Roche Directive on the Protection of Personal Data

Roche Directive on the Protection of Personal Data
Roche Directive
on
the Protection of Personal Data
PREAMBLE
As a Group that operates around the globe, Roche uses systems in all sectors to
process data and to exchange data between units within the Group and with third
parties. Increasing economic and scientific cooperation and the mutual provision of
data-processing services also entails the exchange of personal data, a trend
reinforced by the increasing use of modern telecommunications resources. Therefore,
it is necessary that personal data are carefully processed. The European Union ("EU")
prohibits the transfer of personal data outside the EU unless there is an adequate
level of protection on the side of the recipient of the personal data.
1. UNDERTAKING
Roche declares that compliance with data protection principles in the processing of
personal data (e.g. data on customers, suppliers and employees) is a corporate
objective. As such, Roche is committed to respect the personality rights and privacy
of these individuals.
As a healthcare Group, Roche treats personal medical data (e.g. data collected in
connection with clinical trials) with special care.
2.
OBJECTIVES
In adopting the present Roche Group Directive on the Protection of Personal Data
("Directive"), Roche is pursuing three objectives. First, the Directive establishes a
uniform minimum standard to be applied by all Roche companies in processing
personal data and to lay down a basis for contractual agreements with third parties.
Secondly, the Directive provides preventive safeguards against the infringement of
personality and privacy rights through the inappropriate processing of personal data.
Thirdly, the Directive provides an adequate level of protection of personal data as
required by the EU.
3.
DEFINITIONS For the purpose of this Directive the following definitions apply:
Data subject shall mean any natural person whose personal data are processed by
or on behalf of Roche.
Personal data shall mean any information that relates to an identified or identifiable
natural person and that is an expression of or about the person’s physical,
physiological, psychological, mental or economic status and cultural or social identity.
Processing shall mean any operation or set of operations performed on personal
data, including but not limited to collection, recording, storage, alteration, analysis,
use, transmission, combination, blocking, erasure and destruction.
4.
APPLICATION
2
This Directive applies to all Roche companies and their employees.
Where personal data are processed on Roche’s behalf by third parties, appropriate
measures shall be taken to ensure the compliance of said third parties with the
principles set forth in this Directive.
National legislation providing for more comprehensive safeguards of personal data
shall also be observed in all specific instances where such legislation applies.
5. PRINCIPLES
In general, data revealing a data subject’s racial or ethnic origin, political views,
religious or philosophical convictions or an affiliation with an organization that
represents the interests of employees are to be classed as highly sensitive, as are data
on a subject’s health or sexual behaviour. All personal data must be processed
lawfully. In particular, the following principles apply:
5.1 Criteria of lawfulness
•
Personal data may be processed if at least one of the following applies:
− the data subject has given consent;
− processing is necessary for the performance of a contract of which
the data subject is party;
− processing is necessary for compliance with a legal obligation;
− Roche is pursuing a legitimate interest, except where such interest is
overridden by the interest of the data subject concerned.
3
5.2 Principles relating to processing
•
Personal data must be processed in a manner compatible with the
purpose for which they were collected.
•
The principle of proportionality shall apply to the processing of personal
data. Among other things, this implies a duty to refrain from collecting
unnecessary personal data.
•
Personal data that are used shall be accurate and kept up to date.
•
Personal data that are used and that are no longer accurate or
complete shall be corrected or deleted.
•
Subject to legal provisions that require a longer retention period, personal
data are to be stored no longer than is necessary to effect the purposes
for which they were collected or processed.
•
Personal data are to be processed in a manner at all times consistent with
the principle of good faith. This means that data subjects can rely on
processors to exercise due care in all aspects of data processing.
6. RIGHTS OF DATA SUBJECTS
Persons from whom personal data have been processed are to be accordingly
informed upon request. In particular, they have a right to be informed of the purposes
for which the data are being processed, the category of data involved and the identity
of the recipients of the data. Where appropriate, data subjects also have a right to
require that data be corrected, blocked or deleted.
The aforementioned rights may be restricted only where such restriction is provided
for by law. This applies, in particular, to the conduct of scientific research.
4
7.
MEASURES
The companies of the Roche Group are to implement the technical and organizational
measures necessary to ensure the security of personal data.
In particular, personal data are to be protected against unauthorized disclosure and
any form of unlawful processing. The measures implemented must ensure a level of
security appropriate to the nature of the data to be protected and the risks arising
from processing the data.
Compliance with Roche’s IT Security Policy and other pertinent internal security
requirements is mandatory.
8.
IMPLEMENTATION
All individual Roche companies are responsible for implementing and enforcing
compliance with this Directive.
Roche employees involved in processing personal data are to be appropriately
informed.
The procedures for third-party processing of personal data pursuant to a contractual
agreement are to be defined in writing. The relevant Roche company shall satisfy
itself that the contracted third party is processing the data properly and that it is
complying with the principles set forth in this Directive. If at any time a third party is
determined to be unable to ensure the adequate security of personal data, Roche
shall terminate the collaboration.
9.
EFFECTIVE DATE
5
The present Directive was adopted by the Corporate Executive Committee on 11
September 2000, and went into effect on that date.
6
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising