Roche Directive on the Protection of Personal Data

Similar documents
Guidelines on Data Protection. Draft. Version 3.1. Published by

How To Protect Your Data In European Law

Corporate Policy. Data Protection for Data of Customers & Partners.

Proposal of regulation Com /4 Directive 95/46/EC Conclusion

Data Processing Agreement for Oracle Cloud Services

AlixPartners, LLP. General Data Protection Statement

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

PRESIDENT S DECISION No. 40. of 27 August Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

Data protection compliance checklist

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

ATMD Bird & Bird. Singapore Personal Data Protection Policy

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS

CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, A Guide for Data Controllers

The supplier shall have appropriate policies and procedures in place to ensure compliance with

Corporate ICT & Data Management. Data Protection Policy

CORK INSTITUTE OF TECHNOLOGY

Data Protection Standard

Data Protection Policy.

DATA PROTECTION POLICY

HERTSMERE BOROUGH COUNCIL

FIDELITY APPLICANT PRIVACY AND PROTECTION NOTICE

Little Marlow Parish Council Registration Number for ICO Z

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

University of Limerick Data Protection Compliance Regulations June 2015

Table of contents: ***

RPM INTERNATIONAL INC. AND ITS SUBSIDIARIES AND OPERATING COMPANIES SAFE HARBOR PRIVACY NOTICE. EFFECTIVE AS OF: August 12, 2015

Data Compliance. And. Your Obligations

PRIVACY STATEMENT OF THE WEBSITE Page 1 of 7

Data protection policy

DATA PROTECTION ACT 1998 COUNCIL POLICY

TABLE OF CONTENTS. Maintaining the Quality and Integrity of Information. Notification of an Information Security Incident

Merthyr Tydfil County Borough Council. Data Protection Policy

Data Protection Policy

INERTIA ETHICS MANUAL

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

GSK Public policy positions

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection

SAFE HARBOR PRIVACY NOTICE EFFECTIVE: July 1, 2005 AMENDED: July 15, 2014

Appendix 11 - Swiss Data Protection Act

CPA Global North America LLC SAFE HARBOR PRIVACY POLICY. Introduction

STANDARDS OF PRACTICE (2013)

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS

AIRBUS GROUP BINDING CORPORATE RULES

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data

The primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of.

singapore american school

on the transfer of personal data from the European Union

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

Data Protection for the Guidance Counsellor. Issues To Plan For

Data Protection Good Practice Note

BRING YOUR OWN DEVICE

Article 29 Working Party Issues Opinion on Cloud Computing

ETHICS GUIDE FCT INVESTIGATOR PROGRAMME. 25 July 2013

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Johnson Controls Privacy Notice

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

Data Protection in Ireland

AMENDMENTS TO THE DRAFT DATA PROTECTION REGULATION PROPOSED BY BITS OF FREEDOM

Align Technology. Data Protection Binding Corporate Rules Controller Policy Align Technology, Inc. All rights reserved.

The potential legal consequences of a personal data breach

Principles Concerning the Protection of Personal Data in the Workplace: Guidelines for Employee Monitoring *

Estée Lauder Companies Global Jobs Website Privacy Policy

Data Protection Consent Clause and Policy Background

CROATIAN PARLIAMENT 1364

Data Protection and Privacy Policy

Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

How To Understand The Data Protection Act

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

CHAPTER I GENERAL PROVISIONS

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Office 365 Data Processing Agreement with Model Clauses

An Executive Overview of GAPP. Generally Accepted Privacy Principles

JOB APPLICANT PRIVACY NOTICE

Transcription:

Roche Directive on the Protection of Personal Data PREAMBLE As a Group that operates around the globe, Roche uses systems in all sectors to process data and to exchange data between units within the Group and with third parties. Increasing economic and scientific cooperation and the mutual provision of data-processing services also entails the exchange of personal data, a trend reinforced by the increasing use of modern telecommunications resources. Therefore, it is necessary that personal data are carefully processed. The European Union ("EU") prohibits the transfer of personal data outside the EU unless there is an adequate level of protection on the side of the recipient of the personal data. 1. UNDERTAKING Roche declares that compliance with data protection principles in the processing of personal data (e.g. data on customers, suppliers and employees) is a corporate objective. As such, Roche is committed to respect the personality rights and privacy of these individuals. As a healthcare Group, Roche treats personal medical data (e.g. data collected in connection with clinical trials) with special care.

