Privacy notice for Roche Diabetes Care
Covering customers, end users of digital solutions and website visitors

(Last updated: 12 March 2024)

1. When we engage with you as a customer or prospective customer
2. When you use our digital solutions
3. When you visit our websites and/or interact with us as customer or prospective customer and/or use our digital solutions
4. Recipients of your Personal Data
5. International Transfers of Your Personal Data
6. Information About Your Rights Regarding Your Personal Data
7. Updates to This Privacy Notice
8. Country Specific Section

This notice provides information on our activities (column “what we do” and then one activity per row), the categories of information collected for each activity (column “what we collect”), as well as the legal basis of processing for each of them (column “why we do it”) including for processing health information (column “if you are a patient”), and the retention period for the data (column “how long”).

Our activities are aimed at an adult audience; if we learn that someone has not yet reached the legal age for valid processing, we will not collect any personal data from that person until their legal representative has given their consent in a verifiable form.


1. When we engage with you as a customer or prospective customer

The controller is Roche Diagnostics International AG, Basel Branch Diabetes Care - Grenzacherstrasse 124, 4058 Basel, Switzerland, acting as the parent company of affiliates engaged in the diabetes care business unit. The local affiliate in your country of residency will be considered a joint controller unless indicated otherwise (more information about Roche’s affiliate in your country of residency is available at your local Accu-Chek website). The EU representative is Roche Privacy GmbH, Emil-Barell-Str. 1, D-79639 Grenzach-Wyhlen, [email protected].

Primary use: providing our products and services

i. Answer requests

What we do:
  • Support, cases and non-regulatory complaints
  • Feedback via phone, emails, social media, etc.
  • Free samples or maintenance requests
  • Product returns
  • Trainings
What we collect: Your contact information (such as name, mailing address, telephone number, job title), your interests and preferences (such as products or areas of interest), and other information provided.
Why we do it: We collect this information for our legitimate business interests to answer customers’ and prospective customers’ requests.
If you are a patient: Your health status may be revealed, so we will need your explicit consent to use your data. We cannot provide the services without consent to this use of your data.
How long: Unless local specifics apply or we need to retain data for another purpose, we would keep it for the time within which proceedings may be brought.

ii. Contract

What we do:
  • Manage subscriptions
  • Complete transactions
  • Deliver product/service
  • Order fulfilment
  • Transactional messages
  • Activate warranties
What we collect: Your contact information as well as a history of your previous transactions with us (such as order history, customer account information), and information on prescriptions.
Why we do it: We use this information to perform our agreement with you.
How long: Unless local specifics apply or we need to retain data for another purpose, we would keep it for the time within which proceedings may be brought.

iii. Unique customer ID

What we do:
  • Better identification
  • Avoid duplication
  • Avoid inconsistent data
  LOGIC: We use an algorithm which merges records that present sufficient similarities.
What we collect: Your identity and contact details as well as your status as a professional or individual, and address verification data.
  SOURCES: We use an address verification service to obtain a GPS location.
Why we do it: We collect this information for our legitimate business interests to optimise data management.
How long: As long as we retain your data for the purposes mentioned in this section.

Secondary use: improving our products and services

iv. Internal training

What we do: Review and analyse our interactions with you to understand what we can improve.
What we collect: Call recordings associated with your phone number.
Why we do it: We will collect and process this information if you agree to this activity. You can refuse without impacting services.
If you are a patient: Your health status may be revealed, so we will ask your explicit consent to use your data. You can refuse without impacting services.
How long: Unless local specifics apply or we need to retain data for another purpose, 90 days after the recording.

v. Marketing

What we do:
  • Newsletters
  • Customer surveys
  • Marketing emails that may be adapted to your interests
  • Organization of webinars or events
What we collect: Your identity and contact details as well as your status as a professional or individual.
Why we do it: We will collect and process this information if you agree to this activity. You can refuse without impacting services. If you are a professional, we may rely on our legitimate interest to reach out.
How long: Unless local specifics apply or we need to retain data for another purpose, as long as we maintain interactions with you and a few years after the last contact (to resume interactions if you wish so).

vi. Patient program

What we do:
  • Register you to the program you select
  • Evaluate your needs as informed by you
  • Provide support during the duration of the program by providing personalised contents
  (Patients only)
What we collect: Information about your contact and product preferences, languages, marketing preferences, health and demographic data.
Why we do it: We will collect and process this information if you agree to this activity. You can refuse without impacting services.
How long: Unless local specifics apply or we need to retain data for another purpose, as long as we maintain interactions with you and a few years after the end of the program (to re-enlist you if you wish so).

