Privacy Notice

Last revised: April 2020


General Privacy Statement

At F. Hoffmann-La Roche Ltd (“Roche”), we are committed to protecting your personal information. This Privacy Notice outlines the types of personal information Roche may collect; the means by which Roche may collect, use, or share your personal information; steps Roche takes to protect your personal information; and choices you are provided with respect to the use of your personal information.

This Notice only applies to Roche websites that link to this Notice. Our websites also may contain links to third-party websites. We do not endorse and are not responsible for the content of third-party websites or resources, and our privacy notice does not apply to any sites that are not affiliated with Roche, even if you access them via a link on our site. You should review the privacy policies of any third-party site before providing any information.

For purposes of this Privacy Notice, “Personal Data” is any information by which you can be individually identified both directly and indirectly, including, but not limited to, your name, address, e-mail address, and telephone number.

Please refer to the California Supplemental Privacy Notice for more information about how this term is defined for the purposes of California law and for more information about how Roche uses such information.


Minors

This website is not designed or intended for use by children under the age of 16. We do not knowingly collect any Personal Data on this website from anyone under the age of 16 without the prior, verifiable consent of a parent or guardian. Such parent or guardian may have the right, upon request, to view the information provided by the child and require that it be deleted. Moreover, all minors should seek their parent’s or guardian’s permission prior to using or disclosing any Personal Data on this website or online resource.


Identity and Contact Details of the Data Controller and Data Protection Officer

The data controller is Roche Diagnostics GmbH, Sandhofer Str. 116, 68305 Mannheim (Contact: mannheim.rsdc@roche.com).

The Data Protection Officer can be contacted via the address stated above (“c/o Datenschutzbeauftragter”) and via e-mail (mannheim.datenschutz@roche.com). The Data Controller can be contacted via mannheim.rsdc@roche.com.

The California Supplemental Privacy Notice provides the appropriate channels for contacting Roche with questions, requests, and inquiries in scope of California law.


How and Why We Process Your Personal Data

In the Reference Standards Ordering Tool, we may request Personal Data about you. To order a material, contact data has to be provided. The data we collect for contact creation includes your first and last name, a self-chosen username, e-mail address, phone number, department and cost center. This data is necessary to be able to link the order to you in further order processing and to contact you if necessary. In the contact form, it is up to you whether you provide us with private or business information; however, we strongly recommend using your business information. Further data collected in the “Place an Order” form is not directly personal data, but can be linked to you and the contacts you link to this order. Sensitive personal data such as health data, religion, sexuality etc. is not gathered in the tool.

The Reference Standards Ordering Tool only asks for data which is absolutely necessary and limits its use to the ordering purpose as described above. The legal basis for the data processing is your request prior to entering into a contract (Art. 6 (1) b GDPR). We value your privacy and design the tool both to respect your privacy and to provide a pleasant experience with the Reference Standards Ordering Process.


Cookies and use of our website

Our websites and online resources also collect other basic information about you which may not directly identify you, but which may correspond with you or a particular device. The Reference Standards Ordering Tool only uses cookies necessary for an optimal user experience. Therefore, we use two different cookies. The “csrftoken” cookie is a security cookie which prevents malicious websites from performing harmful actions on the Reference Standards Ordering Tool via your browser. The second cookie, “sessionid”, is a session cookie, which allows the tool to remember that you are logged in. Neither cookie is used for user tracking, marketing or analytics in any way, and both will be deleted automatically after two weeks without interaction with the Reference Standards Ordering Tool. If you visited www.roche.com before, additional cookies will be saved that can also appear in the tool, since www.roche.com is its parent domain. For more information about these cookies, please see the privacy policy of www.roche.com.

We use this information to secure our websites, network systems, and other assets. This may include information concerning your IP Address, geographic location, resources you have accessed, and similar information. We collect this information automatically, for our legitimate business interests to run, maintain, and secure our websites, based on Article 6(1)(f).


Information Sharing / Recipients of Personal Data

Recipients of your Personal Data

We may share your Personal Data with our carriers, which is necessary for a flawless delivery process. Furthermore, we may share your Personal Data with Roche’s affiliates around the world. Our Roche affiliates will use your Personal Data for the same purposes as we do. A list of Roche’s affiliates is available in the current annual report, which can be found in the Investors section of www.roche.com.

