Data Protection – Privacy Notice

At Roche, we are committed to protecting your personal information. This Privacy Notice outlines the types of personal information Roche may collect; the means by which Roche may collect, use, or share your personal information; steps Roche takes to protect your personal information; and choices you are provided with respect to the use of your personal information.

For purposes of this Privacy Notice, “Personal Data” is any information by which you can be individually identified both directly and indirectly, including, but not limited to, your name, address, e-mail address, and telephone number.

Please refer to the California Supplemental Privacy Notice for more information about how this term is defined for the purposes of California law and for more information about how Roche uses such information. The California Supplemental Privacy Notice is available at: https://www.roche.com/ccpa-privacy-notice.htm

Data controller

The Data Controller in the meaning of the General Data Protection Regulation (GDPR), of other data protection laws applicable in the Member States of the European Union, and of other regulations of a data-protection nature is:

Roche Diagnostics GmbH
Sandhofer Straße 116
68305 Mannheim

healthcare.xplorers@roche.com

Data Protection Officer

Our Data Protection Officer may be contacted via the above mentioned address with the addition “Data Protection Officer” or via email germany.privacy@roche.com.

The California Supplemental Privacy Notice provides the appropriate channels for contacting Roche with questions, requests, and inquiries in scope of California law. The California Supplemental Privacy Notice is available at: https://www.roche.com/ccpa-privacy-notice.htm

Roche is a global undertaking whose Diagnostics, Diabetes Care, and Pharma business units are active in the production and distribution of a variety of medical products and drugs, as well as related services

Roche is aware of the fact that the privacy and thus, also the protection of our customers’ personal data is very important, and the company accords great importance to this. Con­sequently, Roche has taken the necessary precautions for doing justice to the globally applicable data protection requirements, complying with the provisions of the EU and of Germany, as well as respective other applicable standards. Processing of your personal data will exclusively be performed within the scope permitted by the law, and taking into account applicable laws, in particular, the obligation to maintain transparency.

Information on the processing of personal data

If you visit our website without requesting further information (e.g. by subscribing to our newsletter) we collect and process the following information automatically in the webserver-log: Information related to your internet connection (such as IP-address, domain of the internet service provider, bit rate, mobile network operator, URL, time of access and previously visited websites (Referrer)) and information related to your device (such as data about the software ecosystem (operating system, type of browser and browser configuration settings/abilities/display size/resolution, colour depth of the displaying device), and the hardware you use).
We collect and process your Personal Data for this purpose based on our legitimate interest to secure safety when using our website and the integrity of the content we offer (Art. 6(1) lit. f GDPR).

 

In the context of an application and selection process and in order to get in contact with you, Roche will process your personal data, based on the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6(1) lit. b GDPR and para. 26(1) sentence 1 BDSG).
In order to fulfil the purposes just mentioned, we process the following information from you:

  • Contact information: first and last name, e-mail address
  • Your pitch idea.

 

It is necessary to provide the data as part of the application and selection process. If you do not provide the data, we will consequently not be able to longer consider your application.

 

Depending on your consent (Art. 6(1) lit. a GDPR), we also process your IP-address/location, cookies, browsing history, as well as Information regarding interaction with the website, for analytic purposes to ensure the constant improvement and evolution of our service for you.

 

Please visit the California Supplemental Privacy Notice for more information about Personal Data processing activities as they relate to California residents. The California Supplemental Privacy Notice is available at: https://www.roche.com/ccpa-privacy-notice.htm 

Processing/storage period

Personal Data in connection to the webserver-logs is processed only for as long as necessary for the purpose for which we have collected and are processing the data, or to fulfill contractual, legal, or public obligations. We will automatically delete the webserver-logs after seven days unless a longer storage period is individually necessary (e.g. if there is an attack on the security of our systems). After the IP-addresses have been deleted, only anonymised data (no Personal Data) is stored.

 

Your data will only be processed for as long as it is necessary to achieve the purpose or as long as is required by law. After completion of the application procedure, your data will be deleted within six months (applications from individuals), unless we hire you as an employee.

Forwarding and transmitting data

The publisher of this website forwards certain data about you to various external undertakings or agents that are charged with performing technical maintenance, or work on our behalf, helping us perform business transactions. We may also forward personal data to our subsidiaries and group companies. All of these undertakings and agents are obliged to comply with the provisions of our data protection guidelines.

