Privacy Notice for Roche Diabetes Care
(Last updated : July 1, 2023)
1) When we engage with you as a customer or prospective customer
2) When you use our digital solutions
3) When you visit our websites and/or interact with us as customer or prospective customer and/or use our digital solutions
4) Recipients of your Personal Data
5) International Transfers of Your Personal Data
6) Information About Your Rights Regarding Your Personal Data
7) Updates to This Privacy Notice
8) Country Specific Section
This notice provides information on our activities (column “what we do” and then one activity per row), the categories of information collected for each activity (column “what we collect”), as well as the legal basis of processing for each of them (column “why we do it”) including for processing health information (column “if you are a patient”), and the retention period for the data (column “how long”).
Our activities are aimed at an adult audience; if we learn that someone has not yet reached the legal age for valid processing, we will not collect any personal data from that person until their legal representative has given their consent in a verifiable form.
1. When we engage with you as a customer or prospective customer
The controller is Roche Diagnostics International AG, Basel Branch Diabetes Care - Grenzacherstrasse 124, 4058 Basel, Switzerland, acting as the parent company of affiliates engaged in the diabetes care business unit. The local affiliate in your country of residency will be considered a joint controller unless indicated otherwise (more information about Roche’s affiliate in your country of residency is available at your local Accu-Chek website). EU representative is Roche Privacy GmbH, Emil-Barell-Str. 1, D-79639 Grenzach-Wyhlen, [email protected].
2. When you use our digital solutions
The data controller is Roche Diabetes Care GmbH, Sandhofer Strasse 116, 68305 Mannheim/Germany as the manufacturer of these applications and software. mySugr GmbH, Trattnerhof 1/5 OG, 1010 Vienna/Austria also acts as data controller in relation to data processed by the mySugr app and in the Roche Diabetes Care apps and professional software.
3. When you visit our websites and/or interact with us as customer or prospective customer and/or use our digital solutions
When you visit our websites, the data controller is the entity identified as the publisher for the website. For other use cases, controllers remain as mentioned above. Please note that, when you navigate our public websites, the notices found in the footer of the landing page take precedence over this privacy notice.
4. Recipients of your Personal Data
We may share your Personal Data with Roche’s affiliates around the world. Roche affiliates will use your Personal Data for the same purposes as mentioned above. We may also share your Personal Data with our logistic, IT, market research, customer support service providers and carriers, insurance providers or partners, for the following purposes:
- To help fulfill Roche business transactions;
- To conduct technical operation, maintenance, administration, hosting of our websites, web platforms, and IT systems in general;
- To facilitate a merger, consolidation, transfer of control or other corporate reorganization in which Roche participates, or pursuant to a financial arrangement undertaken by Roche;
- To respond to appropriate requests of legitimate government authorities, or where required by applicable laws, court orders, or government regulations; and
- To allow data sharing with the recipients you designate when you use the data sharing functionalities of our digital products; and
- Where needed for corporate audits or to investigate or respond to a complaint or security threat.
Third parties generally act on our behalf and under our instructions however certain providers (especially carriers and electronic communications providers) also process your data for their own purposes (e.g. compliance with their legal obligations).
5. International Transfers of Your Personal Data
We primarily select cooperation partners who are based in or whose servers are located in the European Union (EU) or European Economic Area (EEA). Any Personal Data you provide to us may be transferred to or stored in a geographic region that imposes different privacy obligations than your country of origin. This means that your Personal Data may be sent to a country with less restrictive data protection laws than your own. Any such transfer will be conducted in compliance with applicable law.
If your Personal Data is covered by the GDPR: For transfers of Personal Data to a third country outside the European Union (EU), European Economic Area (EEA) or in absence of an adequacy decision (e.g. Switzerland, Israel, and New Zealand), within the Roche Group, business partners and service providers, we establish the contracts containing the EU Standard Contractual Clauses, which according to the EU Commission constitute appropriate and suitable safeguards to ensure compliance with GDPR. If you have further questions on this topic or if you want to obtain a copy of the safeguards, please reach out to [email protected].
In addition, we ensure that our partners have additional security standards in place, such as individual security measures and data protection provisions or certifications.
Generally speaking, on top of the local affiliate in your country and global functions located in the EU and Switzerland, our internal Roche support services may be granted access to your data, in priority in your region. All the internal accesses are covered by our internal data transfer agreement which contains the warranties to ensure your data is securely managed.
6. Information About Your Rights Regarding Your Personal Data
If your Personal Data are covered by the GDPR, you have the following rights with respect to your Personal Data:
- The right to request access to the Personal Data that Roche has about you;
- The right to rectify or correct any Personal Data that is inaccurate or incomplete;
- The right to request a copy of your Personal Data in electronic format so that you can transmit the data to third parties, or to request that Roche directly transfer your Personal Data to one more third parties;
- The right to object to the processing of your Personal Data for marketing and other purposes;
- The right to erasure of your Personal Data when it is no longer needed for the purposes for which you provided it, as well as the right to restriction of processing of your Personal Data to certain limited purposes where erasure is not possible.
To exercise any of these rights, please contact us at [email protected].
Please note that erasure or restriction of processing is only possible if and to the extent that the processing of Personal Data is based on your consent or our legitimate interests. If data processing is based on consent, note that you have the right to withdraw your consent at any time, but that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal. In the event of an erasure request, we may retain a copy of your Personal Data for our record-keeping purposes and to avoid entering your personal data in our systems after your request.
Please note that revocation of your consent to the necessary processing (or deletion of your account or data) may make it impossible to use our products and services because we can no longer process your data. We therefore interpret this revocation as termination.
In the event that you believe that our data processing does not comply with the GDPR, you are entitled to lodge a complaint with the authority of your country of residency as stated here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
7. Updates to This Privacy Notice
From time to time, we may revise this Privacy Notice. Any such changes to this Privacy Notice will be reflected on this page. Roche recommends that you review this Privacy Notice regularly for any changes. The date on which this notice was last revised is located at the top of this notice.
8. Country Specific Section
When we engage with you as a customer or prospective customer (see Sec. 2):
- Roche Diagnostics International AG, Basel Branch Diabetes Care - Grenzacherstrasse 124, 4058 Basel, Switzerland, acting as the parent company of affiliates engaged in the diabetes care business unit. The local affiliate in your country of residency will be considered a joint controller unless indicated otherwise.
- Local Affiliate: Roche Diabetes Care Asia Pacific Pte. Ltd. - 8 Kallang Avenue #11-07/09 Aperia Tower 1 Singapore 339509