Privacy notice center

General privacy notice

Click here to download or print a copy of this BMS general privacy notice.

Our commitment

At Bristol Myers Squibb (BMS), your privacy matters to us. For us, data privacy goes beyond mere compliance with the law. BMS aims to collect, use, and share information that we obtain about you in a manner consistent with our company values, including high ethical standards, integrity, inclusion, fairness, and transparency. We have a dedicated internal team that reviews how BMS accesses, collects, uses, shares, stores, transfers, deletes and protects information about you. To safeguard your data, BMS employs reasonable and appropriate security measures. When upholding your rights as a data subject, you can contact us to respond to any questions you might have that are not answered in this Notice at dpo@bms.com or as described below.

1. WHO WE ARE

2. INTRODUCTION – HOW THIS NOTICE APPLIES TO YOU

3. HOW WE USE YOUR INFORMATION ONLINE

We may collect your Personal Information online when you use BMS or third-party operated websites and other online resources, including mobile applications, other digital means or platforms. This may also happen through collaborations that we have in place with third parties or companies that host websites for us or with whom we have partnerships for our products, services, or activities. Below, we give you additional information about how we use your information online.

You may interact with BMS or our partners’ websites and platforms that relate to BMS products and services, job application, patient recruitment, disease awareness, scientific research, alliance websites, or applications used in the context of patient support or management programs.

We enter into arrangements for those collaborations to require an appropriate protection of your Personal Information. Some areas of our websites and platforms may require you to submit information in order for BMS to respond to your request, permit you to access specific areas or participate in a particular activity. When visiting our websites, please also read our Legal Notice and if you are visiting our website for safety reasons, please visit our page for medical information.

We have identified examples where we Use your Personal Information online in the table below.

Online Information that we may collect when you use our sites
Contact information	If you communicate with us through the "contact us" link on our sites, we may ask you for your Personal Information, such as your name, telephone number, professional information and e-mail address so that we can verify your identity or respond to your questions and comments.
Website features	Our site offers various features, which we may change from time to time. We may ask you to submit certain Personal Information so we can communicate with you about these features and manage them properly.
Contacting Medical Information or reporting an adverse event	If you contact our medical information team (medinfo) or report an adverse event in relation to a BMS product, the information you provide (including your name, contact details, professional information and your questions) will be documented and retained on our databases for purposes of dealing with your enquiry and to comply with the law.
Connections and authentication	Some areas of our websites and platforms can be restricted. It may require you to log in with usernames, passwords and other authentication mechanisms that belongs to you, that you create or that we provide you. When using such features, this may automatically allow us to access certain of your account credentials or other personal user account details to verify your identity or that you have a valid licence to practice as a professional.
Other uses of information	We may Use the Personal Information you provide through BMS website or platforms for our internal purposes. These purposes include administration of the site, data analytics, compliance with our legal obligations or our internal policies and procedures.
Cookies and similar tracking technologies	When connecting to our various websites, applications, and other digital platforms, we may use cookies and other similar technologies that may allow us or third parties to collect Personal Information about you. Depending on the country where you reside, you may opt-in or opt-out from options or technologies that we use and display. Please read our cookies section below for more information.

Links to other third-party websites

As a convenience to users, our sites contain links to other third-party websites that may offer additional information, such as educational or professional materials, services and contacts. This Notice does not apply to your use of those other websites. Before using the linked websites, please review their privacy notices to understand how they use and protect your Personal Information.

4. WHAT INFORMATION WE MAY PROCESS ABOUT YOU

The information that we Process about you may include various categories of Personal Data depending on your interactions with BMS, third parties with whom we collaborate, or external sources that provide us with your Personal Data. We have outlined below the main categories of Personal Information and, where applicable categories of sensitive Personal Information that we may collect about you.

Examples of general categories of Personal Information
Contact information	Full name, postal and/or email address, phone number and other contact details about you, your organisation, or staff.
Identification information	Full name, initials, date of birth, photographs, or government-issued identification, such as driving licence, passport, professional licence number, or government ID number.
Financial information	Payment-related information, such as your bank address or account details and number, tax-related information for business purposes, creditworthy information (such as to enter into a contract with you or to comply with the law), or other information about you, your relatives, connections, your suppliers or third parties for example to verify the absence of conflicts of interest or to comply with anti-bribery laws.
Professional information	Job title, CVs and resume, educational information, professional qualifications, position, work experience, background checks, criminal records, professional networks, programs, publications and activities, referrals and, other relevant professional information where needed.
Categorization and classification data	In some cases, we may classify, organize, rank, rate or create profiles relating to our audiences (for example, via our customer relationship management system or other similar tools). When doing so, those activities are conducted with human intervention by BMS staff or authorised third-party employees to capture: data relating to how you behave using our technologies (for example websites, mobile applications, platforms, or care programs); data used to categorize, analyse, or predict performance and preferences. You can read more about this activity in section 10 below
Sentiment analysis and analytics, social media and data from publicly available sources	We may obtain information from publicly available sources, third-party service providers specialized in social media listening, or from the Internet to understand how the general public or influencers perceive our brand, products and activities. This may include collecting information about: the volume of coverage, reach and popularity, sentiments (negative/positive), most frequent words and topics that you use, engagement (amount of likes, favourites, comments, shares of users on a specific topic), contributors’ demographics (native language, country of origin and gender), and data and time of posts to see development over time, which we may either collect via our channels, websites, social media or via third-party providers. When conducting such activity, we do not make individual decisions on users unless we inform you otherwise. We have agreements in place with third parties to protect and limit information Used for this purpose to aggregate reports. If we need to specifically identify you, we will use reasonable efforts to inform you about our Use of your Personal Information. You can read more about this activity in section 10 below.
Data from social media activities and monitoring	BMS uses social media channels to share important news about our research and commercial activities, programs, and initiatives to improve the life of patients. You may connect using your login details on such platforms or visit publicly available pages. When monitoring our channels, we may receive aggregate information or access Personal Information about you, such as your username, profile, and what you say, like or comment on our channel. When monitoring our channels, BMS may also receive information about potential adverse events about someone using a BMS product. If we identify or receive safety information about patients, we may be required to notify competent authorities about pharmacovigilance cases. You should consider carefully what information about yourself and others (such as colleagues, friends, customers, or patients) you choose to share when you use social media. If you need to report any concern about our products, we encourage you to contact us via our contact forms on our official BMS sites. Because the information you may share becomes public and often cannot be permanently erased on those platforms, we recommend that you do not report sensitive information, including health information through BMS social media platforms. We may provide additional notice and choices to you about how BMS may Use Personal Information on social media platforms, our web sites and other online resources that we utilize.
Information technology-related data	The information we may collect might originate from your use of BMS’s sites, websites, mobile applications, and other connected devices (such as medical devices and Apps) and includes: Internet Protocol (IP) address, geolocation data, your browser, operating systems, device ID; data captured by cookies and similar tracking technologies, which may include analytics information and information about the date and time of your request (read our 0 below); or Information that we may collect that describes and gives information about other data ("metadata”). This Notice applies to the extent such metadata allows us to draw precise conclusions about your private life, to identify you or to further Use your Personal Information for our purposes.

In some situations, we may collect sensitive Personal Information about you. When doing so, we apply stronger safeguards to protect your privacy. Depending upon the country in which you reside and the particular context for the collection of such Personal Information, this may include the following information:

Examples of special categories of data / sensitive Personal Information
General types of sensitive Personal Information	Data revealing race or ethnicity (such as for diversity and inclusion initiatives); Political opinions (such as for employment purposes); Religious or philosophical beliefs (such as for tax purposes); or trade/labour union membership (such as to comply with labor laws); or Data related to a person's sex life or sexual orientation
Health information (if permitted or required by law)	We may collect data relating to your health in limited contexts, which includes: health data or status needed for managing accidents cases or for disease prevention in the context of public health; dietary preferences or restrictions (such as food allergies), special conditions or disabilities when attending an event; genetic or biometric information, (for example, for identification and safety purposes, in relation to BMS’s risk management and drug safety programs, for accessibility purposes for visitors to BMS facilities and manufacturing sites, or for security or fraud prevention or detection purposes); or other health data, combined with other identifiers that we may collect to provide you with cell therapies, personalized medicines and other innovative therapies or devices that we use to manufacture our products, ensure product quality, safety, performance, vigilance and to ensure patient safety. Such Personal Information may include your initials, name, key-coded or pseudonymized data, and other related information necessary for the provision of our products when necessary to protect your health safety or to comply with the law.

