Novartis Privacy Notice
Purpose and justification for collecting personal information
Your personal data will be processed by Novartis International AG, their affiliated companies and their authorized agents for the sole purpose of stakeholder engagement management. The objective of stakeholder engagement management is to inform our business strategy, proactively shape our business environment, manage risks and identify opportunities to embed the business in society and ensure long-term sustainability.
Data controller of personal information collected
Novartis will operate as Data Controller. The personal information collected will be shared within the Novartis Group of Companies for processing insofar as necessary for achieving the purposes described above.
Personal information collected and legal basis for the processing
We will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if:
- we have obtained your prior consent;
Novartis will not hold “sensitive data” related to you in the Database. Depending on applicable laws and regulations, sensitive data may include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, personal health or sexual orientation.
Personal information disclosure to third parties
“Novartis” will not sell, share, or otherwise distribute your personal information to third parties except as provided in this Privacy Notice. Your personal information may also be transferred to third parties who act for or on Novartis’ behalf, for processing data for further communication and interactions in accordance with the purposes described above. These third parties may be located in countries or territories which may not offer the same level of data protection as the country in which you reside. They have contracted with Novartis to use your personal information solely for the agreed upon purpose, not to sell your personal information to third parties, and not to disclose it to third parties except as may be required by law, as permitted by Novartis or as stated in this Privacy Notice. Such transfers of personal data from the EU, Switzerland or any other EEA country to a country with a lower level of data protection is performed in compliance with local data privacy laws, which may include but is not limited to data transfer agreements with Novartis based on the standard contractual clauses of the EU Commission.
Your personal information may also be transferred to a third party in the event that this part of Novartis’ business and the personal information connected with it is sold, assigned or transferred, in which case Novartis would require the buyer, assignee or transferee to treat your personal information in accordance with this Privacy notice. Also, your personal information may be disclosed to a third party if Novartis is required to do so because of an applicable law, court order or governmental regulation, or if such disclosure is otherwise necessary in support of any criminal or other legal investigation or proceeding here or abroad.
Retention of personal information
This data is retained by Novartis for the duration required to manage these relationships. There may be cases when your personal information or part of it may be stored in the Database for a longer time period if Novartis is required to do so because of an applicable law, court order or governmental regulation or if such retention is otherwise necessary in support of any criminal or other legal investigation or proceeding here or abroad.
Protection of your personal data
We have implemented appropriate technical and organizational measures to provide an adequate level of security and confidentiality to your personal data, taking into account the nature of the data and the risk of processing such data. The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of
processing.
Moreover, when handling your personal data, we comply with the following obligations:
- we only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes;
- we ensure that your personal data remains up to date and accurate (for the latter, we may request you to confirm the personal data we hold about you and you are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date.
Exercise of access rights and contact details
You may exercise the following rights under the conditions and within the limits set forth in the law:
the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
- the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
- the right to object, in whole or in part, to the processing of your personal data;
- the right to object to a channel of communication used for direct marketing purposes; and
- to the extent applicable the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations.
If you have a question, if you are not satisfied how we process your personal data or if you want to exercise the above rights, you may send an email to [email protected]. When contacting us, please add a description of your relationship and/or your interactions with us. If you wish to receive information related to your personal data, please also add a scan of your identity card for identification purpose, it being understood that we shall only use such data to verify your identity. When sending us such a scan, please make sure to redact your picture and national registry number or equivalent on the scan.
In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.
