Effective Date: November 30th, 2020
Roche Diabetes Care GmbH (“Roche” or “us”, “our”, “we”) recognizes the importance of data protection and privacy and is committed to protecting personal data, including health-related data. This Privacy Notice describes how the personal data you provide to us about you and your colleagues at the healthcare center (“Healthcare Center”) is processed and used by Roche through the Roche Diabetes Care Platform (the “Platform”). For the avoidance of doubt, personal data of your patients is not addressed by this Privacy Notice, as we either process such data on your behalf pursuant to the Data Processing Agreement (“DPA”) or have a direct, consent-based relationship with the patient.
Please read this Privacy Notice carefully before creating a Platform account as it applies to your use of the Platform and to the processing, transfer and storage of the personal data you provide to us. Certain of our affiliated companies may have access to personal data if required to resolve a customer service issue you may have with Platform.
This Privacy Notice only applies to the use of the Platform. This Privacy Notice does not apply to personal data collected through the use of other websites controlled by other Roche affiliates or subsidiaries or via other methods, such as other Roche websites, other Roche customer call centers, or use of SmartPix Desktop Software. Other privacy policies may apply to the personal data processed or collected through these methods.
- About Us and Controller Information
Roche Diabetes Care GmbH, Sandhofer Strasse 116, 68305 Mannheim/Germany, is the responsible entity under the data protection regulations for all data processing activities on the Platform that are not in scope of the DPA.
We differentiate as follows. Roche is data controller only:
- where processing is necessary for the performance of the Platform contract with you and/or analysis of the performance of the Platform and where no patient personal data is involved;
- where we contact you for marketing purposes, with your consent, e.g. by email, notifications etc. Here too you may use the products without consent but with your consent you will receive personalized information on our products;
- where we use data for other purposes set out explicitly in this Privacy Notice (see Use of Personal Data for product improvement purposes and Use of Personal Data for statutory purposes).
- Personal Data Categories
As controller, we collect and process the following personal data when you use the Platform:
- personal data you submit when creating a Platform account as an HCP (either independently or in response to an invitation from a health care professional in your Healthcare Center), which may include your name, date of birth (optional), mobile phone number (optional), email address, and the name and ID of your healthcare organization and address;
- the email addresses of other health care professionals in your Healthcare Center, where you invite them to join the Platform; and
- personal data relating to your use of the Platform.
- Use of Personal Data to perform our contract
Roche will use the personal data collected via the Platform to provide you with a Platform account, including:
- to enable you to open and log into the Platform account
- to enable you to set up and manage a Healthcare Center through your Platform account, manage your patient personal data therein and instruct us how to process your patient personal data within the functionality of the Platform and in accordance with the user documentation
- to provide user support and fix technical issues as well as user handling issues with the Platform, including where we contact you regarding important product or performance issues, or where we respond to your questions or respond to your request for support, troubleshooting or any performance issues; and
- to handle and invoice for optional subscriptions such as the Premium Service, if you subscribe.
The legal basis for this is Article 6 (1) point (b) GDPR (performance of a contract).
- Use of Personal Data with your consent
We would like to send you interesting information on products and services in addition to the contractual scope (including information from carefully selected partners) and invitations to participate in surveys or other sales promotions and marketing activities (“Newsletter”).
You can select whether you want to subscribe to our Newsletter (opt in). You can revoke your consent at any time via the link in the Newsletter or the account settings.
Other consents (if needed), e.g. for surveys, notifications, or customized offers, are obtained as required when you are logged in. We always explain to you why we need certain data and also how you can revoke the consent.
Please be aware that we may show you offers within the Platform without processing your personal data. You will also see these non-customized advertisements if you have not provided your consent.
The legal basis for this processing is Article 6 (1) point (a) GDPR (consent). Unless we inform you otherwise in a specific case, the provision of our services does not depend on your consent. You may manage and withdraw any consent granted in your account settings, with effect for the future.
- Use of Personal Data for product improvement purposes
As a result of fast-moving technological progress, we have to continually analyze, develop, test, and improve our products and their interactions, in order to ensure that our content benefits users in the most effective way. To achieve this, we conduct usage and security tests and the knowledge gained is incorporated into improved new versions of the Platform. These improvements are provided to you via regular updates.
Therefore, we also process your personal data to better understand how you interact with and use the Platform, including its functionality and features and key performance indicators, including contacting you in order to obtain further information about you and your use of the Platform.
The legal basis for this processing is Article 6 (1) point (f) GDPR (legitimate interest). You may opt out of this use at any time and we will then only process anonymous data in this respect.
