or during events you attend, or when you answer questions during a conversation or in a survey; 
  • data which relate to our products and services; and 
  • information about the promotional, scientific and medical activities/interactions you have with us, including potential future interactions.

If you intend to provide us with personal data about other individuals (e.g. your colleagues), you must provide a copy of this Privacy Notice to the relevant individuals, directly or through their employer.

2.  For which purposes do we use your personal data and why is this justified?  

2.1.  Legal basis for the processing

We will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if:

  • we have obtained your prior consent; 
  • the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request; 
  • the processing is necessary to comply with our legal or regulatory obligations; or
  • the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms. 

Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ are data processing activities performed:

  • To develop and demonstrate a transparent and professional relationship with health care professionals (“HCPs”), decreasing any perception of influence on HCPs by the pharmaceutical industry;
  • To provide knowledge to HCPs about Novartis medicines and scientific developments;
  • To promote Novartis innovation in the pharmaceutical field;
  • To manage Novartis human and financial resources and optimise interactions with health care professionals; 
  • To ensure that the right medicine according to a well-informed health care professional technical and professional opinion reaches the patient;
  • To benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
  • To offer our products and services to our customers;
  • To prevent fraud or criminal activity and misuse of our products or services, and to ensure the security of our IT systems, architecture and networks;
  • To sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party;
  • To meet our corporate and social responsibility objectives; and
  • To disclose and make publicly available details of transfers of value to ABPI in pursuance of the following objectives, which serve multiple legitimate interests: 

    i. Promoting a culture of integrity of transactions between pharmaceutical companies and HCPs;  
    ii. Increasing public and patient confidence in the integrity and independence of HCPs (itself essential for generating confidence in those relationships and their proper functioning);  
    iii. Showing accountability in these relationships and compliance by the industry and HCPs in relation to their legal obligations not to provide (on one hand) or accept (on the other hand) inducements to prescribe;  
    iv. Promoting confidence on the part of the public and on the part of stakeholders (e.g. regulators, managers of public health services, Government) in the legitimacy and bona fides of the engagements between the industry and HCPs;
    v. Addressing conflicts of interest by promoting the accountability of HCPs; and
    vi. Driving objectives in other legislation, such as tax, anti-bribery and fraud prevention.

For more information on our specific interests, please contact us as indicated under section 6 below.

2.2.  Purposes of the processing

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process your personal data for the following purposes:

  • manage our relationship with you (e.g. through our databases), and liaise with you about the programmes we sponsor that you participate in (e.g. preceptorships);
  • implement tasks in preparation of or to perform existing contracts; 
  • evidence transactions and ensure transparency on transfers of value;
  • provide you with appropriate, adequate and updated information about disease, medicines as well as our products and services;
  • improve the quality of our interactions and services by adapting our offering to your specific needs; 
  • answer your requests and provide you with efficient support; 
  • send you surveys (e.g. to help us improve your future interactions with us);  
  • send you communications regarding products, therapeutic areas or services that we promote; 
  • manage, plan and execute communications and interactions with you (e.g. through the operation of a database keeping records of interactions with health care professionals or managing call planning as well as call reporting); 
  • track our activities (e.g. measuring interactions or sales, number of appointments/calls); 
  • to analyse your engagement with our marketing campaigns to measure their effectiveness;
  • to gain insights into the current opinions and sentiments related to our areas of treatment and services, topics, brands and industries by tracking and reviewing online conversations, mentions and discussions;
  • to improve the skill development of our staff by assessing the content of their meetings, calls and virtual events with you which may include your feedback and comments;
  • invite you to events or promotional meetings sponsored by us (e.g. medical events, speaker events, conferences); 
  • grant you access to our training modules allowing you to provide us with certain services;
  • manage our IT resources, including infrastructure management and business continuity;
  • preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud; conducting audits and defending litigation);
  • manage mergers and acquisitions involving our company; 
  • archiving and record keeping;
  • billing and invoicing; and
  • any other purposes imposed by law and authorities i.e. our obligation to disclose transfers of value pursuant to the requirements of the Code and the objectives of transparency and accountability in the relationships between pharmaceutical companies and HCPs/HCOs enshrined therein.