Examples of special categories of data / sensitive Personal Information

General types of sensitive Personal Information

Data revealing race or ethnicity (such as for diversity and inclusion initiatives);
Political opinions (such as for employment purposes);
Religious or philosophical beliefs (such as for tax purposes); or trade/labour union membership (such as to comply with labor laws); or
Data related to a person's sex life or sexual orientation

Health information
(if permitted or required by law)

We may collect data relating to your health in limited contexts, which includes:

health data or status needed for managing accidents cases or for disease prevention in the context of public health;
dietary preferences or restrictions (such as food allergies), special conditions or disabilities when attending an event;
genetic or biometric information, (for example, for identification and safety purposes, in relation to BMS’s risk management and drug safety programs, for accessibility purposes for visitors to BMS facilities and manufacturing sites, or for security or fraud prevention or detection purposes); or
other health data, combined with other identifiers that we may collect to provide you with cell therapies, personalized medicines and other innovative therapies or devices that we use to manufacture our products, ensure product quality, safety, performance, vigilance and to ensure patient safety. Such Personal Information may include your initials, name, key-coded or pseudonymized data, and other related information necessary for the provision of our products when necessary to protect your health safety or to comply with the law.

Please note: The categories of Personal Data listed above are not exhaustive and may vary depending on the way that you interact with us or the type of Personal Data that BMS needs to Process for particular activities. In the event that BMS Uses Personal Data about you which is not listed in this Notice, we will use our best efforts to inform you of the information that we will Use at the time of collection or when we communicate with you.

5. WHERE DO WE GET YOUR INFORMATION FROM

In many cases, BMS will collect Personal Information directly from you (such as when we collaborate with you) although sometimes we will obtain information about you indirectly from public or third-party information sources, databases or third-party providers. We have outlined below the main ways BMS collects and Processes Personal Data when interacting directly or indirectly with you.

We may collect information from you directly:

Such as when:

when we interact with you in the course of our activities or when you participate in a BMS activity, event or program (such as diversity and inclusion, ambassador or patient support programs);
in the context of a specific treatment, such as for personalized medicines, using medical devices or digital platforms or applications;
when we engage service providers, business partners or institutions for services, collaborations or operations;
when you sign up to receive our communications to become a member of our databases or when registering to receive our press releases, e-mail alerts, marketing communications or more information about our activities;
when you share information with us through our various contact points, such as through our company products, commercial, clinical or alliance websites, mobile applications, contact forms, call centers, career application websites, during offices or manufacturing site visits, or for product inquiries;
when we collect information about you from your computer or other devices you use when visiting BMS’s website or mobile applications, or other products, our offices and facilities; or
when you share medical information with us relating to adverse events, pharmacovigilance or incidents involving devices or applications. These disclosures can be communicated in-person or remotely, including by calling us, or via our websites and other digital channels or means of communication.

We may collect Information about you indirectly:

when we receive information about you through a healthcare professional where necessary for pharmacovigilance, incident management, risk management, investigation, or litigation purposes;
when we obtain information that is accessible from public registries, databases, or other third-party sources, such as service providers, agencies or private organisations;
when you have made information about you publicly available on the Internet, including websites, social media platforms, scientific reviews, articles and publications and other sources, in which case we may either inform you, anonymize the data or get your prior consent;
when necessary to verify your credentials, professional information (such as by accessing publicly accessible information, national registries or third-party databases) or your identity for compliance, security or ID verification purposes;
when you make public posts on social media platforms that we follow (for example, so that we can understand public opinions); or
when conducting pharmacovigilance monitoring activities, or in the context of incidents or other post-market surveillance obligations.

We may also collect information about you automatically, such as for security and systems monitoring (e.g. through video (CCTV) recording) and building access control logs when you visit our offices or in other contexts made apparent to you at the time.

6. DATA MINIMIZATION

7. FOR WHAT PURPOSES DOES BMS PROCESS YOUR INFORMATION

This is a global Notice. BMS Processes your information in the context of our regular activities, and in accordance with the purposes as set out in this Notice, a separate notice, or when Applicable Data Protection Laws either permit or require us to do so. These purposes may vary depending on where you live and where BMS operates. Where the laws of a country restrict or prohibit certain activities described in this Notice, we will comply with such requirements. This may include refraining or not Using your Information for those purposes restricted or prohibited in that country.

Below, we list some of the main, but not all, of our purposes for which we may Use Personal Information about you.

Main purposes for which BMS may Use your Personal Information
Contracting purposes	We may Use Personal Information about you, your staff and third parties with whom you collaborate in the context of the services that you provide to us. Such Personal Information may include: when you need access or authorisation to connect to our systems, devices or enter our facilities; to protect our systems and IT infrastructure; when assisting us in our activities; or when we conduct audits or assessments of your organisation. This includes obtaining Personal Information before, during and after we enter into a contract with your, your organisation and your staff.
Collaborations and research purposes	We may Use Personal Information about you when we partner with other organisations, including private or public alliances, institutions, regional or local discussions, or life science industry groups associations and consortiums.
Patient advocacy and support programs	When we exchange, interact or establish partnerships with service providers, local, regional or global patient advocacy associations or organisations, or other life sciences companies, including in the context of patient-related support or management programs.
Providing innovative products, such as devices or personalized medicine	As we develop and manufacture innovative therapies, we may Use Personal Information, which may include sensitive Personal Information about you when providing: personalized medicines, such as cell-therapies, or other innovative therapies; or digital health platforms, digital or medical devices, medical equipment, tools or applications. In this context, we may keep Personal Information, including health information, about you for manufacturing, quality or safety purposes.
Managing BMS’s relationship with you	For example, when we: respond to your questions, comments, application and requests; manage your access to our systems, devices and facilities; conduct due diligence (including for compliance with anti-bribery laws and to avoid conflict of interests) or audits activities; invite you to our events, activities, initiatives or programs; conduct assessments, provide training, perform background checks or identity verification, send invoices; or have to disclose information to competent authorities.
Commercial and marketing activities	When conducting our business operations, we may interact with you in person or digitally or to improve our brand and products, such as through the following activities: Market Research and surveys: we collect Personal Information about individuals for market research purposes. We collect this information through surveys and interviews with patients and healthcare professionals or other stakeholders to help us improve our products and understand the market; Direct Marketing: we Process Personal Information to provide marketing information to individuals, including in-person, by electronic or remote means; or Websites and social media platforms: we may use social media to inform the public about our activities. We might collect aggregate information about social media users when you comment on BMS-related topics or use BMS media channels. See more details in our section 4.
In the context of clinical operations, studies and programs	BMS Uses limited Personal Information before, during and after we place a pharmaceutical product or a medical device on the market. This includes during our sponsored clinical trials and studies, such as for drug safety (pharmacovigilance), or incident or post-market surveillance monitoring (materiovigilance), or when interacting with authorities, regulatory agencies and bodies. We may also conduct real-world evidence activities in compliance with regulatory requirements.
Job application	When we Process professional information to assess individual's suitability for roles at BMS or collaboration purposes, such as when you apply on our career websites, through a job offer posted online or through agencies with whom we have partnerships. You can read more information in section 14 “Applying to work at BMS”.
Patient recruitment activities and websites	When we conduct in-person and activities to inform the general public, healthcare professionals and patients about our diseases, upcoming medicines and treatments or studies that may enable individuals to apply to such clinical trials or studies that we conduct.
Regulatory and compliance	When we Process information to comply with regulatory obligations particularly where they relate to drug safety and risk management obligations, and obligations related to spend-transparency and similar requirements specific to the pharmaceutical sector.
Investigations or defence of legal claims	For example, we may have to keep, preserve Personal Information about you in order to protect our rights, or for the protection of third-party rights. In certain situations, we may have to submit or transfer such information to authorities, courts, or other third-parties, including outside your country of residence.
Other purposes: BMS will Process your Personal Information for other purposes, where permitted or when required such as reporting information for BMS’s risk management and drug safety obligations.

8. HOW BMS JUSTIFIES USING YOUR INFORMATION

In this section, we describe our legal justifications (commonly referred to as “legal basis”) for the Use of your Personal Information related to each of our main Processing activities. We will use the legal basis that is most appropriate for the purpose and circumstances related to such Processing. Below, we have explained which legal bases we may choose or have to use when Using your Personal Information.

There may be times where we must use your consent to Process your Personal Information. We may also decide to ask your permission to Process your Personal Data, such as in the context of voluntary initiatives or activities.

Please note: depending on the country where you reside, the law of your country may not require that BMS use a specific legal basis to justify Using your Personal Information, including transfers of your Personal Information outside your country. However, when Applicable Law requires a legal basis, we will inform you about what legal basis we use at the time of the collection or when we communicate with you.  If your jurisdiction requires consent to Process your Personal Information when you interact with us, we will obtain your consent prior to the Use of such Information.