 

Entities that are involved in processing personal data from HealthcareXplorers (www.healthcare-xplorers.com):

  1. Roche Diagnostics GmbH, Sandhofer Straße 116, 68305 Mannheim
  2. For the technical website support: BSKOM GmbH, Herzogspitalstraße 5, 80331 München
  3. For the hosting of the website and the Matomo analytics tool: Getflywheel, WPEngine Inc. (registered offices: Irongate House, 22-30 Duke’s Place, London, EC3A 7LP England, and 504 Lavaca St Ste 1000, Austin, TX-78701, USA)), server location: Saint-Ghislain, Belgium.
  4. For providing our Cookie-Consent-Management-Tool: OneTrust, LLC (registered offices: 1200 Abernathy Rd NE, Building 600, Atlanta, GA 30328, USA, and Dixon House, 1 Lloyd’s Avenue, London, EC3N 3DQ, England). We use this tool based on our legitimate interest (Article 6(1)(f) GDPR) to ensure your and our control over adjusting and administering the use of cookies and similar technologies. For this purpose your IP-address is being processed and cookies are being used to memorise your cookie preferences. Further information is available in the Privacy Policy of OneTrust: https://www.onetrust.de/datenschutzerklaerung/

 

Since Roche is a global company, your data may also be transferred to other Roche Group companies for specific purposes. A list of all Roche companies can be found in the current version of the Roche Group Annual Report, which is available on the website www.roche.com. Contact details may be provided upon request.

 

Data protection outside the EU or the European Economic Area, e.g. in the USA, where there may not exist a comparable level of data protection, will be ensured by an adequacy decision of the EU Commission or by EU standard contractual clauses. For further information, please contact us using the contact details above.

Information on the processing of personal data in the context of newsletter registration

In the context of registering and mailing our newsletter, Roche will process your personal data (email address), provided you have given us your express consent in each case (Art. 6(1) lit. a).

 

The data for the purpose mentioned above is provided voluntarily. If you do not provide the data, we will consequently not be able to provide you with the registration for and mailing of the newsletter without your consent to the processing of your personal data.

 

Your data will be stored in our systems for as long as it is necessary for mailing the newsletter, and you have not revoked your consent to the processing of your data for this purpose.

Automatically collected information

Certain types of information are collected automatically by us whenever you communicate with us via our websites, as well as in the context of emails sent to each other. The automated processes we use may include, e.g., logging by web servers or IP addresses, cookies, and web beacons.

 

Webserver logs/ IP addresses

An IP address is a number assigned to your computer for accessing the Internet. On the Internet, each computer is identified by means of an IP address; this allows computers and servers to recognize each other on the network and to communicate with each other. Roche collects the IP-address for purposes of system administration, in order to supply group companies, business partners and/or suppliers with statistics, for analyzing websites, and for reviewing the performance of a website.

 

Cookies

Roche’s internet pages use cookies. A cookie is a piece of information that is placed automatically on your computer’s hard drive when you access certain websites. Cookies allow the server to uniquely recognise your browser. Cookies may contain information to identify your computer or browser, including your device’s ID, your IP-Address, and/or an Ad-ID, as well as information about your browsing history. The information we obtain from using cookies may be combined with other Personal Data related to you.

 

In order to give you control over the cookies and other technologies used on our website, we implement the “Cookie-Consent-Management-Tool”. It will appear as soon as you visit our website for the first time in a so-called Cookie Banner. It enables you to individually adjust  your settings and provides concrete information about the cookies we use, including further information on their providers and the pursued purposes.

 

If using cookies or other technologies is necessary, our websites will do so also without your consent. For all other cookies and comparable tracking technologies we will ask for your consent. In the Cookie-Consent-Management-Tool you can individually configure, for which purposes you consent to the use of cookies and other technologies, or withdraw your consent. Moreover in many cases you can adjust in your browser settings whether cookies are being accepted or blocked. Please note that some areas of our website may not function properly if you block cookies. The following links will lead you to instructions for the most popular browsers:

For Chrome: https://support.google.com/chrome/answer/95647
For Safari: https://support.apple.com/de-de/HT201265
For Firefox: https://support.mozilla.org/de/kb/Cookies-blockieren
For the Internet Explorer: https://support.microsoft.com/de-de/topic/l%C3%B6schen-und-verwalten-von-cookies-168dab11-0753-043d-7c16-ede5947fc64d

 

The cookies we use can be split up into the following categories:

 

Strictly necessary cookies. These are cookies that are required for the operation of our website. They include cookies that enable you to log into secure areas of our website (if applicable).

