Legal and Privacy
Privacy Notice for Roche Diabetes Care Covering customers, end users of digital solutions and website visitors
(Last updated: December 1, 2023)
This notice provides information on our activities (column “what we do” and then one activity per row), the categories of information collected for each activity (column “what we collect”), as well as the legal basis of processing for each of them (column “why we do it”) including for processing health information (column “if you are a patient”), and the retention period for the data (column “how long”).
Our activities are aimed at an adult audience; if we learn that someone has not yet reached the legal age for valid processing, we will not collect any personal data from that person until their legal representative has given their consent in a verifiable form.
1) When we engage with you as a customer or prospective customer
The controller is Roche Diagnostics International AG, Basel Branch Diabetes Care - Grenzacherstrasse 124, 4058 Basel, Switzerland, acting as the parent company of affiliates engaged in the diabetes care business unit. The local affiliate in your country of residency will be considered a joint controller unless indicated otherwise (more information about Roche’s affiliate in your country of residency is available at your local AccuChek website). EU representative is Roche Privacy GmbH, Emil-Barell-Str. 1, D-79639 Grenzach-Wyhlen, [email protected].
| What we do | What we collect | Why we do it | If you are a patient | How long | |
|---|---|---|---|---|---|
| Primary use: providing our products and services | |||||
| i |  Answer requests Support, cases and non regulatory complaints Feedback via phone, emails, social media, etc. Free samples or maintenance requests Product returns Trainings |
Your contact information (such as name, mailing address, telephone number, job title), your interests and preferences (such as products or areas of interest), and other information provided |  We collect this information for our legitimate business interests to answer customers and prospective customers’ requests |
 Your health status may be revealed so we will need your explicit consent to use your data  we cannot provide the services without consent to this use of your data |
Unless local specifics apply or we need to retain data for another purpose, we would keep it for the time within which proceedings may be brought. |
| ii |  Contract Manage subscriptions Complete transactions Deliver product/service Order fulfilment Transactional messages Activate warranties |
Your contact information as well as a history of your previous transactions with us (such as order history, customer account information), information on prescriptions |  We use this information to perform our agreement with you |
Unless local specifics apply or we need to retain data for another purpose, we would keep it for the time within which proceedings may be brought. | |
| iii |  Unique customer ID Better identification Avoid duplication Avoid inconsistent data LOGIC: We use an algorithm which merges records that present sufficient similarities. |
Your identity and contact details as well as your status as a professional or individual and address verification data SOURCES: We use an address verification service to obtain a GPS location |
We collect this information for our legitimate business interests to optimize data management |
As long as we retain your data for the purposes mentioned in this section. | |
| Secondary use: improving our products and services | |||||
| iv |  Internal training Review and analyze our interactions with you to understand what we can improve |
Call recordings associated with your phone number | We will collect and process this information if you agree to this activity  You can refuse without impacting services |
Your health status may be revealed so we will ask your explicit consent to use your data. You can refuse without impacting services |
Unless local specifics apply or we need to retain data for another purpose, 90 days after the recording |
| v |  Marketing Newsletters Customer surveys Marketing emails that may be adapted to your interests Organization of webinars or events |
Your identity and contact details as well as your status as a professional or individual | We will collect and process this information if you agree to this activity. You can refuse without impacting services  If you are a professional, we may rely on our legitimate interest to reach out. |
Unless local specifics apply or we need to retain data for another purpose, as long as we maintain interactions with you and a few years after the last contact (to resume interactions if you wish so). | |
| vi |  Patient program Register you to the program you select Evaluate your needs as informed by you Provide support during the duration of the program by providing personalized contents (Patients only) |
Information about your contact and product preferences, languages, marketing preferences, health and demographic data | We will collect and process this information if you agree to this activity. You can refuse without impacting services |
Unless local specifics apply or we need to retain data for another purpose, as long as we maintain interactions with you and a few years after the end of the program (to re-enlist you if you wish so) | |
| vii |  Complaint Keep track and report incidents Retain archives for regulatory purposes Monitoring of our social media pages |
Any personal data provided to Roche related to adverse events or issues related to services / products |  We collect your information to comply with our legal obligations and may be required to report the data to regulatory authorities |
This information includes health data by nature which will only be processed to the extent we have a legal obligation to do so |
Unless local specifics apply or we need to retain data for another purpose, we would keep it for the time within which proceedings may be brought or in line with regulatory obligations. |
| viii |  Business intelligence Run reports on our activities Improve and administer our business Reporting as required by law e.g. on complaint handlings in relation to our medical devices |
