Privacy Notice for use of personal data, including human biosamples, for scientific research
1 WHAT IS THIS ABOUT?
At Novo Nordisk, we are open about how we use and protect personal data. This notice explains:
-
which types of personal data we collect,
-
why we collect it, and
-
what we do with it.
The protection of your data and rights is of high importance to us. We are required by law to protect your personal data, including human biosamples (tissues, blood and blood derivatives such as plasma, serum and cells).
2 WHO IS RESPONSIBLE FOR YOUR DATA?
The company responsible for processing your personal data is:
- Novo Nordisk A/S
- Novo Allé, 2880 Bagsværd Denmark
- Company number 24256790
- Tel: +45 44 44 88 88
You can always contact Novo Nordisk or the Novo Nordisk Data Privacy Officer at privacy@novonordisk.com with questions or concerns about how we process your personal data.
3 HOW DO WE COLLECT YOUR PERSONAL DATA?
- Hospitals and clinics
- Research organisations
- Suppliers and partners we collaborate with
- Research institutions and practitioners as part of our clinical studies
- Universities
- Public and private databases
- Medical devices, apps and eDevices
- Your relatives, if they participated in one of our clinical studies
- From you directly
4 PURPOSE – WHY DO WE USE YOUR DATA?
We will only use your personal data for scientific research to find out more about the study medicines, the specific disease or related diseases.
Examples of scientific research are:
- Investigation of a new potential medicine or new use of an approved medicine
- To demonstrate that is medicine works and is safe to use
- To learn more about a disease area
- To make a study design better
- Quality controls of medicine
- To develop new diagnostic tools and methods
- To analyse and identify correlations in your data set
In addition, Novo Nordisk will whenever possible, seek to use anonymised data for research purposes. See figure 1 below that illustrates the difference between coded and anonymised data.
5 WHAT TYPES OF DATA DO WE USE?
Novo Nordisk uses both non-sensitive personal data and sensitive personal data for scientific research purposes as described in section 4. Examples of this are listed below. Such personal data will be coded or anonymised. This means that all personal data that can be linked directly to you (for example name, address) will be removed and we will not be able to identify you.
| Examples of non-sensitive data | Such as: |
| Demographic data | Age, sex and nationality |
| Information about the use of a Novo Nordisk product or service | Preferences for use of product or service |
| Job related information | Title, educational level |
| Other non-sensitive personal data collected during our research activities | Family relationship |
| Examples of sensitive data | Such as: |
| Health-related information | BMI, glucose level, diagnose (Diabetes, Cancer, Alzheimer etc.), genetic data, biometric data and data originating from the analysis of human biosamples. |
| Use of a Novo Nordisk product or service | Preferences, if it relates to other sensitive data |
| Biosamples that you have donated for use in research activities | Blood, skin, hair, urine, saliva, plasma, serum, primary cells, stem Cells, urine, tissues |
| Other sensitive personal data | Race or ethnic origin, religious beliefs, sexual orientation |
6 WHAT IS OUR LEGAL BASIS TO USE YOUR DATA?
At Novo Nordisk we use personal data for several reasons. When doing so we follow the relevant data protection laws and are allowed to use your data because:
-
Our core expertise is to do scientific research. The legal bases for this are our legitimate interests to understand and develop medicines and scientific research. These legal bases are found in the GDPR art. 6(1)(f), GDPR art. 9(2)(j) and/or section 10 of the Danish Data Protection Act.
-
We will share study results to demonstrate safety and efficacy of medicine with relevant authorities. The legal bases for this are to meet the legal obligations of Novo Nordisk and public interest in the area of public health. These legal bases are found in the GDPR art. 6(1)(c) and GDPR art. 9(1)(i).
-
In some cases, you have given your consent to share your personal data for specific research purposes. This could be the consent you have provided to our suppliers, partners, research institutions or directly to Novo Nordisk to use your personal data. These legal bases for our processing are found in the GDPR art. 6(1)(a) and GDPR art. 9(2)(a).