In the following table, you can read more details about what legal basis or combination of legal bases we use when Processing your Personal Information.

Our legal bases	Examples of activities that we conduct with your Personal Information
We may use our legitimate business interest or private interest to Process your Personal Information for	conducting our regular commercial activities; scientific and statistical research purposes; registering BMS visitors and supplier personnel visiting our offices; improving our products and services; interacting with contractors, patients and the general public; keeping you informed about our regular activities, such as with newsletters; conducting market research and surveys; collecting information that you decide to share on the internet or social media platforms, collecting responses from surveys, sending you newsletters, and inviting you to events; responding to your enquiries; engaging with you whether in-person, remotely, or digitally to organize our activities, or exchange information with you about our products or initiatives, or services; conducting profiling activities, such as tiering of individuals, our customers, key opinion leaders, visitors of our websites, through the use of applications and devices, and for other similar activities or through other means; conducting research activities alone or together with other third parties; to prevent crime (such as fraud, financial crime, and theft of intellectual and industry property) and to ensure the integrity of our manufacturing and other operations, or when necessary to enable us to operate as a pharmaceutical company.
When rely on our contractual relationship with you	when Using Personal Information about you, your staff, suppliers and third parties with whom you collaborate, for example to: send you requests for proposals or suggest of partnership and collaboration; conduct due diligence, assessments or audits of your organization; assess the feasibility of a study with your institution and to contract with you, your institution and staff; generally manage the contractual relationship with you as a partner, supplier or a third party service provider, such as for billing and payment purposes.
To comply with applicable laws	We may Use your Personal Information, including keeping or sharing it with authorities as required by Applicable Data Protection Laws, such as to: respond to or notify authorities about pharmacovigilance monitoring activities, incidents or other post-market surveillance obligations, for spend transparency; tax or accounting; anti-bribery and other laws that prohibits conflicts interest;
We use the public interest	when law of your country enables us to rely on it, in particular in situations that will be of significant public interest, such as for: scientific research that leads to medical breakthroughs or new medicines, seeking for a better understanding of diseases or to improve our products; to provide early access to our medicines; the prevention of diseases (such as in a pandemic situation); or preventing or the detection of crime.
We may use your Vital interests	In limited situations, BMS may have to collect information, which includes the use of sensitive Personal Data about you to protect your life or against incidents or other threats.
Other legal exceptions	In some instances, the law of your country may allow BMS to use a legal exception. This may apply, for example, when Using your health data to conduct research projects or to ensure high standards of quality and safety of health care and of medicinal products or medical devices.
With your consent	We may use your prior permission when the law of your country requires us to do so, for example to Use your Personal Information, disclose it, transfer it to, or share it with, third parties, including outside your country of residence. In other instances, we may require your prior consent to: to engage with you remotely or in-person, to send you commercial communications electronically (via an opt-in or a right to opt-out), such as for direct marketing, market research, surveys, propose collaborations, or for general interactions with you; to invite you to events or to propose you participate in various BMS activities and initiatives; to use your media content and your images (such as your photographs, audio or video recordings) for interviews, events or other BMS initiatives.

When you consent to the Processing of your Personal Information, you may have the right to withdraw that permission at any time. In such case, we will cease to Use your information in the future and, unless BMS has an obligation to keep it for a longer period, we will employ reasonable measures to limit or prevent further Use of it. This includes archiving, blocking, or employing encryption, anonymization, or erasure techniques.

9. WITH WHOM DO WE SHARE YOUR INFORMATION

As a multinational company operating worldwide, your Personal Information may be shared with, or accessed by, parties located outside your country of residence. If you are located outside of the United States, BMS may share your Personal Information with parties located in countries that provide less protection than in your country, which includes the United States. We may also Process and share your Personal Information with some of our affiliates and other members of the BMS group including selected and approved third parties (vendors and business partners) that help us operate worldwide. When doing so, we implement appropriate measures to prevent unauthorised access or Use of your Personal Information.

Below you can find more information about how BMS shares your Personal Information within its group of entities and with third parties.

Sharing your Personal Information within the BMS group

Often, we share your Personal Information within the BMS group of companies (“BMS Group”). This may include the Bristol Myers Squibb Company headquarters in the United States and all of its current and future subsidiaries, branch offices, affiliates, entities and other companies that are part of, owned or controlled by, the BMS Group. When exchanging information internally, we rely on appropriate arrangements and mechanisms to cover any transfer of your Personal Information within our corporate structure, such as binding corporate rules (BCRs), contractual arrangements approved by authorities, based on consent, or as otherwise permitted by applicable in your jurisdiction.

Sharing your Personal Information with third parties

To conduct our business, we share with, or disclose Personal Information to, third parties, such as:

Third-party service providers for the purpose of outsourcing specific business activities to request external support and resources. This may include companies that provide information technology services, clinical trials and studies support, marketing or market research services, events, meeting and planning services, or services related to talent acquisition or consultancy;
business partners such as external scientists and healthcare professionals to review and assist us with healthcare compliance activities and institutions and other organisations with whom we collaborate to support our clinical or commercial activities (such as for clinical studies, patient support programs, and so on);
Regulatory and health authorities including governmental bodies (such as the FDA, EMA, NHS), data protection authorities, tax authorities, or courts in case of disputes, when permitted or required by Applicable Data Protection Law; and
third parties to whom BMS is legally obligated to provide such information, such as other parties in litigation or legal disputes, guardians, conservators, or individuals with powers of attorney.

When engaging with third parties, we enter into agreements with them for the Processing of Personal Data so that such Processing is carried out in accordance with our instructions, in a confidential, secure, and transparent manner in order to protect your privacy rights. When it is not possible to enter into an agreement with a third party, such as when engaging, reporting or interacting with regulatory or health authorities or courts, and when legally possible, we will use our best efforts to implement appropriate security measures and controls (such as pseudonymisation) to protect your Personal Information.

If you are in the European Economic Area (“EEA”) and Switzerland

Whenever we transfer your Personal Information within the EEA, Switzerland or to countries that are deemed “adequate”, such countries are deemed to offer the same level of protection as given by the law of your country. When accessing your Personal Data from, or transferring it, outside of the EEA or Switzerland to countries that may not provide the same level of protection as your own country, we will use appropriate safeguards to protect your right to privacy. For example, such safeguards may consist of using Standard Contractual Clauses (to exchange information with third parties outside of the EEA and Switzerland), Binding Corporate Rules (for data transfer within the BMS group of companies) as approved by the European Commission or the competent authority, data transfer agreements or your consent.

If you are outside the EEA and Switzerland

Where possible, we will allow access to or the transfer of your Personal Information outside your country of residence:

to countries that provide a reasonable high level of data protection;
using the most appropriate data transfer mechanisms available to BMS; or
where required by Applicable Data Protection Laws, after we get your prior permission, for the collection, disclosure to third parties and the transfer of your Personal Information to a country which does not provide an adequate protection equivalent to the laws of your country of residence.

10. AUTOMATED DECISION-MAKING AND INDIVIDUALS’ RIGHTS

11. WHAT ARE MY RIGHTS AND HOW TO EXERCISE THEM

12. HOW LONG WE RETAIN YOUR INFORMATION

13. HOW DO WE PROTECT YOUR INFORMATION

14. APPLYING TO WORK AT BMS

BMS may Process your Personal Data to evaluate your application to work at BMS. When applying for an opportunity at BMS, we may collect and Process Personal Information about you directly or indirectly from our official websites, third parties or when you make this information publicly available or accessible by third parties for recruitment purposes. You can consult our career opportunities on this page: https://careers.bms.com/. Below, you can find more information about how BMS Processes your Personal Information when you apply to work for us.

To consider your application we may collect:

your professional experience, such as job title, education information, professional qualifications, work experience, publications, and professional networks, programs and activities in which you participated;
your contact details, such as your e-mail address, full name, date of birth and other information necessary to submit your application;
information gathered from agencies, such as information from recruitment agencies, reference providers, and (where permitted by law) background screening providers;
publicly available information from a company website, internet searches or social media platforms such as LinkedIn or other social media platforms, and publicly available profile information (such as your experience, skills, and interests);
information that you allow us to access, for example, if you choose to simplify your login Process to the job platform to allow direct access once you have signed in to your third party social media user account, (such as Gmail or Yahoo!), or if you want to upload information to the platform (such as from LinkedIn) instead of manually completing an application; and
other information (which may contain your sensitive Personal Information) that you submit to us, such as criminal records, or credit worthiness data that we require you to provide for certain roles, obtain indirectly or that we access when looking for new hires or career opportunities.

