General Privacy Statement
At F. Hoffmann-La Roche Ltd ("Roche"), our commitment is to protect your personal information. This Privacy Notice describes the types of personal information that Roche may collect; the means by which Roche may gather, use, or share your personal information; the measures Roche takes to safeguard your personal information; and the choices you are provided with regarding the use of your personal information. This Notice applies solely to Roche's websites that have links to this Notice. Our websites may also contain links to third-party websites. We do not endorse or take responsibility for the content of third-party websites or resources, and our Privacy Notice does not apply to any site not associated with Roche, even if you access them through a link on our portal. You should review the privacy policies of any third-party website before providing any information. For the purposes of this Privacy Notice, "personal data" refers to any information by which you can be individually identified, directly or indirectly, including but not limited to: your name, address, email address, and phone number. Identity and Contact Details of the Data Controller The entity responsible for handling the data is F. Hoffmann-La Roche Ltd, Grenzacherstrasse 124, CH-4070 Basel, Switzerland. As such, the representative for Latin America is F. Hoffmann-La Roche Ltd, email: latam.rochepressday@roche.com Data Processing Policy In the pursuit of its corporate purpose, Roche will collect and process Personal Data and Sensitive Personal Data in accordance with the provisions of this Policy, the Applicable Regulations, and the Corporate Program, in order to guarantee the security and confidentiality of the Data included in the Databases. In order to process Personal Data and Sensitive Personal Data, the followinmust be taken into account:
- Those who process Personal Data and Sensitive Personal Data, whether within Roche or on behalf and on behalf of Roche, must comply with the guiding principles of data protection established in the Applicable Regulations, such as: i) legality; ii) purpose; iii) freedom; iv) truthfulness; (v) transparency; (vi) restricted access and circulation; (vii) security; and (viii) confidentiality.
- This Policy must at all times comply with the Corporate Program, paying attention to all its content in accordance with the provisions of the Roche Global Data Management Directive and the Applicable Regulations.
- This Policy shall be available at all times to Data Subjects and third parties who wish to consult it.
- Roche will be the Data Controller of Personal Data and Sensitive Personal Data that are collected by its personnel, by third parties to whom it has entrusted such work, or by any electronic means that Roche makes available to Data Subjects for this purpose.
- The Personal Data and Sensitive Personal Data contained in Roche’s Databases will be handled under strict security and confidentiality policies. In the event that any risk or violation of the Processing of Personal Data and Sensitive Personal Data is detected, it will be the responsibility of the person or area detecting it to immediately inform the area responsible for the protection of Personal Data at Roche.
- Roche’s employees will implement all necessary measures to protect the reliability, authenticity, use, integrity, and confidentiality of Personal Data and Sensitive Personal Data.
- Only the Personal Data and Sensitive Personal Data subject to Processing at any given time will be kept in work areas and will be protected at all times during their use.
- The Processing of Personal Data and Sensitive Personal Data will only be carried out when the data subjects’ authorizations have been obtained, which must be prior, express, informed, and clear. The foregoing, except in cases where the Applicable Regulations allow the Processing of data without requiring authorization.
- It will be necessary to request and retain proof of the authorizations granted.
- Within the authorization granted by the Data Subject, the specific purposes for which the authorization is granted must be expressed. This authorization may be granted through the signing of contracts, acceptance of privacy notices, signing of informed consents, among other documents that include such authorization.
In the Processing of Personal Data and Sensitive Personal Data, the following must be confirmed:
- The purpose of the collection, handling, and methods of collecting the data;
- In the case of use by third parties, it must be verified that the Data Subject has authorized the Processing by third parties, the identity of the third parties, the purposes of their use, and the type of data provided;
- The authorized period of use and data deletion process;
- The contact details of the Data Controller.
- In the case of Processing Sensitive Personal Data, the specific and limited purpose of the Processing must be specified.
- Roche may disclose information it collects about Data Subject to provide information to governmental entities when requested, comply with labor and tax regulations, and address administrative and judicial requirements, which may be delivered for these purposes to external lawyers and advisors, or auditors.
- Personal Data may be stored in Latin American countries and outside of it, including countries that do not provide adequate levels of protection, so the Data Subjects of Personal Data collected authorize their Data to be processed in those countries, given that Roche will take all necessary measures to ensure the security and confidentiality of Personal Data.
- Social networks (such as Facebook and Twitter, among others) that constitute a communication and interconnection platform between digital platforms of different users are not Roche’s responsibility. The information that individuals provide within social networks in which Roche participates as a user does not constitute or form part of the Personal Data subject to the protection of this Policy; this responsibility lies with the company providing that platform and the entity posting the information.
3. Online Data Processing Roche uses two general methods to collect personal information online: Information obtained by Roche:
- Personal information: You can visit our websites without having to provide personal information. Roche may collect your personal identification information, such as name, address, phone number, email address, or other information concerning your identification, only if you decide to provide it. Roche may also collect information about your health as you respond to our questions and surveys.
