Privacy Policy

ROCHE PRODUCTS LIMITED PRIVACY POLICY

Roche Products Limited (“Roche”) takes its responsibilities with regard to the management of personal data very seriously, and we do not take lightly the trust you have reposed in us, in providing us with your personal information. This Policy describes how Roche processes your personal data according to the Nigeria Data Protection Act 2023 (“NDPA”), but it may not address all possible data processing scenarios. This Privacy Policy is a guide to help you understand:

(1) The Information We Collect

(2) How We Collect and Use Your Data

(3) Consent and Access Rights

(4) Your Rights

(5) Legal Basis for Processing Personal Data

(6) Personal Data Protection Principles

(7) User Responsibility

(8) Data Security

(9) Link to Third Party Sites

(10) Third Party Access

(11) Violation of Privacy

(12) Data Retention

(13) How to Contact Us

1. The Information We May Collect

The types of personal data which may be processed by Roche include the following;

a) Contact details: includes your name, professional email address, telephone number, employing health care organization.

b) Professional Information: includes your biographical information (CV), professional society number, memberships, affiliations/profession, job title, therapeutic area, qualifications or experience, education and scientific/medical activity.

c) Financial/Transaction information: includes your bank account number, credit card, customer account information, order history.

d) Transfer of value: includes the nature, value, date of any financial/non-financial transfers to you by Roche.

e) Interaction Information: includes professional interactions between Roche and you, records of your collaborations, registration and participation in Roche’s event or related activity, clinical trials in which you served or are serving as an investigator.

f) Profile data: includes information about your contact and product preferences, languages, marketing preferences, qualifications or experience, collaborations, publications, posts, demographic data, feedback and interest.

g) Technical and usage data: includes your online user ID, IP address, geographic information, viewing data, other information regarding your usage and interactions with our websites, applications, emails, and advertisements.

2. How We Collect and Use Your Data

2.1 Roche collects the above-mentioned personal data from you, your authorised representatives, or from publicly available sources using forms, email, physical requests, cookies, web tokens, etc.

2.2 When you send email or other communications to Roche, we may retain those communications in order to process your inquiries, respond to your requests and improve our services. When you access Roche’s services, our servers automatically record information that your browser sends whenever you visit a website.

2.3 We use the above-mentioned personal data for research, legal and/or regulatory compliance, marketing, business development, listing on pharmaceutical and medical directories, publicity, human resources management, recruitment, events planning and hosting, in-house security and analysis, key business operations, processing or carrying out tasks to fulfill business goals or objectives and purposes as may be directed or consented to by you; and for any other relevant purposes that are related to the purpose you submit your personal data to us (collectively “Purposes”).

3. Consent and Access Rights

3.1 We may require your consent for the processing of your data. We will seek your consent prior to undertaking any of the following:

a) direct marketing;

b) the processing of sensitive personal data;

c) further processing that is incompatible with the Purposes;

d) transferring personal to a country in respect of which the NDPC has not made an adequacy decision; and

e) making a decision based solely on automated processing which produces legal effects significantly affecting you.

3.2 We can process your personal data in the absence of consent where:

a) processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;

b) processing is necessary for compliance with a legal obligation to which we are subject to;

c) processing is necessary in order to protect your vital interests or those of another natural person;

d) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in us; and

e) processing is necessary for the purposes of the legitimate interests pursued by us, so long as those interests do not override your fundamental rights and freedoms

3.3 If we intend to use your data for a purpose which is different from the purpose for which your data was obtained, we will seek your consent prior to the use of your data for that other purpose.

3.4 In the event of any merger, acquisition or other arrangement whereby Roche sells or transfers all, or a portion of its business or assets (including in the event of a reorganization, dissolution or liquidation) to third parties, you hereby consent that your personal data held with Roche can be transferred or assigned to third parties who may become the controllers and/or processors of your personal data that was held by Roche prior to such merger, acquisition or other arrangement. Roche shall at all times ensure that you are notified when your personal data is intended to be transferred to third parties in the circumstances outlined in this clause.