As your job application proceeds

We may ask you to share additional Personal Information with us, such as:

official information, such as government issued identification number or tax status;
financial information, such as bank account details;
special categories of Personal Data / sensitive Personal Data, including (where it is permitted, necessary or required for your application) information about your health, marital status, trade union membership religion,; or
other information necessary for your interview or providing you with a job offer, such as details of any known disability or workplace accessibility needs, background information, travel and expenses, performance management, emergency contact details, compensation, hours of work, holidays and benefits-related information.

Where do we Use your Personal Information for job application

As a multinational organisation, our affiliates transfer information globally. When you upload information to a job search platform, you provide it to all our affiliates, each of which may Process it for its own recruitment purposes. This is the case even where you respond to a job posting that mentions a particular BMS affiliate. Accordingly, we may transfer globally information about you (for example, if you are in the European Economic Area ("EEA"), your information may be transferred outside the EEA; if you are in Australia, your information may be transferred outside Australia).

We will not keep your Personal Information for longer than needed to consider your application. However, we may ask your permission to keep some information about you for a longer period (for example your CV or resume, work experience, cover letters and so on) to consider your eligibility for further job opportunities.

15. WHAT INFORMATION DO WE COLLECT ABOUT OUR PATIENTS

BMS Processes Personal Information about patients that use our treatments and in the context of our clinical research activities. We may also Use patient Personal Information in connection with certain activities, such as through our services, patient websites, collaborations or consortium agreements with third parties (for example genetic data), during events interviews, for advocacy related activities, or for clinical trials, studies or research projects linked to our products (for example to recruit you through our websites or business partners).

Note, this section, together with this Notice, does not apply to participants to clinical trials.

This Notice applies to how BMS may Use Personal Information about you when you participate in non-clinical activities. Below, you will find out more information about Personal Data that we collect about patients in contexts other than clinical studies or research projects.

Patients participating in non-clinical research activities with BMS

In the context of non-clinical research activities, BMS generally does not collect patient data, except in certain occasions, such as where we have reporting obligations to authorities, when we engage directly with you, via third parties, when you contact us, when accessing websites or other platforms, or if you agree to share such information with us. In some instances, we may have interactions with you or access information about you outside of our clinical research activities. This may happen when:

accessing our personalized medicines, other innovative therapies or devices;
BMS collaborates with patient organisations;
we recruit you for our clinical studies;
inviting you to our events;
we propose patient support programs; or
when conducting surveys, market research, interviews or propose ambassador programs.

When doing so, BMS will either collect information that does not allow us to identify you or use technical measures to limit the risk of identification. For example, we may use measures that could include:

replacing your information such as name, identification number or any other information with a code (key-coded study data);
using a third party provider who will only share your Personal Information in an aggregate manner with BMS;
anonymizing your Personal Information after its collection; or
requesting your prior consent.

If BMS accesses Personal Information about you that is sensitive, we will protect it adequately. For more information about our Use of sensitive data, please refer to section 4.

16. CHILDREN

17. COOKIES AND TRACKING TECHNOLOGIES

Depending on the country where you reside, you may manage your preferences on cookies and similar tracking technologies through the use of consent management tools that are available on our websites. This section applies to cookies and similar tracking technologies and we explain what our use of cookies and similar tracking technologies means to you and how to disable tracking (such as using opt-in or opt-out preferences). When we collect information that may enable us to identify you, the other sections of this Notice will apply.

What are cookies?

A cookie is a small piece of data that a website asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Such cookies when set by us are called first-party cookies. We may also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting (for example, those used by social media, instant messaging, CRM or marketing platforms, or advertising companies). For more information about cookies, types of cookies and how to manage cookies, including how to block them and delete them, please visit http://www.allaboutcookies.org.

Below, we list the main categories of cookies and similar tracking technologies that we may use when you connect to our websites, use our web-based platforms, applications, devices, or when you interact with us electronically or when you receive electronic communications from us (“Online Use”). You can learn more about the purposes for which BMS may use such technologies for your Online Use.

What categories of cookies may BMS use?

We generally use certain types of cookies during your session on our website (“session cookies”). To improve your experience or remember your preferences or choices, we may use cookies that will remain on your device unless you remove them (“persistent cookies”). When using cookies on our websites and other digital services, such technology may include:

Categories of cookies and tracking technologies that BMS may use
Strictly necessary cookies (“required”)	Those cookies and tracking technologies enable our websites to operate and to improve the security of our website for your Online use, such as when you have to authenticate or use login functionalities to access restricted part of our websites (such as using patient or physician login or page selection to restricted pages or areas of a website or application).
Performance cookies	Those cookies may allow BMS to: improve our websites; remember language or other preferences when you navigate; or use other features on our websites, applications, platforms and devices to improve your Online use.
Social media cookies	On certain BMS websites, we may use social media plugins for you to share interesting content or to connect to certain accounts to share your Personal Information with us. Such platforms may access your history of navigation and collect information about your browsing journey under their own terms. You can access more information when connecting to our sites.
Analytics cookies	These cookies enable us to better know the use of our websites, establish statistics on their uses and visits (e.g. information on each visited page, how long a user navigates on a specific page, how long it takes to download a specific page, what are the users’ actions on each page (click, selection, etc.).

Other tracking technologies

When using third-party software or websites, mobile applications, devices, web-based platforms or through other Online use, the technology may involve certain built-in tracking technologies. This may include:

web beacons, web server data and similar technologies;
tracking pixels, which we may include as an image in our communications to you.
This may allow us to understand when you read electronic communications that we send you, to send you more accurate and relevant content and improve our communications to you. When using such technology, we may receive aggregate or anonymized information. In certain cases, we may collect Personal Information about you that includes:
- location data (such as the city, region and from where you opened your e-mail);
- your IP address;
- browser and device information: such as your mobile or desktop Operating System (OS), e-mail software type, device and user agent; or
- time and date of when you open our electronic communications.
other trackers that enables functionalities such as remote interactions with you through chatbots, instant messaging and other online features on our websites or third-party software that we use for our activities.

Why do we use cookies on our website?

In addition to the explanation provided in this Notice and the section above, we use cookies or similar tracking technologies in various instances, such as for the following purposes:

Making your experience more efficient, faster and easier: by remembering your preferences, like preferred language, display and other settings, maintaining your session, and for authentication purposes. This helps us to provide you with a better user experience. These cookies are also referred to as Session-Id cookies, authentication cookies, and User Interface customization cookies.
Gain useful knowledge about how the site is used: by collecting information about the number of visitors and other uses. This helps us improve our sites. These cookies are also referred to as analytics cookies. For this purpose, we use services such as Google Analytics which means that Google and similar suppliers will also have access to this information (including your IP address and any other equipment identifiers such as the IMEI number and the MAC address).
Provide easy access to our websites. This helps us to direct you, share with you our content within sites such as Facebook, Twitter, LinkedIn, YouTube or Pinterest or allow you to share content that is of your interest. To the extent we use such technology, these ‘social media plug-ins’ may store cookies and similar technology on your computer or other device. This means that the social media sites may access this information (including your IP address), may identify that you interacted with the BMS site.
Improve our marketing communications to you. Certain cookies, such as web beacons or tracking pixels, may be used by third party systems, such as customer relationship management systems or other service providers who help us manage e-mail campaigns. Those trackers enable us to better understand the success of our communications and the relevance of the content that we share with you. This may allow us to reduce the number of e-mails that we send you and provide you with content, scientific information, or initiatives that are more tailored to your interests.

How can you object or refuse cookies?

Subject to the law of your country, in particular in the European Union, we will either inform you, ask your prior permission (opt-in) before placing tracking technologies on your device, or provide you with a right to object (opt-out) for the purposes that we describe in this section. Your web browser, e-mail software (such as Microsoft outlook, or Google Gmail) and other clients that you use can be set to manage cookies and similar trackers and even reject them by default. Do bear in mind that if you set your browser to automatically reject cookies, your user experience when visiting websites will not be the same: your preferences may not be remembered, some functionality may be lost and you may not be able to access certain areas or features of the sites.

18. CHANGES TO THIS PRIVACY NOTICE

19. CONTACT US

Healthcare professionals privacy notice

If you are not a healthcare professional, or if you want to read additional information about our general processing activities, you can access our General Privacy Notice or here: https://www.bms.com/th/en/privacy-policy.html.

Click here to download or print a copy of this BMS healthcare professionals privacy notice.

Our commitment

1. WHO WE ARE

2. INTRODUCTION – HOW THIS NOTICE APPLIES TO YOU

3. HOW WE USE YOUR INFORMATION ONLINE

We have identified examples where we Use your Personal Information online in the table below.

