Data Protection

The Data Controller within the meaning of the General Data Protection Regulation (GDPR), of other data protection laws applicable in the Member States of the European Union, and of other regulations of a data-protection nature is:


Roche Diagnostics GmbH
Sandhofer Straße 116
D-68305 Mannheim


Roche is a global undertaking whose Diagnostics, Diabetes Care, and Pharma business units are active in the production and distribution of a variety of medical products and drugs, as well as related services.

Roche is aware that privacy, and thus the protection of our customers’ personal data, is very important, and the company accords great importance to this. Consequently, Roche has taken the necessary precautions to meet the globally applicable data protection requirements, complying with the provisions of the EU and of Germany, as well as other applicable standards. Your personal data will be processed exclusively within the scope permitted by law, taking into account applicable laws and, in particular, the obligation to maintain transparency.

Name and address of the Data Protection Officer

The Data Protection Officer of the entity responsible for processing is:

Roche Diagnostics GmbH
c/o Datenschutzbeauftragter
Sandhofer Straße 116
D-68305 Mannheim
mannheim.datenschutz@roche.com

Rights of the data subject

Right of access

You can request a confirmation from the data controller whether we process personal data about you.

If such processing exists, you can request the following information from the data controller:

a. the purposes for which the personal data is processed;

b. the category of personal data processed;

c. the recipient or category of recipients to whom the personal data about you have been disclosed or are still being disclosed;

d. the planned storage duration of the personal data about you or, if providing factual information in this regard is not possible, criteria for determining the storage duration;

e. the existence of a right to correction or erasure of the personal data about you, a right of limiting the processing by the data controller, or of a right to object to this processing;

f. the existence of a right to complain to a regulatory authority;

g. all available information about the origin of the data, if the personal data are not collected from you;

h. the existence of an automated decision mechanism including profiling according to Art. 22(1) and (4) GDPR and, at least in these cases, useful information about the logic involved, as well as the scope and the intended effects of such processing on the person affected.

You do not have the right to request information about whether the personal data about you are transmitted to a third country or to an international organization. In this context, you may request to be notified of the suitable guarantees according to Art. 46 GDPR in the context of the transmission.

Right to correction

You have a right to correction and/or completion vis-a-vis the data controller, to the extent the processed personal data affecting you are incorrect or incomplete. The data controller must perform the correction promptly.

Right to limiting the processing

Under the following conditions, you may request that the processing of the personal data about you be limited:

a. if you contest the correctness of the personal data about you for a period of time that allows the data controller to review the correctness of the personal data;

b. the processing is unlawful, and you reject the erasure of the data and instead request that the use of the personal data be limited;

c. the data controller no longer needs the personal data for the purposes of processing, but you need the data for asserting, exercising or defending legal claims, or

d. if you have objected to the processing according to Art. 21(1) GDPR and it has not yet been decided whether the data controller’s justified reasons take precedence over your reasons.

If the processing of the personal data about you has been limited, these data may only be processed, apart from being stored, with your consent, or for asserting, exercising or defending legal claims, or for protecting the rights of another natural or legal person, or for reasons of a significant public interest of the EU or of a Member State.

If processing has been limited according to the above conditions, you will be notified by the data controller before the limitation is removed.

Right to erasure

1. You may request that the data controller promptly erase the personal data about you, and the data controller is obliged to delete these data promptly if one of the following reasons applies:

a. the personal data about you are no longer necessary for the purposes for which they were collected or otherwise processed;

b. you revoke your consent on which the processing was based according to Art. 6(1) lit. a or Art. 9(2) lit. a GDPR, and there is no other legal basis for the processing;

c. you raise an objection according to Art. 21(1) GDPR against the processing and there are no justified reasons that take precedence for processing, or you object to processing according to Art. 21(2) GDPR;

d. the personal data about you have been processed unlawfully;

e. the erasure of the personal data about you is required for complying with a legal obligation according to EU law or the law of the Member States that the data controller is subject to;

f. the personal data about you have been collected with regard to information society services offered according to Art. 8(1) GDPR.

2. If the data controller has publicly disclosed the personal data about you and is obliged to erase these data according to Art. 17(1) GDPR, the data controller shall take appropriate measures, including those of a technological nature, taking into account the technology available and the cost of implementation, in order to notify the data processors processing the personal data that you, as the person affected, have requested the erasure of all links to these personal data, or of copies or replicas of these personal data.

3. The right to erasure does not exist to the extent that the processing is necessary

a. for exercising the rights to freely express an opinion and information;

b. for complying with a legal obligation requiring the processing according to EU law or the law of the Member States that the data controller is subject to, or for performing a task that lies in the public interest or is performed in the exercise of public authority conferred on the data controller;

c. for reasons of public interest in the public health sector according to Art. 9(2) lit. h and i as well as Art. 9(3) GDPR;

d. for archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes according to Art. 89(1) GDPR, to the extent that the right mentioned under (1) will probably make the implementation of the goals of this processing impossible, or seriously hamper it, or

e. for asserting, exercising or defending legal claims.

