Privacy notice for pharmacovigilance and medical information and product quality

General Information

At Roche, we take data privacy seriously and treat all your “personal data” in accordance with Roche General Privacy Policy and applicable privacy and data protection laws that regulate the storage, process, access and transfer of personal data.

This Privacy Notice (“Notice”) is intended to explain how Roche collects and processes your personal data for the purposes of pharmacovigilance and/or medical information inquiries and/or product quality related activities. The scope of this Notice is limited to the collection and processing of your personal data for pharmacovigilance and/or medical information inquiries and/or product quality. For general information about data processing at Roche, please visit the Roche Privacy Notice.

Purposes and legal basis for processing – Pharmacovigilance and Product Quality

Any personal data provided to Roche related to adverse events or other activities related to pharmacovigilance will be used solely for these purposes. This information is very important for public health and will be used for the detection, assessment, understanding and prevention of adverse effects or any other medicine-related problem.

We collect and process your data for these purposes in order to comply with our privacy policy. We may also be required to report the data to regulatory authorities. Your data will not be used for any other purposes.

Purposes and legal basis for processing – Medical Inquiries

Any personal data provided to Roche related to a medical inquiry may be used to answer the inquiry, follow up on such requests and maintain the information in a Medical Information database for reference. Where required by law (such as for pharmacovigilance), we may also be required to report the data to regulatory authorities. Your data will not be used for any other purposes.

We collect and process your data to respond to your inquiries based on legitimate interests and, where applicable, your consent. If reporting of adverse event is required, your data may be processed to comply with Roche legal pharmacovigilance (GVP) obligations.

Categories of personal data processed

The type of information that we collect from you will depend on the data subject and the type of processing activity:

·     Pharmacovigilance: We collect the name, contact details, and affiliations/profession of the reporting individual. We may collect some additional personal data related to health and medical history of the individual experiencing an adverse event if required for processing of adverse event for pharmacovigilance purposes.

·     Medical Inquiries: We may collect the name, contact details and affiliation/profession of the individual making the inquiry.

·     Product Quality: We collect the name, contact details, and affiliations/profession of the reporting individual.

Recipients of your personal data

Roche may share the data you provided to us among Roche Group companies and affiliates, business partners and service providers, where required to operate Roche global pharmacovigilance database and fulfill obligation of pharmacovigilance legislation.

Roche is also obliged to report certain pharmacovigilance and product relevant information to Health Authorities worldwide, including those with different level of data protection compared to EU. The reports contain details about the incident but will only contain limited personal data:

·     Patients: Information as provided, including age or date/year of birth (where permitted by regulations) and gender (note that patient name will never be provided)

·     Reporting Individuals: Information as provided to allow the regulatory authority to follow up with the reporting individual, including name, profession, initials, address, email, phone number

It is possible that in the exchange of data within the Roche Group, business partners and service providers, your personal data may be transferred to countries that do not provide the same level of protection as your own. Additional information in case your data is covered by GDPR: In this case, contracts containing the EU Standard Contractual Clauses according to EU Commission decisions of 27 December 2004 (2004/915/EC) and 05 February 2010 (C(2010) 593) constitute appropriate and suitable safeguards to ensure compliance with GDPR.

Retention / Storage Period of Your Personal Data

The length of time in which we will store your Personal Data will differ depending on the purpose for which we have collected in accordance with Roche policies and we are processing your data in a manner to ensure data is not kept longer than is necessary for the fulfilment of the purpose for which the data is or is to be used. 

Information About Your Rights Regarding Your Personal Data

You have the following rights with respect to your Personal Data under PDPO:

(a) The right to request access to the Personal Data that Roche has about you.

(b) The right to be given reasons if a request for access to your Personal Data is refused.

(c) The right to object to Roche’s refusal to provide reasons for denying your access to your Personal Data.

(d) The right to rectify or correct any Personal Data that is inaccurate or incomplete.

(e) The right to be given reasons if a request to rectify or correct your Personal Data is refused.

(f) The right to object to Roche’s refusal to provide reasons for denying your request to rectify or correct your Personal Data.

(g) The right to lodge a formal data access request: (i) to be informed by Roche whether they hold your personal data; and (ii) to be supplied with a copy of any such data.

(h) The right to be informed of the purpose for which the data is to be used and the classes of persons whom the data may be transferred.

(i) The right to be informed of your right to request access to and the correction of the data and the name or job title, and address, of the individual who will handle the request made by you.

(j) The right to consent or object to any intended use of your Personal Data for direct marketing.

If your personal data is covered by GDPR, please note that you have the right to request from Roche information on which personal data we store and the purpose for which we process them. You can also request access to and rectification of your personal data as well as the right to data portability, if applicable (which means if the legal basis for collecting your data is consent). Erasure or restriction of processing is only possible if and to the extent the processing of personal data is based on consent or legitimate interest. Please note that due to our legal obligations for on pharmacovigilance legislation, Roche may not be able to erase or restrict processing of your data if processed for pharmacovigilance.

If data processing is based on consent, kindly note that you have the right to withdraw your consent at any time, however, without affecting the lawfulness of processing based on consent before its withdrawal. If you would like to contact us to exercise your right to withdraw consent, please see find our contact details in the section “Identity and contact details of the data controller” below.

To prevent your data from being entered into our systems again after your request for erasure, in your interest and for us to comply with GDPR, we may keep your name and e-mail address with a flag “Don’t contact anymore” in our systems.

Identity and contact details of the data controller

Roche Hong Kong Limited, 22/F., FTLife Tower, 18 Sheung Yuet Rd, Kowloon Bay, Hong Kong, email: hongkong.medinfo@roche.com is the data controller.