This Privacy Notice is addressed to:
Novo Nordisk Limited is required by law to protect your personal data. This Notice explains how we process (e.g. collect, use, store, and share) your personal data. We will process any personal data about you in accordance with this Notice and with applicable law.
1. WHO ARE WE?
The company responsible for processing your personal data is:
Novo Nordisk Limited
3 City Place, Beehive Ring Road
Gatwick, West Sussex
Registration number 1118740
You can always contact Novo Nordisk Limited or the UK Novo Nordisk Data Privacy Officer or UK Data Protection Responsible at email@example.com with questions or concerns about how we process your personal data.
2. HOW DO WE COLLECT PERSONAL DATA ABOUT YOU?
We get your personal data from the following sources:
3. WHY DO WE PROCESS YOUR PERSONAL DATA?
We process personal data about you for the following purposes:
4. WHAT PERSONAL DATA DO WE PROCESS ABOUT YOU?
For the purposes described above in Section 3, we may process the following types of personal data:
If you intend to provide us with personal data about other individuals (e.g. your colleagues), you must provide a copy of this Privacy Notice to the relevant individuals, directly or through your employer.
5. WHY ARE WE ALLOWED BY LAW TO PROCESS YOUR PERSONAL DATA?
Personal data are collected only to the extent required. Under no circumstances are the collected data sold on to third parties for any reason.
We will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if:
Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ are data processing activities performed:
6. HOW DO WE SHARE YOUR PERSONAL DATA?
We will not sell, share, or otherwise transfer your personal data to third parties other than those indicated in this Privacy Notice.
In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by or transferred to the following categories of recipients on a need to know basis to achieve such purposes:
7. WHEN DO WE TRANSFER YOUR PERSONAL DATA OUTSIDE THE EU/EAA?
The personal data we collect from you may also be processed, accessed or stored in a country outside the UK, which may not offer the same level of protection of personal data.
If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data by (i) applying the level of protection required under the local data protection/privacy laws applicable to the UK, (ii) acting in accordance with our policies and standards and, (iii) for entities located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the "EEA"), unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out in Section 9 below. For transfer to external companies based in United States of America, we ensure the EU-US Privacy Shield Framework for transfers to Privacy Shield-certified and US-based companies and organisations will apply. More information and a list of Privacy Shield-certified companies and organisations are available at https://www.privacyshield.gov/welcome. For intra-group transfers of personal data, the Novo Nordisk Group has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection relating to transfers of personal data outside the EEA and Switzerland. Read more about the Novo Nordisk Binding Corporate Rules https://www.novonordisk.com/about-novo-nordisk/corporate-governance/personal-data-protection.html.
8. HOW LONG WILL WE KEEP YOUR PERSONAL DATA?
We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.
The retention period is the term of your (or your company’s) supply or service contract, plus the period of time until the legal claims under this contract become time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period. When this period expires, your personal data is removed from our active systems.
Personal data collected and processed in the context of a dispute are deleted or archived (i) as soon as an amicable settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time barred.
9. WHAT ARE YOUR RIGHTS?
In general, you have the following rights:
Under applicable law, there may be limits on these rights depending on the specific circumstances of the processing activity. Contact us as described in Section 1 with questions or requests relating to these rights.