Same data as mentioned above | Business intelligence is for our legitimate interest in understanding how we are doing |
See retention period as mentioned above for each concerned activity | |
| ix |  Social media Animation of our pages Social listening of publicly posted information, which is used in an aggregated form to create insights Targeted advertising via social media to persons who subscribed to our pages or other audiences (for examples your interests, age or country) |
Any information you make public online, which will however generally be used in a pseudonymized anonymous, or aggregated way | We collect this information for our legitimate business interests to understand and reach out to our audience on social media We may be joint controllers with the social media company hosting our page, please see their respective policies: Facebook ; Instagram ; Linkedin ; Youtube |
 This processing will only use sensitive information that you have manifestly chosen to disclose publicly for anyone to see. We will not target individuals based on their health status. |
Unless local specifics apply or we need to retain data for another purpose, we do not retain social listening or targeted advertising data after the insights are obtained / campaign is realized |
2) When you use our digital solutions
The data controller is Roche Diabetes Care GmbH, Sandhofer Strasse 116, 68305 Mannheim/Germany as the manufacturer of these applications and software. mySugr GmbH, Trattnerhof 1/5 OG, 1010 Vienna/Austria also acts as data controller in relation to data processed by the mySugr app and in the Roche Diabetes Care apps and professional software.
| What we do | What we collect | Why we do it | If you are a patient | How long | |
|---|---|---|---|---|---|
| Primary use : providing our products and services | |||||
| A |  Diabetes solutions Provide services and functionalities in accordance with specific user manuals, terms and condition and privacy notice applicable to the solution Please refer to such documents for more details. |
Profile data; commercial and activity data For patient, medical including therapy and diagnostic data as inputted manually or sent by your medical devices (BGM, CGM, pump, connected pen), technical data of your medical devices Smartphone identifier is collected as strictly required to send push notifications if you have requested so |
We use this information to perform our agreement with you  If you are a patient and we provide services to your doctor, we process your data as instructed by your doctor, therefore control lies with such professional users |
This information includes health data by nature and we will need your explicit consent to use your data we cannot provide the services you request without your consent to this use of your data When we process your data as instructed by your doctor, he is responsible for ensuring he is entitled to use your data |
As indicated in the privacy notice applicable to the concerned solution |
| B | Allow data sharing Organize the sharing of health data across solutions and with professional electronic health records, always in accordance with your preferences |
Data uploaded or inputted by you in the solution will be available to the recipients you designate, who may also download it. | We use this information to perform our agreement with you |
Data sharing with third parties happens upon request from you, therefore only if you agree to this activity we cannot share data without your consent |
Until you deactivate data sharing |
| C |  Ancillary services Deliveries including to a patient as requested by his doctor Invoice use of the tool or related services Other services you request |
If needed, we may process data above mentioned to the extent needed under section 1 on customers | See section 1 on customers If you are a patient and we provide services to your doctor, we process your data as instructed by your doctor, therefore control lies with such professional users |
See section 1 on customers When we process your data as instructed by your doctor, he is responsible for ensuring he is entitled to use your data |
See section 1 |
| Secondary use : improving healthcare (statistics / research) | |||||
| D |  Performance reports Issue aggregated reports for internal use or for our professional users to understand how our digital solutions are used and perform e.g. number of active users, time in range, etc. |
Aggregated user data contained in or generated by use of digital solutions | We rely on our legitimate interest to analyze and improve the service If you are a patient and we provide services to your doctor, we process your data as instructed by your doctor, therefore control lies with such professional users |
 We will use data in an aggregated (hence anonymous) form When we process your data as instructed by your doctor, he is responsible for ensuring he is entitled to use your data |
Without time limitation in an anonymous and/or aggregated form |
| E |  Medical research and innovation Replicate de-identified data in dedicated databases (anonymous or pseudonymous) Population insights & scientific research Algorithms / product development Product evaluation & real world evidence (Patients only) |
De-identified user data (anonymous or pseudonymous) contained in the digital health applications and software or generated by its use | We anonymize this information as instructed by healthcare professionals We will pseudonymise this information if you agree to this activity. You can refuse without impacting services |
We will process data used by healthcare professionals in an anonymous form When pseudonymous data is used, it includes health data by nature so we will ask your explicit consent to product improvement. You can refuse without impacting services |
Without time limitation in an anonymous form Until you revoke your consent in a pseudonymous form |
3) When you visit our websites and/or interact with us as customer or prospective customer and/or use our digital solutions
When you visit our websites, the data controller is the entity identified as the publisher for the website. For other use cases, controllers remain as mentioned above. Please note that, when you navigate our public websites, the notices found in the footer of the landing page take precedence over this privacy notice.