 

Analytical/performance cookies. These cookies allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. These cookies do not collect information that identifies a visitor. All information that these cookies collect is aggregated and therefore anonymous.

 

This website uses the analytic tool Matomo. Matomo is an open source project, and the tool is hosted in a cloud solution hosted by Getflywheel. We use Matomo based on your consent (Article 6(1) lit. a GDPR) in order to analyse how user use the public content on our website, to evaluate the use of the website, and for compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. In that context, your IP-address is being processed and cookies are being used. You can prevent the use of Matomo by not consenting to it in the cookie and consent management banner.
Further information is available in the Matomo privacy policy at: https://matomo.org/privacy-policy/

 

Functionality cookies. These are used to recognise you when you return to our website. This enables us to remember choices you make (such as language choices) and personalise our content for you.


Targeting or advertising cookies. These cookies record your visit(s) to our website, the pages you have visited and the links you have followed. They also collect information about your browsing habits, including the websites you visit, in order to make the information displayed on our website more relevant to you and your interests. We may also share this information with third parties working on our behalf for this purpose.

 

Some of our cookies are known as ‘session’ cookies and expire after you leave our website. Others are ‘persistent’ cookies that are stored on your device in between browser sessions and allow your preferences or actions to be remembered. They remain on your device for varying lengths of time, but in any event no longer than two years. Cookies can be removed manually before they expire via your browser settings.

 

Managing the Cookies: As described above, if you wish to prevent cookies from tracking you anonymously as you navigate our website, you can reset your browser to refuse all cookies or to indicate when a cookie is being sent.

 

All browsers allow you to fine-tune cookie settings and determine which ones to accept and which to disable or delete. Your browser can also notify you when you receive new cookies. Please consult your browser’s ‘help’ section for more information on adjusting your cookie settings.

 

Cookies allow you to take advantage of some of our website’s essential features, so we recommend you leave them turned on. If you block or otherwise reject cookies the website may not function correctly and you may not be able to access restricted parts of the website that require you to log in.

 

More information about the exact cookies used can be found in the following Cookie List.

 

Web beacons

On certain websites and in emails, Roche can use a popular Internet technology called “web beacon” (aka “action tag” or “clear GIF” technology). Web beacons help analyze the effective­ness of websites by measuring, e.g., how many visitors access a site, or how many visitors click on important parts of a site.

 

Web beacons, cookies and other technologies for tracking per se do not collect personal information about you. It is not until you voluntarily provide such information that identifies you personally, e.g., by registering or sending emails, that these automated processes can be used to collect personal information about your use of the websites and/or interactive emails in order to design these to be more useful to you.

Data protection declaration regarding children

Our website is intended for an adult audience. If we learn that someone is not yet 16 years old, we will not collect personal data from this person until the consent of their legal guardian in a verifiable format has been received. Upon request, such a legal guardian may inspect the information provided by the child and/or request that this data be erased.

Data security

Roche and its cooperation partners/service providers take reasonable steps to protect Personal Data we access or receive through this website from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Nevertheless, Roche makes no guarantee as to the security of your Personal Data and disclaims, to the fullest extent permitted by law, all liability and damages caused by loss, misuse, and unauthorized access, disclosure, alteration, or destruction. We recommend that you take any available precautions to protect Personal Data you submit on this website.

Links to third-party websites

Our websites also may contain links to third-party websites. We do not endorse and are not responsible for the content of third-party websites or resources, and our privacy notice does not apply to any sites that are not affiliated with Roche, even if you access them via a link on our site. You should review the privacy policies of any third-party site before providing any information.

Rights of the data subject

Right of access

You can request a confirmation from the data controller whether we process personal data about you.

 

If such processing exists, you can request information about the following information from the data controller:

  1. the purposes for which the personal data is processed;
  2. the category of personal data processed;
  3. the recipient or category of recipients to whom the personal data about you have been disclosed or are still being disclosed;
  4. the planned storage duration of the personal data about you or, if providing factual information in this regard is not possible, criteria for determining the storage duration;
  5. the existence of a right to correction or erasure of the personal data about you, a right of limiting the processing by the data controller, or of a right to object to this processing;
  6. the existence of a right to complain to a regulatory authority;
  7. all available information about the origin of the data, if the personal data are not collected from you;
  8. the existence of an automated decision mechanism including profiling according to Art. 22(1) and (4) GDPR and, at least in these cases, useful information about the logic involved, as well as the scope and the intended effects of such processing on the person affected.

