Privacy Notice for people using Novartis website dontforget.ie

June 2018

This Privacy Notice is addressed to our users.

You are receiving this Privacy Notice because Novartis Ireland Ltd (“Novartis”) is processing information about you which constitutes “personal data” and Novartis considers the protection of your personal data and privacy a very important matter.

Novartis is responsible for the processing of your personal data as it decides why and how it is processed, thereby acting as the “controller”. In this Privacy Notice, “we” or “us” refers to Novartis.

This Privacy Notice is divided into two parts. Part I contains key information about what personal data we process, why and how. Part II contains more general information about the context in which we are processing your personal data as well as your rights in that respect.

We invite you to carefully read this Privacy Notice, as it contains important information for you.

Part I – Key information

Novartis is processing personal data about you in the following context:

Dontforget.ie is a reminder text service. Once registered for the service you will receive a text message to remind you to take your medication at the same time every day.

You can unsubscribe from the service at any time. To unsubscribe from this service you need to log into dontforget.ie and click on change details/unsubscribe. You will be asked to provide your name and mobile phone number and then you will be sent a validation code via text message, which you must input into the website to confirm your wish to unsubscribe.

Specific personal data to be collected

For this purpose, we will collect some general personal data about you such as your name and contact details (see Part II for a complete list of categories of data collected), but will also require the following specific personal data about you and/or your condition:

Your name, date of birth, phone number, prescribed medication (optional) and the frequency with which you take it, how often you wish to be reminded to take your medication (e.g. daily, weekly, monthly) and what time of day you wish to be reminded.

Specific purposes for which we require your personal data

The collected information will be used by us for the following specific purposes:

To provide the service and text you reminders to take your medication at allocated times.

Please note that the collected data may also be used by us for a number of other standard purposes (e.g. for further research and product development), as set out in Part II below.

Specific third parties with whom we share your personal data

We will share your personal data with the following third parties:

MedMedia Limited, which manages the service and the website and processes your personal data on our behalf.

Please note that we may also have to share your data with a number of other recipients (e.g. another entity of the Novartis Group if the entity collecting the data is not the same as the one using it) but always under strict conditions, as further explained in Part II.

Duration of storage

We will store the above personal data for as long as you are subscribed to use the service. Once you unsubscribe from the service, this personal data will be deleted, unless any legal or regulatory obligations require it to be retained for a longer period.

Dedicated point of contact

Should you have any question in relation to the processing of your personal data in the above context, please contact privacy_uk.ireland@novartis.com

Part II – General information

The second part of this Privacy Notice sets out in more detail in which context we are processing your personal data and explains your rights and our obligations as a patient when doing so.

1. What information do we have about you?

In addition to the information specifically identified in Part I of this Privacy Notice, we may also collect your general and identification information (e.g. email and/or postal address), but only if this is necessary to provide the service or necessary for the purposes described below.

Please note that we will not knowingly collect, use or disclose personal data from a minor under the age of 16 without obtaining prior consent from a parent or legal guardian.

2. For which purposes do we use your personal data and why is this justified?

2.1 Legal basis for the processing

We will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if we have obtained your prior consent, or the processing is necessary to comply with our legal or regulatory obligations.

2.2 Purposes of the processing

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In addition to the specific purposes identified on the first two pages, we may also process your personal data for the following general purposes:

  • for pharmacovigilance purposes (tracking of side effects);
  • improve our products and services;
  • scientific research purposes or statistical purposes subject to appropriate safeguards such as pseudonymisation;
  • answer any questions or requests you may have;
  • ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation); and
  • archiving and record-keeping.

3. Who has access to your personal data and to whom are they transferred?

We will not sell, share, or otherwise transfer your personal data to third parties other than those indicated in this Privacy Notice.

In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by, or transferred to the specific third parties identified in Part I of this Privacy Notice and to the following categories of recipients, on a need to know basis to achieve such purposes:

  • our personnel (including personnel, departments or other companies of the Novartis group);
  • our suppliers and services providers that provide services and products to us;
  • our IT systems providers, cloud service providers, database providers and consultants;
  • any third party to whom we assign or novate any of our rights or obligations; and
  • our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets.

The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.

Your personal data can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court where we are required to do so by applicable law or regulation or at their request.

The personal data we collect from you may also be processed, accessed or stored in a country outside the country where Novartis is located, which may not offer the same level of protection of personal data.

If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data by (i) applying the level of protection required under the local data protection/privacy laws applicable to Novartis, (ii) acting in accordance with our policies and standards and, (iii) for Novartis Ireland Ltd located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the “EEA”), unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out in Section 6 below.

For intra-group transfers of personal data, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. Read more about the Novartis Binding Corporate Rules at https://www.novartis.com/our-company/corporate-responsibility/doing-business-responsibly/ethics-compliance/data-privacy

4. How do we protect your personal data?

We have implemented appropriate technical and organisational measures to provide a level of security and confidentiality to your personal data.

These measures take into account:

  1. the state of the art of the technology;
  2. the costs of its implementation;
  3. the nature of the data; and
  4. the risk of the processing.

The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorised disclosure or access and against other unlawful forms of processing.

Moreover, when handling your personal data, we:

  • only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes;
  • ensure that your personal data remains up to date and accurate (for the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date); and
  • process any sensitive data about yourself (including your medical/health related data) you provide in compliance with applicable data protection rules and strictly as required for the relevant purposes listed above. The data is accessed and processed solely by the relevant personnel, under the responsibility of one of our representatives who is subject to an obligation of professional secrecy or confidentiality.

5. How long do we store your personal data?

We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.

The retention period is set out at the beginning of this Privacy Notice. When this period expires, your personal data is removed from our active systems.

6. What are your rights and how can you exercise them?

You may exercise the following rights under the conditions and within the limits set forth in the law:

  • the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
  • the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
  • the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
  • the right to object, in whole or in part, to the processing of your personal data; and
  • the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations.

If you have a question or want to exercise the above rights, you may send an email to privacy_uk.ireland@novartis.com or a letter to Data Privacy, Vista Building, Elm Park Business Campus, Merrion Road, Dublin 4. If you wish to exercise your rights, please provide a copy of an identity document, it being understood that we shall only use such data to verify your identity and shall not retain the scan after completion of the verification. When sending us a copy of your identity document, please make sure to redact any photographs

In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.

7. How will you be informed of the changes to our Privacy Notice?

Any future changes or additions to the processing of your personal data as described in this Privacy Notice will be notified to you in advance through an individual notice through our usual communication channels (e.g. by text message or via this website).