Privacy Policy
Updated on May 17, 2018
Introduction
Roche pays great attention to protecting the privacy of all the people with whom it interacts and undertakes to respect it in application of the relevant regulations, including in particular Regulation (EU) 2016/679 - hereinafter referred to as the "Regulation" for the sake of brevity.
All Roche Websites that contain this Privacy Policy (hereinafter the “Policy”) undertake to collect, store and safeguard users' personal data in compliance with the Policy, applicable laws and regulations. Furthermore, in the sections of the Sites where the user's personal data are collected, a specific privacy policy is normally published, which this Policy supplements.
This Policy describes how Roche and other Roche Group companies collect, use and share personal data relating to the user that the user communicates to us or that we obtain or generate in any other way at the moment in which the user accesses the Site.
If the user has any questions or concerns about the use of their personal data, they can contact us using the contact information in chapter 8 of this Policy.
This Policy does not apply to online resources and third-party sites to which Roche websites are linked and for which Roche does not control either the content or the procedures regarding the protection of privacy. Users who decide to access the aforementioned websites are therefore recommended to consult the Terms and Conditions and the privacy policies available within the sites they access.
1. What personal data does Roche process and how does it obtain it?
2. Why does Roche process the user's personal data and how?
3. How does Roche keep data and for how long?
4. How does Roche ensure the security and quality of personal data?
5. Who can access the data?
6. Exercise of the user's rights under this Information
7. Refusal to provide personal data
8. Contacts: Data protection owners and managers
1. What personal data does Roche process and how does it obtain it?
The following may be processed:
- Common personal data that may be provided by the user when they interact with the functions of the Site, including navigation data, or when they ask to use the services offered on the Site (for example: registration in any reserved areas, requests for information via contact forms, etc.).
Most of the Sites that contain this Privacy Policy are accessible to the visitor without requiring their registration. For a limited number of sections, however, it may be necessary for the user to complete a registration procedure, which involves filling in fields with their personal data. Failure to provide the data requested in the mandatory fields does not allow access to the reserved area or the provision, by Roche, of the service requested by the user.
Roche may also become aware of the user's personal data if the latter decides to transmit them to us by sending e-mails using the addresses indicated on the Roche Sites.
- Data belonging to particular categories (for example, sensitive data) pursuant to art. 9 of the Regulation, provided spontaneously by the user. In this case, the processing is carried out on the basis of the user's consent, as well as for the obligations related to reports of adverse events, to fulfill obligations deriving from laws or regulations, or to fulfill contractual or pre-contractual obligations relating to the supply of goods or services (including requests for information on Roche products).
- Data collected automatically: Roche automatically collects certain types of data each time the user accesses the Site or interacts with Roche via e-mail. The automatic collection technologies that Roche uses include, for example, web server logs / IP addresses, cookies and web beacons.
In particular:
· Web server logs / IP addresses
The IP address is a number that is assigned to the user's computer each time he accesses the Internet. All computers connected to the Internet are identified by an IP address: this allows computers and servers to recognize each other and communicate with each other. Roche collects IP addresses to administer the system and transmits aggregate data to affiliates, business partners and / or suppliers to perform Site analysis and Site performance assessments.
· Cookies
Cookies are pieces of information that are automatically saved on the hard drive of the user's computer when they access certain websites and that uniquely identify their browser. Cookies allow Roche to store information on the server that helps us to improve user navigation and to conduct analyses to evaluate the performance of the Site. Most browsers accept cookies automatically; the user can, however, change the settings of their browser so as to refuse all cookies or to be notified when one is sent. In any case, some areas of the Roche sites may not function properly if the user refuses cookies.
· Web Beacon
In certain cases, Roche may use common technology based on the use of so-called “Web beacons” (also known as “clear GIFs” or “action tags”) on certain web pages or in certain email messages. These allow the effectiveness of the sites to be analyzed by measuring, for example, the number of visitors to a particular site or the number of visitors who click on one or more key elements of the site.
Web beacons, cookies, and tracking technologies do not automatically collect personal identification data concerning the user.
The Roche Sites are aimed at an adult audience. Therefore, Roche will not voluntarily collect identification data of individuals who are minors.
2. Why does Roche process the user's personal data and how?
Roche may process the user's common personal data to allow them to use the services and features on the Site and to optimize their operation, to perform statistics on visits, to manage requests and reports received through the Site, to register the user to any reserved areas. In addition, with the user's optional consent, common data can also be used for the purpose of making institutional communications or to send material and / or communications requested by the user using the contact details indicated by the user.
The legal basis of the processing for these purposes is art. 6.1.a) of the Regulations.
The Company may also process the user's personal data to fulfill obligations deriving from laws, regulations, community legislation: the legal basis of the processing for this purpose is art. 6.1.c) of the Regulations. The user's common and sensitive data could also be processed for the management and for the obligations related to reports of adverse events, pursuant to art. 9.2. letters a), g) and i) of the Regulations.
