Privacy Notice
1. Controller Identity, Data Protection Officer, Contacts
This website is operated by Roche (Philippines), Inc. - Diabetes Care, 16th Floor One World Place, 32nd Street, Bonifacio Global City, Taguig, Philippines (“Roche” or “we”). In case of any questions or suggestions, you can contact us at [email protected] and +63 2 7187555 / +63 917 8978000.
Alternatively, you may contact our data protection officer at [email protected].
2. How we use your personal information
Protecting your privacy is very important to us and we understand that information about your health is sensitive. We are committed to processing your personal information in compliance with applicable laws.
This Privacy Notice explains how we use any personal information we collect about you when you
a) Browse public pages on our websites
b) Register for and use an account
c) Use our e-Commerce offerings
d) Participate in surveys
e) Communicate with us by telephone, e-mail or webforms
a) Browse public pages on our websites
If you browse public pages on our websites, i.e. content that you can access without being logged in to an account you may have with us, we collect and process only non-sensitive information about you. In particular, we will not collect any health related information about you when you browse public pages on our websites. We will however process your personal information to the extent required to deliver the public content you request from us e.g. to format it for your browser. We will also process your personal information to meet our legitimate interests to protect the security of our website systems and to measure the audiences for the various types of content provided. To do this, we use:
IP Addresses. An IP address is a number assigned to your computer to enable communication – similar to a telephone number. Roche collects IP addresses for the legitimate purposes of ensuring system security and reporting aggregate information to conduct website analysis and performance review. System log files will be analyzed within 7 days and non-suspicious data will be deleted thereafter. Other data will be retained for as long as it is required to prove a security incident.
Cookies. A cookie is a small text file that is placed onto your system by our web server. As a rule, our cookies are only used for the length of your session for the purpose of audience measurement. We also use cookies to improve user-friendliness, e.g. to store your language preferences. You can review and delete or disable cookies at any time via the settings in your browser; in this case you may lose settings you have made for a website.
Web Beacons. Web beacons (or "action tags") are small graphic elements to help analyze the effectiveness of websites by measuring, for example, the number of visitors or how many visitors clicked on content elements of a website. We analyze the statistics provided through web beacons on an anonymous and aggregated basis only.
Piwik PRO Analytics Suite: We use Piwik PRO Analytics Suite as our website/app analytics software and consent management tool. We collect data about website visitors based on cookies. The collected information may include a visitor’s IP address, operating system, browser ID, browsing activity and other information. See the scope of data collected by Piwik PRO.
We calculate metrics like bounce rate, page views, sessions and the like to understand how our website/app is used. We may also create visitors’ profiles based on browsing history to analyze visitor behavior, show personalized content and run online campaigns.
We host our solution on Microsoft Azure in Germany/Netherlands/United States/Hong Kong/ElastX in Sweden, and the data is stored for 14/25 months.
The purpose of data processing: analytics and conversion tracking based on consent. Legal basis: Art. 6 (1)(a) GDPR.
Piwik PRO does not send the data about you to any other sub-processors or third parties and does not use it for its own purposes. For more, read Piwik PRO’s privacy policy.
Social Plugins, Shariff. We use social plugins (“Plugins”) provided by the social networks Facebook and Google +1 as well as by the microblogging platform Twitter. The respective services are operated by Facebook Inc., Google Inc. and Twitter Inc. (each an “Operator”).
- Facebook’s (facebook.com) Operator is Facebook Inc., 1601 S. California Avenue, Palo Alto, CA 94304, USA. Its Plugins are identifiable by a Facebook logo (white letter f on blue background or a thumb up icon) or the notice “Facebook Social Plugin”. For a full list of all Plugins, please see http://developers.facebook.com/plugins. Facebook’s privacy notice is available at https://www.facebook.com/policy.php.
- The Operator of Google+ (plus.google.com) is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. Its Plugins are labeled with the Google logo, the Google +1 logo or with the addition “Google Social Plugin” as can be reviewed at http://plus.google.com. Google’s relevant privacy notice may be loaded at https://developers.google.com/+/web/buttons-policy.