We may also share your Personal Data with third parties, such as our service providers, for the following purposes:

  • To help fulfill Roche business transactions;
  • To conduct technical maintenance of our websites and other web platforms;
  • To facilitate a merger, consolidation, transfer of control or other corporate reorganization in which Roche participates, or pursuant to a financial arrangement undertaken by Roche;
  • To respond to appropriate requests of legitimate government authorities, or where required by applicable laws, court orders, or government regulations; and
  • Where needed for corporate audits or to investigate or respond to a complaint or security threat.


International Transfers of Your Personal Data

Any Personal Data you provide to us through your use of this website may be transferred to or stored in a geographic region that imposes different privacy obligations than your country of origin. This means that your Personal Data may be sent to a country with less restrictive data protection laws than your own. Any such transfer will be conducted in compliance with applicable law.

If your Personal Data is covered by the GDPR: For transfers of data within the Roche Group, contracts containing the EU Standard Contractual Clauses according to the EU Commission decisions of 27 December 2004 (2004/915/EC) and 05 February 2010 (C(2010)593) constitute appropriate and suitable safeguards to ensure compliance with GDPR. In addition to Standard Contractual Clauses, Roche may also use data processors that are certified under the EU-U.S. Privacy Shield, which establishes appropriate and suitable safeguards to ensure compliance with the GDPR according to the EU Commission decision of 12 July 2016 (C(2016) 4176).


Retention / Storage Period of Your Personal Data

We process and store master and contract data only as long as it is necessary for the fulfilment of our contractual and legal obligations. After the end of our business relationship, we will store your data for an appropriate period of time if this is necessary for the fulfilment of commercial and tax law retention periods (in particular § 257 HGB and § 147 AO) or if it cannot be excluded that your data may be necessary for the assertion, exercise and defence of legal claims. We check annually when your last order was placed and delete your data if the last order was more than five (5) years ago.


Information About Your Rights Regarding Your Personal Data

You may have certain rights regarding our use and processing of your Personal Data.


Your Rights If Your Data is Covered by the GDPR

If your Personal Data are covered by the GDPR (that is, if you are an individual within the European Economic Area), you have the following rights with respect to your Personal Data:

  • The right to request access to the Personal Data that Roche has about you;
  • The right to rectify or correct any Personal Data that is inaccurate or incomplete;
  • The right to request a copy of your Personal Data in electronic format so that you can transmit the data to third parties, or to request that Roche directly transfer your Personal Data to one or more third parties;
  • The right to object to the processing of your Personal Data for marketing and other purposes;
  • The right to erasure of your Personal Data when it is no longer needed for the purposes for which you provided it, as well as the right to restriction of processing of your Personal Data to certain limited purposes where erasure is not possible.

To exercise any of these rights, please contact us using the information provided above.

Please note that erasure or restriction of processing is only possible if and to the extent that the processing of Personal Data is based on your consent or our legitimate interests. If data processing is based on consent, note that you have the right to withdraw your consent at any time, but that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal. In the event of an erasure request, we may retain a copy of your Personal Data for our record-keeping purposes and to avoid entering your personal data in our systems after your request.

In the event that you believe or have the impression that our data processing does not comply with the GDPR, you are entitled to lodge a complaint with the responsible supervisory authority.


Your Rights If Your Data is Covered by California Law

If you are a California resident as defined by the California Consumer Privacy Act (CCPA), you can find a description of these rights covered in the California Supplemental Privacy Notice. That privacy notice contains information on how to contact Roche to exercise any of your rights under that law.

California Civil Code Section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please use the contact information provided in the California Supplemental Privacy Notice.


Data Security

Roche and its service providers and collaboration partners take reasonable steps to protect Personal Data we access or receive through this website from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Nevertheless, Roche makes no guarantee as to the security of your Personal Data and disclaims, to the fullest extent permitted by law, all liability and damages caused by loss, misuse, and unauthorized access, disclosure, alteration, or destruction. We recommend that you take any available precautions to protect Personal Data you submit on this website.


Updates to This Privacy Notice

From time to time, we may revise this Privacy Notice. Any such changes to this Privacy Notice will be reflected on this page. Roche recommends that you review this Privacy Notice regularly for any changes. The date on which this notice was last revised is located at the top of this notice.