2. OBJECTIVES In adopting the present Roche Group Directive on the Protection of Personal Data ("Directive"), Roche is pursuing three objectives. First, the Directive establishes a uniform minimum standard to be applied by all Roche companies in processing personal data and to lay down a basis for contractual agreements with third parties. Secondly, the Directive provides preventive safeguards against the infringement of personality and privacy rights through the inappropriate processing of personal data. Thirdly, the Directive provides an adequate level of protection of personal data as required by the EU. 3. DEFINITIONS For the purpose of this Directive the following definitions apply: Data subject shall mean any natural person whose personal data are processed by or on behalf of Roche. Personal data shall mean any information that relates to an identified or identifiable natural person and that is an expression of or about the person s physical, physiological, psychological, mental or economic status and cultural or social identity. Processing shall mean any operation or set of operations performed on personal data, including but not limited to collection, recording, storage, alteration, analysis, use, transmission, combination, blocking, erasure and destruction. 4. APPLICATION 2

This Directive applies to all Roche companies and their employees. Where personal data are processed on Roche s behalf by third parties, appropriate measures shall be taken to ensure the compliance of said third parties with the principles set forth in this Directive. National legislation providing for more comprehensive safeguards of personal data shall also be observed in all specific instances where such legislation applies. 5. PRINCIPLES In general, data revealing a data subject s racial or ethnic origin, political views, religious or philosophical convictions or an affiliation with an organization that represents the interests of employees are to be classed as highly sensitive, as are data on a subject s health or sexual behaviour. All personal data must be processed lawfully. In particular, the following principles apply: 5.1 Criteria of lawfulness Personal data may be processed if at least one of the following applies: the data subject has given consent; processing is necessary for the performance of a contract of which the data subject is party; processing is necessary for compliance with a legal obligation; Roche is pursuing a legitimate interest, except where such interest is overridden by the interest of the data subject concerned. 3

5.2 Principles relating to processing Personal data must be processed in a manner compatible with the purpose for which they were collected. The principle of proportionality shall apply to the processing of personal data. Among other things, this implies a duty to refrain from collecting unnecessary personal data. Personal data that are used shall be accurate and kept up to date. Personal data that are used and that are no longer accurate or complete shall be corrected or deleted. Subject to legal provisions that require a longer retention period, personal data are to be stored no longer than is necessary to effect the purposes for which they were collected or processed. Personal data are to be processed in a manner at all times consistent with the principle of good faith. This means that data subjects can rely on processors to exercise due care in all aspects of data processing. 6. RIGHTS OF DATA SUBJECTS Persons from whom personal data have been processed are to be accordingly informed upon request. In particular, they have a right to be informed of the purposes for which the data are being processed, the category of data involved and the identity of the recipients of the data. Where appropriate, data subjects also have a right to require that data be corrected, blocked or deleted. The aforementioned rights may be restricted only where such restriction is provided for by law. This applies, in particular, to the conduct of scientific research. 4

7. MEASURES The companies of the Roche Group are to implement the technical and organizational measures necessary to ensure the security of personal data. In particular, personal data are to be protected against unauthorized disclosure and any form of unlawful processing. The measures implemented must ensure a level of security appropriate to the nature of the data to be protected and the risks arising from processing the data. Compliance with Roche s IT Security Policy and other pertinent internal security requirements is mandatory. 8. IMPLEMENTATION All individual Roche companies are responsible for implementing and enforcing compliance with this Directive. Roche employees involved in processing personal data are to be appropriately informed. The procedures for third-party processing of personal data pursuant to a contractual agreement are to be defined in writing. The relevant Roche company shall satisfy itself that the contracted third party is processing the data properly and that it is complying with the principles set forth in this Directive. If at any time a third party is determined to be unable to ensure the adequate security of personal data, Roche shall terminate the collaboration. 9. EFFECTIVE DATE 5

The present Directive was adopted by the Corporate Executive Committee on 11 September 2000, and went into effect on that date. 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information