Privacy notice for pharmacovigilance and medical information inquiries
General Information
At F. Hoffmann-La Roche (hereafter “Roche”, “we”, “us”), we take data privacy seriously and treat all your “personal data” in accordance with the Roche General Privacy Policy and applicable privacy and data protection laws, including the General Data Protection Regulation (GDPR), the Swiss Federal Data Protection Act, and other applicable local laws that regulate the storage, processing, access and transfer of personal data.
This Privacy Notice (“Notice”) is intended to explain how Roche collects and processes your personal data for the purposes of pharmacovigilance related activities. The scope of this Notice is limited to the collection and processing of your personal data for pharmacovigilance and/or medical information inquiries. For general information about data processing at Roche, please visit the Roche Privacy Notice.
Purposes and legal basis for processing - Pharmacovigilance
Any personal data provided to Roche related to adverse events or other activities related to pharmacovigilance will be used solely for these purposes. This information is very important for public health and will be used for the detection, assessment, understanding and prevention of adverse effects or any other medicine-related problem.
We collect and process your data to respond to your inquiries based on legitimate interests (Article 6(1)(f)) and, where applicable, your consent (Article 6(1)(a)). If reporting of an adverse event is required, your data may be processed to comply with Roche's legal pharmacovigilance (GVP) obligations (Article 6(1)(c)).
Purposes and legal basis for processing – Medical Inquiries
Any personal data provided to Roche related to a medical inquiry may be used to answer the inquiry, follow up on such requests and maintain the information in a Medical Information database for reference. Where required by law (such as for pharmacovigilance), we may also be required to report the data to regulatory authorities. Your data will not be used for any other purposes.
We collect and process your data for inquiries based on your consent (Article 6(1)(a) of the GDPR). If reporting of an adverse event is required, your data may be processed to comply with Roche's legal pharmacovigilance (GVP) obligations (Article 6(1)(c) of the GDPR).
Categories of personal data processed
The type of information that we collect from you will depend on the data subject and the type of processing activity:
Pharmacovigilance: We collect the name, contact details, and affiliations/profession of the reporting individual. We may collect some additional personal data related to the health and medical history of the individual experiencing an adverse event if required for processing of the adverse event for pharmacovigilance purposes.
Medical Inquiries: We may collect the name, contact details and affiliation/profession of the individual making the inquiry.
Recipients of your personal data
Roche may share the data you provided to us among Roche Group companies and affiliates, business partners and service providers, where required to operate the Roche global pharmacovigilance database and fulfill obligations under pharmacovigilance legislation.
Roche is also obliged to report certain pharmacovigilance and product-relevant information to Health Authorities worldwide, including those with a different level of data protection compared to the EU. The reports contain details about the incident but will only contain limited personal data:
Patients: Information as provided, including age or date/year of birth (where permitted by regulations) and gender (note that patient name will never be provided)
Reporting Individuals: Information as provided to allow the regulatory authority to follow up with the reporting individual, including name, profession, initials, address, email, phone number
Additional information in case your data is covered by GDPR: It is possible that in the exchange of data within the Roche Group, business partners and service providers, your personal data may be transferred to countries that do not provide the same level of protection as your own. In this case, contracts containing the EU Standard Contractual Clauses according to EU Commission decisions of 27 December 2004 (2004/915/EC) and 05 February 2010 (C(2010) 593) constitute appropriate and suitable safeguards to ensure compliance with GDPR.
Storage period
As information related to pharmacovigilance (reports about adverse events) is important for public health reasons, reports are kept for a minimum of 10 years after the withdrawal of the product in the last country where the product is marketed. Personal data retained as part of a medical information inquiry are kept for a minimum of 10 and a maximum of 15 years after receipt.
Information about your rights
If your personal data is covered by GDPR, please note that you have the right to request from Roche information on which personal data we store and the purpose for which we process them. You can also request access to and rectification of your personal data as well as the right to data portability, if applicable (which means if the legal basis for collecting your data is consent). Erasure or restriction of processing is only possible if and to the extent the processing of personal data is based on consent or legitimate interest. Please note that due to our legal obligations under pharmacovigilance legislation, Roche may not be able to erase or restrict processing of your data if processed for pharmacovigilance.
If data processing is based on consent, kindly note that you have the right to withdraw your consent at any time, however, without affecting the lawfulness of processing based on consent before its withdrawal. If you would like to contact us to exercise your right to withdraw consent, please find our contact details in the section “Identity and contact details of the data controller” below.
To prevent your data from being entered into our systems again after your request for erasure, in your interest and for us to comply with GDPR, we may keep your name and e-mail address with a flag “Don’t contact anymore” in our systems.
In the event you have the impression that our data processing is non-compliant with GDPR: You are entitled to lodge a complaint with the responsible supervisory authority.
Identity and contact details of the data controller
F. Hoffmann-La Roche Ltd, Grenzacherstrasse 124, CH-4070 Basel, Switzerland, email: global.privacy@roche.com (“Roche”) is the data controller.
In the event that your personal data is covered by the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”): EU representative of F. Hoffmann-La Roche Ltd is Roche Privacy GmbH, Emil-Barell-Str. 1, D-79639 Grenzach-Wyhlen.
Please direct any questions and requests related to this information to F. Hoffmann-La Roche Ltd, Global Privacy Office, Grenzacherstrasse 124, CH-4070 Basel, Switzerland, email: global.privacy@roche.com.