Legal and Privacy

Privacy Notice for Roche Diabetes Care: Covering customers, end users of digital solutions and website visitors

(Last updated: December 1, 2023)

This notice provides information on our activities (column “what we do” and then one activity per row), the categories of information collected for each activity (column “what we collect”), as well as the legal basis of processing for each of them (column “why we do it”) including for processing health information (column “if you are a patient”), and the retention period for the data (column “how long”).

Our activities are aimed at an adult audience; if we learn that someone has not yet reached the legal age for valid processing, we will not collect any personal data from that person until their legal representative has given their consent in a verifiable form.

1) When we engage with you as a customer or prospective customer

The controller is Roche Diagnostics International AG, Basel Branch Diabetes Care - Grenzacherstrasse 124, 4058 Basel, Switzerland, acting as the parent company of affiliates engaged in the diabetes care business unit. The local affiliate in your country of residency will be considered a joint controller unless indicated otherwise (more information about Roche’s affiliate in your country of residency is available at your local AccuChek website). EU representative is Roche Privacy GmbH, Emil-Barell-Str. 1, D-79639 Grenzach-Wyhlen, [email protected].

What we do | What we collect | Why we do it | If you are a patient | How long
Primary use: providing our products and services
i
Answer requests
Support, cases and non regulatory complaints; Feedback via phone, emails, social media, etc.; Free samples or maintenance requests; Product returns; Trainings
Your contact information (such as name, mailing address, telephone number, job title), your interests and preferences (such as products or areas of interest), and other information provided
We collect this information for our legitimate business interests to answer customers and prospective customers’ requests

Your health status may be revealed so we will need your explicit consent to use your data

we cannot provide the services without consent to this use of your data
Unless local specifics apply or we need to retain data for another purpose, we would keep it for the time within which proceedings may be brought.
ii
Contract
Manage subscriptions; Complete transactions; Deliver product/service; Order fulfilment; Transactional messages; Activate warranties
Your contact information as well as a history of your previous transactions with us (such as order history, customer account information), information on prescriptions
We use this information to perform our agreement with you
Unless local specifics apply or we need to retain data for another purpose, we would keep it for the time within which proceedings may be brought.
iii
Unique customer ID
Better identification; Avoid duplication; Avoid inconsistent data
LOGIC: We use an algorithm which merges records that present sufficient similarities.
Your identity and contact details as well as your status as a professional or individual and address verification data
SOURCES: We use an address verification service to obtain a GPS location

We collect this information for our legitimate business interests to optimize data management
As long as we retain your data for the purposes mentioned in this section.
Secondary use: improving our products and services
iv
Internal training
Review and analyze our interactions with you to understand what we can improve
Call recordings associated with your phone number
We will collect and process this information if you agree to this activity

You can refuse without impacting services

Your health status may be revealed so we will ask your explicit consent to use your data.

You can refuse without impacting services
Unless local specifics apply or we need to retain data for another purpose, 90 days after the recording
v
Marketing
Newsletters; Customer surveys; Marketing emails that may be adapted to your interests
Organization of webinars or events
Your identity and contact details as well as your status as a professional or individual
We will collect and process this information if you agree to this activity.

You can refuse without impacting services

If you are a professional, we may rely on our legitimate interest to reach out.
Unless local specifics apply or we need to retain data for another purpose, as long as we maintain interactions with you and a few years after the last contact (to resume interactions if you wish so).
vi
Patient program
Register you to the program you select; Evaluate your needs as informed by you; Provide support during the duration of the program by providing personalized contents
(Patients only)
Information about your contact and product preferences, languages, marketing preferences, health and demographic data
We will collect and process this information if you agree to this activity.