3.  Who has access to your personal data and to whom are they transferred?

We will not sell, share, or otherwise transfer your personal data to third parties other than those indicated in this Privacy Notice.

In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by, or transferred to the following categories of recipients, on a need to know basis to achieve such purposes: 

  • our personnel (including personnel, departments or other companies of the Novartis group);
  • our independent agents or brokers (if any);
  • our suppliers and services providers that provide services and products to us;
  • our IT systems providers, cloud service providers, database providers and consultants;
  • our business partners who offer products or services jointly with us or with our subsidiaries or affiliates;
  • any third party to whom we assign or novate any of our rights or obligations; and 
  • our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets. 

The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law. 

Important Information - Change of legal basis for Transfer of Value disclosure from Consent to Legitimate Interests with effect from 1 January 2022.

In respect of transfers of value, your personal data including your name, principal practice address and details of the transfer of value, will be disclosed to the ABPI pursuant to legitimate interests of Novartis effective from 1 January 2022. If you would like to exercise your right to object to the processing of your personal data for this purpose, please read the section “What are your rights and how can you exercise them?” below.

For disclosures relating to payments made to you prior to 1 January 2022, your personal data shall only be shared with ABPI based on your consent and in the absence of your consent, such details regarding the transfer of value will be disclosed on an aggregate basis for this reporting period in relation to these payments. The disclosure will be made publicly available for a period of three years on their website (www.abpi.org.uk/our-ethics/disclosure-uk) and ABPI will be an independent data controller in respect of such personal data. For further details regarding how ABPI process your data or to exercise your data rights for the same, please refer to ABPI’s privacy notice available at www.abpi.org.uk. Alternatively, you may contact them directly at: 

Association of the British Pharmaceutical Industry

7th floor
Southside
105 Victoria Street
London 
SW1E 6QT

Your personal data can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court, where we are required to do so by applicable law or regulation or at their request.

The personal data we collect from you may also be processed, accessed or stored in a country outside the UK, which may not offer the same level of protection of personal data.

If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data by (i) applying the level of protection required under the local data protection/privacy laws applicable to the UK, and (ii) acting in accordance with our policies and standards. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out in Section 6 below.

For intra-group transfers of personal data, the Novartis group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. Read more about the Novartis Binding Corporate Rules at https://www.novartis.com/privacy/novartis-binding-corporate-rules-bcr.

4.  How do we protect your personal data?

We have implemented appropriate technical and organisational measures to provide a level of security and confidentiality to your personal data. These measures take into account:

(i)    the state of the art of the technology;
(ii)    the costs of its implementation;
(iii)    the nature of the data; and
(iv)    the risk of the processing.

The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorised disclosure or access and against other unlawful forms of processing.

Moreover, when handling your personal data, we:

  • only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes; and
  • ensure that your personal data remains up to date and accurate. 

For the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date.

5.  How long do we store your personal data?

We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.

Personal data which is not related to a specific contract will be stored for 24 months after your last interaction with us.

For contracts, the retention period is the term of your (or your company’s) contract with us, plus the period of time until the legal claims under this contract become time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period. When this period expires, your personal data is removed from our active systems.

Personal data collected and processed in the context of a dispute are deleted or archived (i) after a settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time barred.

6.  What are your rights and how can you exercise them?

You may exercise the following rights under the conditions and within the limits set forth in the law:

  • the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating; 
  • the right to request the erasure of your personal data or the restriction thereof to specific categories of processing; 
  • the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal; 
  • the right to object, in whole or in part, to the processing of your personal data; 
  • the right to object to a channel of communication used for direct marketing purposes; and 
  • the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations. 

If you have a question or want to exercise the above rights, you may send an email to [email protected] or a letter to Data Privacy, The WestWorks Building, White City Place, 195 Wood Lane, London, W12 7FQ. If you wish to exercise your rights, please provide a copy of an identity document, it being understood that we shall only use such data to verify your identity and shall not retain the scan after completion of the verification. When sending us a copy of your identity document, please make sure to redact any photographs.