Right to information

If you have asserted the right to correction, erasure, or limitation of processing vis-a-vis the data controller, the latter is obliged to inform all of the recipients to whom the personal data about you have been disclosed of this correction or erasure of the data or limitation of the processing unless this proves to be impossible or requires unreasonable effort and expense.

You have the right vis-a-vis the data controller to be informed of these recipients.

Right to data portability

You have the right to receive the personal data about you that you have provided to the data controller in a structured, commonly used, and machine-readable format. In addition, you have the right to transmit these data to another data controller without being hindered by the data controller to whom the data were provided when doing so, if

a. the processing is based on consent according to Art. 6(1) lit. a GDPR or Art. 9(2) lit. a GDPR, or on a contract according to Art. 6(1) lit. b GDPR, and

b. the processing is performed by means of automated processes.

When exercising this right, you also have the right to have the personal data about you transmitted directly from one data controller to another data controller, to the extent this is technologically feasible. Freedoms and rights of other persons must not be impacted negatively by this.

The right to data portability does not apply for processing of personal data required for performing a task that is in the public interest or performed in exercising public authority conferred to the data controller.

Right to object

For reasons arising from your special situation, you have the right at any time to object to the processing of personal data about you, which is performed based on Art. 6(1) lit. e or f GDPR; this also applies to profiling based on these provisions.

The data controller will no longer process the personal data about you unless the data controller can document compelling reasons worth protecting for processing that supersede your interests, rights and freedoms, or if the processing is used for asserting, exercising, or defending legal claims.

If the personal data about you are processed for direct mail purposes, you have the right to object at any time against the processing of the personal data about you for purposes of such advertising; this also applies to profiling to the extent it is related to such direct mail.

If you object to processing for the purposes of direct mail, the personal data about you will no longer be processed for these purposes.

In the context of using information society services – notwithstanding Directive 2002/58/EC – you have the option to exercise your right to objection by means of automated processes in which technical specifications are used.

Right to revocation of consent according to data protection law

You have the right to revoke your declaration of consent under data protection law at any time. Revoking the consent does not affect the lawfulness of the processing performed based on the consent up until the time of revocation.

Automated decisions in individual cases, including profiling

You have the right not to be subjected to a decision based exclusively on automated processing, including profiling, that has a legal effect for you, or otherwise significantly impacts you negatively in a similar manner. This does not apply if the decision

a. is necessary for entering or performing a contract between you and the data controller;

b. is admissible based on legal regulations of the EU or the Member States that the data controller is subject to, and these legal regulations include appropriate measures for guarding your rights and freedoms, as well as your justified interests, or

c. is made with your express consent.

However, these decisions must not be based on special categories of personal data according to Art. 9(1) GDPR, unless Art. 9(2) lit. a or g applies and appropriate measures for guarding your rights and freedoms as well as your justified interests have been taken.

With regard to the cases listed in a. and c., the data controller will take appropriate measures to guard the rights and freedoms, as well as your justified interests, which include, at a minimum, the right to have a person from the data controller intervene, to present your own position, and to appeal the decision.

Right to complain to a regulatory authority

Notwithstanding another remedy under administrative law or through the courts, you have the right to complain to a regulatory authority, in particular in the Member State of your residence, your workplace, or the location of the presumed infringement, if you believe that the processing of the personal data about you violates the GDPR.

The regulatory authority where the complaint was filed shall notify the complainant about the status and the results of the complaint, including the option of judicial redress according to Art. 78 GDPR.

Legal basis for processing

To the extent we request a consent from the person affected for the processing of personal data, Article 6(1) lit. a of the EU General Data Protection Regulation (GDPR) is the legal basis.

When the processing of personal data is necessary for performing a contract to which the person affected is a contractual party, Article 6(1) lit. b GDPR shall be the legal basis. This also applies to processing operations necessary for performing pre-contractual measures.

To the extent processing of personal data is necessary for performing a legal obligation our company is subject to, Article 6(1) lit. c GDPR shall be the legal basis.

In a case where vital interests of the person affected or another natural person require processing of personal data, Article 6(1) lit. d GDPR shall be the legal basis.

If the processing is necessary for protecting a justified interest of our company or of a third party, and if the interests, fundamental rights and freedoms of the affected person do not have precedence over the interest mentioned first, Article 6(1) lit. f GDPR shall be the legal basis for processing. Our company’s justified interest lies in performing our business activities.

Information on the processing of personal data in the context of newsletter registration

In the context of registering and mailing our newsletter, Roche will process your personal data (email address), provided you have given us your express consent in each case (Art. 6(1) lit. a).

The data for the purpose mentioned above is provided voluntarily. If you do not provide the data, we will not be able to register you for the newsletter or mail it to you, as this is not possible without your consent to the processing of your personal data.

In addition, Roche processes your data in the context of tracking, in order to be able to provide you with a better service offering. We primarily use these data to find out which topics you are interested in by tracing whether our newsletters are opened, and which links in them you click on. Newsletter tracking is performed by using cookies.