3.5 No consent shall be sought, given or accepted in any circumstance that may engender direct or indirect propagation of atrocities, hate, child rights violation, criminal acts and anti-social conducts.

3.6 You may withdraw your consent, in writing, at any time and may request access to your personal information in our possession at nigeria.contact@roche.com. We can, however, deny you access to the information where we determine that your request is unreasonable.

3.7 You reserve the right to request the modification or amendment of your personal data in our possession.

3.8 In all cases of access or modification / amendment of personal information, we shall request sufficient identification to enable us to confirm that you are the owner of the data sought to be accessed or modified / amended

4. YOUR RIGHTS

4.1 You have rights in relation to the way we handle your personal data. These include the following rights:

a) where the legal basis of our processing is consent, to withdraw that consent at any time;

b) to ask for access to the personal data that we hold;

c) to prevent our use of the personal data for direct marketing purposes;

d) to object to our processing of personal data in limited circumstances;

e) to ask us to erase personal data without delay:

I) if it is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

II) if the only legal basis of processing is consent and that consent has been withdrawn and there is no other legal basis on which we can process that personal data;

III) if you object to our processing where the legal basis is the pursuit of a legitimate interest or the public interest and we can show no overriding legitimate grounds or interest; and

IV) if the processing is unlawful.

f) to ask us to rectify inaccurate data or to complete incomplete data.

g) to restrict processing in specific circumstances e.g. where there is a complaint about accuracy.

h) to ask us for a copy of the safeguards under which personal data is transferred outside of Nigeria.

i) the right not to be subject to decisions based solely on automated processing, including profiling, except where necessary for entering into, or performing, a contract, with Roche; it is based on your explicit consent and is subject to safeguards; or is authorised by law and is also subject to safeguards.

j) to prevent processing that is likely to cause damage or distress to you or anyone else.

k) to data portability.

l) to be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;

m) to make a complaint to the Nigerian Data Protection Commission, or any other regulatory body; and

n) in limited circumstances, receive or ask for their personal data to be transferred to a Third Party (e.g. another company which the client has dealings with) in a structured, commonly used and machine-readable format.

4.2 In all cases of access or modification/amendment of personal information, we shall request sufficient identification to enable us to confirm that you are the owner of the data sought to be accessed or modified/amended.

5. Legal Basis for Processing Personal Data

We process personal data in accordance with the NDPA, and we rely on one or more of these legal bases depending on the nature of the processing:

a) Where you have freely given, specific, informed, and unambiguous consent for the processing of your personal data. You may withdraw your consent at any time.

b) Where processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract.

c) Where processing is required to comply with a legal obligation imposed by Nigerian law, including regulatory requirements.

d) Where processing is necessary for the legitimate interests of our organisation or a third party, provided that such interests are not overridden by your fundamental rights and freedoms.

e) Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

f) Where processing is necessary to protect your life or the life of another person, particularly in emergency situations.

We ensure that all personal data processing is lawful, fair, and transparent, in full compliance with the NDPA.

6. Personal Data Protection Principles

When we process your personal data, we are guided by the following principles, which require personal data to be:

a) processed lawfully, fairly, in a transparent manner and with respect for the dignity of the human person.

b) collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.

c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

d) accurate and where necessary kept up to date.

e) removed or not kept in a form which permits identification of data subject for longer than is necessary for the purposes for which the personal data is processed.

f) processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage.

7. User Responsibility

You are required to familiarise yourself with this policy and to ensure that the information you provide to us is complete, accurate and up to date.

8. Data Security

8.1 Roche implements and maintains appropriate safeguards to protect personal data, taking into account in particular the risks to you, presented by unauthorised or unlawful processing or accidental loss, destruction of, or damage to their personal data.

8.2 Safeguarding will include the use of encryption and pseudonymisation where appropriate. It also includes protecting confidentiality (i.e. that only those who need to know and are authorised to use personal data have access to it), integrity and availability of the personal data. We regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of personal data.