It is important to Novo Nordisk to respect your rights and to keep your personal data private. We have processes in place to protect your rights. We will only process your data for ethical and lawful purposes.
7 WITH WHOM DO WE SHARE YOUR PERSONAL DATA?
In line with the purpose as stated above in section 4, we may share your coded personal data with the following external parties.
| External party | Such as: |
| Suppliers or vendors assisting Novo Nordisk | Consultants, IT service providers, law firms and Contract Research Organisations (CROs) |
| Other Novo Nordisk entities | Novo Nordisk affiliates in other countries |
| Public authorities if required | Health care authorities |
| Hospitals and clinics | Public, private or university hospitals, speciality clinics |
| Partners | Researchers from universities and other pharmaceutical companies who we collaborate with. |
| External researchers | Researchers who are investigating the same or related disease area or drug product |
8 HOW WE ENSURE THAT YOUR DATA STAYS SAFE WHEN TRANSFERRED OUTSIDE THE EU?
For the purposes described above in section 4, we may transfer your personal data to countries outside the European Economic Area (EEA).
We use one of the below safeguards, as required by law, to protect your personal data in case of such transfer
| Situation | Safeguards protecting your data |
| Data is transferred from Novo Nordisk entity in the EEA to Novo Nordisk entity outside the EEA | Protected by the Novo Nordisk’s Binding Corporate Rules, available at: Novo Nordisk Binding Corporate Rules |
| Data is transferred from Novo Nordisk entity in the EEA to an external party outside the EEA | Protected by Standard Contractual Clauses for the transfers of data to third countries entered into by Novo Nordisk or; Adequate data protection is in place in destination country or recipient has certified under a relevant data privacy framework according to the European Commission |
9 HOW CAN YOU CONTROL THE USE OF YOUR PERSONAL DATA?
You have specific rights in relation to Novo Nordisk’s processing of your personal data. In general, you have the below rights.
| You have right to: | How you can use your rights |
| Get insight into data | You can get information of what identifiable personal data we have about you |
| Overview of your data | Ask for a copy of your personal data, which we provide in a structured format, readable to a machine |
| Withdraw consent (legal basis) | Where the personal data is processed on the basis of your consent you may withdraw your consent. |
| Restrict use of your data | Request that we stop or limit the use of your personal data |
| Have your data deletion | Request that your personal data is deleted or destroyed |
| Have your data corrected | Ask us to update or correct information about you |
| Complain about how we use the data | Submit a complaint to your local Data Protection Authority |
These rights might be limited when data is used solely for scientific
research purposes. This means that the right to get insight into the
data, right to correction or deletion of data and the right to
restrict use are limited if Novo Nordisk only uses your data for
scientific research. In addition, your possibilities to exercise your
rights might be limited due to the fact that Novo Nordisk is not able
to identify you or link your identity to the applicable personal
data
Please contact us as described under section
2 if you have questions or requests relating to these
rights.
You can also contact the Danish Data Protection Agency if you would like more information or if you wish to make a complaint: https://www.datatilsynet.dk/kontakt
10 HOW LONG WILL WE KEEP YOUR DATA?
We will keep your personal data as long as relevant for the intended use for which it was collected and in accordance with Novo Nordisk’s data retention and deletion procedures.
Examples:
| Type of data | Retention period |
| Data related to technical complaints | 12 years |
| Human biosamples | As long as we are allowed, depending on the arrangement we have with our external parties. Sometimes it is for 3 years, but it can also go up to 15 years. |
| Pharmacovigilance data and regulatory documents relating to individual authorised medicinal products | As long as the marketing authorisation exists and for at least a further 20 years after the marketing authorisation has ceased to exist. |
| Personal data collected as part of a Novo Nordisk sponsored clinical trial | For scientific research for at least 25 years |