
Privacy Policy

 

Privacy Notice for Roche Diabetes Care

(Last updated : July 1, 2023)

 

1) When we engage with you as a customer or prospective customer

2) When you use our digital solutions

3) When you visit our websites and/or interact with us as customer or prospective customer and/or use our digital solutions

4) Recipients of your Personal Data

5) International Transfers of Your Personal Data

6) Information About Your Rights Regarding Your Personal Data

7) Updates to This Privacy Notice

8) Country Specific Section

 

This notice provides information on our activities (column “what we do” and then one activity per row), the categories of information collected for each activity (column “what we collect”), as well as the legal basis of processing for each of them (column “why we do it”) including for processing health information (column “if you are a patient”), and the retention period for the data (column “how long”). 

 

Our activities are aimed at an adult audience; if we learn that someone has not yet reached the legal age for valid processing, we will not collect any personal data from that person until their legal representative has given their consent in a verifiable form.

1. When we engage with you as a customer or prospective customer

The controller is Roche Diagnostics International AG, Basel Branch Diabetes Care  - Grenzacherstrasse 124, 4058 Basel, Switzerland, acting as the parent company of affiliates engaged in the diabetes care business unit. The local affiliate in your country of residency will be considered a joint controller unless indicated otherwise (more information about Roche’s affiliate in your country of residency is available at your local Accu-Chek website). EU representative is Roche Privacy GmbH, Emil-Barell-Str. 1, D-79639 Grenzach-Wyhlen, [email protected].

 
 

What we do

What we collect

Why we do it 

If you are a patient

How long

 

Primary use: providing our products and services

i

Answer requests

Support, cases and non-regulatory complaints

Feedback via phone, emails, social media, etc.

Free samples or maintenance requests

Product returns

Trainings

Your contact information (such as name, mailing address, telephone number, job title), your interests and preferences (such as products or areas of interest), and other information provided

We collect this information for our legitimate business interests to answer customers and prospective customers’ requests 

Your health status may be revealed, so we will need your explicit consent to use your data

We cannot provide the services without consent to this use of your data

Unless local specifics apply or we need to retain data for another purpose, we would keep it for the time within which proceedings may be brought.

ii

Contract 

Manage subscriptions

Complete transactions

Deliver product/service

Order fulfilment

Transactional messages

Activate warranties

Your contact information as well as a history of your previous transactions with us (such as order history, customer account information), information on prescriptions

We use this information to perform our agreement with you 

Unless local specifics apply or we need to retain data for another purpose, we would keep it for the time within which proceedings may be brought.

iii

Unique customer ID

Better identification

Avoid duplication 

Avoid inconsistent data 

 

LOGIC: We use an algorithm which merges records that present sufficient similarities.

Your identity and contact details as well as your status as a professional or individual and address verification data

 

SOURCES: We use an address verification service to obtain a GPS location.

We collect this information for our legitimate business interests to optimize data management 

As long as we retain your data for the purposes mentioned in this section.

 

Secondary use: improving our products and services

iv

Internal training 

Review and analyze our interactions with you to understand what we can improve

Call recordings associated with your phone number

We will collect and process this information if you agree to this activity 

You can refuse without impacting services










 

Your health status may be revealed, so we will ask your explicit consent to use your data.

You can refuse without impacting services

Unless local specifics apply or we need to retain data for another purpose, 90 days after the recording

v

Marketing

Newsletters

Customer surveys

Marketing emails that may be adapted to your interests

Organization of webinars or events

Your identity and contact details as well as your status as a professional or individual

We will collect and process this information if you agree to this activity.

You can refuse without impacting services

 

If you are a professional, we may rely on our legitimate interest to reach out.

Unless local specifics apply or we need to retain data for another purpose, as long as we maintain interactions with you and a few years after the last contact (to resume interactions if you wish so).

vi

Patient program

Register you to the program you select

Evaluate your needs as informed by you

Provide support during the duration of the program by providing personalized contents

 

(Patients only)

Information about your contact and product preferences, languages, marketing preferences, health and demographic data

We will collect and process this information if you agree to this activity.

