Privacy notice for associates
Please refer below to the legal privacy policy for your country.
Privacy Notice for Switzerland (English)
Novartis Employee Privacy Notice for Switzerland
Nov-18
The Employee Privacy Notice for Switzerland ("Privacy Notice") is addressed to associates employed by a Swiss legal entity of the Novartis group of companies.
Novartis in Switzerland ("Novartis" – the company of the Novartis Group by which you are employed) is responsible for the processing of your personal information ("personal data") as it decides why and how it is processed, thereby acting as the "controller". In this Privacy Notice, "we" or "us" refers to Novartis.
Should you have any further questions related to the processing of your personal data, we invite you to contact your HR Manager or privacy.switzerland@novartis.com.
1 What information do we have about you?
We may collect various types of personal data about you, which may include:
- your general and identification information (e.g. name, first name, middle name, last name, gender or gender identity, your picture, date and place of birth, nationality, ID card or passport numbers, email and/or postal address, landline and/or mobile phone number and car registration number, emergency contact name and details);
- your family information (e.g. registered partnership or marital status, personal information about your children and spouse or registered partner);
- your financial and administrative information (e.g. work conditions, salary level and amount, years of service, incentive, stocks, options, expenses information, insurance and other benefits, pension entitlements, bank account details, fiscal registration number, garnishments, claims, credit card information);
- your education and experience (e.g. employment and education history, other details included in CVs, professional qualifications and experience, information necessary to complete a background check, performance and development programs and reviews, career development plans and objectives);
- information related to function and information necessary for the administration of your employment (e.g. employer's name and location, unit, department, supervisor and subordinates, employment dates such as dates of hiring/promotion/demotion/position change, work schedule, performance evaluation, including self-appraisals with ratings, values and behavior evaluation, position information such as position title and reference number, attendance information including illness or leaves of absence, language skills, career aspirations and insights or badges provided by other associates);
- your electronic identification data (e.g. login credentials, access rights, badge number, IP address, online identifiers/cookies, logs, access and connection times, sound or images such as security camera or voice recordings);
- your social security information (e.g. social security code, status, insurance details, sickness leave, disability);
- insofar as strictly necessary and legally permitted, your sensitive information (e.g. health and medical information and other sensitive information such as religion or church affiliation where required for statutory tax deductions, diversity related information or labor union membership, data collected with regard to complaints and investigations of misconduct, judicial data and investigation data, identification of persons involved in proceedings, witnesses and victims, facts of a dispute, information, documentation, nature of proceedings, date, amounts at stake and convictions); and
- more generally, information about the activities you are carrying out in your professional capacity.
2 For which purposes do we use your personal data?
2.1 Legal basis for the processing
We will only process your personal data if either:
- the processing is necessary to perform our contractual obligations towards you;
- the processing is necessary for our legitimate interest and does not unduly affect your interests or fundamental rights and freedoms. Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy;
- the processing is necessary to comply with our legal or regulatory obligations;
- the processing is necessary to protect your vital interests or those of another person; or
- we have obtained your prior consent.
Examples of the above-mentioned 'legitimate interests' are data processing activities performed:
- to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
- to offer our products and services to our customers (e.g. we may communicate professional contact details of one of our employees to a customer or supplier, indicating that this person is the contact person within our organization);
- to prevent fraud or criminal activity and misuse of our products or services, and to ensure the security of our IT systems, architecture and networks;
- to sell any part of our business or its assets, or to enable the acquisition of all or part of our business or assets by a third party; and
- to meet our corporate and social responsibility objectives.
2.2 Purposes of the processing
We may process your personal data for the following purposes:
- to undertake recruitment activities;
- personnel administration (including benefits and absence management, performing employment and background checks, creating and maintaining employee directories, travel arrangements);
- to implement tasks in preparation of or to perform existing contracts;
- to train our staff and to manage professional development and skills;
- payroll management (such as administration of remuneration and other contractual benefits, salaries and pay reviews and other awards such as stock options, stock grants and bonuses, pensions and saving plans, benefits to families, business expenses);
- to carry out performance reviews (such as appraisals, promotions, performance calibration, career and succession planning, staffing and talent management);
- security and safety monitoring, where required (e.g. production monitoring for product safety, monitoring of electronic devices, internet or email traffic for security threats, security cameras in sensitive areas);
- record keeping;
- communications and emergencies (such as facilitating communication with employees for business purposes and for global initiatives, including employee surveys, facilitating communication in case of emergency);
- handling internal complaints relating to misconduct;
- if legally required, to conduct health risk appraisals;
- management of disciplinary action or judicial proceedings;
- to ensure compliance and reporting (such as income tax and national insurance deductions, management of alleged cases of misconduct or fraud; audits, litigation);
- to ensure business continuity;
- to manage mergers and acquisitions involving our company; and
- for any other purposes imposed by law and authorities.
3 Who has access to your personal data and to whom are they transferred?
We may share or transfer your personal data within the Novartis group of companies or with third parties outside the Novartis Group, including those indicated in this Privacy Notice.
In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by, or transferred to, the following categories of recipients, on a need-to-know basis to achieve such purposes:
- Our personnel (including personnel, departments or other companies of the Novartis group);
- Our independent agents or brokers (if any);
- Our service providers (including IT, cloud storage, software and database providers, payroll providers, consultants, insurance agencies);
- Any third party to whom we may assign or novate any of our rights or obligations;
- Our advisors and external lawyers, including in the context of the sale or transfer of any part of our business or its assets.
The above-mentioned third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.
For transfers of personal data between our group companies, Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. Read more about the Novartis Binding Corporate Rules
We may have to disclose your personal data to government agencies, courts, and designated third parties specified if we are required to do so by applicable law, regulations, court orders or decisions.
The personal data we collect from you may also be processed, accessed or stored in a different country, which may not offer the same level of protection of personal data.
When we transfer your personal data to the above-mentioned recipients in other jurisdictions, we will apply the level of protection required under Swiss law and in accordance with our policies and standards.
4 How do we protect your personal data?
We have implemented appropriate technical and organizational measures to provide an adequate level of security and confidentiality to your personal data.
More information on the Novartis Information Security & Risk Management Policies can be found at http://go/imf.
5 How long do we store your personal data?
Your personal data will only be retained for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.
When this period expires, your personal data are removed from our systems and repositories.
Personal data collected and processed in the context of a dispute are deleted or archived (i) as soon as a settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time-barred.
6 What are your rights and how can you exercise them?
If you wish to exercise your privacy rights, such as requesting information about your personal data, a copy thereof, its correction or deletion, or if you wish to object to processing of your personal data, please contact HR Operations. Your inquiry is subject to the conditions and limits set forth in the law, and to obligations or legitimate business interest that Novartis may have.
If you wish to know more about privacy at Novartis, visit http://go/privacy. If you have further data privacy related questions, please contact your Data Privacy Office at privacy.switzerland@novartis.com.