- Additional information: In some cases, Roche may remove personal identification data you provide and retain it in an additional form. Roche may combine this data with other information to achieve additional anonymous statistical information, such as the number of visitors, the original domain name of the Internet Server, which is very useful to improve our products and services. Information collected automatically
Roche receives certain types of information automatically each time you interact with us through our websites and through certain email messages that we may send and receive. Among the automatic technologies we use are, for example, web server logs/IP addresses, cookies, and web beacons. Web server logs/IP addresses: Roche collects IP addresses for system administration and communicating additional information to its associated companies, business partners, and/or vendors to perform site analysis and review. Cookies: Cookies allow us to store information on the server to help you have a better web experience, perform site analysis, and review site functionality. Most web browsers are set to accept cookies, but you can reset your browser to reject all cookies or to indicate when a cookie is being sent. However, please be aware that some portions of our sites may not function properly if you reject cookies. Web Beacons: On certain web pages or emails, Roche may use a common Internet technology called "Web Beacon," also known as a "clear GIF" or "transparent GIF" technology. Web beacons: Cookies and other tracking technologies do not automatically obtain information about your personal identification. These automatic tracking technologies can only be used if you voluntarily provide your personal identification information, such as by registering it or sending it via email, to provide additional information about your use of the websites and/or interactive email, to enhance their usefulness. Your Choices You have several options regarding the use of our websites; therefore, you can decide not to provide personal identification information if you do not enter it into any of our site forms or data fields, nor use the personalized services available to you. If you choose to provide your personal data, you have the right to review and correct your data at any time by entering the application. Some sites may request your permission for specific use of information, and you can confirm or deny it. If you opt for certain services or communications, such as an electronic newsletter (e-newsletter), you can unsubscribe at any time by following the instructions included in each communication. If you decide to unsubscribe from a service or communication, we will promptly delete your information; however, we may need additional information before we can process your request. As described above, if you want to prevent cookies from tracking you anonymously while browsing our sites, you can reset your browser to reject all cookies or indicate when a cookie is being sent. Not used for third-party direct marketing. Roche does not sell or transfer to third parties the personal identification information you have provided to us for our websites for use in their direct marketing unless we have securely notified you and obtained your explicit consent, so that we are authorized to share your data. Sending an Email to a Friend or Colleague. On certain Roche sites, you can send a link or message to a friend or colleague, referring them to a Roche website. The email addresses you may provide to a friend will only be used to send that friend information on your behalf, but neither Roche nor third parties can collect or use them for additional purposes. Links to Other Sites. Our websites contain links to a number of websites that may provide useful information to our visitors. This Privacy Report does not refer to those sites, and we recommend that you contact them directly for information about their privacy policies. Privacy Report for Children. Our websites are intended for an adult audience. We do not collect personal identification information from individuals under 18 years of age without the verified prior consent of their legal representative. If required, the legal representative has the right to review the information provided by the child and/or request its deletion. Data Processing Purposes: The general purposes for which the collected data are processed include the following:
- Comply with obligations to Data Subjects and Sensitive Data Subjects.
- Perform activities within Roche’s corporate purpose.
- Share, Transfer, and Transmit data to subsidiary companies or companies belonging to the business group to which Roche belongs, for the purpose of processing data in accordance with this Policy or as informed to the Data Subject at the time of collecting their Data.
- When Data Transmission occurs, this information will remain confidential and cannot be processed for a purpose other than that established in the data transmission contract or in the document containing the contractual relationship that is executed.
- Carry out management and administration of Roche’s Human Resources.
- Address and manage requests and suggestions made by Data Subjects.
- Perform business and marketing activities, as well as activities within Roche’s corporate purpose, through the Processing of Personal Data of customers and suppliers.
- When collecting Personal Data of children, it will be necessary to obtain the consent and authorization of the parents or legal representatives of minors. Once the authorization is granted, the Processing of minors’ Data will never go against their fundamental rights or contain content unsuitable for minors. If consent cannot be obtained after a reasonable period of time or if, upon contact, the parent or guardian requests not to use or retain such information, Roche will delete such information from its Databases.
- The Processing of Sensitive Personal Data is only allowed when the Data Subject has given explicit authorization. In cases where the Data Subject is physically or legally incapacitated and the Processing of Sensitive Personal Data is necessary to safeguard their vital interests, legal representatives must grant their authorization.
- For the Processing of patients’ sensitive data, Roche will always request special authorization, where patients provide explicit consent. The authorization must include the purpose for which the Processing is authorized and the Sensitive Personal Data subject to the authorization.
- In the execution of employment contracts, the Processing of Sensitive Data will be carried out in order to fulfill the obligations of the contract and only when the employee has expressly authorized the Processing of such data.
- The Processing of sensitive data for historical, statistical, or scientific purposes will be permitted. For these events, Roche will suppress the identity of the Data Subjects. In the Processing of Personal Data and Sensitive Personal Data, the collection of Data cannot be carried out if the Data Subject does not know or understand the purposes contained in this Policy.
- The creation of Databases of Sensitive Personal Data must have a legitimate justification, as well as a specific purpose, and must develop Roche’s activities. In order to create this type of Databases, it will be necessary to have the corresponding authorizations from the Sensitive Data Subjects.