Online Information that we may collect when you use our sites
Contact information	If you communicate with us through the "contact us" link on our websites, we may ask you for your Personal Information, such as your name, telephone number, professional information and e-mail address so that we can verify your identity or respond to your questions and comments.
Website features	Our website offers various features, which we may change from time to time. We may ask you to submit certain Personal Information so we can communicate with you about these features and manage them properly.
Contacting Medical Information or reporting an adverse event	If you contact our medical information team (medinfo) or report an adverse event in relation to a BMS product, the information you provide (including your name, contact details, professional information and your questions) will be documented and retained on our databases for purposes of dealing with your enquiry and to comply with the law.
Connections and authentication	Some areas of our websites and platforms can be restricted. It may require you to log in with usernames, passwords and other authentication mechanisms that belong to you, that you create or that we provide you. When using such features, this may automatically allow us to access certain of your account credentials or other personal user account details to verify your identity or that you have a valid license to practice as a professional.
Other uses of information	We may Use the Personal Information you provide through BMS websites or platforms for our internal purposes. These purposes include administration of the website, data analytics, compliance with our legal obligations or our internal policies and procedures.
Cookies and similar tracking technologies	When connecting to our various websites, applications, and other digital platforms, we may use cookies and other similar technologies that may allow us or third parties to collect Personal Information about you. Depending on the country where you reside, you may opt-in or opt-out from options or technologies that we use and display. Please read our cookie section below for more information.
Interest-Based Advertising (IBA).	We may use 3rd party advertising companies to tailor online and mobile advertisements to you based on predictions about your interests. We explain how we may Use your Personal Information in this context in our section about cookies.

Links to other third-party websites

As a convenience to users, our websites contain links to other third-party websites that may offer additional information, such as educational or professional materials, services and contacts. This Notice does not apply to your use of those other websites. Before using the linked websites, please review their privacy notices to understand how they use and protect your Personal Information.

4. WHAT INFORMATION WE MAY PROCESS ABOUT YOU

We interact with you as an HCP and Use information about you during our activities, such as to conduct clinical trials, for collaborations or commercial activities, for scientific projects, to understand the market or improve our medicines and products. When doing so we may Process various categories of Personal Information depending on your interactions with BMS or third parties with whom we collaborate, or external sources from where we obtain your Personal Data. We have outlined below the main categories of Personal Information and, where applicable categories of sensitive Personal Information that we may collect about you.

Examples of general categories of Personal Information
Contact information	Full name, personal or professional postal and/or email address, phone number and other contact details about you, your organisation, or staff. Examples: We may use your contact details, in particular when you interact or work with us, when we communicate with you or share news, materials or invite you to participate in our activities.
Identification information	Full name, initials, date of birth, photographs, or government-issued identification, such as driving licence, passport, professional licence number, or government ID number. Examples: To provide you with information on our products or diseases, we may verify your license to practice in your specialisation area (for example through our internal platforms or third-party services.
Financial information	Payment-related information, such as your bank address or account details and number, tax-related information for business purposes, or other information about you, your relatives, connections, your suppliers or third parties. Examples: We Use such data to verify the absence of conflicts of interest, conduct due diligence, to comply with anti-bribery laws, for billing purposes when you collaborate with us, participate in advisory boards or render services to us.
Your professional and background information	Such information may include for example your: Job title, position, educational information, professional qualifications, referrals, prescribing history, work experience, professional licenses or medical ID number, networks and affiliates, programs and activities you participated in, resume; or publications authored or co-authored, awards, board memberships, professional conference and events, employment status, influence rankings, individual travel and expense information and other information needed, such as to evaluate or initiate collaborations with you. Examples: We Use such information to engage or work with you when BMS evaluates the feasibility of a clinical study in a healthcare organisation where you work or with whom you collaborate, when we use your publications, organise or invite you to expert panels and advisory boards or when we get your data from databases or other available sources.
Spend transparency information (Transfer of Value)	Such information may include: city and country where you practice; date, nature and the value of the payment we have made to you or your organisation, which includes amounts and other advantages that you may receive in the context of your services or collaborations with us; information related to your organisation and your staff; or information about payments and services you provided to BMS, including invoices and other tax-related information, or VAT number. Depending on the country where you reside, BMS Uses and discloses such information based on your consent, transparency codes, the law or our legitimate interest to conduct our regular business activities. This information is generally made publicly available on our official BMS websites.
Categorization and classification data	In some cases, we may Use your Personal Information in order to classify, organise, rank or otherwise create profiles relating to you as a healthcare professional, key opinion leader or as an influencer. This activity may include collecting data about: your professional history, background, recognitions, number of publications; or other information that we may collect from you or obtain from third-party databases or other sources. Example: We may process such information via certain software, our customer relationship management system (CRM) or other analytics tools. You can read more about this activity in section 10 below.
Publicly available data or data accessible from databases	We may obtain information about you from publicly available sources, public or private registries, or third-party databases. When obtaining such information, we may Use your professional contact, identification information and other professional and background information for pharmacovigilance reporting purposes and, for example, to create categories or classifications based on your area of specialization, assess if your institution is qualified for a clinical study, to personalize your e-mails and provide relevant scientific or interact with you in the most efficient and relevant manner.
Media data and your image rights	We may Use media content, that may include Personal Information about you, such as your pictures, photographs, audio or video recordings. Examples: Such content may originate from events, programs, interviews or other initiatives that we organise.
Information technology-related data	When using the internet, websites, devices or platforms, we may collect data, including metadata, that originates from your use of BMS’s websites, websites, mobile applications, social media channels and other connected devices (such as medical devices and Apps). This may include: Internet Protocol (IP) address, geolocation data, your information about your device, browser, operating system, or device ID; data captured through the use of cookies and similar tracking technologies, which may include analytics information; or information about the date and time of your request. To read more about our Use of such information, read our cookie section.
Special category / sensitive Personal Data (if permitted or required by law)	In limited circumstances, we may collect data concerning your health or sensitive Personal Information about you, such as: health data that relates to special conditions, dietary preferences or restrictions (such as food allergies) or disabilities when attending an event or when you visit our offices; aggregate and/or de-identify information about you; or driver’s licence number, or where permitted or required, your social security number or bank account number; for example where needed for identification, accessibility and safety purposes for visitors to BMS facilities and manufacturing sites or institution, or for security, fraud prevention or detection purposes; use suggestions, comments, and ideas that are not personally identifiable. depending on the law of your country, text messages or e-mail content (such as unsolicited communications), your precise geolocation, when using our applications, software, devices or through the use of tracking technologies, your driving licence, bank account details.
Other categories of Personal Data	For more categories of Personal Data that we may collect about you, you can read our BMS general privacy notice.

Examples of general categories of Personal Information

Contact information

Full name, personal or professional postal and/or email address, phone number and other contact details about you, your organisation, or staff.

Examples: We may use your contact details, in particular when you interact or work with us, when we communicate with you or share news, materials or invite you to participate in our activities.

Identification information

Full name, initials, date of birth, photographs, or government-issued identification, such as driving licence, passport, professional licence number, or government ID number.

Examples: To provide you with information on our products or diseases, we may verify your license to practice in your specialisation area (for example through our internal platforms or third-party services.

Financial information

Payment-related information, such as your bank address or account details and number, tax-related information for business purposes, or other information about you, your relatives, connections, your suppliers or third parties.

Examples: We Use such data to verify the absence of conflicts of interest, conduct due diligence, to comply with anti-bribery laws, for billing purposes when you collaborate with us, participate in advisory boards or render services to us.

Your professional and background information

Such information may include for example your:

Job title, position, educational information, professional qualifications, referrals, prescribing history, work experience, professional licenses or medical ID number, networks and affiliates, programs and activities you participated in, resume; or
publications authored or co-authored, awards, board memberships, professional conference and events, employment status, influence rankings, individual travel and expense information and other information needed, such as to evaluate or initiate collaborations with you.

Examples: We Use such information to engage or work with you when BMS evaluates the feasibility of a clinical study in a healthcare organisation where you work or with whom you collaborate, when we use your publications, organise or invite you to expert panels and advisory boards or when we get your data from databases or other available sources.

Spend transparency information

(Transfer of Value)

Such information may include:

city and country where you practice;
date, nature and the value of the payment we have made to you or your organisation, which includes amounts and other advantages that you may receive in the context of your services or collaborations with us;
information related to your organisation and your staff; or
information about payments and services you provided to BMS, including invoices and other tax-related information, or VAT number.

Depending on the country where you reside, BMS Uses and discloses such information based on your consent, transparency codes, the law or our legitimate interest to conduct our regular business activities. This information is generally made publicly available on our official BMS websites.

