Sandoz – General Web Privacy Notice

This Privacy Notice is intended for individuals who are visiting a website or using a mobile application (”app”) from one of the companies of the Sandoz group. As a result, this company is processing information about you which constitutes “personal data” and Sandoz considers the protection of your personal data and privacy a very important matter.

Lek d.d., Verovškova ulica 57, 1526 Ljubljana is responsible for the processing of your personal data as it decides why and how it is processed, thereby acting as the “controller”. In this Privacy Notice, “we” or “us” refers to Lek d.d.

This Privacy Notice is divided into two parts. Part I contains practical information about the specific personal data we process when you visit our website www.lek.si, why we process this data and how. Part II contains more general information about the standard technical or transactional personal data which we are processing about visitors of our websites and users of our apps, the legal basis for using your personal data, as well as your rights in respect to all personal data collected about you.

We invite you to carefully read this Privacy Notice, and for any further question in relation to the processing of your personal data, we invite you to contact local data protection officer at sandoz_global.dpo@sandoz.com.

Part I – Key information

Lek d.d. is processing personal data about you when you are visiting our website www.lek.si.

Specific personal data to be collected

For this purpose, we can collect the specific personal data about you e.g. general and identification information such as name, gender, date of birth, email and/or postal address, phone number etc.

This information may either be directly provided by you (e.g. when filling a web form or interacting with a website or app), provided by third parties or obtained through trusted publicly available sources.

For inquiries via our contact form, you must provide your name, postal address, e-mail address, telephone number, the reason for contacting you and your message. You may provide your social media profile information including name, email address, contact details, comments, and reactions when you interact with us on social media platforms or using your social media login credentials to authenticate on our website.

When ordering products and services via the website (such as information materials, brochures, etc.), you will need to provide your name, email address and postal address and, if applicable, your payment details.

We do not usually collect Sensitive Personal Information for purposes other than monitoring and management of adverse events where we have a regulatory obligation. You are requested to not disclose your Sensitive Personal Information to us unless we specifically ask for it (e.g., national identification card numbers, information related to racial or ethnic origin, political opinions, religion or philosophical beliefs, health, sex life or sexual orientation, criminal background, or trade union membership, or biometric or genetic data for the purpose of uniquely identifying an individual).

Specific purposes for which we require your personal data

The collected information will be used by us for the following specific purposes:

We process and save the personal information provided during registration exclusively to enable you to access the content specifically relevant to you.

We process and save the Personal Information provided in the contact request only to process and answer your request regarding our products and services and to get in touch with you.

We will be able to obtain and use your personal information to provide you with information about our products, programs, services, your accounts and notifications to enable you to participate in surveys, promotions or other interactive features (such as chat).

We process and save the Personal Information provided when placing an order in order to provide you with the products and services you have ordered and for our business purposes including improving our products and services and tailoring your experiences when interacting with the Services.

Please note that the collected data may also be used by us for a number of other standard purposes (e.g. to measure the usage of our website and app), as set out in Part II below.

Specific third parties with whom we share your personal data

We may disclose your personal data to other Sandoz affiliates worldwide that agree to treat it in accordance with this Privacy notice. Personal Data may also be transferred to third parties who act for or on our behalf, for further processing in accordance with the purpose(s) for which the data were originally collected or may otherwise be lawfully processed, such as services delivery, evaluating the usefulness of this website, marketing, data management or technical support. These third parties have contracted with us to only use Personal Data for the agreed upon purpose, and not to sell your Personal Information to third parties, and not to disclose it to third parties except as may be required by law, as permitted by us or as stated in this Privacy Notice.

Please note that we may also have to share your data with a number of other recipients (e.g. another entity of the Sandoz Group if the entity collecting the data is not the same as the one using it) but always under strict conditions, as further explained in Part II.

Duration of storage

We will only store the above personal data and the personal data listed in Part II for a period as indicated in each case before the start of the processing or when the purpose is archived.

Cookies and other similar technologies

Please note that we also rely on the usual cookies and other technologies for the standard purposes set out in Part II below (e.g. to ensure the proper functioning of our website or app).

Dedicated point of contact

Should you have any question in relation to the processing of your personal data in the above context, please write us at sandoz_global.dpo@sandoz.com.

Part II – General information

The second part of this Privacy Notice sets out in more detail in which context we are processing your personal data and explains your rights and our obligations when doing so.

1 On what basis do we use your personal data?

We will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data:

if we have obtained your prior consent;
if the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;
if the processing is necessary to comply with our legal or regulatory obligations; or
if the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms.

Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ are data processing activities performed:

to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
to offer our products and services to our customers;
to prevent fraud or criminal activity, misuses of our services and products as well as the security of our IT systems, architecture and networks;
to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and
to meet our corporate and social responsibility objectives.

2 Who has access to your personal data and to whom are they transferred?

We will not sell, share, or otherwise transfer your personal data to third parties other than those indicated in this Privacy Notice.