- Twitter’s (twitter.com) Operator is Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA. Its Plugins are identified by the Twitter logos and an overview is available at https://twitter.com/about/resources/buttons. Twitter’s privacy notice is available at https://twitter.com/privacy.
We have implemented the “Shariff” solution to protect your privacy when you visit our website. Shariff ensures that no data is transferred to the Operator when you load a page of our website. Only after you activate the Plugin of your choice and thus consent to the data transmission will your browser make a direct connection to the Operator’s servers. Shariff replaces the Operators’ customary “Share” buttons and protects your surfing behavior from being tracked by the Operator. For further information, please see the popup information next to the activation toggles or visit the Shariff developer (https://github.com/heiseonline/shariff).
Once you activate a Plugin, we have no influence on the data gathered by it. For information on the purpose and scope of data collection and processing by the respective Operators, as well as your rights in this respect and settings options for protecting your privacy, please visit the Operators’ privacy policies linked above.
Services. We may use third party applications and content tools on certain Roche Websites to provide additional information to you, e.g. Google Maps. When you interact with them, these third parties may receive your personal information including your IP address. We will clearly indicate where we use such third party services so that you can decide whether or not to use them.
b) Register for and use an account
To use non-public content on our websites, you will first need to register for an account and then log in to your account. We use accounts wherever we process sensitive data such as in particular your health related personal information. We also use accounts wherever we process your personal information with your consent. This is because accounts allow us to better protect your personal information in access controlled systems and to establish your identity in order to obtain and manage your consents.
When you register for an account, we will collect your personal contact details (such as name, address, telephone number, e-mail address) and other identifying information that you will see on the registration form. We will also process health information that you provide to us. Unless marked as compulsory on the registration form, providing the information is optional.
Within your account, Roche processes your personal information:
With your consent. Where we process your health data, we will obtain your explicit consent before we start the respective processing activity. For regulatory reasons and in order to obtain valid consent from you, we will have to establish your real name and identity upon account creation. You will then be able to manage, change or withdraw your consents given within your account settings. You may also withdraw your consent by contacting us at the address above. You may withdraw your consent at any time, however this will not affect the lawfulness of our consent based processing before such withdrawal. We will separate required consents that we need to be able to provide a service to you from other consents that do not have a service dependency. If you withdraw a consent that has a service dependency, we may not be able to continue providing the service to you – we will tell you when this is the case.
As required for the establishment, exercise or defense of legal claims. We may process your personal data as required to prepare or protect against legal claims; including litigation, anti-fraud measures, and technical and organizational measures to protect our networks and technology against attacks.
Under the responsibility of a professional health care provider. We may process your personal information to the extent necessary for the purposes of preventive medicine, for medical diagnosis, the provision of health care or treatment or the management of health care systems and services pursuant to contract with a health care professional subject to professional secrecy (such as your treating care giver at a hospital).
For research. We may process your personal information for scientific research purposes or statistical purposes in accordance with applicable law, provided it is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard your fundamental rights and interests. As a rule, we will still ask for your consent when we would like you to participate e.g. in a study.
c) Use our e-Commerce offerings
When you use our e-Commerce offerings, e.g. to purchase medical consumables or devices, you will first need to register for and log into your account. In addition to the information described above for registering and using an account, we will have to do the following further processing of your personal information in order to enter into, fulfil and invoice e-Commerce contracts with you – and will need your respective explicit consent prior to being able to accept your order:
Processing payments. We work with external payment providers that are established within your region and licensed to provide payment services. They may derive your health status from product details contained in the transaction for billing purposes but are subject to banking secrecy and may not use the data further than required to process your payment. Our credit card payment processors are also certified for PCI DSS compliance and have to store your credit card data in encrypted form. The respective payment provider is visible when you proceed to checkout and select your preferred payment option; you may therefore change your preferred payment if you do not wish us to provide your transaction data to a specific payment provider. If you are using our e-Commerce offering in a country that does not offer other payment methods, we can unfortunately not process your order. Please stop the check-out process and contact us if you have difficulty in making your selection.