Categorization and classification data

In some cases, we may Use your Personal Information in order to classify, organise, rank or otherwise create profiles relating to you as a healthcare professional, key opinion leader or as an influencer. This activity may include collecting data about:

your professional history, background, recognitions, number of publications; or
other information that we may collect from you or obtain from third-party databases or other sources.

Example: We may process such information via certain software, our customer relationship management system (CRM) or other analytics tools. You can read more about this activity in section 10 below.

Publicly available data or data accessible from databases

We may obtain information about you from publicly available sources, public or private registries, or third-party databases. When obtaining such information, we may Use your professional contact, identification information and other professional and background information for pharmacovigilance reporting purposes and, for example, to create categories or classifications based on your area of specialization, assess if your institution is qualified for a clinical study, to personalize your e-mails and provide relevant scientific or interact with you in the most efficient and relevant manner.

Media data and your image rights

We may Use media content, that may include Personal Information about you, such as your pictures, photographs, audio or video recordings.

Examples: Such content may originate from events, programs, interviews or other initiatives that we organise.

Information technology-related data

When using the internet, websites, devices or platforms, we may collect data, including metadata, that originates from your use of BMS’s websites, websites, mobile applications, social media channels and other connected devices (such as medical devices and Apps). This may include:

Internet Protocol (IP) address, geolocation data, your information about your device, browser, operating system, or device ID;
data captured through the use of cookies and similar tracking technologies, which may include analytics information; or
information about the date and time of your request.

To read more about our Use of such information, read our cookie section.

Special category / sensitive Personal Data (if permitted or required by law)

In limited circumstances, we may collect data concerning your health or sensitive Personal Information about you, such as:

health data that relates to special conditions, dietary preferences or restrictions (such as food allergies) or disabilities when attending an event or when you visit our offices;
aggregate and/or de-identify information about you; or
driver’s licence number, or where permitted or required, your social security number or bank account number;
for example where needed for identification, accessibility and safety purposes for visitors to BMS facilities and manufacturing sites or institution, or for security, fraud prevention or detection purposes;
use suggestions, comments, and ideas that are not personally identifiable. depending on the law of your country, text messages or e-mail content (such as unsolicited communications), your precise geolocation, when using our applications, software, devices or through the use of tracking technologies, your driving licence, bank account details.

Other categories of Personal Data

For more categories of Personal Data that we may collect about you, you can read our BMS general privacy notice.

Please note: The categories of Personal Data listed above are not exhaustive and may vary depending on the way that you interact with us or the type of Personal Data that BMS needs to Process for particular activities. In the event that BMS Uses Personal Data about you which is not listed in this Notice, we will inform you of the information that we will Use at the time of collection or when we communicate with you.

5. WHERE DO WE GET YOUR INFORMATION FROM

In most cases, BMS will collect Personal Information directly from you (such as when we collaborate with you) although sometimes we will obtain information about you indirectly from public or third-party information sources, databases or from use of web-based, devices or other technologies which automatically generate such information. We have outlined below the main ways BMS collects and Processes Personal Data when interacting directly or indirectly with you.

We may collect information from you directly:

Such as when:

we conduct clinical trials, studies, research projects;
we enable early access programs to patients or when you request us to provide patients with a BMS product at an early stage, or for compassionate use;
we provide innovative products or devices to patients, such as cell therapies or personalized medicines;
you use or visit about offices and facilities;
you connect to or use our websites, applications, devices or other digital platforms in the context of clinical or commercial activities;
you contact us through our different means of communication (email, call centers, medical information), such as to obtain information about BMS products, diseases or treatments;
you notify, or report medical information to, BMS that may relate to adverse events or incidents, in the context of pharmacovigilance or risk management programs via other similar channels (via pharmacovigilance or risk management touch points), which may include incidents or other post-market surveillance obligation;
we exchange or when you request, information before entering into a contract with you, and thereafter during the term of such arrangement;
we conduct due diligence, assessments, or when we evaluate your institutions’ eligibility to conduct a clinical study and thereafter if we select your institution;
you interact with our BMS representatives in the course of our activities and interactions with you;
you subscribe to our newsletters or want to remain informed about our activities or collaboration opportunities or where the law requires it, you agree to receive promotional materials; or
we conduct in-person or remote visits or exchange information with you about our products and activities.

We may collect Information about you indirectly:

when obtaining it from, or when you make your Personal Information available on, the website of your institution or your office, the Internet, social media, and other digital platforms;
when we access public or private registries, or publication databases, journals, societies, editorial board websites, national registries, professional directories and third-party HCP databases;
when conducting pharmacovigilance, incident management, risk management, monitoring activities, or, investigation, or litigation purposes;
when we need to verify or obtain verification from third parties about your professional status, medical licence, such as by accessing publicly accessible information, national registries or third-party databases) or your identity for compliance, security or ID verification purposes;
when you make public posts on social media platforms that we follow (for example, so that we can understand public opinions).

6. DATA MINIMIZATION

7. FOR WHAT PURPOSES DOES BMS PROCESS YOUR INFORMATION

Main purposes for which BMS Uses your Personal Information
For collaborations and research purposes	We may Use your Personal Information in that context for example: to enable BMS to make more informed and objective decisions when identifying and engaging with healthcare professionals and key opinion leaders or influencers or managing the collaboration relationship with you, your organisation or your staff; to partner with other organisations including private or public alliances, institutions, regional or local discussions, life science industry groups, associations and consortiums; or when obtaining and assessing feasibility, capability and performance data from you, your institution and your staff, to conduct clinical trials or studies with your institution.
To manage our relationship with you as an HCP	to engage with you about sciences and our activities; respond to questions and comments; or to manage our client contractual relationship, including our collaborations or payments we make to you.
In the context of events and congresses	We Use your Personal Data for events and congresses, in particular: to invite you to our events or to participate in our congresses or advisory boards; or to manage international or business travel, hotel reservations and other arrangements necessary for organisational purposes; when we ask you to participate in interviews, panel discussions, to act as an ambassador or as speaker in a particular area; or when using media content (i) internally for educational and compliance purposes, to promote public health, disease awareness, (ii) externally on our company websites, social media, or on external documentation that we may use as testimony, ambassadorship, advisory or support to our brands, products or other initiatives. When conducting these activities, we comply with applicable codes of conducts, laws and regulations that may prohibit certain types of promotional activities.
To support and improve our products and medicines or how you deliver healthcare	Those activities may include when we: conduct patient support or management programs; send you links to surveys, questionnaires or studies; conduct specific market researches activities; collaborate with other companies, industry associations, authorities, patient advocacy organisations, for example creating databases or when conducting research activities, including on real-world evidence studies; or propose, fund, offer grants or donation, or otherwise make the use of medical devices or digital health capabilities available to help you better treat patients; These activities allow us to better understand how to improve the safety and quality of our products, the way you provide healthcare to your patients.
Using your data in the context of our clinical operations	Our clinical activities may include: advising on activities involving you, healthcare organisations (HCOs) or patient organisations; involving patients and clinical studies organisations; engaging, assessing, and contracting with, your institution to conduct scientific research and clinical trials; providing you with literature required to decide on treatment; or engaging in other commercial activities such as but not limited to the provision of scientific information.
Marketing, commercial and interest-based communications	We conduct this activity when BMS or other third parties engage with you remotely or via digital means, in-person or through newsletters on: content that relates to healthcare, medical and scientific information; or invitations to events or to participate in other initiatives that may include market research, patient support programs or surveys); When sending such communication to you, we may personalize such content to your professional area and interests. You can read more in our cookies section
Categorization and classification purposes	Categorisation and classification enable us to engage with you, provide you with more relevant information and news, invite you to speak to ad-boards or propose collaborations with us. This may include: conducting internal assessments or analytics about you that are based on your feedback, evaluations, classifications, what you publish on social media, or performance ratings of your professional activities and outcomes; creating professional profiles based on your publications, expertise and scientific recognition in your community; or making classification or other rankings about you among other professionals in your area of specialisation. You can read more information in our section 10 below.
We comply with legal, industry best practices and ethical obligations or codes of conducts	Using Personal Information about you when we: disclose to authorities how much we pay you (spend transparency / Transfer of Value) or what advantages or benefit that you may receive when collaborating with us; enforce our terms of use or other legal rights; conduct pharmacovigilance monitoring and reporting activities; comply with requests from governmental agencies, such as for pharmacovigilance and reporting purposes, or risk management programs; have to comply with industry standards, our internal policies or anti-bribery or corruption laws; or conduct due diligence, avoid conflict of interests or perform audit, to detect, prevent, investigate misconduct, or in case of investigations or disputes.
Achieve strategic and research purposes	For example, when we engage with Key Opinion Leaders or influencers to enable us to make more informed and objective decisions or in the context of scientific research.
Communicate with you in the context of our business operations	For example, communications, with the individuals, entities, and institutions in the context of our business activities, including to provide training courses and awareness about our products.
Conduct security, fraud or crime detection and prevention programs	For example, to ensure security and confidentiality of your data, ensuring a safe environment at our events, facilities, or networks.
Investigations, prosecutions, or defence of legal claims	When keeping and preserving information about you in order to protect our rights, or for the protection of third-party rights. In certain situations, we may have to submit or transfer such information to third parties, courts, or governmental bodies. Where permitted and feasible, and to protect your right to privacy, BMS will take reasonable steps to remove or anonymize information that may directly or indirectly identify you, and restrict to the minimum the amount of Personal Information that BMS submits or transfers to third parties, courts, or governmental bodies.
Any other purpose that is relevant in the relationship between Bristol Myers Squibb and HCPs.