You can refuse without impacting services

Unless local specifics apply or we need to retain data for another purpose, as long as we maintain interactions with you and a few years after the end of the program (to re-enlist you if you wish so)

vii

Complaint 

Keep track and report incidents

Retain archives for regulatory purposes

Monitoring of our social media pages

Any personal data provided to Roche related to adverse events or issues related to services / products 

We collect your information to comply with our legal obligations and may be required to report the data to regulatory authorities 






 

This information includes health data by nature which will only be processed to the extent we have a legal obligation to do so 

Unless local specifics apply or we need to retain data for another purpose, we would keep it for the time within which proceedings may be brought or in line with regulatory obligations.

viii

Business intelligence

Run reports on our activities

Improve and administer our business

Reporting as required by law e.g. on complaint handlings in relation to our medical devices

Same data as mentioned above

Business intelligence is for our legitimate interest in understanding how we are doing 

See retention period as mentioned above for each concerned activity

ix

Social media

Animation of our pages

Social listening of publicly posted information, which is used in an aggregated form to create insights

Targeted advertising via social media to persons who subscribed to our pages or other audiences (for example your interests, age or country)

Any information you make public online, which will however generally be used in a pseudonymized, anonymous, or aggregated way

We collect this information for our legitimate business interests to understand and reach out to our audience on social media

 

We may be joint controllers with the social media company hosting our page, please see their respective policies:

Facebook; Instagram; LinkedIn; YouTube

This processing will only use sensitive information that you have manifestly chosen to disclose publicly for anyone to see. We will not target individuals based on their health status.

Unless local specifics apply or we need to retain data for another purpose, we do not retain social listening or targeted advertising data after the insights are obtained / campaign is realized

 

2. When you use our digital solutions

The data controller is Roche Diabetes Care GmbH, Sandhofer Strasse 116, 68305 Mannheim/Germany as the manufacturer of these applications and software. mySugr GmbH, Trattnerhof 1/5 OG, 1010 Vienna/Austria also acts as data controller in relation to data processed by the mySugr app and in the Roche Diabetes Care apps and professional software.

 
 

What we do

What we collect

Why we do it 

If you are a patient

How long

 

Primary use : providing our products and services

A

Diabetes solutions

Provide services and functionalities in accordance with specific user manuals, terms and conditions and privacy notice applicable to the solution

 

Please refer to such documents for more details.

Profile data; commercial and activity data 

For patient, medical including therapy and diagnostic data as inputted manually or sent by your medical devices (BGM, CGM, pump, connected pen), technical data of your medical devices

 

Smartphone identifier is collected as strictly required to send push notifications if you have requested so

We use this information to perform our agreement with you

 

If you are a patient and we provide services to your doctor, we process your data as instructed by your doctor, therefore control lies with such professional users

This information includes health data by nature and we will need your explicit consent to use your data

We cannot provide the services you request without your consent to this use of your data

 

When we process your data as instructed by your doctor, he is responsible for ensuring he is entitled to use your data

As indicated in the privacy notice applicable to the concerned solution

B

Allow data sharing 

Organize the sharing of health data across solutions and with professional electronic health records, always in accordance with your preferences

Data uploaded or inputted by you in the solution will be available to the recipients you designate, who may also download it.

We use this information to perform our agreement with you

Data sharing with third parties happens upon request from you, therefore only if you agree to this activity 

We cannot share data without your consent

Until you deactivate data sharing

C

Ancillary services 

Deliveries including to a patient as requested by his doctor

Invoice use of the tool or related services

Other services you request

If needed, we may process the above-mentioned data to the extent needed under section 1 on customers

See section 1 on customers 

 

If you are a patient and we provide services to your doctor, we process your data as instructed by your doctor, therefore control lies with such professional users

See section 1 on customers 

 

When we process your data as instructed by your doctor, he is responsible for ensuring he is entitled to use your data

See section 1

 

Secondary use : improving healthcare  (statistics / research)

D

Performance reports

Issue aggregated reports for internal use or for our professional users to understand how our digital solutions are used and perform e.g. number of active users, time in range, etc.