If you are not satisfied with how we process your personal data, please address your request to our data protection officer at [email protected], who will investigate your concern.

In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.

7.  How will you be informed of the changes to our Privacy Notice? 

We may update this Privacy Notice from time to time to reflect changes in technology, legal requirements and our practices. Such updates will be available through our usual communication channels (e.g. via email or our website) and the revised notice will be effective from the date shown.

May 2018

This Privacy Notice is addressed to:

  • our suppliers and service providers who are natural persons (such as self-employed persons);
  • the representatives or contact persons of our suppliers and service providers who are legal entities; and 
  • any other visitors of one of our facilities.

For the purpose of this Privacy Notice, “Novartis” refers to the Novartis UK entity processing your personal data, for example Novartis Pharmaceuticals UK Limited or Novartis Grimsby Limited, which are registered at The WestWorks Building, White City Place, 195 Wood Lane, London, W12 7FQ.

The relevant Novartis UK entity is responsible for the processing of your personal data as it decides why and how it is processing, thereby acting as the “controller”. In this Privacy Notice, “we” or “us” refers to the relevant Novartis UK entity.

We invite you to carefully read this Privacy Notice, which sets out in which context we are processing your personal data and explains your rights and our obligations when doing so.

Should you have any further question in relation to the processing of your personal data, including which Novartis UK entity is processing your personal data, we invite you to contact [email protected].

1. What information do we have about you?

This information may either be directly provided by you or provided by our supplier or service provider (i.e. the legal entity for whom you work).

We may collect various types of personal data about you, including:

(i) your general and identification information (e.g. name, first name, last name, gender, email and/or postal address, fixed and/or mobile phone number and car registration number);

(ii) your function (e.g. title, position and name of company);

(iii) for natural persons acting as suppliers or service providers, financial information (e.g. bank account details); and

(iv) your electronic identification data where required for the purpose of delivering products or services to our company (e.g. login, passwords, badge number and picture, IP address, online identifiers/cookies, logs, access and connection times, CCTV footage).

If you intend to provide us with personal data about other individuals (e.g. your colleagues), you must provide a copy of this Privacy Notice to the relevant individuals, directly or through your employer.

2. For which purposes do we use your personal data and why is this justified?

2.1. Legal basis for the processing

We will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if:

  • we have obtained your prior consent;
  • the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;
  • the processing is necessary to comply with our legal or regulatory obligations; or
  • the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms.

Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ are data processing activities performed:

  • to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
  • to offer our products and services to our customers;
  • to prevent fraud or criminal activity, misuses of our products or services as well as the security of our IT systems, architecture and networks;
  • to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and
  • to meet our corporate and social responsibility objectives.

2.2. Purposes of the processing

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process your personal data for the following purposes:

  • manage our suppliers and service providers throughout the supply chain;
  • organise tenders, implement tasks in preparation of or to perform existing contracts;
  • monitor activities at our facilities, including compliance with applicable policies as well as health and safety rules in place;
  • grant you access to our training modules allowing you to provide us with certain services;
  • manage our IT resources, including infrastructure management and business continuity;
  • preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation);
  • manage mergers and acquisitions involving our company;
  • archiving and record-keeping;
  • billing and invoicing; and
  • any other purposes imposed by law and authorities.

3. Who has access to your personal data and to whom are they transferred?

We will not sell, share, or otherwise transfer your personal data to third parties other than those indicated in this Privacy Notice.

In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by or transferred to the following categories of recipients on a need to know basis to achieve such purposes:

  • our personnel (including personnel, departments or other companies of the Novartis group);
  • our independent agents or brokers (if any);
  • our other suppliers and service providers that provide services and products to us;
  • our IT systems providers, cloud service providers, database providers and consultants;
  • any third party to whom we assign or novate any of our rights or obligations; and
  • our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets.

The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.

Your personal data can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court, where we are required to do so by applicable law or regulation or at their request.