You can refuse without impacting services
Unless local specifics apply or we need to retain data for another purpose, as long as we maintain interactions with you and a few years after the end of the program (to re-enlist you if you wish so)
vii
Complaint
Keep track and report incidents
Retain archives for regulatory purposes; Monitoring of our social media pages
Any personal data provided to Roche related to adverse events or issues related to services / products
We collect your information to comply with our legal obligations and may be required to report the data to regulatory authorities

This information includes health data by nature which will only be processed to the extent we have a legal obligation to do so
Unless local specifics apply or we need to retain data for another purpose, we would keep it for the time within which proceedings may be brought or in line with regulatory obligations.
viii
Business intelligence
Run reports on our activities
Improve and administer our business
Reporting as required by law e.g. on complaint handlings in relation to our medical devices
Same data as mentioned above
Business intelligence is for our legitimate interest in understanding how we are doing
See retention period as mentioned above for each concerned activity
ix
Social media
Animation of our pages; Social listening of publicly posted information, which is used in an aggregated form to create insights; Targeted advertising via social media to persons who subscribed to our pages or other audiences (for example your interests, age or country)
Any information you make public online, which will however generally be used in a pseudonymized, anonymous, or aggregated way
We collect this information for our legitimate business interests to understand and reach out to our audience on social media
We may be joint controllers with the social media company hosting our page, please see their respective policies: Facebook ; Instagram ; Linkedin ; Youtube

This processing will only use sensitive information that you have manifestly chosen to disclose publicly for anyone to see. We will not target individuals based on their health status.
Unless local specifics apply or we need to retain data for another purpose, we do not retain social listening or targeted advertising data after the insights are obtained / campaign is realized

2) When you use our digital solutions

The data controller is Roche Diabetes Care GmbH, Sandhofer Strasse 116, 68305 Mannheim/Germany as the manufacturer of these applications and software. mySugr GmbH, Trattnerhof 1/5 OG, 1010 Vienna/Austria also acts as data controller in relation to data processed by the mySugr app and in the Roche Diabetes Care apps and professional software.

What we do | What we collect | Why we do it | If you are a patient | How long
Primary use: providing our products and services
A
Diabetes solutions
Provide services and functionalities in accordance with specific user manuals, terms and conditions and privacy notice applicable to the solution
Please refer to such documents for more details.
Profile data; commercial and activity data. For patients, medical data including therapy and diagnostic data as inputted manually or sent by your medical devices (BGM, CGM, pump, connected pen), technical data of your medical devices
Smartphone identifier is collected as strictly required to send push notifications if you have requested so

We use this information to perform our agreement with you

If you are a patient and we provide services to your doctor, we process your data as instructed by your doctor, therefore control lies with such professional users

This information includes health data by nature and we will need your explicit consent to use your data

we cannot provide the services you request without your consent to this use of your data

When we process your data as instructed by your doctor, he is responsible for ensuring he is entitled to use your data
As indicated in the privacy notice applicable to the concerned solution
B Allow data sharing
Organize the sharing of health data across solutions and with professional electronic health records, always in accordance with your preferences
Data uploaded or inputted by you in the solution will be available to the recipients you designate, who may also download it.
We use this information to perform our agreement with you

Data sharing with third parties happens upon request from you, therefore only if you agree to this activity

we cannot share data without your consent
Until you deactivate data sharing
C
Ancillary services
Deliveries including to a patient as requested by his doctor
Invoice use of the tool or related services; Other services you request
If needed, we may process the data mentioned above to the extent needed under section 1 on customers. See section 1 on customers

If you are a patient and we provide services to your doctor, we process your data as instructed by your doctor, therefore control lies with such professional users
See section 1 on customers

When we process your data as instructed by your doctor, he is responsible for ensuring he is entitled to use your data
See section 1
Secondary use: improving healthcare (statistics / research)
D
Performance reports
Issue aggregated reports for internal use or for our professional users to understand how our digital solutions are used and perform e.g. number of active users, time in range, etc.
Aggregated user data contained in or generated by use of digital solutions
We rely on our legitimate interest to analyze and improve the service

If you are a patient and we provide services to your doctor, we process your data as instructed by your doctor, therefore control lies with such professional users

We will use data in an aggregated (hence anonymous) form

When we process your data as instructed by your doctor, he is responsible for ensuring he is entitled to use your data
Without time limitation in an anonymous and/or aggregated form
E
Medical research and innovation
Replicate de-identified data in dedicated databases (anonymous or pseudonymous)
Population insights & scientific research; Algorithms / product development; Product evaluation & real world evidence
(Patients only)
De-identified user data (anonymous or pseudonymous) contained in the digital health applications and software or generated by its use
We anonymize this information as instructed by healthcare professionals

We will pseudonymise this information if you agree to this activity.