- Use of Personal Data for statutory purposes
Roche must use personal data where legally required and where possible we will de-identify, pseudonymize, aggregate and/or anonymize information to comply with our legal obligations as a medical device manufacturer. This data is securely held by Roche and will not be used to identify you individually by your name, mobile phone number or email address, except where we are under a legal obligation to include this data.
The legal requirements for which Roche will use this data are:
- to monitor and improve the quality, security and effectiveness of medical devices and systems as part of the vigilance monitoring;
- to validate upgrades, and to keep the Platform safe and secure; and
- where otherwise required by law, including to respond to any competent regulatory, law enforcement body, governmental authorities, to address national security or epidemics, judicial proceeding, court order, government request or legal process served on us, or to protect the safety, rights, or property of our customers, the public, Roche or others, and to exercise, establish or defend Roche’s legal rights or where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Privacy Notice, or as evidence in litigation in which we are involved.
The legal basis for this is Article 6 (1) point (c) GDPR (legal obligation) or Article 9 (2) point (i) GDPR (reasons of public interest in the area of public health).
- Data Storage
Roche uses Amazon Web Services, Inc. (AWS) to host your Platform accounts in the cloud. The servers that host Platform accounts may be located in North America, Europe, and Asia. If you reside in a member country of the European Union (EU), your personal data will be stored on servers within the territory of the European Union. The personal data you upload to your Platform account will be stored in the region closest to your country of residence or otherwise in accordance with the data storage and privacy requirements of your selected country/region. When your personal data is hosted in a country other than the country you selected, it may become subject to the laws of the host country, which may not be equivalent to the laws of the country you selected. Roche has implemented appropriate security measures and controls to protect your personal data.
- Retention of Personal Data
Roche will continue to store personal data associated with your Platform account while you have an active account. Your Platform account will be considered to be inactive once there has been no activity on it for six (6) months. If your Platform account is considered inactive, all personal data associated with that account will be deleted through anonymization. Consequently the personal data you uploaded to your account will then be permanently and irrevocably deleted, subject to compliance with applicable law. The deletion of your Platform account will not have an impact on any individual user account (e.g. on mySugr app) created by any of your patients separately. We will notify you in advance by sending an email to the email address associated with your Platform account so that you have an opportunity to ensure your account stays current and available for your use.
- Disclosure of Personal Data by Us
Our products are subject to complex processes that we have to manage and keep up-to-date. For technical support we therefore use affiliated companies of the Roche Group – F. Hoffmann-La Roche Ltd. – and third-party suppliers (“Processors”) in order to offer you a comprehensive and optimal use of our products.
Our Processors are bound by the data processing agreements signed with us as well as by the GDPR and only process data according to our instructions. We transfer personal data to Processors exclusively within the framework of this privacy notice and only to fulfill the purposes stated in it. Processors work according to our specifications and instructions; they are not permitted to use the personal data of our users for their own or other purposes.
We use Processors offering sufficient guarantees that suitable technical and organizational measures are undertaken in a way that the processing of personal data complies with the statutory requirements and our privacy notice. The transfer of data to our Processors and service providers is protected by guarantees such as adequacy decisions, certifications or EU standard contractual clauses. A copy of such guarantees or information on these can be requested from firstname.lastname@example.org. The protection of the rights of our users is ensured by concluding binding contracts that meet the strict requirements of GDPR.
The third-party suppliers appointed by us may only use other processors (subcontractors) with our prior consent. If a subcontractor does not comply with the same data protection obligations and all of the appropriate security measures that we impose on our Processors, then we will prohibit the hiring of such a subcontractor.
We provide personal data - if and to the extent necessary - only to fulfill the contract to the following categories of recipients:
- Manufacturers and suppliers require personal data to handle orders for goods. A typical example is the delivery of a blood glucose meter and test strips to you as part of a bundle.
- Bookkeeping and payment service providers support us in the ongoing billing of our chargeable products and services, such as the Premium Service.
- Customer support services and their tools help our customer support to quickly and efficiently handle our users’ inquiries. Here, for example, queries are recorded from various communication channels and grouped according to topics using ticket systems.
- Analysis service providers and their tools help us to understand how users use our products in order for us to provide customized communication and product improvements in the future.
- Marketing service providers support us in creating, sorting, customizing, and sending newsletters, emails, and other messages about our products.
- Hosting and cloud services and their tools are used to store data and to produce anonymized analyses.
Finally please note that you have the option to directly share certain data with a third party from within our products. This relates, for example, to reports generated in the Platform and communication with your patient. You are solely responsible for such data sharing.