The personal data we collect from you may also be processed, accessed or stored in a country outside the UK, which may not offer the same level of protection of personal data.

If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data by (i) applying the level of protection required under the local data protection/privacy laws applicable to the UK, (ii) acting in accordance with our policies and standards and, (iii) for entities located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the "EEA"), unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out in Section 6 below.

For intra-group transfers of personal data, the Novartis group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. Read more about the Novartis Binding Corporate Rules at https://www.novartis.com/privacy/novartis-binding-corporate-rules-bcr

4. How do we protect your personal data?

We have implemented appropriate technical and organisational measures to provide a level of security and confidentiality to your personal data.

These measures take into account:

(i) the state of the art of the technology;

(ii) the costs of its implementation;

(iii) the nature of the data; and

(iv) the risk of the processing.

The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorised disclosure or access and against other unlawful forms of processing.

Moreover, when handling your personal data, we:

  • only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes; and
  • ensure that your personal data remains up to date and accurate.

For the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date.

5. How long do we store your personal data?

We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.

The retention period is the term of your (or your company’s) supply or service contract, plus the period of time until the legal claims under this contract become time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period. When this period expires, your personal data is removed from our active systems.

Personal data collected and processed in the context of a dispute are deleted or archived (i) after a settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time-barred.

6. What are your rights and how can you exercise them?

You may exercise the following rights under the conditions and within the limits set forth in the law:

  • the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
  • the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
  • the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
  • the right to object, in whole or in part, to the processing of your personal data; and
  • the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations.

If you have a question or want to exercise the above rights, you may send an email to [email protected] or a letter to Data Privacy, The WestWorks Building, White City Place, 195 Wood Lane, London, W12 7FQ. If you wish to exercise your rights, please provide a copy of an identity document, it being understood that we shall only use such data to verify your identity and shall not retain the scan after completion of the verification. When sending us a copy of your identity document, please make sure to redact any photographs.

If you are not satisfied with how we process your personal data, please address your request to our data protection officer at [email protected], who will investigate your concern.

In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.

7. How will you be informed of the changes to our Privacy Notice?

Any future changes or additions to the processing of your personal data as described in this Privacy Notice will be notified to you in advance through an individual notice through our usual communication channels (e.g. by email or via our internet websites).

This Privacy Notice is addressed to:

  • individuals reporting adverse events, providing safety information concerning our products, requesting medical information, and submitting product quality complaints; and
  • individuals that are the subject of adverse events, medical information queries, and product quality complaints.

Novartis is committed to protecting personal data and being transparent about its collection and use. This notice provides you with information on how Novartis Pharmaceuticals UK Limited (“Novartis”, “we” or “us”) processes personal data as data controller.

We invite you to read this Privacy Notice carefully, as it contains important information. Should you have any further questions, we invite you to contact [email protected].

Why do we collect and use personal data?

We process personal data for the following purposes:

  • monitoring the safety of medicinal products and medical devices, which includes detecting, assessing, following up on, and preventing adverse events, and reporting adverse events to health authorities;
  • responding to medical information queries, for example in relation to availability of products, clinical data, dosing and administration, formulation and stability, and interactions with other drugs, foods, and conditions;
  • responding to quality complaints regarding our products, such as any fault of quality and/or effectiveness, stability, reliability, safety, performance, or usage;
  • answering other questions or requests and improving our products and services;
  • complying with our policies and local legal, regulatory, and compliance requirements; and
  • conducting audits and defending litigation.

We do not process personal data unless we have a proper legal basis. The processing of personal data described in this Privacy Notice is necessary for the legitimate interests of Novartis in managing adverse events, medical information queries, and product complaints.

Novartis may process special category personal data, such as data concerning health. For this processing, Novartis relies on the exception under Article 9 (2)(g) GDPR, applied in the UK through the Data Protection Act 2018, for processing this special category personal data. Specifically, this processing is necessary for Novartis’ purposes of complying with its obligations under EU and UK legislation relating to conduct of pharmacovigilance as required under the Human Medicines Regulations 2012 implementing the body of EU law governing medicinal products. It is also necessary for reasons of substantial public interest in ensuring the safety of medicines.