8. HOW BMS JUSTIFIES USING YOUR INFORMATION

In this section, we describe our legal justifications (commonly referred to as “legal basis”) for the Use of your Personal Information related to each of our main Processing activities. We will use the legal basis that is most appropriate for the purpose and circumstances related to such Processing. When Below, we have explained which legal bases we may choose or must use when Processing your Personal Information.

Please note: depending on the country where you reside, the law of your country may not require BMS to use a specific legal basis to justify Using your Personal Information, including transfers of your Personal Information outside your country. However, when Applicable Law requires a legal basis, we will inform you about what legal basis we use at the time of the collection or when we communicate with you. If your jurisdiction requires consent to Process your Personal Information when you interact with us, we will obtain your consent prior to the Use of such Information.

In the following table, you can read more details about what legal basis or combination of legal bases we use when Processing your Personal Information.

Our legal bases	Examples of activities that we conduct with your Personal Information
We may use our legitimate business interest to Process your Personal Information	in the context of our clinical and commercial activities and, depending on the law of your country of residence, we may rely on this legal basis: to conduct our commercial activities, business relationships and operations; where necessary for our, or a third party's, scientific and statistical research purposes; to interact with you (whether in-person or remotely) to present to you our products or research, send you educational or promotional materials, engage with you for market research, invite you to events, send you surveys, run patient support or management programs, or attend advisory boards meetings; to assess and understand how you are positioned within your field of specialization in comparison to other healthcare professionals, understanding your opinions about our brands, products and initiatives; for remote and in-person interactions, including for electronic marketing purposes (opt-out) and to maintain our databases which contain information about you; or where permitted, to conduct analytics, categorize or classify information about you.
Based on the contractual relationship with you	We Use and keep your Personal Information for example: when we assess the feasibility and evaluate the performance of your institution to conduct a study; when we grant permissions to access our systems; when we collaborate with you on projects and our clinical or commercial activities; for billing purposes, audit, or due diligence purposes; or for other purposes that relate to our contractual relationship with you.
To comply with applicable laws	We may Use your Personal Information, including keeping or sharing it with authorities when permitted or as required by Applicable Data Protection Laws, such as: to respond to or notify authorities about pharmacovigilance monitoring activities, incidents, or other post-market surveillance obligations; in the context of clinical studies and clinical research; when you contact us for medical information inquiries; when disclosing how much we pay you for spend transparency in compliance with applicable laws or industry codes of conduct; or to comply with industry standards, our internal policies or anti-bribery or corruption laws; to conduct due diligence activities, avoid conflict of interests; to perform audits, or for tax and accounting purposes to detect, prevent, or investigate misconducts; or to respond to government regulators, agencies, courts, or other third parties in legal proceedings, such as in case of investigations or disputes.
With your consent	We may use your prior permission when the law of your country requires us to do so, for example to Use your Personal Information, disclose it, transfer it to, or share it with, third parties, including outside your country of residence. In other instances, we may require your prior consent, or provide you with a right to object for example when: engaging with you, remotely or in-person, to send you commercial communications electronically (via an opt-in or a right to opt-out), such as for direct marketing, market research, surveys, propose collaborations, or for general interactions with you; inviting you to events, which may require us to collect certain health information, including special conditions, allergies or dietary preferences about you; or using media content containing your images (photographs, audio, or video) for interviews, events or other BMS initiatives.

9. WITH WHOM DO WE SHARE YOUR INFORMATION

Below you can find more information about how BMS shares your Personal Information within its group of entities and with third parties.

Sharing your Personal Information within the BMS group

Sharing your Personal Information with third parties

To conduct our business, we share with, or disclose Personal Information to, third parties, such as:

Third-party service providers for the purpose of outsourcing specific business activities to request external support and resources. This may include companies that provide information technology services, clinical trials and studies support, marketing or market research services, events, meeting and planning services, or services related to talent acquisition or consultancy;
business partners such as external scientists and healthcare professionals to review and assist us with healthcare compliance activities and institutions and other organizations with whom we collaborate to support our clinical or commercial activities (such as for clinical studies, patient support programs, and so on);
Regulatory and health authorities including governmental bodies (such as the FDA, EMA, NHS), data protection authorities, tax authorities, or courts in case of disputes, when permitted or required by Applicable Data Protection Law; and
third parties to whom BMS is legally obligated to provide such information, such as other parties in litigation or legal disputes, guardians, conservators, or individuals with powers of attorney.

If you are in the European Economic Area (“EEA”), Switzerland and the United Kingdom

Whenever we transfer your Personal Information within the EEA, Switzerland or to countries that are deemed “adequate”, such countries are deemed to offer the same level of protection as given by the law of your country. When accessing your Personal Data from, or transferring it, outside of the EEA or Switzerland to countries that may not provide the same level of protection as your own country, we will use appropriate safeguards to protect your right to privacy. For example, such safeguards may consist of using Standard Contractual Clauses (to exchange information with third parties outside of the EEA, Switzerland and the United Kingdom), Binding Corporate Rules (for data transfer within the BMS group of companies) as approved by the European Commission or the competent authority, data transfer agreements or your consent.

If you are outside the EEA, Switzerland and the United Kingdom

Where possible, we will allow access to or the transfer of your Personal Information outside your country of residence:

to countries that provide a reasonable high level of data protection;
using the most appropriate data transfer mechanisms available to BMS; or
where required by Applicable Data Protection Laws, after we get your prior permission, for the collection, disclosure to third parties and the transfer of your Personal Information to a country which does not provide an adequate protection equivalent to the laws of your country of residence.

10. CLASSIFICATION, AUTOMATED DECISION-MAKING AND INDIVIDUALS’ RIGHTS

11. WHAT ARE MY RIGHTS AND HOW TO EXERCISE THEM

12. HOW LONG WE RETAIN YOUR INFORMATION

13. HOW DO WE PROTECT YOUR INFORMATION

14. COOKIES AND TRACKING TECHNOLOGIES

What are cookies?

What categories of cookies may BMS use?

Categories of cookies and tracking technologies that BMS may use
Strictly necessary cookies (“required”)	Those cookies and tracking technologies enable our websites to operate and to improve the security of our website for your Online use, such as when you have to authenticate or use login functionalities to access restricted part of our websites (such as using patient or physician login or page selection to restricted pages or areas of a website or application).
Performance cookies	Those cookies may allow BMS to: improve our websites; remember language or other preferences when you navigate; or use other features on our websites, applications, platforms and devices to improve your Online use.
Social media cookies	On certain BMS websites, we may use social media plugins for you to share interesting content or to connect to certain accounts to share your Personal Information with us. Such platforms may access your history of navigation and collect information about your browsing journey under their own terms. You can access more information when connecting to our sites.
Analytics cookies	These cookies enable us to better know the use of our websites, establish statistics on their uses and visits (e.g. information on each visited page, how long a user navigates on a specific page, how long it takes to download a specific page, what are the users’ actions on each page (click, selection, etc.).

Other tracking technologies

web beacons, web server data and similar technologies;
tracking pixels, which we may include as an image in our communications to you.

This may allow us to understand when you read electronic communications that we send you, to send you more accurate and relevant content and improve our communications to you. When using such technology, we may receive aggregate or anonymized information. In certain cases, we may collect Personal Information about you that includes:
- location data (such as the city, region and from where you opened your e-mail);
- your IP address;
- browser and device information: such as your mobile or desktop Operating System (OS), e-mail software type, device and user agent; or
- time and date of when you open our electronic communications.
other trackers that enables functionalities such as remote interactions with you through chatbots, instant messaging and other online features on our websites or third-party software that we use for our activities.

Why do we use cookies on our website?

