Bristol Myers Squibb the Netherlands, and its subsidiaries and affiliated companies (collectively, the “Company”, “We”, or “Us”) strives to properly address applicable data protection laws and requirements.
This Privacy Notice (“Notice”) provides the individuals who receive our services, including but not limited to, healthcare professional product related information and services (“Customer”), with certain important information about how the Company handles their Personal Data. The Company is the primary data controller for processing of Personal Data.
TYPES OF DATA Processed
Personal Data processed includes the following types of data: Name, Date of Birth, Address, Email Address, Telephone Number (landline and mobile), CV, Employment History, Education History, Referee Contacts, Registration number, Gender, Nationality, Place of Birth, Marital Status, Health Data, Banking Data, Biometric Data.
PURPOSE OF Data Processing, legal bases, AND DISCLOSURES of personal Data
The Company will use and otherwise process Personal Data of Customers e.g.:
- to improve our services;
- for marketing and communications;
- to fulfil our contract with Customers.
The Company’s legal basis to process Personal Data includes processing that is necessary for the Company’s legitimate interests, including those described above, to conduct internal analysis and market research, improve the quality of the goods and services we offer; necessary for compliance with Company’s legal obligations, including the transparency obligation (Sunshine Act); necessary for the performance of the contract between the Company and the Customers; necessary for carrying out the obligations and exercising rights under employment law; necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of employees; necessary for medical diagnosis, the provision of healthcare or management of healthcare services; necessary for the establishment, exercise or defense of legal claims; necessary in order to protect the vital interests of the Customer or of another natural person; necessary for the performance of a task carried out in the public interest or in the exercise of official authority; necessary for reasons of public interest in the area of public health; necessary for archiving purpose in the public interest, scientific, or historical research or statistical purposes; based on consent by Customers, which may subsequently be withdrawn at any time by contacting us at the address listed below in the “Contact Information” section without affecting the lawfulness of processing based on consent before its withdrawal.
Customers may be required, as a statutory requirement or as a necessity to enter into a contract, to provide us with Personal Data for processing as described above. If Customers do not provide us with Personal Data, we may terminate the contract between us. If Customers provide the Company with data of third parties, such as CVs, email addresses, etc., it is the responsibility of the Customers to ensure that the communication of such data to, and further processing by the Company is lawful.
As necessary in connection with these purposes, authorized third-party vendors such as contractors, researchers, cloud service providers and limited members of e.g. HR department, IT department, senior management may access and otherwise process Personal Data in connection with their job responsibilities or contractual obligations. Some of these personnel and third-party vendors are located outside of the EEA, including in countries that may not provide the same level of data protection as the home country of our Customers. The Company takes appropriate steps to ensure that such personnel and third-party vendors are bound to duties of confidentiality and the Company implements measures such as standard data protection contractual clauses to ensure that any transferred Personal Data, remains protected and secure. A copy of these clauses can be obtained by contacting us at the address listed below in the “Contact Information” section.
RETENTION OF PERSONAL DATA
Personal Data will be retained only for so long as reasonably necessary for the purposes set out above, in accordance with applicable laws.
Data Security and Data Integrity
The Company maintains reasonable security measures to safeguard Personal Data from loss, interference, misuse, unauthorized access, disclosure, alteration or destruction. The Company also maintains reasonable procedures to help ensure that such data is reliable for its intended use and is accurate, complete and current.
Customers are entitled, in accordance with applicable law, to object to or request restriction of processing of their Personal Data, and to request access to, rectification, erasure and portability of their own Personal Data. Requests should be submitted in writing to the address listed below in the “Contact Information” section.
If a Customer is aware of changes or inaccuracies in his or her Personal Data, he/she should inform us of such changes so that the Personal Data may be updated or corrected.
Customers may lodge a complaint with a supervisory authority if they consider that Company’s processing of their Personal Data infringes applicable law.
Disclosures Required or Permitted By Law
Regardless of any other provisions in this Notice, the Company may disclose or otherwise process Personal Data in the context of any sale or transaction involving all or a portion of the business, or as may be required or permitted by law or required for the purposes of any regulatory audit to which the Company may be subject from time to time.
You may contact our EU Data Protection Officer at EUDPO@BMS.com to exercise any data privacy rights that you may have, as well as to raise any concerns or questions in relation to the handling of your personal data by Bristol-Myers Squibb Company.
You may also write to us at the following address : Bristol-Myers Squibb B.V., Orteliuslaan 1000, 3528 BD Utrecht, The Netherlands.