8.3 You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures, we cannot guarantee absolute security. Roche, therefore, accepts no liability for any damage or loss, however caused, in connection with transmission over the internet or electronic storage.

9. Links to third party sites

The Roche website may contain links to other websites owned and operated by third parties. These links are provided for your information and convenience only and are not an endorsement by Roche of the content of such linked websites or third parties. The information that we collect from you will become available to these websites if you click the link to the websites. These linked websites are neither under our control nor our responsibility. Roche, therefore, makes no warranties or representations, express or implied about the safety of such linked websites, the third parties they are owned and operated by and the suitability or quality of information contained on them. This Privacy Policy does not apply to these websites, thus, if you decide to access these linked third-party websites and/or make use of the information contained on them, you do so entirely at your own risk. Roche accepts no liability for any damage or loss, however caused, in connection with accessing, the use of or reliance on any information, material, products or services contained on or accessed through any such linked websites. We advise that you contact those websites directly for information on their privacy policy, security, data collection and distribution policies.

10. Third Party Access

10.1 Roche will only share personal information with other companies, entities or individuals in the following limited circumstances:

a) Where it is necessary to provide our services under the any contract or agreement between the you and Roche;

b) Where we have obtained your consent;

c) Where we provide such information to other professional advisers or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Privacy Policy and any other appropriate confidentiality and security measures.

d) In good faith that access, use, preservation or disclosure of such information is reasonably necessary to (i) satisfy any applicable law, regulation, legal process or enforceable governmental request, (ii) enforce applicable terms of service, including investigation of potential violations thereof, (iii) detect, prevent, or otherwise address fraud, security or technical issues, or (iv) protect against imminent harm to the rights, property or safety of Roche, its users or the public as required or permitted by law.

10.2 Roche is at all times responsible for the security and appropriate use of that data as long as it remains with Roche.

11. Violation of Privacy

11.1 We have put in place procedures to deal with any suspected personal data breach and will notify you of any personal data breach and let you know the steps we have taken to remedy the breach and the security measures we have applied to render your personal data unintelligible.

11.2 All suspected breach of personal data will be remedied within 1 (one) month from the date of the report or discovery of the breach.

11.3 If you know or suspect that a personal data breach has occurred, you should immediately contact the Roche team at nigeria.contact@roche.com.

11.4 Roche will not be responsible for any personal data breach which occurs as a result of:

a) an event which is beyond the control of Roche;

b) an act or threats of terrorism;

c) an act of God (such as, but not limited to fires, explosions, earthquakes, drought, tidal waves and floods) which compromises Roche’s data protection measures;

d) war, hostilities (whether war be declared or not), invasion, act of foreign enemies, mobilization, requisition, or embargo;

e) rebellion, revolution, insurrection, or military or usurped power, or civil war which compromises Roche’s data protection measures;

f) pandemics or epidemics;

g) the transfer of your personal data to a third party on your instructions;

h) the use of your personal data by a third party designated by you; and

i) any damage or loss, however caused, in connection with transmission over the Internet or electronic storage.

12. Data Retention

Roche shall retain and use your Personal Data only as long as is necessary to implement, administer and manage your request and contract with Roche and after the limitation period provided by applicable limitation laws for instituting civil suits after expiration or termination of the contract or as required to comply with legal or regulatory obligations, including under tax and security laws. At your request, at any time, your Personal Data, which is in the custody of Roche, may be deleted unless the limitation period provided under the applicable limitation laws has not lapsed or we are required by law to retain such information for a certain period of time to comply with our obligations under the law.

13. How to Contact Us

If you believe that your Personal Data are being processed in a manner incompatible with this Privacy Notice or with your choices as a Data Subject, or if you have questions regarding the manner in which we process your Personal Data, or if you would like to exercise any of your data subject rights, please feel free to contact us at nigeria.contact@roche.com.

For any enquiries you have in relation to this Privacy Policy, please feel free to contact us at nigeria.contact@roche.com.