In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by or transferred to the specific third parties identified in Part I of this Privacy Notice and the following categories of recipients, on a need to know basis to achieve such purposes:

our personnel (including personnel, departments or other companies of the Sandoz group);
our other suppliers and services providers that provide products and services to us;
our IT systems providers, cloud service providers, database providers and consultants;
our business partners who offer products or services jointly with us;
any third party to whom we assign or novate any of our rights or obligations;
our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets

The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.

Your personal data can also be accessed by or transferred to any national and/or international regulatory, enforcement, public body or court, where we are required to do so by applicable law or regulation or at their request.

The personal data we collect from you may also be processed, accessed or stored in a country outside the country where Lek d.d. is located, which may not offer the same level of protection of personal data.

If we transfer your personal data to external companies in other jurisdictions, we will make sure to protect your personal data by (i) applying the level of protection required under the local data protection/privacy laws applicable to Lek d.d., (ii) acting in accordance with our policies and standards and, (iii) for Lek d.d. located in the European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the "EEA"), unless otherwise specified, only transferring your personal data on the basis of standard contractual clauses approved by the European Commission or another method in accordance with applicable law. You may request additional information in relation to international transfers of personal data and obtain a copy of the adequate safeguard put in place by exercising your rights as set out in Section 6 below.

For intra-group transfers of personal data, the Sandoz Group has adopted Intra-Group Data Transfer and Processing Agreement (IGDTA) in which Sandoz rely on Standard Contractual Clauses approved by the European Commission as the relevant transfer mechanism for transfers of Personal Information outside the EEA, United Kingdom, and Switzerland to ensure that this global exchange of Personal Information complies with data protection laws.

3 How do we protect your personal data?

We have implemented appropriate technical and organisational measures to provide a level of security and confidentiality to your personal data.

These measures take into account:

the state of the art of the technology;
the costs of its implementation;
the nature of the data; and
the risk of the processing.

The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.

Moreover, when handling your personal data, we comply with the following obligations:

we only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes;
we ensure that your personal data remains up to date and accurate (for the latter, we may request you to confirm the personal data we hold about you and you are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date); and
we may process any sensitive data about yourself you voluntary provide in compliance with applicable data protection rules and strictly as required for the relevant purposes listed above, the data being accessed and processed solely by the relevant personnel, under the responsibility of one of our representatives who is subject to an obligation of professional secrecy or confidentiality.

4 How long do we store your personal data?

We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.

Unless otherwise indicated in Part I of this Privacy Notice, the retention period is [24] months after your last use of/access to the relevant website or app. When this period expires, your personal data is removed from our active systems.

5 How do we use cookies and other similar technologies on our websites and apps?

5.1 Cookies

We may collect and Process Information about your visit to this website, such as the pages you visit, the website you came from and the searches you perform. We may use such information to help improve the contents of the site and to compile aggregate statistics about people using our site for our internal usage statistics and market research purposes. In doing this, we may install "cookies" or similar technologies that collect the domain name of the user, your internet service provider, your operating system, and the date and time of access. Cookies are created and stored on the user's computer, phone or other devices when the user's browser loads a particular website. Every time the user goes back to the same website, the browser retrieves and sends this "cookie" file to the website. Cookies are useful because they serve key purposes like helping a website remember your preferences and settings, performing analytics to improve services, serving you relevant content or advertisements and authenticating you on the websites. Cookies do not damage your computer. You can set your browser to notify you when you receive a cookie, this will enable you to decide if you want to accept it or not. You can also refuse cookies altogether. However, if you do not accept our cookies, you may not be able to use all functionalities of our website. When you visit our websites, you may be presented with a cookie-setting banner that allows you to manage the settings and accept or deny the cookies. It is legally permitted to store cookies on your machine if they are essential to the operation of the website, but for all other types of cookies we need your permission to do so. On Sandoz websites, you have the option to consent to the use of cookies by using Cookie Settings banner that pops up while visiting the website for the first time or manage these settings anytime later. This cookie policy gives you the option of accepting or denying your consent to every category of cookies (except the necessary cookies). Please refer to our Cookie Settings to learn more about what types of cookies we use (the purpose they serve, their lifespan, and their provenance) and how you can manage your preferences.

In addition to the cookies listed in Part I of this Privacy Notice, we may also use the following types of usual cookies:

user interface customization cookies (i.e. cookies memorizing your preferences);
authentication cookies (i.e. cookies allowing you to leave and return to our websites without having to re-authenticate yourself);
video player cookies (i.e. cookies storing data needed to play back video or audio content and storing your preferences);
first party analytics cookies (i.e. cookies memorizing the pages you visited and providing information about your interaction with those pages); and
third party analytics cookies (i.e. cookies from third party suppliers tracking our website’s statistics and vice versa).

Certain of our websites also use OneTrust cookies to enable you to manage the cookies easily and help us to obtain your consent for our placement and use of cookies on your device. We need these cookies to remember the choices that you have made regarding cookie settings.

Please note that you can modify your browser so that it notifies you when cookies are sent to it. If you do not want to receive cookies, you can also refuse cookies altogether by activating the relevant settings on your browser. Finally, you can also delete cookies that have already been set.

