A. GENERAL PART
A.1. COLLECTION AND PROCESSING OF USER DATA
In connection with the provision of the website hosted at https://neuroimaging-ms.devfloat.pt/ ("Site") and of the information and means of contact integrated therein, ROCHE Farmacêutica Química, Lda., with registered office at Estrada Nacional 249-1 Venteira, Amadora and with Tax ID No. 500 233 810, as responsible for the processing of personal data (hereinafter "ROCHE"), may request and process the user's personal data.
The term "personal data" shall refer to any information of any nature regardless of its support-basis, which includes sound and image, concerning an identified or identifiable natural person ("Data Subject" or "User"). A person who can be identified directly or indirectly, by reference to an identification number or to more specific elements of their physical, physiological, mental, economic, cultural or social identity, shall be considered identifiable.
A.2. PERSONAL DATA COLLECTED
Through this Privacy Notice, ROCHE provides the User with detailed information about the nature of the collected data, and the purpose and processing that will be carried out in relation to their data.
The personal data collected and processed includes information regarding the name, e-mail address, country, field/specialty and hospital where the User performs his/her functions.
ROCHE also collects and processes information about the User's hardware and software, as well as information about the pages visited within the Site. This information may include: the browser type, domain name, access times and the links through which the User accessed the Site ("Usability Information"). We use this information only to improve the quality of your visit to our Site.
A.3. DATA PROCESSORS AND THIRD PARTIES
Within the scope of the processing of the User's personal data, ROCHE uses or may use Data Processors so that, on behalf of ROCHE, and in accordance with the instructions given by the latter, the User's data may be processed, in strict compliance with the provisions of the General Data Protection Regulation (hereinafter, "GDPR") and the GDPR Implementation Act (Law No. 58/2019, August 8), as well as this Privacy Notice.
No outsourced entity within the present scope can transmit the personal data to other entities without ROCHE's prior written consent, being equally prevented from contracting with other entities without ROCHE's prior consent.
ROCHE undertakes to only subcontract entities that provide sufficient guarantees of execution of the appropriate technical and organisational measures, in order to ensure the protection of the User's rights. All entities subcontracted by ROCHE shall be bound to a written contract in which the object and duration of the processing, its nature and purpose, the type of personal data, the categories of data subjects and the rights and obligations of the Parties are regulated.
In particular, ROCHE subcontracts the company Float - Publicidade, Unipessoal, Lda., with registered office at Rua Luís de Camões, n.º 118-A, 1300-362 Lisboa, with Tax ID No. 506 275 906, to proceed on its behalf with the organisation, management, programming, presentation, development, maintenance and support of the Site.
In accordance with the applicable law, ROCHE may transmit or communicate the user's personal data to other entities, in case such transmission or communication is necessary for the performance of the contract established between the Data Subject and ROCHE, or for pre-contractual diligences at the user's request, in case it is necessary for the fulfillment of a legal obligation to which ROCHE is subject, or in case it is necessary for the purpose of pursuing the legitimate interests of ROCHE or of a third party. This may include communicating the personal user data to companies of the Roche Group, when legally permissible.
A.4. DATA COLLECTION CHANNELS
ROCHE may collect data either directly (i.e., directly from the Data Subject on the Site) or indirectly (i.e., through other channels). The collection may take place through the following channels:
- Direct collection: through the Site.
- Indirect collection: via the area reserved for RocheNet healthcare professionals, available at https://www.rochenet.pt/.
B. GENERAL PRINCIPLES APPLICABLE TO THE PROCESSING OF DATA OF THE DATA SUBJECT
As a general principle, concerning the processing of its personal data, ROCHE undertakes to ensure that the processed data of the user is:
- Treated in a lawful, fair and transparent manner in relation to its user;
- Collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and up-to-date where necessary, with every reasonable step being taken to ensure that inaccurate data, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form suitable for the User to be identified, only for the period necessary for the purposes for which the data is processed;
- Processed in a manner that ensures their safety, including protection against unauthorized/unlawful processing, and also against accidental loss, destruction or damage, with appropriate technical or organisational measures being taken.