vii. Complaint

What we do:
  • Keep track of and report incidents
  • Retain archives for regulatory purposes
  • Monitoring of our social media pages
What we collect: Any personal data provided to Roche related to adverse events or issues related to services / products.
Why we do it: We collect your information to comply with our legal obligations and may be required to report the data to regulatory authorities.
If you are a patient: This information includes health data by nature, which will only be processed to the extent we have a legal obligation to do so.
How long: Unless local specifics apply or we need to retain data for another purpose, we would keep it for the time within which proceedings may be brought or in line with regulatory obligations.

viii. Business intelligence

What we do:
  • Run reports on our activities
  • Improve and administer our business
  • Reporting as required by law, e.g. on complaint handling in relation to our medical devices
What we collect: Same data as mentioned above.
Why we do it: Business intelligence is for our legitimate interest in understanding how we are doing.
How long: See the retention period mentioned above for each concerned activity.

ix. Social media

What we do:
  • Animation of our pages
  • Social listening of publicly posted information, which is used in an aggregated form to create insights
  • Targeted advertising via social media to persons who subscribed to our pages or other audiences (for example based on your interests, age or country)
What we collect: Any information you make public online, which will however generally be used in a pseudonymised, anonymous, or aggregated way.
Why we do it: We collect this information for our legitimate business interests to understand and reach out to our audience on social media. We may be joint controllers with the social media company hosting our page; please see their respective policies: Facebook; Instagram; LinkedIn; YouTube.
If you are a patient: This processing will only use sensitive information that you have manifestly chosen to disclose publicly for anyone to see. We will not target individuals based on their health status.
How long: Unless local specifics apply or we need to retain data for another purpose, we do not retain social listening or targeted advertising data after the insights are obtained / the campaign is realised.

2. When you use our digital solutions

The data controller is Roche Diabetes Care GmbH, Sandhofer Strasse 116, 68305 Mannheim/Germany as the manufacturer of these applications and software. mySugr GmbH, Trattnerhof 1/5 OG, 1010 Vienna/Austria also acts as data controller in relation to data processed by the mySugr app and in the Roche Diabetes Care apps and professional software.

Primary use: providing our products and services

A. Diabetes solutions

What we do: Provide services and functionalities in accordance with the specific user manuals, terms and conditions and privacy notice applicable to the solution. Please refer to such documents for more details.
What we collect: Profile data; commercial and activity data. For patients, medical data including therapy and diagnostic data as inputted manually or sent by your medical devices (BGM, CGM, pump, connected pen), and technical data of your medical devices. A smartphone identifier is collected as strictly required to send push notifications if you have requested them.
Why we do it: We use this information to perform our agreement with you. If you are a patient and we provide services to your doctor, we process your data as instructed by your doctor; therefore control lies with such professional users.
If you are a patient: This information includes health data by nature and we will need your explicit consent to use your data. We cannot provide the services you request without your consent to this use of your data. When we process your data as instructed by your doctor, he is responsible for ensuring he is entitled to use your data.
How long: As indicated in the privacy notice applicable to the concerned solution.

B. Allow data sharing

What we do: Organise the sharing of health data across solutions and with professional electronic health records, always in accordance with your preferences.
What we collect: Data uploaded or inputted by you in the solution will be available to the recipients you designate, who may also download it.
Why we do it: We use this information to perform our agreement with you.
If you are a patient: Data sharing with third parties happens upon request from you, therefore only if you agree to this activity. We cannot share data without your consent.
How long: Until you deactivate data sharing.

C. Ancillary services

What we do:
  • Deliveries, including to a patient as requested by his doctor
  • Invoice use of the tool or related services
  • Other services you request
What we collect: If needed, we may process the data mentioned above to the extent needed under section 1 on customers.
Why we do it: See section 1 on customers. If you are a patient and we provide services to your doctor, we process your data as instructed by your doctor; therefore control lies with such professional users.
If you are a patient: See section 1 on customers. When we process your data as instructed by your doctor, he is responsible for ensuring he is entitled to use your data.
How long: See section 1.