You can refuse without impacting services

We will process data used by healthcare professionals in an anonymous form

When pseudonymous data is used, it includes health data by nature so we will ask your explicit consent to product improvement.

You can refuse without impacting services
Without time limitation in an anonymous form; Until you revoke your consent in a pseudonymous form

3) When you visit our websites and/or interact with us as customer or prospective customer and/or use our digital solutions

When you visit our websites, the data controller is the entity identified as the publisher for the website. For other use cases, controllers remain as mentioned above. Please note that, when you navigate our public websites, the notices found in the footer of the landing page take precedence over this privacy notice.

We may use cookies or other tracking technologies that are necessary (authentication, preferences, security), allow us to obtain usage statistics or in some cases to do targeted advertising, or allow you to play videos or share information on social media. For non necessary cookies, a pop up on each website will ask your consent for each category before any implementation.

What we do | What we collect | Why we do it | If you are a patient | How long
Primary use: providing our products and services
1
Security
To secure, run and maintain our systems; Security monitoring; Bug / crash reporting; Logs retention
IP Address, geographic location, resources you have accessed, and similar information collected via cookies and web trackers.
Technical activities are for our legitimate interest in operating a secure business and associated cookies are necessary.

This information will generally not reveal your status or health information

In our patient apps, crash reporting data may reveal health status but will be processed to the extent we have a legal obligation to do so
As required by applicable laws in a non aggregated form
2
Personal account
Account creation and access to all our online services, including identity and consents management
Transactional message, support, troubleshooting, or security advice
First and last name, email and password, other contact information, account ID, registration date and status of consents, language, country and time zone, IP address
We use this information to perform our agreement with you

This information includes health data by nature and we will need your explicit consent to use your data

we cannot provide the services you request without your consent to this use of your data
Until you delete your account.
Other possible uses
3
Legal hold
Litigation or any other procedure related to our rights or your rights
Archiving to comply with our duties as a medical device manufacturer, e.g. inform you about an incident or recall
Any data mentioned above that may become necessary for this objective
Evidencing claims is for our legitimate interest of establishing our rights or your rights

Retaining some information as archive may be required to comply with our legal obligations

This information may include health data by nature or reveal it and will be processed only as necessary for the establishment, exercise or defense of legal claims, or to the extent we have a legal obligation to do so
Until the claim has been closed or legal obligation has expired
4
Usage statistics
Learn how our tools are used & improve them; Understand your uses and ask your feedback
IP Address, geographic location, resources you have accessed, and similar information collected via cookies and web trackers.
Data we hold about our relationship with you

Analytics is for our legitimate interest in understanding how we are doing

We will only use cookies and trackers if you agree to this activity

You can refuse without impacting services

We only process anonymous data which will not reveal your status or health information

Your health status may be revealed if you are logged in, in which case we will ask your explicit consent

You can refuse without impacting services
Unless local specifics apply or we need to retain data for another purpose, we would keep the data 1 year after collection in a non aggregated form

4) Recipients of your Personal Data

We may share your Personal Data with Roche’s affiliates around the world. Roche affiliates will use your Personal Data for the same purposes as mentioned above. We may also share your Personal Data with our logistic, IT, market research, customer support service providers and carriers, insurance providers or partners, for the following purposes:

- To help fulfill Roche business transactions;
- To conduct technical operation, maintenance, administration, hosting of our websites, web platforms, and IT systems in general;
- To facilitate a merger, consolidation, transfer of control or other corporate reorganization in which Roche participates, or pursuant to a financial arrangement undertaken by Roche;
- To respond to appropriate requests of legitimate government authorities, or where required by applicable laws, court orders, or government regulations; and
- To allow data sharing with the recipients you designate when you use the data sharing functionalities of our digital products; and
- Where needed for corporate audits or to investigate or respond to a complaint or security threat.
Third parties generally act on our behalf and under our instructions; however, certain providers (especially carriers and electronic communications providers) also process your data for their own purposes (e.g. compliance with their legal obligations).