Finally, the user's common and / or sensitive personal data could be processed by the Company to protect their rights in court.
All user data are processed with paper and automated tools that are in any case suitable for guaranteeing their security and confidentiality.
3. How does Roche keep data and for how long?
In compliance with the provisions of art. 5.1.c) of the Regulations, the information systems and computer programs used by Roche are configured in such a way as to minimize the use of personal and identification data. In particular, the data are processed only to the extent necessary for the achievement of the purposes indicated in this Policy and are kept for the period of time strictly necessary to achieve the purposes actually pursued. In any case, the criterion used to determine the retention period is based on compliance with the terms permitted by applicable laws and the principles of minimization of treatment, limitation of conservation and rational management of archives.
4. How does Roche ensure the security and quality of personal data?
Roche undertakes to protect the security of the user's personal data and complies with the security provisions in order to avoid data loss, illegitimate or illicit use of data and unauthorized access to the same, with particular but not exclusive reference to art. 32 of the Regulation.
The Company uses multiple advanced security technologies and procedures to promote the protection of users' personal data.
Roche also carefully selects the suppliers who can access the user's personal data (ref. Paragraph 5), requiring them to take appropriate measures to protect the confidentiality and security of the personal data provided by the user.
5. Who can access the data?
Company personnel who need to process user data in the performance of their duties, and who have been appropriately appointed as Data Processor, are authorized to process it.
User data may also be disclosed, even in non-EU countries ("Third Countries"), to other Roche Group companies for the same purposes and / or for technical, administrative or accounting purposes.
Furthermore, the data can be communicated, even in third countries, to:
(i) institutions, authorities, public bodies for their institutional purposes;
(ii) courts of all levels, arbitrators or other judicial bodies;
(iii) professional consultants, auditors and, more generally, suppliers used by the Data Controller for the provision of professional and technical services functional to the management of the Site and related functions (e.g. IT service providers and hosting), to pursue the purposes specified above and the services requested by the user;
(iv) other third parties in relation to any disposal, merger, acquisition or reorganization, even partial, of Roche, or any similar change involving it;
(v) the internal and external control bodies of the Company, such as the DPO, the SB and external auditors, for the pursuit of their own internal supervision and verification activities.
The aforementioned subjects receive only the data strictly necessary for the related functions and undertake to process them only for the purposes indicated above and in compliance with the applicable privacy legislation. The subjects who receive the data treat them as Data Controllers or Data Processors, depending on the case.
As regards the possible transfer of data to third countries, including countries that may not guarantee the same level of protection provided for by the Regulation, the processing takes place in any case on the basis of one of the conditions defined by the Regulation, such as the consent of the user, the adoption of Standard Contractual Clauses (SCC) approved by the European Commission, the selection of subjects adhering to international programs for the free circulation of data or operating in countries considered safe by the European Commission.
6. Exercise of the user's rights pursuant to this Notice
At any time, the user may exercise, pursuant to articles 15 to 22 of the Regulations, the right to:
a) ask for confirmation of the existence or otherwise of their personal data;
b) obtain information about the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be communicated and, when possible, the retention period;
c) obtain the rectification and cancellation of data;
d) obtain the limitation of the processing;
e) obtain data portability, i.e. receive them from the data controller, in a structured format, commonly used and readable by an automatic device, and transmit them to another data controller without hindrance;
f) oppose the processing at any time;
g) oppose an automated decision-making process, including profiling;
h) withdraw the consent at any time without prejudice to the lawfulness of the processing based on the consent given prior to the revocation;
j) lodge a complaint with the Supervisory Authority (the Guarantor for the Protection of Personal Data).
For any request relating to the processing of personal data by the Company, to exercise the rights recognized by the applicable legislation, as well as to know the updated list of the subjects to whom the data is accessible, the user can contact the Data Controller and / or the DPO at the addresses indicated at the end of this Policy.
7. Refusal to provide personal data
The user can always choose whether or not to share their personal data with Roche. If the user decides not to provide their personal data, to object to the processing of the data, or to withdraw consent to the processing already given, Roche respects this decision, without prejudice to the legal obligations to which it is subject in this regard. However, this could make it impossible for Roche to perform the necessary actions to achieve the purposes referred to in point 2), as well as the impossibility for the user to use the services and products offered by Roche.
8. Contacts: Data protection owners and managers
a) Roche S.p.A.
The data controller of the collected data is Roche S.p.A., with registered office and administrative offices in Monza, V.le G.B. Stucco 110.
b) Roche Diagnostics S.p.A.
The data controller of the data collected is Roche Diagnostics S.p.A., with registered office and administrative offices in Monza, V.le G.B. Stucco 110.
c) Roche Diabetes Care Italy S.p.A.
The data controller of the collected data is Roche Diabetes Care Italy S.p.A., with registered office in Monza, V.le G.B. Stucco 110.
To contact the Data Controller and the Data Protection Officer, you can write to: monza.privacy@roche.com