The processing of data carried out by ROCHE is lawful when at least one of the grounds for lawfulness set out in Article 6 of the GDPR is met (combined, if applicable, with one of the exceptions of Article 9 or 10 of the GDPR).
ROCHE undertakes to ensure that the processing of the User's data is only carried out under the conditions listed above, respecting the aforementioned principles.
The time period for which data is stored and retained varies according to the purpose for which the information is processed. There are legal requirements for data to be kept for a minimum time period. Therefore, and whenever there is no specific legal requirement, the data shall be stored and kept only for the minimum time period necessary for the purposes for which it is being collected or subsequently processed, after which it shall be deleted.
In particular, the User's personal data will be kept on the Site for six (6) months after the account becomes inactive.
B.1. USE AND PURPOSES OF PROCESSING USER DATA
In general terms, ROCHE uses the User's data for the following purposes:
- To allow access to the course platform;
- To issue certificates;
- If the User consents, to join the RocheNet platform;
- If the User consents, to receive invitations and manage participation in events organized by Roche or by third parties.
- If the User consents, to send scientific information relevant to the User's clinical practice or interest.
- If the User consents, to send promotional information about Roche products.
- To send information and notifications about the course available on the Site.
- To contact the User as requested by her/him.
- To ensure that the Site meets the User's needs, namely that all of its functionalities are available, as well as to obtain aggregate or statistical information about the User's profile.
B.2. TECHNICAL, ORGANISATIONAL AND SAFETY MEASURES IMPLEMENTED
To ensure the safety of the User's data and its maximum confidentiality, ROCHE treats the information provided with absolute confidentiality, in accordance with its internal safety and confidentiality policies and procedures, which are periodically updated when deemed necessary, as well as in accordance with the legally provided terms and conditions.
Depending on the nature, scope, context and purposes of the data processing, as well as the risks for the rights and freedoms of the User arising from the processing, ROCHE undertakes to implement, when defining the means of processing and during processing itself, the necessary and appropriate technical and organisational measures to protect the User's data and to comply with the legal requirements.
ROCHE undertakes to ensure that, by default, only data that is necessary for each specific purpose of the processing shall be processed and that the data shall not be made available to an indefinite number of persons without human intervention.
In terms of general measures, ROCHE adopts the following:
- Regular audits to assess the effectiveness of technical and organisational measures implemented;
- Raising awareness and training staff involved in data processing operations;
- Pseudonymization and encryption of personal data;
- Mechanisms to ensure the ongoing confidentiality, availability and resilience of information systems;
- Mechanisms to ensure the timely restoration of information systems and access to Personal Data, in the event of a physical or technical incident.
B.3. TRANSFERS OF DATA TO THIRD COUNTRIES
The data processing operations associated with the interaction of the Data Subject with the Site shall not entail the transfer of data, or the processing thereof, outside the European Economic Area.
However, should it become necessary to transfer your data outside the European Economic Area, for example, in the context of using certain providers of computer systems support services, ROCHE will implement the necessary measures to ensure that these transfers comply with the law, in particular with Chapter V of the GDPR, and that an essentially equivalent level of protection is guaranteed to the Data Subjects' personal data. This may be achieved, for example, by ensuring the existence of a European Commission Adequacy Decision relating to the country of destination or by concluding Standard Contractual Clauses and, if necessary, implementing additional measures.
C. USER RIGHTS (DATA SUBJECTS)
C.1. PROCEDURES FOR THE EXERCISE OF USER RIGHTS
The right of access, the right of rectification, the right of erasure, the right of limitation, the right of portability and the right of opposition may be exercised by the User by contacting ROCHE through the page www.roche.pt/dataprivacy, the email email@example.com or by registered letter to the postal address Estrada Nacional 249 - 1, 2720-413 Amadora.
When the processing of the User's personal data is carried out by ROCHE based on the User's consent, the User shall be entitled to withdraw their consent at any time. The withdrawal of consent shall not, however, compromise the lawfulness of the processing carried out by ROCHE based on consent previously given by the User.
