Privacy and cookies policy [1]

You have been sent or you have accessed this Privacy Statement because you are visiting a website or using a mobile application (‘app’) belonging to one of the companies of the Novartis Group. As a result, this company is processing information about you that is considered ‘personal data’. Please note that Novartis takes the protection of your personal data and privacy very seriously.

Novartis Farmacéutica, S.A. (‘Novartis’), with registered office at Gran Via de les Corts Catalanes, 764, 08013 Barcelona, is responsible for the processing of your personal information, as ‘data controller’, given that it decides why and how to process your personal data. In this Privacy Statement, ‘we’ refers to Novartis.

This Privacy Statement is divided into two parts. Part I contains practical information about the specific personal data that we process when you visit our websites or use our apps, as well as why we process these data and how we do so. Part II contains more general information about the standard technical or transactional personal data that we process in relation to visitors to our websites and the users of our apps, the legal basis for using your personal data, and which are your rights with regard to all personal data collected about you.

We invite you to read this Privacy Statement carefully and to contact the data protection officer (DPO) at dpospain.novartis@novartis.com [2] if you have any questions relating to the processing of your personal data.

Novartis processes personal data about you whenever you visit our websites or use our apps.

 

Specific personal data that will be collected

We will collect the following specific personal data: the data that you provide to us when filling in a form, the data that you send to us when contacting us using the channels available in our “contact sections” and, if you have downloaded and used one of our apps, the data related to such app. 

This information may be directly provided by you (e.g. by filling in a form or interacting with a website or app), provided by third parties or obtained through trusted public sources after obtaining your consent to supply these personal data when necessary under the applicable legislation.

 

Specific purposes for collecting your personal data

We will use the information we collect for the following specific purposes: 

  • to manage our users;
  • to manage and improve our websites and apps; 
  • to measure the use of our websites and apps;
  • to improve and personalise your experience and adjust the content for you;
  • to send you personalised services and content according to your location;
  • to improve the quality of our products and services and expand our commercial activities;
  • to monitor and prevent fraud, infringements and other misuse of our websites and apps;
  • careers or job search: if this feature is activated, your data will be used with the primary aim of recruiting.
  • provided that you have requested so and it is permitted under applicable laws, we will send you electronic commercial communications relating to our own products and/or services or those of third parties.
  • social media: we will process your data for the purposes of correctly managing your presence on our social media accounts, informing you about our own activities, products and/or services, or those of third parties that are related to our activity, as well as for any other purpose permitted under the legislation governing social media.
  • to respond to an official request from a duly authorised public or legal authority;
  • to manage our information technology (IT) resources, including infrastructure management and business continuity;
  • to protect the company’s economic interests and to ensure compliance and reporting;
  • archiving and record keeping; and
  • any other purpose stipulated by applicable laws or relevant authorities.

Please note that we may also use the data we collect for a number of other usual purposes, which are listed in Part II below.

 

Specific third parties with whom we will share your personal data

We will share your personal data with third parties providing services to us, always ensuring that all appropriate legal guarantees are in place.

We may also need to share your data with other recipients (e.g. another organisation in the Novartis Group if the organisation collecting the data is not the same as the one using the data), always under strict conditions, as further explained in Part II.

 

Data retention

We will only store the aforementioned personal data and the personal data listed in Part II from the first use of the specific website or app, up to a maximum of three years since your last visit.

 

Cookies and similar technologies

The specific types of cookies and other monitoring technologies that are used are described in Part II. In the event that the website has its own cookies policy, the content of such specific cookies policy will prevail. 

Please note that we also use cookies and other usual technologies for the standard purposes listed in Part II (e.g. to ensure the correct functioning of our websites or apps).

 

Specific contact person

If you have any questions regarding the processing of your personal data in this context, please contact the DPO by emailing dpospain.novartis@novartis.com [2].

The second part of this Privacy Statement describes the context in which we process your personal data in greater depth and explains your rights and our obligations during the process.

 

When will we use your personal data?

We will not process your personal data without an appropriate legal basis to do so. Therefore, we will only process your personal data:

  • if we have obtained your prior consent;
  • if the processing is required to meet our contractual obligations towards you or to take pre-contractual measures upon your request; 
  • if the processing is required to comply with our legal or regulatory obligations; or
  • if the processing is required for our legitimate interests and it does not unduly affect your interests or fundamental rights and freedoms.

Please note that when processing your personal data for the purposes of our legitimate interests, we always attempt to maintain a balance between those and your privacy. Among these ‘legitimate interests’ there are data processing activities carried out:

  • to take advantage of profitable services (e.g. we may opt to use platforms offered by suppliers to process data);
  • to advertise our products and services to our customers;
  • to prevent fraud, criminal activities and the misuse of our products and services, as well as to ensure the security of our IT networks, architecture and systems; 
  • to sell any part of our business or its assets or to allow the acquisition of all or part of our business or assets by a third party; and 
  • to fulfil our corporate social responsibility goals.