5) International Transfers of Your Personal Data

We primarily select cooperation partners who are based in or whose servers are located in the European Union (EU) or European Economic Area (EEA). Any Personal Data you provide to us may be transferred to or stored in a geographic region that imposes different privacy obligations than your country of origin. This means that your Personal Data may be sent to a country with less restrictive data protection laws than your own. Any such transfer will be conducted in compliance with applicable law.

If your Personal Data is covered by the GDPR: For transfers of Personal Data to a third country outside the European Union (EU), European Economic Area (EEA) or in absence of an adequacy decision (e.g. Switzerland, Israel, and New Zealand), within the Roche Group, business partners and service providers, we establish the contracts containing the EU Standard Contractual Clauses, which according to the EU Commission constitute appropriate and suitable safeguards to ensure compliance with GDPR. If you have further questions on this topic or if you want to obtain a copy of the safeguards, please reach out to [email protected].

In addition, we ensure that our partners have additional security standards in place, such as individual security measures and data protection provisions or certifications.

Generally speaking, on top of the local affiliate in your country and global functions located in the EU and Switzerland, our internal Roche support services may be granted access to your data, in priority in your region. All the internal accesses are covered by our internal data transfer agreement which contains the warranties to ensure your data is securely managed.

6) Information About Your Rights Regarding Your Personal Data

If your Personal Data are covered by the GDPR, you have the following rights with respect to your Personal Data:

  • The right to request access to the Personal Data that Roche has about you;
  • The right to rectify or correct any Personal Data that is inaccurate or incomplete;
  • The right to request a copy of your Personal Data in electronic format so that you can transmit the data to third parties, or to request that Roche directly transfer your Personal Data to one or more third parties;
  • The right to object to the processing of your Personal Data for marketing and other purposes;
  • The right to erasure of your Personal Data when it is no longer needed for the purposes for which you provided it, as well as the right to restriction of processing of your Personal Data to certain limited purposes where erasure is not possible.

To exercise any of these rights, please contact us at [email protected].

Please note that erasure or restriction of processing is only possible if and to the extent that the processing of Personal Data is based on your consent or our legitimate interests. If data processing is based on consent, note that you have the right to withdraw your consent at any time, but that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal. In the event of an erasure request, we may retain a copy of your Personal Data for our record-keeping purposes and to avoid entering your personal data in our systems after your request.

Please note that revocation of your consent to the necessary processing (or deletion of your account or data) may make it impossible to use our products and services because we can no longer process your data. We therefore interpret this revocation as termination.

In the event that you believe that our data processing does not comply with the GDPR, you are entitled to lodge a complaint with the authority of your country of residency as stated here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.html

7) Updates to This Privacy Notice

From time to time, we may revise this Privacy Notice. Any such changes to this Privacy Notice will be reflected on this page. Roche recommends that you review this Privacy Notice regularly for any changes. The date on which this notice was last revised is located at the top of this notice.

8) Country Specific Section

When we engage with you as a customer or prospective customer (see Sec. 2): Data Controller:

  • Roche Diagnostics International AG, Basel Branch Diabetes Care - Grenzacherstrasse 124, 4058 Basel, Switzerland, acting as the parent company of affiliates engaged in the diabetes care business unit. The local affiliate in your country of residency will be considered a joint controller unless indicated otherwise.
  • Local Distributor: Hemas Surgicals & Diagnostics (Pvt) Ltd, No. 12, Glen Aber Place, Colombo 03