We may use cookies or other tracking technologies that are necessary (authentication, preferences, security), allow us to obtain usage statistics or in some cases to do targeted advertising, or allow you to play videos or share information on social media. For non necessary cookies, a pop up on each website will ask your consent for each category before any implementation.
| What we do | What we collect | Why we do it | If you are a patient | How long | |
|---|---|---|---|---|---|
| Primary use : providing our products and services | |||||
| 1 |  Security To secure, run and maintain our systems Security monitoring Bug / crash reporting Logs retention |
IP Address, geographic location, resources you have accessed, and similar information collected via cookies and web trackers. | Technical activities are for our legitimate interest in operating a secure business and associated cookies are necessary. |
This information will generally not reveal your status or health information In our patient apps, crash reporting data may reveal health status but will be processed to the extent we have a legal obligation to do so |
As required by applicable laws in a non aggregated form |
| 2 | Personal account Account creation and access to all our online services, including identity and consents management Transactional message, support, troubleshooting, or security advice |
First and last name, email and password, other contact information, account ID, registration date and status of consents, language, country and time zone, IP address | We use this information to perform our agreement with you |
This information includes health data by nature and we will need your explicit consent to use your data we cannot provide the services you request without your consent to this use of your data |
Until you delete your account. |
| Other possible uses | |||||
| 3 | Legal hold Litigation or any other procedure related to our rights or your rights Archiving to comply with our duties medical device manufacturer, e.g. inform you about an incident or recall |
Any data mentioned above that may become necessary for this objective | Evidencing claims is for our legitimate interest of establishing our rights or your rightsr Retaining some information as archive may be required to comply with our legal obligations |
This information may include health data by nature or reveal it and will be processed only as necessary for the establishment, exercise or defense of legal claims, or to the extent we have a legal obligation to do so |
Until the claim has been closed or legal obligation has expired |
| 4 |  Usage statistics Learn how our tools are used & improve them Understand your uses and ask your feedback |
IP Address, geographic location, resources you have accessed, and similar information collected via cookies and web trackers. Data we hold about our relationship with you |
Analytics is for our legitimate interest in understanding how we are doing We will only use cookies and trackers if you agree to this activity You can refuse without impacting services |
We only process anonymous data which will not reveal your status or health information Your health status may be revealed if you are logged in in which case we will ask your explicit consent You can refuse without impacting services |
Unless local specifics apply or we need to retain data for another purpose, we would keep the data 1 year after collection in a non aggregated form |
4) Recipients of your Personal Data
We may share your Personal Data with Roche’s affiliates around the world. Roche affiliates will use your Personal Data for the same purposes as mentioned above. We may also share your Personal Data with our logistic, IT, market research, customer support service providers and carriers, insurance providers or partners, for the following purposes:
- To help fulfill Roche business transactions;
- To conduct technical operation, maintenance, administration, hosting of our websites, web platforms, and IT systems in general;
- To facilitate a merger, consolidation, transfer of control or other corporate reorganization in which Roche participates, or pursuant to a financial arrangement undertaken by Roche;
- To respond to appropriate requests of legitimate government authorities, or where required by applicable laws, court orders, or government regulations; and
- To allow data sharing with the recipients you designate when you use the data sharing functionalities of our digital products; and
- Where needed for corporate audits or to investigate or respond to a complaint or security threat.