 

Who has access to your personal data and to whom are transferred?

We undertake not to sell, disseminate or otherwise transfer your personal data to third parties, except in the scenarios set out in this Privacy Statement.

As part of our activities and for the purposes listed in this Privacy Statement, your personal data may be accessed by the specific third parties identified in Part I above, or transferred to them and to the following categories of recipients, where necessary:

  • our personnel (including personnel, departments and other companies of the Novartis Group);
  • our suppliers and other service providers who supply us with products and services;
  • our IT systems providers, cloud services providers, database providers and consultants;
  • our commercial partners, who offer products or services in collaboration with us;
  • any third party to whom we assign or novate any of our rights and obligations;
  • our external advisors and lawyers in the context of the sale or transfer of any part of our business or assets.

These third parties are contractually obliged to ensure the confidentiality and security of your personal data in compliance with the applicable legislation.

Your personal data may also be accessed by or transferred to domestic and international regulatory, law enforcement or public bodies or courts when we are legally required to do so or upon their request.

The personal data we collect about you may also be processed, accessed or stored in a country other than the one in which Novartis is located, which may not offer the same level of personal data protection.

If we transfer your personal data to external companies in other jurisdictions, we will guarantee the protection of your personal data (i) by applying the level of protection required under local legislation on data protection/privacy applicable to Novartis, (ii) by complying with our own rules and policies, and (iii) since Novartis is located in the European Economic Area (the EU member states, as well as Iceland, Liechtenstein and Norway, the ‘EEA’), unless otherwise stated, by only transferring your personal data in compliance with the standard contractual clauses approved by the European Commission. You can request additional information about international transfers of personal data and obtain a copy of the security measures that have been implemented by exercising your rights as explained below.

For transfers of personal data within a group, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools deriving from European legislation, in order to ensure effective protection of transfers of personal data outside the EEA and Switzerland. Click here or follow the link for more information about the Novartis Binding Corporate Rules: www.novartis.es [3], (‘Data protection: your rights’) section.

 

How do we protect your personal data?

We have adopted appropriate technical and organisational measures to ensure that your personal data are processed securely and confidentially.

These measures are based on:

  1. the most recent technological developments and the cost of implementing them;
  2. the nature of the data; and
  3.  the risk posed by the processing.

They are intended to protect personal data from destruction and accidental or improper alteration, accidental loss, unauthorised dissemination or access, and any other improper processing.

Additionally, when processing your personal data, we comply with the following obligations:

  • we only collect and process personal data that are appropriate, relevant and not excessive, where it is necessary to do so to fulfil the aforementioned purposes;
  • we guarantee that your personal data are up-to-date and correct (we may ask you to confirm the personal data that we have about you and encourage you to inform us if your personal circumstances change so that we can ensure that your data are up-to-date); we may process confidential data provided voluntarily by you in compliance with the applicable data protection rules and only where strictly necessary for the relevant purposes listed above; and only the relevant personnel are authorised to access and process personal data, under the responsibility of one of our representatives, and are bound by professional secrecy and confidentiality.

 

How long will we store your personal data?

We will only store your personal data for as long as necessary to fulfil the purpose for which they were collected or to fulfil regulatory or legal requirements.

Unless otherwise stated in Part I of this Privacy Statement, the data retention period is 36 months from last use/access of the relevant website or app. When this period comes to an end, your personal data will be removed from our active systems.

 

Cookies

 

How do we use cookies and similar technologies on our websites and apps?

Cookies are small text files that are sent to your computer when you visit a website. We use cookies for the aforementioned purposes in compliance with this Privacy Statement.

We do not use cookies to monitor or identify individual visitors, but rather to obtain practical knowledge of the way in which our websites and apps are used to allow us to improve them for users. The personal data generated via cookies are collected in a pseudo-anonymised manner and are subject to your right to object to this processing of your data, as explained below.

We may use the following types of cookies:

  • personalisation cookies (cookies that record your preferences);
  • authentication cookies (cookies that allow you to leave our websites and return without having to log in again);
  • video reproduction cookies (cookies that store the information required to reproduce audio or video content and store your preferences);
  • first-party analytics cookies (cookies that memorise the websites you have visited and provide information about your interactions with these websites); and 
  • third-party analytics cookies (cookies from third parties that monitor our website’s statistics and vice versa).

Remember that you can change the settings on your browser to receive notifications when cookies are placed. If you do not want to allow cookies, you can reject them by changing the settings on your browser. Finally, you can also remove cookies that have already been placed.

For more information about how to manage cookies on your device, please consult the Help section on your browser or visit www.aboutcookies.org [4], which features exhaustive information about how to manage cookies on a wide variety of browsers (this is an external link).

However, in some cases, failure to accept cookies or the configuration of your browser settings may affect your browsing experience and prevent you from using certain features of our websites or apps.