Secondary use: improving healthcare (statistics / research)

D. Performance reports

What we do: Issue aggregated reports for internal use or for our professional users to understand how our digital solutions are used and perform, e.g. number of active users, time in range, etc.
What we collect: Aggregated user data contained in or generated by use of digital solutions.
Why we do it: We rely on our legitimate interest to analyse and improve the service. If you are a patient and we provide services to your doctor, we process your data as instructed by your doctor; therefore control lies with such professional users.
If you are a patient: We will use data in an aggregated (hence anonymous) form. When we process your data as instructed by your doctor, he is responsible for ensuring he is entitled to use your data.
How long: Without time limitation, in an anonymous and/or aggregated form.

E. Medical research and innovation

What we do:
  • Replicate de-identified data in dedicated databases (anonymous or pseudonymous)
  • Population insights & scientific research
  • Algorithms / product development
  • Product evaluation & real world evidence
  (Patients only)
What we collect: De-identified user data (anonymous or pseudonymous) contained in the digital health applications and software or generated by its use.
Why we do it: We anonymise this information as instructed by healthcare professionals. We will pseudonymise this information if you agree to this activity. You can refuse without impacting services.
If you are a patient: We will process data used by healthcare professionals in an anonymous form. When pseudonymous data is used, it includes health data by nature, so we will ask your explicit consent to product improvement. You can refuse without impacting services.
How long: Without time limitation in an anonymous form; until you revoke your consent in a pseudonymous form.

3. When you visit our websites and/or interact with us as customer or prospective customer and/or use our digital solutions

When you visit our websites, the data controller is the entity identified as the publisher for the website. For other use cases, controllers remain as mentioned above. Please note that, when you navigate our public websites, the notices found in the footer of the landing page take precedence over this privacy notice. 
We may use cookies or other tracking technologies that are necessary (authentication, preferences, security), that allow us to obtain usage statistics or in some cases to do targeted advertising, or that allow you to play videos or share information on social media. For non-necessary cookies, a pop-up on each website will ask for your consent for each category before any implementation.

Primary use: providing our products and services

1. Security

What we do:
  • To secure, run and maintain our systems
  • Security monitoring
  • Bug / crash reporting
  • Logs retention
What we collect: IP address, geographic location, resources you have accessed, and similar information collected via cookies and web trackers.
Why we do it: Technical activities are for our legitimate interest in operating a secure business, and the associated cookies are necessary.
If you are a patient: This information will generally not reveal your status or health information. In our patient apps, crash reporting data may reveal health status but will be processed to the extent we have a legal obligation to do so.
How long: As required by applicable laws, in a non-aggregated form.

2. Personal account

What we do:
  • Account creation and access to all our online services, including identity and consents management
  • Transactional messages, support, troubleshooting, or security advice
What we collect: First and last name, email and password, other contact information, account ID, registration date and status of consents, language, country and time zone, IP address.
Why we do it: We use this information to perform our agreement with you.
If you are a patient: This information includes health data by nature and we will need your explicit consent to use your data. We cannot provide the services you request without your consent to this use of your data.
How long: Until you delete your account.

Other possible uses

3. Legal hold

What we do:
  • Litigation or any other procedure related to our rights or your rights
  • Archiving to comply with our duties as a medical device manufacturer, e.g. to inform you about an incident or recall
What we collect: Any data mentioned above that may become necessary for this objective.
Why we do it: Evidencing claims is for our legitimate interest of establishing our rights or your rights. Retaining some information as an archive may be required to comply with our legal obligations.
If you are a patient: This information may include health data by nature or reveal it, and will be processed only as necessary for the establishment, exercise or defense of legal claims, or to the extent we have a legal obligation to do so.
How long: Until the claim has been closed or the legal obligation has expired.

4. Usage statistics

What we do:
  • Learn how our tools are used & improve them
  • Understand your uses and ask for your feedback
What we collect: IP address, geographic location, resources you have accessed, and similar information collected via cookies and web trackers. Data we hold about our relationship with you.
Why we do it: Analytics is for our legitimate interest in understanding how we are doing. We will only use cookies and trackers if you agree to this activity. You can refuse without impacting services.
If you are a patient: We only process anonymous data, which will not reveal your status or health information. Your health status may be revealed if you are logged in, in which case we will ask your explicit consent. You can refuse without impacting services.
How long: Unless local specifics apply or we need to retain data for another purpose, we would keep the data for 1 year after collection in a non-aggregated form.