Third parties generally act on our behalf and under our instructions however certain providers (especially carriers and electronic communications providers) also process your data for their own purposes (e.g. compliance with their legal obligations).
5) International Transfers of Your Personal Data
We primarily select cooperation partners who are based in or whose servers are located in the European Union (EU) or European Economic Area (EEA). Any Personal Data you provide to us may be transferred to or stored in a geographic region that imposes different privacy obligations than your country of origin. This means that your Personal Data may be sent to a country with less restrictive data protection laws than your own. Any such transfer will be conducted in compliance with applicable law.
If your Personal Data is covered by the GDPR: For transfers of Personal Data to a third country outside the European Union (EU), European Economic Area (EEA) or in absence of an adequacy decision (e.g. Switzerland, Israel, and New Zealand), within the Roche Group, business partners and service providers, we establish the contracts containing the EU Standard Contractual Clauses, which according to the EU Commission constitute appropriate and suitable safeguards to ensure compliance with GDPR. If you have further questions on this topic or if you want to obtain a copy of the safeguards, please reach out to [email protected].
In addition, we ensure that our partners have additional security standards in place, such as individual security measures and data protection provisions or certifications.
Generally speaking, on top of the local affiliate in your country and global functions located in the EU and Switzerland, our internal Roche support services may be granted access to your data, in priority in your region. All the internal accesses are covered by our internal data transfer agreement which contains the warranties to ensure your data is securely managed.
6) Information About Your Rights Regarding Your Personal Data
If your Personal Data are covered by the GDPR, you have the following rights with respect to your Personal Data:
- The right to request access to the Personal Data that Roche has about you;
- The right to rectify or correct any Personal Data that is inaccurate or incomplete;
- The right to request a copy of your Personal Data in electronic format so that you can transmit the data to third parties, or to request that Roche directly transfer your Personal Data to one more third parties;
- The right to object to the processing of your Personal Data for marketing and other purposes;
- The right to erasure of your Personal Data when it is no longer needed for the purposes for which you provided it, as well as the right to restriction of processing of your Personal Data to certain limited purposes where erasure is not possible.
To exercise any of these rights, please contact us at [email protected].
Please note that erasure or restriction of processing is only possible if and to the extent that the processing of Personal Data is based on your consent or our legitimate interests. If data processing is based on consent, note that you have the right to withdraw your consent at any time, but that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal. In the event of an erasure request, we may retain a copy of your Personal Data for our record-keeping purposes and to avoid entering your personal data in our systems after your request.
Please note that revocation of your consent to the necessary processing (or deletion of your account or data) may make it impossible to use our products and services because we can no longer process your data. We therefore interpret this revocation as termination.
In the event that you believe that our data processing does not comply with the GDPR, you are entitled to lodge a complaint with the authority of your country of residency as stated here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.html
7) Updates to This Privacy Notice
From time to time, we may revise this Privacy Notice. Any such changes to this Privacy Notice will be reflected on this page. Roche recommends that you review this Privacy Notice regularly for any changes. The date on which this notice was last revised is located at the top of this notice.
8) Country Specific Section
When we engage with you as a customer or prospective customer (see Sec. 2): Data Controller:
- Roche Diagnostics International AG, Basel Branch Diabetes Care - Grenzacherstrasse 124, 4058 Basel, Switzerland, acting as the parent company of affiliates engaged in the diabetes care business unit. The local affiliate in your country of residency will be considered a joint controller unless indicated otherwise.
- Local Distributor: Hemas Surgicals & Diagnostics (Pvt) Ltd, No. 12, Glen Aber Place, Colombo 03