 

You do not have the right to request information about whether the personal data about you are transmitted to a third country or to an international organization. In this context, you may request to be notified of the suitable guarantees according to Art. 46 GDPR in the context of the transmission.

Right to correction

You have a right to correction and/or completion vis-a-vis the data controller, to the extent the processed personal data affecting you are incorrect or incomplete. The data controller must perform the correction promptly.

Right to limiting the processing

Under the following conditions, you may request that the processing of the personal data about you be limited:

  1. if you contest the correctness of the personal data about you for a period of time that allows the data controller to review the correctness of the personal data;
  2. the processing is unlawful, and you reject the erasure of the data and instead request that the use of the personal data be limited;
  3. the data controller no longer needs the personal data for the purposes of processing, but you need the data for asserting, exercising or defending legal claims, or
  4. if you have objected to the processing according to Art. 21(1) GDPR and it has not yet been decided whether the data controller’s justified reasons take precedence over your reasons.

 

If the processing of the personal data about you has been limited, these data may only be processed, apart from being stored, with your consent, or for asserting, exercising or defending legal claims, or for protecting the rights of another natural or legal person, or for reasons of a significant public interest of the EU or of a Member State.

 

If the limitation of processing has been restricted according to the above conditions, you will be notified by the data controller before the restriction is removed.

Right to erasure

You may request that the data controller promptly erase the personal data about you, and the data controller is obliged to delete these data promptly if one of the following reasons applies:

  1. the personal data about you are no longer necessary for the purposes for which they were collected or otherwise processed;
  2. you revoke your consent on which the processing was based according to Art. 6(1) lit. a or Art. 9(2) lit. a GDPR, and there is no other legal basis for the processing;
  3. you raise an objection according to Art. 21(1) GDPR against the processing and there are no justified reasons that take precedence for processing, or you object to processing according to Art. 21(2) GDPR.
  4. the personal data about you have been processed unlawfully;
  5. the erasure of the personal data about you is required for complying with a legal obligation according to EU law or the law of the Member States that the data controller is subject to.
  6. the personal data about you have been collected with regard to information society services offered according to Art. 8(1) GDPR.

 

If the data controller has publicly disclosed the personal data about you, and if the former is obliged to the erasure of these data according to Art. 17(1) GDPR; the data controller shall take appropriate measures, including those of a technological nature, taking into account the technology available and the cost of implementation, in order to notify the data processors processing the personal data that you, as the person affected, have requested the erasure of all links to these personal data, or of copies or replicas of these personal data.

 

The right to erasure does not exist to the extent that the processing is necessary

  1. for exercising the rights to freely express an opinion and information;
  2. for complying with a legal obligation requiring the processing according to EU law or the law of the Member States that the data controller is subject to, or for performing a task that lies in the public interest or is performed in the exercise of public authority conferred on the data controller;
  3. for reasons of public interest in the public health sector according to Art. 9(2) litt. h and i as well as Art. 9(3) GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes according to Art. 89(1) GDPR, to the extent that the right mentioned under (1)will probably make the implementation of the goals of this processing impossible, or seriously hamper it, or
  5. for asserting, exercising or defending legal claims.

Right to information

If you have asserted the right to correction, erasure, or limitation of processing vis-a-vis the data controller, the latter is obliged to inform all of the recipients to whom the personal data about you have been disclosed of this correction or erasure of the data or limitation of the processing unless this proves to be impossible or requires unreasonable effort and expense.

 

You have the right vis-a-vis the data controller to be informed of these recipients.

Right to data portability

You have the right to receive the personal data about you that you have provided to the data controller in a structured, commonly used, and machine-readable format. In addition, you have the right to transmit these data to another data controller without being hindered by the data controller to whom the data were provided when doing so, if

  1. the processing is based on consent according to Art. 6(1) lit. a GDPR or Art. 9(2) lit. a GDPR, or on a contract according to Art. 6(1) lit. b GDPR, and
  2. the processing is performed by means of automated processes.

 

While exercising this right, you also have the right to effect that the personal data about you are directly transmitted from one data controller to another data controller to the extent this is technologically feasible. Freedoms and rights of other persons must not be impacted negatively by this.

 

The right to data portability does not apply for processing of personal data required for performing a task that is in the public interest or performed in exercising public authority conferred to the data controller.

Right to object

For reasons arising from your special situation, you have the right at any time to object to the processing of personal data about you, which is performed based on Art. 6(1) lit. e or f GDPR; this also applies to profiling based on these provisions.