4. Recipients of your Personal Data

We may share your Personal Data with Roche’s affiliates around the world. Roche affiliates will use your Personal Data for the same purposes as mentioned above. We may also share your Personal Data with our logistic, IT, market research, customer support service providers and carriers, insurance providers or partners, for the following purposes:

  • To help fulfill Roche business transactions;
  • To conduct technical operation, maintenance, administration, hosting of our websites, web platforms, and IT systems in general;
  • To facilitate a merger, consolidation, transfer of control or other corporate reorganisation in which Roche participates, or pursuant to a financial arrangement undertaken by Roche;
  • To respond to appropriate requests of legitimate government authorities, or where required by applicable laws, court orders, or government regulations;
  • To allow data sharing with the recipients you designate when you use the data sharing functionalities of our digital products; and
  • Where needed for corporate audits or to investigate or respond to a complaint or security threat.

Third parties generally act on our behalf and under our instructions; however, certain providers (especially carriers and electronic communications providers) also process your data for their own purposes (e.g. compliance with their legal obligations).

5. International Transfers of Your Personal Data

We primarily select cooperation partners who are based in or whose servers are located in the European Union (EU) or European Economic Area (EEA). Any Personal Data you provide to us may be transferred to or stored in a geographic region that imposes different privacy obligations than your country of origin. This means that your Personal Data may be sent to a country with less restrictive data protection laws than your own. Any such transfer will be conducted in compliance with applicable law. 
If your Personal Data is covered by the GDPR: For transfers of Personal Data to a third country outside the European Union (EU), European Economic Area (EEA) or in absence of an adequacy decision (e.g. Switzerland, Israel, and New Zealand), within the Roche Group, business partners and service providers, we establish the contracts containing the EU Standard Contractual Clauses, which according to the EU Commission constitute appropriate and suitable safeguards to ensure compliance with GDPR. If you have further questions on this topic or if you want to obtain a copy of the safeguards, please reach out to [email protected]
In addition, we ensure that our partners have additional security standards in place, such as individual security measures and data protection provisions or certifications. 
Generally speaking, on top of the local affiliate in your country and global functions located in the EU and Switzerland, our internal Roche support services may be granted access to your data, in priority in your region. All the internal accesses are covered by our internal data transfer agreement which contains the warranties to ensure your data is securely managed.

6. Information About Your Rights Regarding Your Personal Data

If your Personal Data are covered by the GDPR, you have the following rights with respect to your Personal Data:

  • The right to request access to the Personal Data that Roche has about you;
  • The right to rectify or correct any Personal Data that is inaccurate or incomplete;
  • The right to request a copy of your Personal Data in electronic format so that you can transmit the data to third parties, or to request that Roche directly transfer your Personal Data to one or more third parties;
  • The right to object to the processing of your Personal Data for marketing and other purposes;
  • The right to erasure of your Personal Data when it is no longer needed for the purposes for which you provided it, as well as the right to restriction of processing of your Personal Data to certain limited purposes where erasure is not possible.

To exercise any of these rights, please contact us at [email protected]
Please note that erasure or restriction of processing is only possible if and to the extent that the processing of Personal Data is based on your consent or our legitimate interests. If data processing is based on consent, note that you have the right to withdraw your consent at any time, but that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal. In the event of an erasure request, we may retain a copy of your Personal Data for our record-keeping purposes and to avoid entering your personal data in our systems after your request. 
Please note that revocation of your consent to the necessary processing (or deletion of your account or data) may make it impossible to use our products and services because we can no longer process your data. We therefore interpret this revocation as termination. 
In the event that you believe that our data processing does not comply with the GDPR, you are entitled to lodge a complaint with the authority of your country of residency as stated here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

7. Updates to This Privacy Notice

From time to time, we may revise this Privacy Notice. Any such changes to this Privacy Notice will be reflected on this page. Roche recommends that you review this Privacy Notice regularly for any changes. The date on which this notice was last revised is located at the top of this notice.

8. Country Specific Section

When we engage with you as a customer or prospective customer (see Sec. 1): 
Data Controller:

  • Roche Diagnostics International AG, Basel Branch Diabetes Care - Grenzacherstrasse 124, 4058 Basel, Switzerland, acting as the parent company of affiliates engaged in the diabetes care business unit. The local affiliate in your country of residency will be considered a joint controller unless indicated otherwise.
  • Local Affiliate: Roche Diabetes Care UK and Ireland, Roche Diabetes Care Limited (company number 09055599), Charles Avenue, Burgess Hill, West Sussex, RH15 9RY