 

Other technologies

We may use other technologies on our websites and apps to collect and process your personal data for the purposes indicated above, including:

  • Internet tags (such as action tags, single-pixel GIFs, clear GIFs, invisible GIFs and 1-by-1 GIFs, which allow us to track user results); and 
  • Adobe Flash technology (including Flash local shared objects, unless you change your settings).

 

What are your rights and how can you exercise them?

You can exercise the following rights under the conditions and within the limits established by applicable laws:

  • the right to access your personal data, as processed, and, if you believe that any of the information about you is incorrect, obsolete or incomplete, to request its correction or updating;
  • the right to request deletion of your personal data or to limit processing to specific categories;
  • the right to withdraw your consent at any time, without this affecting the validity of the data processing prior to this withdrawal;
  • the right to object, in whole or in part, to processing of your personal data;
  • the right to object to direct marketing; and
  • the right to request data portability, i.e. for the personal data you have provided us with to be returned to you or transferred to an individual of your choice, in a structured, commonly used and machine-readable format, without hindrance on our part and subject to your confidentiality obligations

If you have a question or you wish to exercise the aforementioned rights, please email the DPO at dpospain.novartis@novartis.com [2] with a scanned image of your ID document for identification purposes.

If you are unhappy with our handling of your personal data, please contact our data protection officer at global.privacy_office@novartis.com [5], who will evaluate your complaint.

In addition to the aforementioned rights, you are also entitled to submit a complaint to the relevant data protection authorities.

 

What technical and transactional data do we collect?

 

Categories of technical and transactional data

  • information about your browser and device (e.g. internet service provider domain, browser type and version, operating system and platform, display resolution, device manufacturer and/or model);
  • statistics relating to your use of our websites and apps (e.g. information about websites visited, information searched and/or the duration of your visit to our website);
  • usage data (e.g. date and time of accessing our websites and apps and/or the downloaded files);
  • location of your device when using our apps (unless you have turned this function off in your device settings); and
  • more generally, any information that you provide to us when using our websites and apps.

We will not intentionally collect, use or disseminate personal data belonging to anyone aged under 18 without prior consent from their parent or guardian.

 

Why do we collect technical and transactional data?

We always process your personal data for a specific purpose and we only process the personal data that are needed to fulfil that purpose. Besides the purposes set out in Part I of this Privacy Statement, we also process personal data collected during the use of one of our websites or apps for the following purposes:

  • to manage our users (e.g. registration, account management, responding to questions and providing technical support);
  • to manage and improve our websites and apps (e.g. diagnose problems with servers, optimise traffic, integrate and optimise websites, where relevant); 
  • to measure the use of our websites and apps (e.g. by generating traffic statistics, compiling information about user behaviour and pages visited);
  • to improve and personalise your experience and adjust the content for you (e.g. by remembering your selections and preferences via the use of cookies);
  • to send you personalised services and content according to your location;
  • to improve the quality of our products and services and expand our commercial activities;
  • to monitor and prevent fraud, infringements and other misuse of our websites and apps;
  • provided that you have requested so and it is permitted under applicable laws, we will send you electronic commercial communications relating to our own products and/or services or those of third parties, related to the manufacturing and marketing of pharmaceutical products and/or services and/or pharmaceutical specialities for vision care, quality generic and biosimilar drugs, and the manufacturing and marketing of surgical equipment and devices.
  • social media: we inform you that we are present on social media. Data processing carried out on people who become followers (and/or click on any link or connect in any other way via social media) of the data controller’s official pages on social media will be governed by this section, the rest of this Privacy Statement and the Terms of Use of our website, as well as by the terms and conditions, privacy policies and other rules on access, use and other aspects belonging to the social network in question. We will process your data for the purposes of correctly managing your presence on our social media accounts and informing you about our activities, products and/or services or those of third parties related to our activity (manufacturing and marketing of pharmaceutical products and/or services and/or pharmaceutical specialities for vision care, quality generic and biosimilar drugs, and manufacturing and marketing of surgical equipment and devices), as well as for any other purpose permitted under the terms and conditions of the relevant social media platform.
  • to respond to an official request from a duly authorised public or legal authority;
  • to manage our information technology (IT) resources, including infrastructure management and business continuity;
  • to protect the company’s economic interests and ensure compliance and reporting (such as compliance with our policies and local legal requirements, taxation and deductions, management of alleged misconduct or fraud, auditing and litigation defence);
  • any other purpose stipulated by applicable laws or relevant authorities.

Your activity on any Novartis website will be governed by the terms of use and privacy policy for that website. You consent to the data you provide via the website being sent to us for the purposes listed above.

 

How will we inform you of any changes to our Privacy Statement?

You will be informed of any changes or additions to the processing of your personal data described in this Privacy Statement in advance via an individual notification sent through our usual communication channels (e.g. email) and through our websites or apps (e.g. banners, pop-ups and other notification mechanisms).

© 2021 Novartis Farmacéutica, SA

This website is intended for users in Spain

ES2106088791