In addition, it may be necessary for Novartis to process personal data for the purpose of protecting the vital interests of an individual or individuals.

What personal data do we collect and use?

For the purposes listed in this Privacy Notice, we collect and use the following categories of personal data:

  • information about individuals that report adverse events or make medical information queries or product quality complaints, including healthcare professionals and carers. This allows us to respond to queries and seek additional information as needed. The data we collect may include your name, email and/or postal address, phone number, and place of work (for healthcare professionals);
  • patient details, including name, hospital record numbers, age or date of birth, sex, weight, height, race, whether pregnant and/or breastfeeding, ethnicity (where the Summary of Product Characteristics includes specific information relating to ethnic origin), and occupational data (where this is strictly necessary for the evaluation of the adverse event); and
  • where strictly necessary and relevant for the purposes described in this Privacy Notice, patient health and lifestyle information, including but not limited to nature of adverse effects, examination results, personal or family medical history, diseases or associated events, risk factors, information about the use of medicines and therapy management, physical exercise, diet and eating behaviour, sexual life/contraception, and consumption of tobacco, alcohol, and drugs.

Who has access to personal data?

We do not share or otherwise transfer personal data to third parties other than those indicated in this Privacy Notice. Personal data may be accessed by or transferred to:

  • our personnel (including those in our Patient Safety, Medical Information, Quality Assurance, and Legal departments) and other Novartis Group companies (in particular Novartis AG);
  • other pharmaceutical and medical device companies, if the adverse event, request for information, or complaint relates to one of their products; and
  • service providers acting on behalf of Novartis companies, such as IT system and data hosting providers, and adverse event processing service providers (including call centre providers). These third parties are contractually obliged to protect the confidentiality and security of personal data, in compliance with applicable law.

Personal data may also be shared with:

  • healthcare professionals involved in an adverse event, request for information, or complaint;
  • the Medicines and Healthcare products Regulatory Agency (MHRA), as well as the European Medicines Agency (EMA) which controls the EudraVigilance database (visit https://www.ema.europa.eu for more information); and
  • a national and/or international regulatory, enforcement, public body or court where we are required to do so by applicable law or regulation or at their request.

Where is personal data stored?

Personal data may be processed, accessed, or stored in a country outside the country where you are located, which may not offer the same level of protection of personal data.

If we transfer personal data to external companies in other jurisdictions, we will protect personal data by (i) applying the level of protection required under the local data protection/privacy laws applicable to Novartis Pharmaceuticals UK Limited; (ii) acting in accordance with our policies and standards; and (iii) for Novartis companies located in the European Economic Area (“EEA”), unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out below.

For intra-group transfers of personal data, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. You can read more at https://www.novartis.com/privacy-policy/novartis-binding-corporate-rules-bcr

How long do we store personal data?

We will only store the above personal data for as long as we reasonably consider necessary for achieving the purposes set out in this Privacy Notice and as required under applicable laws.

What are your rights and how can you exercise them?

You have the right to:

  • access your personal data and, if you believe that it is incorrect, obsolete or incomplete, to request that it is corrected or updated;
  • request the erasure of your personal data or the restriction of its use;
  • if the processing is based on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
  • object, in whole or in part, to the processing of your personal data; and
  • request portability of your personal data (i.e. for it to be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format).

We may apply exceptions to these rights where appropriate and in accordance with local law.

How do we protect personal data?

We have implemented appropriate technical and organisational measures to provide an appropriate level of security and confidentiality to personal data. These measures take into account: (i) the state of the art of the technology; (ii) the costs of its implementation; (iii) the nature of the data; and (iv) the risk of the processing.

The purpose of these measures is to protect personal data against accidental or unlawful destruction or alteration, accidental loss, unauthorised disclosure or access, and against other unlawful forms of processing.

How can you contact us?

If you have a question or want to exercise the above rights, please email [email protected] or write to Data Privacy, Novartis, The WestWorks Building, White City Place, 195 Wood Lane, London, W12 7FQ.