For more information as to how to manage cookies on your device, please consult our <Cookie Settings> or the Help function of your browser or visit www.aboutcookies.org, which contains comprehensive information on how to do so on a wide variety of browsers (link is external).

5.2 Other tracking technologies

We may use cookies or other tracking technologies (also known as action tags, single-pixel GIFs, clear GIFs, invisible GIFs and 1-by-1 GIFs) provided by third party advertisement companies to provide relevant advertisements (interactive or non-interactive) to you based on your interests or browsing history. Typically, we use the services of social media companies and other third-party advertisement companies to collect information like your browser details, unique client ID etc. so that we may serve you ads on our websites and on other websites you may use. Please refer to our <Cookie Settings> to learn more about our marketing or advertisement cookies and manage your preferences.

Our Services, including websites, may use Google Tag Manager (“GTM”) which is a tag management system operated by Google to manage JavaScript and HTML tags used for tracking and analytics on websites. Tags are small code elements that, among other things, are used to measure traffic and visitor behavior: to understand the effect of online advertising and social channels; to set up remarketing and orientation towards target groups; and to test and optimize websites. GTM makes it easier for us to integrate and manage our tags.

We may also use other technologies on our websites and apps to collect and process your personal data for the same purposes as set out above, including Adobe Flash technology (including Flash Local Shared Objects, unless you set your setting otherwise).

5.3 Website preferences and security

We may collect certain information about you like your IP address, unique device identifiers like Media Access Control (MAC) address, computer type (Windows or Mac), browser type and version, screen resolution, operating system name and version. We may also derive your location information from your IP address. We use this information to secure our websites and network systems and to improve our services by recording your preferences, maintaining service levels, diagnosing and troubleshooting technical issues.

The legal basis for the processing of your Personal Information is our legitimate business interests.

6 What are your rights and how can you exercise them?

You may exercise the following rights under the conditions and within the limits set forth in the law:

the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
the right to object, in whole or in part, to the processing of your personal data;
the right to object to direct marketing communications; and
the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations; and
the right to object to automated decision making including profiling resulting in a significant or legal effect, i.e. you can request an human intervention in any automated decision making process related to processing of your data resulting in a significant or legal effect, and where such processing is not based on your consent, authorized by law or necessary for the performance of a contract. However, we do not currently make decisions using automated processes only that result in significant or legal effects on individuals.

Please note however that, in certain circumstances, your refusal to accept cookies or your browser settings may affect your browsing experience and prevent you from using certain features on our websites or apps.

If you have a question or want to exercise the above rights, you may visit our Privacy portal or send an email to (sandoz_global.dpo@sandoz.com) or regular mail (Data protection officer, Verovškova ulica 57, 1526 Ljubljana) with a physical scan of your identity card for identification purpose, it being understood that we shall only use such data to verify your identity and shall not retain the scan after completion of the verification. When sending us such a scan, please make sure to redact your picture and national registry number or equivalent on the scan.

In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.

7 What technical and transactional data may we collect about you?

7.1 Categories of technical and transactional data

In addition to any information collected about you under Part I of this Privacy Notice, we may collect various types of standard technical and transactional personal data about you during your use of our websites and apps which are necessary to ensure a proper functioning of our websites and apps, including:

information regarding your browser and device (e.g. internet service provider’s domain, browser’s type and version, operating system and platform, screen resolution, device manufacturer and model);
statistics in relation to your use of our website and our app (e.g. information regarding the pages visited, information researched, time spent on our website);
usage data (i.e. date and time of access of our website and app, files downloaded);
your device’s location when using our app (unless you disabled this function by changing your device’s settings); and
more generally, any information you provide to us when using our website and app.

Please note that we will not knowingly collect, use or disclose personal data from a minor under the age of [15] without obtaining prior consent from a parent or legal guardian.

7.2 Why are we collecting technical and transactional data?

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In addition to any purposes already communicated to you in Part I of this Privacy Notice, we also process your personal data collected during your use of one of our websites or apps for the following standard purposes:

manage our users (e.g. registration, account management, answer questions and provide technical support);
manage and improve our website and apps (e.g. diagnose server problems, optimize traffic, integrate and optimize web pages where appropriate);
measure the usage of our website and apps (e.g. by drawing up statistics about the traffic, by gathering information regarding the users’ behaviour and the pages they visit);
improve and personalize your experience and better tailor content to you (e.g. by remembering your selections and preferences, by using cookies);
send you personalized location-based services and content;
improve the quality of our products and services and expand our business activities;
monitor and prevent fraud, infringement and other potential misuse of our website and app;
reply to an official request from a public or judicial authority with the necessary authorisation;
manage our IT resources, including infrastructure management and business continuity;
preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct fraud, conducting audits, defending litigation);
archiving and record keeping; and
any other purposes imposed by law and authorities.

8 How will you be informed of the changes to our Privacy Notice?

We keep this Privacy Policy under regular review and update it as and when required. We may change or update this Privacy Policy by posting a new privacy policy on this website. Please keep checking this policy occasionally so that you are aware of any changes.