Aggregated user data contained in or generated by use of digital solutions

We rely on our legitimate interest to analyze and improve the service

 

If you are a patient and we provide services to your doctor, we process your data as instructed by your doctor, therefore control lies with such professional users

We will use data in an aggregated (hence anonymous) form

 

When we process your data as instructed by your doctor, he is responsible for ensuring he is entitled to use your data

Without time limitation in an anonymous and/or aggregated form 

E

Medical research and innovation

Replicate de-identified data in dedicated databases (anonymous or pseudonymous)

Population insights & scientific research

Algorithms / product development 

Product evaluation & real world evidence

 

(Patients only)

De-identified user data (anonymous or pseudonymous) contained in the digital health applications and software or generated by its use

We anonymize this information as instructed by healthcare professionals

 

We will pseudonymise this information if you agree to this activity.

You can refuse without impacting services

We will process data used by healthcare professionals in an anonymous form

 

When pseudonymous data is used, it includes health data by nature so we will ask your explicit consent to product improvement.

You can refuse without impacting services

Without time limitation in an anonymous form 

Until you revoke your consent in a pseudonymous form

3. When you visit our websites and/or interact with us as customer or prospective customer and/or use our digital solutions

When you visit our websites, the data controller is the entity identified as the publisher for the website. For other use cases, controllers remain as mentioned above. Please note that, when you navigate our public websites, the notices found in the footer of the landing page take precedence over this privacy notice. 

 

We may use cookies or other tracking technologies that are necessary (authentication, preferences, security), allow us to obtain usage statistics or in some cases to do targeted advertising, or allow you to play videos or share information on social media. For non-necessary cookies, a pop-up on each website will ask your consent for each category before any implementation.

 
 

What we do

What we collect

Why we do it 

If you are a patient

How long

 

Primary use : providing our products and services

1

Security

To secure, run and maintain our systems

Security monitoring

Bug / crash reporting

Logs retention

IP Address, geographic location, resources you have accessed, and similar information collected via cookies and web trackers.

Technical activities are for our legitimate interest in operating a secure business and associated cookies are necessary.

This information will generally not reveal your status or health information

 

In our patient apps, crash reporting data may reveal health status but will be processed to the extent we have a legal obligation to do so 

As required by applicable laws in a non-aggregated form

2

Personal account

Account creation and access to all our online services, including identity and consents management

Transactional message, support, troubleshooting, or security advice

First and last name, email and password, other contact information, account ID, registration date and status of consents, language, country and time zone, IP address

We use this information to perform our agreement with you

This information includes health data by nature and we will need your explicit consent to use your data

We cannot provide the services you request without your consent to this use of your data

Until you delete your account.

 

Other possible uses

3

Legal hold

Litigation or any other procedure related to our rights or your rights

Archiving to comply with our duties as a medical device manufacturer, e.g. to inform you about an incident or recall

Any data mentioned above that may become necessary for this objective

Evidencing claims is for our legitimate interest of establishing our rights or your rights

Retaining some information as archive may be required to comply with our legal obligations 

This information may include health data by nature or reveal it and will be processed only as necessary for the establishment, exercise or defense of legal claims, or to the extent we have a legal obligation to do so 

Until the claim has been closed or legal obligation has expired

4

Usage statistics 

Learn how our tools are used & improve them

Understand your uses and ask your feedback

IP Address, geographic location, resources you have accessed, and similar information collected via cookies and web trackers.

Data we hold about our relationship with you 

Analytics is for our legitimate interest in understanding how we are doing 

 

We will only use cookies and trackers if you agree to this activity 

You can refuse without impacting services

We only process anonymous data which will not reveal your status or health information

 

Your health status may be revealed if you are logged in, in which case we will ask your explicit consent

You can refuse without impacting services

Unless local specifics apply or we need to retain data for another purpose, we would keep the data 1 year after collection in a non-aggregated form

     

4. Recipients of your Personal Data

We may share your Personal Data with Roche’s affiliates around the world. Roche affiliates will use your Personal Data for the same purposes as mentioned above. We may also share your Personal Data with our logistic, IT, market research, customer support service providers and carriers, insurance providers or partners, for the following purposes:

- To help fulfill Roche business transactions;

- To conduct technical operation, maintenance, administration, hosting of our websites, web platforms, and IT systems in general;

- To facilitate a merger, consolidation, transfer of control or other corporate reorganization in which Roche participates, or pursuant to a financial arrangement undertaken by Roche;

- To respond to appropriate requests of legitimate government authorities, or where required by applicable laws, court orders, or government regulations;

- To allow data sharing with the recipients you designate when you use the data sharing functionalities of our digital products; and

- Where needed for corporate audits or to investigate or respond to a complaint or security threat.

