Data protection 
Novartis is committed to respecting your privacy and to duly protecting your personal information when gathering and sharing data with other persons for the development of its legitimate commercial activities.
In addition to Novartis’ Policy on Personal Data Protection, Novartis has adopted the Binding Corporate Rules (BCR), a set of principles that regulates the international transfer of the personal data of collaborators, clients and commercial partners of Novartis, as well as that of other persons whose data is gathered and processed in the EU and Switzerland. Novartis’ approval of the Binding Corporate Rules from the EU and the Swiss authorities on Data Protection allows Novartis to comply with data protection rules in EU countries and Switzerland when your personal information is sent from these countries to its subsidiaries worldwide.
Which personal data protection principles apply?
Novartis companies that send your personal information from the EU or Switzerland to other countries must comply with applicable laws, in addition to Novartis policies and the Binding Corporate Rules. In particular, these companies:
- gather and process your personal information using transparent and legal methods;
- only process your personal information for specific and legitimate purposes and don’t use it for any other purpose;
- inform you of the transfer of your personal information and, if necessary, request your consent, when local laws so require.
- keep your personal information only for the necessary length of time, unless the law requires or allows for longer or shorter periods of data storage.
- ensure the confidentiality of your personal information and adopt suitable and reasonable security measures to protect it from any unauthorised access, damage or accidental loss, improper use and unauthorised modification or deletion.
What are my rights?
If you are a collaborator, client or commercial partner of Novartis or another person whose
personal information has been gathered and processed by Novartis in the EU or Switzerland, you have the following rights:
- you can ask Novartis to inform you about how they gather and use your personal information in accordance with local applicable laws;
- you can ask Novartis to correct, delete or not use your personal information if it is incomplete or incorrect;
- you can oppose the processing of your personal information and require Novartis to stop processing your data as long as you have a legitimate reason for doing so.
- you can request that decisions made during the automatic processing of your personal information be reviewed, if these decisions affect you significantly.
How can I exercise my rights?
If your personal information has been sent to a Novartis company that is located in a country that is not a member of the EU or Switzerland and this company does not provide a suitable level of protection and you believe that your personal information has not been processed in line with the Binding Corporate Rules, you can do the following:
submit a complaint to the Novartis Business Practices Office (BPO) by sending an e-mail to: firstname.lastname@example.org . Your complaint will be investigated in line with our internal procedures.
submit a complaint to the relevant data protection authority or present a request to the courts in Switzerland or the EU country from which your personal information was sent.