 

The data controller will no longer process the personal data about you unless the data controller can document compelling reasons worth protecting for processing that supersede your interests, rights and freedoms, or if the processing is used for asserting, exercising, or defending legal claims.

 

If the personal data about you are processed for direct mail purposes, you have the right to object at any time against the processing of the personal data about you for purposes of such advertising; this also applies to profiling to the extent it is related to such direct mail.

 

If you object to processing for the purposes of direct mail, the personal data about you will no longer be processed for these purposes.

 

In the context of using information society services – notwithstanding Directive 2002/58/EC – you have the option to exercise your right to objection by means of automated processes in which technical specifications are used.

Right to revocation of consent according to data protection law

You have the right to revoke your declaration of consent under data protection law at any time. Revoking the consent does not affect the lawfulness of the processing performed based on the consent up until the time of revocation

Right to complain to a regulatory authority

Notwithstanding another remedy under administrative law or through the courts, you have the right to complain to a regulatory authority, in particular to the State Commissioner for Data Protection and Freedom of Information in the Member State of your residence, your workplace, or the location of the presumed infringement, if you believe that the processing of the personal data about you violates the GDPR.

 

The regulatory authority where the complaint was filed shall notify the complainant about the status and the results of the complaint, including the option of judicial redress according to Art. 78 GDPR.

 

To assert your rights, please contact the following address: Roche Diagnostics GmbH; Sandhofer Straße 116; 68305 Mannheim. The Data Protection Officer may be contacted at the above mentioned address with the addition “Data Protection Officer”.

Your Rights If Your Data is Covered by California Law

If you are a California resident as defined by the California Consumer Privacy Act (CCPA), you can find a description of these rights covered in the California Supplemental Privacy Notice, available at: https://www.roche.com/ccpa-privacy-notice.htm
That privacy notice contains information on how to contact Roche to exercise any of your rights under that law.

 

California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please use the contact information provided in the California Supplementary Privacy Notice.

Recipients of Personal Data

Your Personal Data may be, for the same specific purpose as the ones we process it for, transferred to third parties if this is necessary to perform or fulfil the above mentioned purposes. This applies especially to the transfer to other Roche affiliates, for example if the consultation of specialised experts in necessary who are employed by other Roche affiliates, as well as in cases where you are being forwarded to websites of other Roche affiliates on the Roche DiaLog Portal or if you access content of other Roche affiliates via the support feature. All those organisations are obliged to comply with the requirements of our privacy standards. Moreover in some cases, e.g. in connection with legal disputes, your data may be transferred to specialised service providers (such as consulting agencies and lawyers), and if there is a legal obligation or an obligation by an authority to such authorities or other third parties.

 

A list of Roche’s affiliates is available in the current annual report, which can be found in the Investors section of our website www.roche.com.

 

We have several service providers processing your Personal Data as Processors (Article 28 GDPR), who act on our behalf and according to our instructions. Those are mostly providers of technical services who carry out IT maintenance and support tasks on our behalf, as well as Cloud-providers or business representatives who help us to conduct business transactions, e.g. the provision of customer support, the shipping of marketing information concerning our products, services or offers. Please also note that some recipients are specified at the relevant sections of this Privacy Policy.

 

In case you register directly with one of our service providers or create a user account with them they might collect and process additional data. Roche can not influence that since the processing is performed by the service providers themselves. You can obtain more detailed information regarding data protection in those contexts with the respective service providers.

International Transfers of Your Personal Data

In order to pursue the above mentioned purposes your Personal Data may be transferred to countries within and outside of the European Union (EU), or the European Economic Area (EEA), especially to Switzerland, to the USA, and to India. For some of these countries the EU-Commission has issued an adequacy decision (at the moment for example Switzerland). In the case of an absence of such an adequacy decision (at the moment for example the USA and India), we provide appropriate safeguards: we especially establish the contracts containing the EU Standard Contractual Clauses, if need arises we apply additional measures. You can obtain more detailed information about these safeguards from the Data Protection Officer or on the website of the EU Commission.

Additional information regarding data protection

For additional information about data protection with Roche, especially how Roche processes your Data if you communicate with Roche employees, as well as support with legal terms in respect to data protection please visit the Datenschutz-Informationsportal available at www.roche.de/datenschutz.

Updates to this Privacy Policy

From time to time, we may revise this Privacy Notice. Any such changes to this Privacy Notice will be reflected on this page. Roche recommends that you review this Privacy Notice regularly for any changes.

 

This notice was last updated: December 2022