- Security of Your Personal Data
We have implemented administrative, technical and physical safeguards to protect personal data, including health-related information, from unauthorized or unlawful access, accidental loss, destruction, damage, misuse, disclosure and alteration, including the use of cryptographic technologies. Roche restricts access to personal data by its employees on a need to know basis. Personal data including health-related information may only be accessed by duly authorized personnel.
For controllers residing in the EU/EEA: Our processing activities are governed by the DPA in accordance with Article 28 (3) GDPR.
Part of the Platform solution might include Universal Serial Bus (USB), Near Field Communication (NFC) and Bluetooth technologies. USB, NFC and Bluetooth are secure means of transferring information from the devices to the Platform. USB connects the device directly to the personal computer. NFC has the added level of protection by requiring very close physical proximity. Bluetooth connections are encrypted.
You are responsible for protecting against unauthorized access to your Platform account including the Healthcare Center and patient profiles. We recommend securing access to Platform and thereby your Healthcare Center and patient profile by always logging out, choosing a robust password for your Platform account that nobody else knows or can easily guess, implementing security settings on your mobile device or computer such as a password to access it, keeping your device locked when not in use and keeping your account information and password private. Roche is not responsible for any lost, stolen or compromised passwords or for any activity on your Platform account from unauthorized users where caused by you. If you think your Platform account has been compromised, please contact us as soon as you are able at email@example.com.
- How HCPs Can Access and Correct Personal Data and Your Rights
You may correct your Platform account data (your name, date of birth, email address, phone number and language) through the Platform account settings which can be accessed through Platform. We are not able to correct or amend any data uploaded from a device by you or your patients, but we will assist you with deleting your Platform account and creating a new one so that you can reload the correct information.
You have the right to: (a) access the personal data we hold about you; (b) request we correct any inaccurate personal data we hold about you; (c) delete any personal data we hold about you; (d) restrict or cease the processing of personal data we hold about you; (e) object to the processing of personal data we hold about you; and/or (f) receive any personal data you have provided to us on the basis of your consent in a structured and commonly used machine-readable format or have such personal data transmitted to another company by using the export function in your Platform account, where accessible. Please note that Roche is not required by law to adopt or maintain systems that are technically compatible with other companies. It may not be possible for Roche to directly transmit your personal data to another company.
Your patients may also have these rights in relation to the personal data held about them through the Platform. Roche will provide reasonable assistance and cooperation in assisting you to respond to any request by your patient to exercise their rights.
- Third Party Links on Platform
Platform may contain links to third-party websites, which will be clearly marked. Any access to and use of such linked websites is not governed by this Privacy Notice, but instead is governed by the privacy notices of those third-party websites. We are not responsible for the information of such clearly marked third-party websites.
- Contact Us
Our data protection officer is available to answer all data protection questions at firstname.lastname@example.org. The data protection officer monitors, independently and not bound by instructions, compliance with all data protection regulations and is subject to strict statutory secrecy and confidentiality obligations.
The data protection officer is widely involved in all questions associated with protecting the personal data of our users. As a trained expert, he monitors our processing on an ongoing basis, informs and regularly advises the entire Roche team in order to ensure the best possible protection of your personal data.
- Changes to this Privacy Notice
If we make material changes to our Privacy Notice, an updated version of this Privacy Notice will reflect those changes. You will be alerted to updates to this Privacy Notice by email or when you next log into Platform. You will be notified if there is a new version of this Privacy Notice and - if necessary - will be prompted to read and accept it so that you can continue to access and use your Platform account via Platform.
Without prejudice to your rights under applicable law, we reserve the right to update and amend this Privacy Notice without prior notice to reflect technological advancements, legal and regulatory changes, and good business to the extent that it does not change materially your rights as set out in this Privacy Notice.
If you do not agree to the changes to this Privacy Notice, you should delete your Platform account by logging into your account and using the delete account functionality.
- COUNTRY SPECIFIC PROVISIONS
EU/EEA
Without prejudice to any other administrative or judicial remedy, you have the right to file a complaint with a supervisory authority, in particular in the Member State in which you are resident, your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you is in breach of the GDPR. The supervisory authority will inform the complainant of the status and the results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.
In accordance with HIPAA, any use or disclosure of protected health information by Roche or any subcontractor will be governed by the respective service agreement and a Business Associate Agreement executed between you and Roche.
Your Rights If Your Data is Covered by California Law
If you are a California resident as defined by the California Consumer Privacy Act (CCPA), you can find a description of these rights covered in the California Supplemental Privacy Notice. That privacy notice contains information on how to contact Roche to exercise any of your rights under that law.
California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please use the contact information provided in the California Supplemental Privacy Notice.