Third parties generally act on our behalf and under our instructions; however, certain providers (especially carriers and electronic communications providers) also process your data for their own purposes (e.g. compliance with their legal obligations).

5. International Transfers of Your Personal Data

We primarily select cooperation partners who are based in or whose servers are located in the European Union (EU) or European Economic Area (EEA). Any Personal Data you provide to us may be transferred to or stored in a geographic region that imposes different privacy obligations than your country of origin. This means that your Personal Data may be sent to a country with less restrictive data protection laws than your own. Any such transfer will be conducted in compliance with applicable law. 

If your Personal Data is covered by the GDPR: For transfers of Personal Data to a third country outside the European Union (EU), European Economic Area (EEA) or in absence of an adequacy decision (e.g. Switzerland, Israel, and New Zealand), within the Roche Group, business partners and service providers, we establish the contracts containing the EU Standard Contractual Clauses, which according to the EU Commission constitute appropriate and suitable safeguards to ensure compliance with GDPR. If you have further questions on this topic or if you want to obtain a copy of the safeguards, please reach out to [email protected].

In addition, we ensure that our partners have additional security standards in place, such as individual security measures and data protection provisions or certifications.

Generally speaking, on top of the local affiliate in your country and global functions located in the EU and Switzerland, our internal Roche support services may be granted access to your data, in priority in your region. All the internal accesses are covered by our internal data transfer agreement which contains the warranties to ensure your data is securely managed.

6. Information About Your Rights Regarding Your Personal Data

If your Personal Data are covered by the GDPR, you have the following rights with respect to your Personal Data:

  • The right to request access to the Personal Data that Roche has about you;
  • The right to rectify or correct any Personal Data that is inaccurate or incomplete;
  • The right to request a copy of your Personal Data in electronic format so that you can transmit the data to third parties, or to request that Roche directly transfer your Personal Data to one or more third parties;
  • The right to object to the processing of your Personal Data for marketing and other purposes;
  • The right to erasure of your Personal Data when it is no longer needed for the purposes for which you provided it, as well as the right to restriction of processing of your Personal Data to certain limited purposes where erasure is not possible.

To exercise any of these rights, please contact us at [email protected].

Please note that erasure or restriction of processing is only possible if and to the extent that the processing of Personal Data is based on your consent or our legitimate interests. If data processing is based on consent, note that you have the right to withdraw your consent at any time, but that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal. In the event of an erasure request, we may retain a copy of your Personal Data for our record-keeping purposes and to avoid entering your personal data in our systems after your request.

Please note that revocation of your consent to the necessary processing (or deletion of your account or data) may make it impossible to use our products and services because we can no longer process your data. We therefore interpret this revocation as termination.

In the event that you believe that our data processing does not comply with the GDPR, you are entitled to lodge a complaint with the authority of your country of residency as stated here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm 

7. Updates to This Privacy Notice

From time to time, we may revise this Privacy Notice. Any such changes to this Privacy Notice will be reflected on this page. Roche recommends that you review this Privacy Notice regularly for any changes. The date on which this notice was last revised is located at the top of this notice.

8. Country Specific Section

When we engage with you as a customer or prospective customer (see Sec. 2):

Data Controller:

  • Roche Diagnostics International AG, Basel Branch Diabetes Care - Grenzacherstrasse 124, 4058 Basel, Switzerland, acting as the parent company of affiliates engaged in the diabetes care business unit. The local affiliate in your country of residency will be considered a joint controller unless indicated otherwise.
  • Local Affiliate: Roche Diabetes Care Asia Pacific Pte. Ltd. - 8 Kallang Avenue #11-07/09 Aperia Tower 1 Singapore 339509