The table below contains a summary of the User rights as referred to in the paragraphs above.
| Right | Description |
|---|---|
| Right of access | It is possible to obtain confirmation that your personal data is being processed and to access it. For such effects, a copy of the data subject to processing will be made available to the User on your request, as long as there are no legal restrictions. |
| Right of rectification | The User may request for inaccurate personal data to be rectified or completed. |
| Right to erasure | Under the terms of the law, the User may also, at any time, request the deletion of their personal data. ROCHE may refuse to grant such request in certain situations, in particular when the data is still necessary for the purpose for which it was collected or when the processing is required for compliance with a legal obligation. |
| Right to restriction of processing | The Data Subject may obtain the limitation of the processing when: a) they contest the accuracy of the personal data; b) the processing is unlawful and the data subject requests limitation as an alternative to erasure; c) ROCHE no longer needs the data for its original purpose and the data is requested by the data subject for the purposes of declaring, exercising or defending a right in legal proceedings and; d) when the Data Subject has opposed the processing, until it is ascertained whether the legitimate interests of the controller override those of the data subject. |
| Right to data portability | When the ground for data processing is consent or the performance of the contract, and there is processing by automated means, the Data Subject shall have the right to request the portability of their data. This right may not, however, prejudice the rights and freedoms of third parties. |
| Right of opposition | When data is processed on the basis of legitimate or public interest, or for the purposes of direct marketing, the data subject shall have the right to object to the processing. |
| Right to withdraw consent | When consent is the lawful basis for data processing, the User has a right to withdraw consent at any time. This does not, however, invalidate the lawfulness of processing carried out up to that date based on consent previously given. |
ROCHE will respond in writing (including by electronic means) to the User's request without undue delay and, in any event, within a maximum period of one month from the receipt of the request, although this time period may be extended in cases of particular complexity or due to the number of requests.
If the requests submitted by the User are manifestly unfounded or excessive, particularly due to their repetitive nature, ROCHE reserves the right to charge administrative costs or to refuse to follow up on the request.
Without prejudice to any other administrative or judicial remedy, the Data Subject has the right to lodge a complaint with the National Commission for Data Protection or with another competent authority under the law, when they consider that their data is not being lawfully processed by ROCHE, pursuant to the applicable legislation and this Notice.
C.2. PERSONAL DATA BREACHES
In case of a data breach and insofar as such breach is likely to involve a high risk to the rights and freedoms of the User, ROCHE undertakes to report the personal data breach to the Supervisory Authority within 72 hours of becoming aware of the incident.
In addition, ROCHE will communicate this breach to the User when required by law or when ROCHE deems it relevant. In legal terms, this communication to the User is not required in the following cases:
- When ROCHE has implemented adequate protection measures, both technical and organisational, and those measures have been applied to the personal data affected by the breach, especially measures rendering the personal data unintelligible to any person not authorised to access the referred data, such as encryption;
- If ROCHE has taken subsequent measures to ensure that the high risk to the User's rights and freedoms is no longer likely to materialise; or
- In case the communication to the User implies a disproportionate effort on behalf of ROCHE. In such case, ROCHE shall make a public communication or take a similar measure through which the User will be duly informed.
D. FINAL PART
If you have any questions or concerns regarding the way ROCHE handles your personal data, please contact your Data Protection Officer at firstname.lastname@example.org.
D.2. APPLICABLE LAW AND JURISDICTION
The Privacy Notice, as well as the collection, processing or transmission of User data, is governed by the provisions of the GDPR and the laws and regulations applicable in Portugal, in particular the GDPR Implementation Law.
Any disputes arising from the validity, interpretation or execution of the Privacy Notice, or that are related to the collection, processing or transmission of the User's data, shall be exclusively submitted to the jurisdiction of the courts of the district of ROCHE's headquarters (Tribunal Judicial da Comarca de Lisboa), without prejudice to the applicable legal rules.
D.3. CHANGES TO THE PRIVACY NOTICE
ROCHE reserves the right to change this Privacy Notice at any time. In case this Privacy Notice is modified, the date of the last modification, available at the top of this page, will be updated. If the change is substantial, a notice will be posted on the Site.