If you are not satisfied with the processing of personal data, please address your request to our Data Protection Officer at [email protected] who will investigate your concern.

In any case, you also have the right to file a complaint with the Information Commissioner’s Office (ICO) at https://www.ico.org.uk in addition to your rights above.

This Privacy Notice was last updated in July 2019. Changes or additions will be notified through our usual communication channels (e.g. via our website).

Effective: June 2022

This Privacy Notice is addressed to:

  • Personnel involved in either feasibility and/or selection, including trial site set-up, and participation of Novartis’ clinical trials.

Novartis will process information about you which constitutes “personal data”. At Novartis we are committed to the responsible use of your personal data and consider privacy a very important matter.

For the purposes of this Privacy Notice, “Novartis” refers to Novartis Pharmaceuticals UK Limited, which is registered at The WestWorks Building, White City Place, 195 Wood Lane, London W12 7FQ. In this Privacy Notice, references to “we” or “us” refer to Novartis as defined in this Privacy Notice.

Novartis is the “controller” as it is the entity that decides why and how your personal data is processed in the context of clinical trials sponsored by Novartis in the UK, or one of our affiliates such as Novartis Pharma AG or Novartis AG (“NVS Clinical Trials”). It may exercise this responsibility alone or jointly with other companies in the Novartis group (acting as a “co-controller”).

The purpose of this Privacy Notice is to provide you with transparent information on how Novartis collects, uses, and discloses your personal data in the context of NVS Clinical Trials.

You are receiving this Privacy Notice as Novartis is either: (i) conducting a feasibility study, to assess whether the site where you work (“Site”) is suitable to be selected for a NVS Clinical Trial (the “Feasibility Stage”); or (ii) following the Feasibility Stage, Novartis has selected the Site and is conducting a NVS Clinical Trial at the Site (“Participating Site”). We invite you to carefully read this Privacy Notice, as it contains important information for you regarding how we handle your information in both contexts.

Should you have any further questions or concerns in relation to the processing of your personal data, including which Novartis entity is processing your personal data, we invite you to contact [email protected].

1. Collection of personal data

This personal information may either be directly provided by you or provided by the Site (i.e. the legal entity you work for or on behalf of).

For the purposes described in this Privacy Notice, we will collect the following information about you including:

  • name,
  • address,
  • telephone number,
  • email address,
  • your institution name e.g. NHS Trust Name, GP Surgery, etc.,
  • research experience (details gathered within feasibility questionnaire),
  • previously recruited trials (details gathered within feasibility questionnaire),
  • ongoing or planned trials (details gathered within feasibility questionnaire),
  • GMC registration,
  • present/previous appointment(s),
  • qualifications,
  • number of articles published,
  • the information contained in the CV provided to us,
  • previous experience in clinical trials and type of GCP training received,
  • financial interests in any companies of the Novartis group.

This personal information will be processed on the basis that it is necessary for our legitimate interests and those of the sponsor in conducting Feasibility or NVS Clinical Trials at Participating Sites. Where applicable, we may also process this personal data on the basis that it is necessary to perform our contractual obligations towards the Site, or where it is necessary to comply with our legal or regulatory obligations.

2. Use of personal data

The above personal data will be processed for the following purposes:

  • in order to assess suitability to conduct a NVS Clinical Trial (i.e. the Feasibility Stage),
  • in order to conduct NVS Clinical Trials in accordance with good clinical practice and applicable laws,
  • to support applications for marketing approval of any medication studied under a NVS Clinical Trial (“Study Medication”),
  • to support applications to vary the terms of any marketing approval granted in respect of a Study Medication,
  • to comply with the conditions of any marketing approval granted in respect of Study Medication,  
  • to carry out research related to the development of pharmaceutical products, diagnostics or medical aids,
  • to comply with the US Financial Disclosure regulation, which is intended to ensure that financial interests and arrangements of clinical investigators that could affect the reliability of data submitted to the Federal Drug Administration of the U.S.A. (“FDA”) are identified and disclosed to the FDA. [1]

If applicable to a NVS Clinical Trial, where the Site has been selected to conduct a NVS Clinical Trial, your personal data (name and contact information) may be incorporated in subject recruitment advertisements (print media or on Internet). Any such advertisement would be approved by the Ethical Committee before it is made public. For the avoidance of doubt, your personal information will not be processed in this context where the Site has undergone the Feasibility Stage and is not, or has not become, a Participating Site.

