Privacy Notice for Individuals Involved in an Adverse Event, Medical Information Query, or Product Complaint

This Privacy Notice is addressed to:

• individuals reporting adverse events, providing safety information concerning our products, requesting medical information, and submitting product quality complaints; and
• individuals that are the subject of adverse events, medical information queries, and product quality complaints.

Novartis is committed to protecting personal data and being transparent about its collection and use. This notice provides you with information on how Novartis Pharmaceuticals UK Limited (“Novartis”, “we” or “us”) processes personal data as data controller.

We invite you to read this Privacy Notice carefully, as it contains important information. Should you have any further questions, we invite you to contact [email protected]

Why do we collect and use personal data?

We process personal data for the following purposes:

• monitoring the safety of medicinal products and medical devices, which includes detecting, assessing, following up on, and preventing adverse events, and reporting adverse events to health authorities;
• responding to medical information queries, for example in relation to availability of products, clinical data, dosing and administration, formulation and stability, and interactions with other drugs, foods, and conditions;
• responding to quality complaints regarding our products, such as any fault of quality and/or effectiveness, stability, reliability, safety, performance, or usage;
• answering other questions or requests and improving our products and services;
• complying with our policies and local legal, regulatory, and compliance requirements; and
• conducting audits and defending litigation.

We do not process personal data unless we have a proper legal basis. The processing of personal data described in this Privacy Notice is necessary for the legitimate interests of Novartis in managing adverse events, medical information queries, and product complaints.

Novartis may process special category personal data, such as data concerning health. For this processing, Novartis relies on the exception under Article 9 (2)(g) GDPR, applied in the UK through the Data Protection Act 2018, for processing this special category personal data. Specifically, this processing is necessary for Novartis’ purposes of complying with its obligations under EU and UK legislation relating to conduct of pharmacovigilance as required under the Human Medicines Regulations 2012 implementing the body of EU law governing medicinal products. It is also necessary for reasons of substantial public interest in ensuring the safety of medicines.

In addition, it may be necessary for Novartis to process personal data for the purpose of protecting the vital interests of an individual or individuals.

What personal data do we collect and use?

For the purposes listed in this Privacy Notice, we collect and use the following categories of personal data:

• information about individuals that report adverse events or make medical information queries or product quality complaints, including healthcare professionals and carers. This allows us to respond to queries and seek additional information as needed. The data we collect may include your name, email and/or postal address, phone number, and place of work (for healthcare professionals);
• patients details, including name, hospital record numbers, age or date of birth, sex, weight, height, race, whether pregnant and/or breastfeeding, ethnicity (where the Summary of Product Characteristics includes specific information relating to ethnic origin), and occupational data (where this is strictly necessary for the evaluation of the adverse event); and
• where strictly necessary and relevant for the purposes described in this Privacy Notice, patient health and lifestyle information, including but not limited to nature of adverse effects, examination results, personal or family medical history, diseases or associated events, risk factors, information about the use of medicines and therapy management, physical exercise, diet and eating behaviour, sexual life/contraception, and consumption of tobacco, alcohol, and drugs.

Who has access to personal data?

We do not share or otherwise transfer personal data to third parties other than those indicated in this Privacy Notice. Personal data may be accessed by or transferred to:

• our personnel (including those in our Patient Safety, Medical Information, Quality Assurance, and Legal departments) and other Novartis Group companies (in particular Novartis AG)
• other pharmaceutical and medical device companies, if the adverse event, request for information, or complaint relates to one of their products; and
• service providers acting on behalf of Novartis companies, such as IT system and data hosting providers, and adverse event processing service providers (including call centre providers). These third parties are contractually obliged to protect the confidentiality and security of personal data, in compliance with applicable law.

Personal data may also be shared with:

• healthcare professionals involved in an adverse event, request for information, or complaint;
• the Medicines and Healthcare products Regulatory Agency (MHRA), as well as the European Medicines Agency (EMA) which controls the EudraVigilance database (visit https://www.ema.europa.eu for more information); and
• a national and/or international regulatory, enforcement, public body or court where we are required to do so by applicable law or regulation or at their request.

Where is personal data stored?

Personal data may processed, accessed, or stored in a country outside the country where you are located, which may not offer the same level of protection of personal data.

If we transfer personal data to external companies in other jurisdictions, we will protect personal data by (i) applying the level of protection required under the local data protection/privacy laws applicable to Novartis Pharmaceuticals UK Limited: (ii) acting in accordance with our policies and standards; and (iii) for Novartis companies located in the European Economic Area (“EEA”), unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out below.

For intra-group transfers of personal data, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. You can read more at https://www.novartis.com/privacy-policy/novartis-binding-corporate-rules-bcr

How long do we store personal data?

We will only store the above personal data for as long as we reasonably consider necessary for achieving the purposes set out in this Privacy Notice and as required under applicable laws.

What are your rights and how can you exercise them?

You have the right to:

• access your personal data and, if you believe that it is incorrect, obsolete or incomplete, to request that it is corrected or updated;
• request the erasure of your personal data or the restriction of its use;
• if the processing is based on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
• object, in whole or in part, to the processing of your personal data; and
• request portability of your personal data (i.e. for it to be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format).

We may apply exceptions to these rights where appropriate and in accordance with local law.

How do we protect personal data?

We have implemented appropriate technical and organisational measures to provide an appropriate level of security and confidentiality to personal data. These measures take into account: (i) the state of the art of the technology; (ii) the costs of its implementation; (iii) the nature of the data; and (iv) the risk of the processing.

The purpose of these measures is to protect personal data against accidental or unlawful destruction or alteration, accidental loss, unauthorised disclosure or access, and against other unlawful forms of processing.

How can you contact us?

If you have a question or want to exercise the above rights, please email [email protected] or write to Data Privacy, Novartis, Frimley Business Park, Surrey, GU16 7SR.

If you are not satisfied with the processing of personal data, please address your request to our Data Protection Officer at [email protected] who will    investigate your concern.  

In any case, you also have the right to file a complaint with Information Commissioner’s Office (ICO) at https://www.ico.org.uk in addition to your rights above.

This Privacy Notice was last updated in July 2019. Changes or additions will be notified through our usual communication channels (e.g. via our website).