Your data will be stored in our systems for as long as it is necessary for mailing the newsletter, and you have not revoked your consent to the processing of your data for this purpose.

Automatically collected information

Certain types of information are collected automatically by us whenever you communicate with us via our websites, as well as in the context of emails sent to each other. The automated processes we use may include, e.g., logging by webservers or IP addresses, cookies, and web beacons.

Webserver logs / IP addresses

An IP address is a number assigned to your computer for accessing the Internet. On the Internet, each computer is identified by means of an IP address; this allows computers and servers to recognize each other on the network and to communicate with each other. Roche collects IP addresses for purposes of system administration, in order to supply group companies, business partners and/or suppliers with statistics, for analyzing websites, and for reviewing the performance of a website.

Cookies

Roche’s Internet pages use cookies. A cookie is an entry that is made automatically on your computer’s hard drive when you access specific websites. Cookies allow the server to uniquely recognize your browser. Cookies enable us to store information on the server that can be used to make visiting websites more convenient for you, and they allow analyzing sites and reviewing the performance of a website.

Most web browsers are set to accept cookies by default. But you can also change the settings of your browser to reject all cookies, or to show you when a cookie is to be placed. However, please note that some areas of our sites may not function properly if you reject cookies.

Web beacons

On certain websites and in emails, Roche can use a popular Internet technology called “web beacon” (aka “action tag” or “clear GIF” technology). Web beacons help analyze the effectiveness of websites by measuring, e.g., how many visitors access a site, or how many visitors click on important parts of a site.

Web beacons, cookies and other technologies for tracking per se do not collect personal information about you. It is not until you voluntarily provide such information that identifies you personally, e.g., by registering or sending emails, that these automated processes can be used to collect personal information about your use of the websites and/or interactive emails in order to design these to be more useful to you.

Services

On certain Roche websites, services (e.g., Google Maps) may be offered that are based on third-party applications and content tools. These third parties may automatically receive certain information contents if you communicate with us via our websites using such third-party applications and tools.

Forwarding and transmitting data

The publisher forwards certain data about you to various external undertakings or agents that are charged with performing technical maintenance, or work on our behalf, helping us perform business transactions; e.g., by providing customer service, mailing the Newsletter and offers. We may also forward personal data to our subsidiaries and group companies. All of these undertakings and agents are obliged to comply with the provisions of our data protection guidelines.

Entities that are involved in processing personal data from Future X Healthcare (https://fxh2019.com):

  • Roche Diagnostics GmbH, Sandhofer Straße 116, D-68305 Mannheim
  • For the technical website support: BSKOM GmbH, Herzogspitalstraße 5, D-80331 München
  • For hosting the website: Flywheel (www.getflywheel.com)
  • For anonymized website tracking: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • For mailing the newsletter: BSKOM GmbH, Herzogspitalstraße 5, D-80331 München

External service providers

Google Analytics

This website uses Google Analytics, a web analysis service from Google Inc. (“Google”). The supplier is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics uses so-called “cookies”, text files that are saved on your computer and allow analyzing your use of the website. The information about your use of the website generated by the cookie is generally transmitted to a Google server in the USA and stored there. If IP anonymization is activated on this webpage, Google will, however, first abbreviate your IP address within Member States of the European Union or in other contractual states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and abbreviated there.

On behalf of the operator of this website, Google will use this information for analyzing your use of the website, compile reports on the website activities, and provide additional services related to the use of the website and the Internet to the website operator. The IP address transmitted in the context of Google Analytics by your browser will not be merged with other Google data.

You can prevent cookies from being saved by a corresponding setting in your browser software; we would, however, like to point out that you may not be able to use all of the functions of this website. In addition, you can prevent the collection of the data related to your use of this website (including your IP address) generated by the cookie by downloading and installing the browser plugin available at the following link (http://tools.google.com/dlpage/gaoptout?hl=de).

You can prevent collection by means of Google Analytics by clicking on the following link. This will set an opt-out cookie that prevents future collection of your data when you visit this website: Deactivate Google Analytics. This alternative is particularly suitable for mobile consumer devices. If you select this, do not delete the opt-out cookie. Otherwise you will lose the protection provided by this opt-out cookie until you install it again.

You can find more detailed information on the conditions for use and data protection at http://www.google.com/analytics/terms/de.html and http://www.google.com/intl/de/analytics/privacyoverview.html. We would like to point out that Google Analytics has been expanded with the code “anonymizeIp” on this webpage in order to guarantee anonymized collection of IP addresses (so-called IP masking).

We also use Google Analytics for analyzing data from AdWords for statistical purposes. If you do not want this, you can deactivate it via the ad settings manager (//www.google.com/settings/ads).

Storage of the data by Google Analytics is limited to 14 months, and they will be deleted at the end of this period.

Data protection declaration regarding children

Our website is intended for an adult audience. If we learn that someone is not yet 16 years old, we will not collect personal data from this person until the consent of their legal guardian in a verifiable format has been received. Upon request, such a legal guardian may inspect the information provided by the child and/or request that this data be erased.