3. Sharing of personal data

We will not sell, share, or otherwise transfer your personal data to third parties other than those indicated in this Privacy Notice. In the course of our activities and for the purposes listed in this Privacy Notice, your personal data can be accessed by, or transferred to the following categories of recipients, on a need to know basis to achieve such purposes:

  • the sponsor,
  • our personnel (including personnel, departments, or other companies of the Novartis group),
  • our independent agents or brokers (if any),
  • our suppliers and service providers that provide services and products to us,
  • our IT systems providers, cloud service providers, database providers and consultants,
  • our business partners who offer products or services jointly with us or with our subsidiaries or affiliates,
  • any third party to whom we assign or novate any of our rights or obligations,
  • our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets.

The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.

Your personal data can also be accessed by or transferred to any national and/or international regulatory body, or Ethics Committee where necessary in order to fulfil the purposes outlined above.

The personal data we collect from you may also be processed, accessed or stored in a country outside the UK, which may not offer the same level of protection of personal data. If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data by: (i) applying the level of protection required under the local data protection/privacy laws applicable to the UK; and (ii) acting in accordance with our policies and standards. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as described below.

For intra-group transfers of personal data, the Novartis group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. Further information regarding the Novartis Binding Corporate Rules is located at:  https://www.novartis.com/privacy/novartis-binding-corporate-rules-bcr

4. Duration of storage

We will only retain your personal information for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.

Novartis will generally retain your personal information for a period of up to 12 months after the Sponsor publishes the clinical study report pertaining to the NVS Clinical Trial for which your data was collected, unless we need to retain the personal information longer to comply with legal or regulatory requirements. Furthermore, some of your personal information may be contained within clinical trial documentation, which we eventually archive and retain on an on-going basis. Please note that we are required to retain clinical trial documentation for a minimum of 25 years.

5. What are your rights and how can you exercise them?

You may exercise the following rights under the conditions and within the limits set forth in the law: 

  • the right to be informed about what personal information we have about you and how we process your personal information;
  • the right to access your personal information as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
  • the right to request the erasure of your personal information or the restriction thereof to specific categories of processing;
  • the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
  • the right to object, in whole or in part, to the processing of your personal information. With certain exceptions, this includes the right to object to direct marketing and the right to object to your personal information being used for research;
  • the right to request its portability, i.e. that the personal information you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations; and
  • the right to object to automated decision-making including profiling, i.e. you can request a human intervention in any automated decision-making process related to processing of your data and where such processing is not based on your consent, authorised by law or necessary for the performance of a contract. However, we don’t currently make decisions using automated processes only that result in significant or legal effects on individuals.

Please note that Novartis UK is subject to legal and regulatory obligations which may limit or restrict the enforcement of your rights on some occasions. If you wish to contact us regarding our use of your personal data or you wish to exercise your data privacy rights, you may send an email to [email protected]

If you are not satisfied with how we process your personal data, please address your request to our Data Protection Officer at [email protected], who will investigate your concern.

In any case, you also have the right to file a complaint with the Information Commissioner’s Office (ico.org.uk), in addition to your rights above. Making a complaint will not affect any other legal rights or remedies that you may have.

6. How will you be informed of the changes to our Privacy Notice?

Any future changes or additions to the processing of your personal data as described in this Privacy Notice will be notified to you in advance through our usual communication channels (e.g. by email or via our websites).

Reference

[1] Clinical investigators (principal investigator, sub-investigator or co-investigator) who are directly involved in the treatment or evaluation of research subjects in NVS Clinical Trials affected by this law, must disclose information to Novartis regarding their financial interests in companies belonging to the Novartis group as well as those of their spouse and each dependent child.