Logistics. We use renowned international logistics providers established in your region to fulfil your orders. The logistics providers will not be provided with details of your order (i.e. contents of the delivery) but may be able to indirectly derive your health status e.g. in case you return a defective product. Roche has data processing agreements in place with logistics providers to ensure that they do not use your personal information beyond what is required to perform the logistics service and to apply adequate technical and organizational measures to protect your personal information.
d) Participate in surveys
If you consent to participate in one of our surveys, we will process your submitted input for research and marketing purposes. Unless otherwise stated in the respective survey, you may participate on an anonymous basis and we will not be able to relate your input to you personally but will only assess it on an aggregate basis together with the input of others.
Surveys that rely on your personal information will be marked accordingly and be conducted from within your account area. You are always free to consent or to not participate; your refusal to participate will not have a negative impact on the scope of your services, unless otherwise stated in the invitation to the survey.
e) Communicate with us by telephone, e-mail or webforms
If you communicate with us by telephone, e-mail, webforms or similar, we will process your contact details and the personal information you give to us even if you do not have an account with Roche. We will process such information only to the extent required to answer your enquiry, and will delete the information when no longer required as evidence (normally three years), unless you have consented for us to use your data for other purposes, which will be specified at the time you give us consent.
3. Security
Roche takes appropriate technical and organizational measures to protect your personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
4. Who receives your information
Roche shares your personal information with your consent and further as necessary in relation to the above purposes, as required by applicable laws, court orders, or government regulations. Roche uses group internal and external providers and agents e.g. for IT systems operation and maintenance or to fulfill business transactions, such as providing customer services, or sending communications. In all these cases, access to unencrypted data is restricted to those who have a need to know. Also, Roche has entered into data processing agreements in order to ensure that providers and agents process the personal information only on Roche’s behalf and subject to appropriate technical and organizational measures.
Roche will not sell or otherwise transfer your personal information to any third parties for their own use unless with your explicit consent.
5. Transfers to other countries
We may transfer the personal information we collect about you through the website to countries that may not have the same data protection laws as the country in which you initially provided the information. When we transfer your information to other countries, we will protect that information as described in this Privacy Notice. In particular, we will base such data transfers on adequate standards such as data protection clauses approved by the European Commission or the US-EU Privacy Shield, as applicable. You may receive a copy of the clauses by contacting us as described above (see section 1 above).
6. Your Rights and how to exercise them
You may, in accordance with applicable data protection law,
- request information about your personal information we process, obtain a copy of such data, and have inaccurate data rectified or completed;
- have your personal information erased or its processing restricted, each to the extent one of the grounds provided for by statutory law applies;
- receive the personal information you provided to us under contract or consent in a structured, commonly used and machine-readable format, to the extent the statutory requirements are fulfilled;
- object, for reasons relating to your particular situation and in accordance with applicable law, to any of our legitimate interest based processing of your personal data; and
- withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
You have the right to not be subject to any automated individual decision making processes. We do not use such processes without your prior consent.
If you have an account, you can exercise your rights by visiting your account and adjusting your privacy preferences, managing your consents, and downloading and uploading corrected data.
If you do not have an account or have difficulties or other enquiries, please approach us or our data protection officer using the above contact details (see section 1 above).
If you are not satisfied with the way Roche handles your data or responds to your requests, you may also complain to a competent data protection authority in the country of your habitual residence.
7. Privacy of Children
Our websites are directed at an adult audience. We do not knowingly collect any personally identifiable information from anyone we know to be a child without the prior, verifiable consent of his or her legal representative.
8. Updates to Privacy Notice
We keep this Privacy Notice under regular review and we will place any updates on this website. This Privacy Notice was last updated on Dec. 20 2018. When we change any processing that is based on consent, we will ask you for a new consent.
9. Third Party Resources
This Privacy Notice does not apply to third party sites to which our website may link, where we do not control the content or the privacy practices of such third parties. We will tell you when you follow a link to such a third party site.