In addition to the explanation provided in this Notice and the section above, we use cookies or similar tracking technologies in various instances, such as for the following purposes:

Making your experience more efficient, faster and easier: by remembering your preferences, like preferred language, display and other settings, maintaining your session, and for authentication purposes. This helps us to provide you with a better user experience. These cookies are also referred to as Session-Id cookies, authentication cookies, and User Interface customization cookies.
Gain useful knowledge about how the site is used: by collecting information about the number of visitors and other uses. This helps us improve our sites. These cookies are also referred to as analytics cookies. For this purpose, we use services such as Google Analytics which means that Google and similar suppliers will also have access to this information (including your IP address and any other equipment identifiers such as the IMEI number and the MAC address).
Provide easy access to our websites. This helps us to direct you, share with you our content within sites such as Facebook, Twitter, LinkedIn, YouTube or Pinterest or allow you to share content that is of your interest. To the extent we use such technology, these ‘social media plug-ins’ may store cookies and similar technology on your computer or other device. This means that the social media sites may access this information (including your IP address), may identify that you interacted with the BMS site.
Improve our marketing communications to you. Certain cookies, such as web beacons or tracking pixels, may be used by third party systems, such as customer relationship management systems or other service providers who help us manage e-mail campaigns. Those trackers enable us to better understand the success of our communications and the relevance of the content that we share with you. This may allow us to reduce the number of e-mails that we send you and provide you with content, scientific information, or initiatives that are more tailored to your interests.

How can you object or refuse cookies?

15. CHANGES TO THIS PRIVACY NOTICE

16. CONTACT US

If you have questions about this Notice, or want to obtain more information about our privacy practices, please contact our Data Protection Officer at dpo@bms.com, via this form or contact us by postal mail at:

Contact

Name of the affiliate/ controller

To contact BMS

Bristol-Myers Squibb (Thailand) Ltd

388 Exchange Tower, 17th Floor,Sukhumvit Road, Klongtoey,

Bangkok, 10110, Thailand

Data Protection Office

Bristol Myers Squibb

Data Protection Office

P.O. Box 640

Palatine, IL 60078-0640

800-332-2056

United States

dpo@bms.com

BMS global employee privacy notice

If you are an applicant, you can read more details here: https://www.bms.com/th/en/privacy-policy.html#job.

For questions about this notice or data protection as a worker, please refer to the contact us section.

Click here to download or print a copy of this BMS employee privacy notice.

What You Will Learn in This Notice

This notice is specific to the use of your personal data by Bristol Myers Squibb (“BMS”, “we”, “us”, “our”) if you are or were part of our workforce. It explains what personal data processing activities are conducted at BMS worldwide covering BMS direct employees, consultants, contractors, interns and third parties as defined in this Notice – collectively called ‘workers’ or ‘employees’ (or “you”, “your”, “yours”) in this notice (“Employee Notice” or “Notice”). We use the term “processing activities” or “use” to refer to accessing, collecting, storing, transferring or any other use of your personal data.

Click on the icons or text below to find out more about how, why, and where BMS uses your data:

Who is the Controller disk icon

The type of data we process disk icon

How BMS protects your data magnifying icon

Legal reasons for using your data scale icon

Why we process your data rotating data icon

How we obtain your data pointer icon

How long we keep your data file folder icon

Who do we share your data with

Your privacy rights shield icon

1. INTRODUCTION – HOW TO READ THIS NOTICE

In this Notice, we provide you with an overview of how and why we collect your personal data - also known as personal information. We also inform you about your privacy rights related to our use of your data.

You should read this Employee Notice in combination with the BMS General Privacy Notice which explains the collective privacy standards and commitments that apply to all processing of personal data at BMS. It is available on the footer of our corporate www.bms.com websites for markets where we have a presence or operate.

Who it applies to and our other notices

Before you start reading this Notice
Who is the audience?	This notice applies to you during your employment and after its termination: as a new hire, a current or past worker, including an employee and a retiree; as a contractor, such as if you are an intern, consultant, autonomous or agency worker or a consultant; as a third party whose information is provided to us concerning the employment or work relationship (for example, referees, family members, relatives or emergency contact information).
Country-specific notices	As a supplement to this notice, there may be country specific BMS documentation covering individual country laws or processes that might impact the use of your personal data at your specific work location. These documents can be accessed through your local intranet or local HR contact.
Relevance of my personal data	The nature and the categories of the personal data that BMS processes about you can differ, depending on your role and your relationship with BMS. We try to point out these differences where possible but if there are processing activities specific to your role at BMS or to the country where you reside, we will provide you with additional ‘point in time information’ wherever possible.

Example: Most processing activities related to BMS employee benefits are not applicable to consultants, contractors, interns, agency workers or autonomous workers who are employed by third parties and then contracted by BMS. This notice covers personal data that BMS controls and processes. Contractors and consultants should therefore review privacy notices provided by their own employers to understand how their data is processed.

2. WHO IS THE CONTROLLER OF YOUR DATA

A controller decides why and how to process your personal data. However, central teams at BMS located in another country (for example, teams in the US and support services provided by our authorized business partners) may also access and process your personal data as described in this notice. For each activity, Bristol Myers Squibb Company and its affiliates will act as controller together or jointly for using your data.

Note: If you have an employment contract, the BMS legal entity who is your employer, or who has the contract with your employer, is the controller of your personal data. If you are a consultant, contractor, intern or independent worker), then the entity listed in your employer’s contract with BMS is the controller.

3. CATEGORIES – WHAT TYPE OF DATA BMS PROCESSES ABOUT YOU

This section describes the type of personal data and sensitive data we collect for our processing activities, which may vary depending on your role at BMS. We describe this personal data as “Work–Related Data” that BMS needs for the creation of your work contracts and to run our day–to–day work activities. Remember, depending on where you live, the relevant data protection law in your jurisdiction may define personal data differently from the descriptions used in this notice.

We use the categories of personal data in the following context:

Onboarding & HR day-to-day onboarding icon

Compensation, benefits & performance

Security, IT, devices, training Security icon

Surveys, events, images, videos

Sensitive data Sensitive data icon

Environmental, health & safety health monitor icon

Data for legal & compliance

Family & your relatives’ data

Roles & positions, relocation, leaving

Note: Most data we use about you is necessary for our day–to–day operations. In certain cases, you might decide to participate in activities that are not mandatory, such as attending events, accessing benefits, apply to internal jobs, responding to surveys or sharing your image or video recordings with BMS. In this case, we will let you know what your options are before processing your data.

You can learn more about our purposes and why we use your data in section 4.

The categories of Work-Related Data

When collecting and using your data as a BMS worker, most categories detailed below are relevant to you if you are an employee. If you don’t have a contract with us but provide services to us, the categories below will not be relevant to you, for example if you are hired by a third party agency, if you are a consultant or an independent worker.

Categories of Work Related Data
Onboarding data	Most of the personal data collected at BMS is done during the onboarding phase. The data collected during this stage allows BMS to build your profile and enables you to work at BMS. Examples of data collected are: CV, past experiences, external affiliations; BMS ID, login details, professional phone number; current and past roles within the organization; your hiring manager, HR business partner, department, functions; employment contract and current employment situation (temporary, permanent, practice), group and projects you belong to; initial and termination date, offer of employment, contractual conditions, signature, salary grade and bonus, promotions. You can read more information about the data we collected during your recruitment in our General Privacy Notice.
Contact and identification data	Your contact and ID information includes your: full name, title, location; postal code and/or personal email address, personal and professional phone numbers; date of birth; gender, nationality, photo; government-issued identification (national ID, driving license, passport, professional license number as applicable); unique personal identifiers, such as your assigned unique BMS ID.
Employment data	Data related to your previous or current role(s) at BMS, such as: previous or internal applications; resignation, termination dates; your resume or CV; office address, department; performance and disciplinary records; academic/professional qualifications; immigration status and documentation; residency permits and visas, occupational health assessments, work-related accidents, training data; occupational health assessments and work-related accidents, training information.
Educational and professional data	education information and professional qualifications; professional networks; training records; employment status; skills and work experience; programs, such as training, certifications, coaching, driving improvements if your role requires to drive a vehicle (i.e.: logistics, customer visits); publications and activities; awards and recognitions; teaching posts, board memberships, membership or directorship in various professional organizations, associations or other units, referrals and other relevant professional information where needed.
Family & data of your relatives and third parties	You may share contact details of family or relatives in case of relocation, services, accidents, or emergency situations, such as: family or your relatives’ contact data, including e-mail, personal phone number, home address; full name and specific needs for residence of partners and family members.
Conflict of interest data	BMS may also request to inform us about your potential conflict of interests which can include: contact details, positions of third parties with whom you belong or have professional interactions with; shares, stocks, participations in or partnerships with non-BMS affiliated organizations, including serving as director or officer of such organization; any potential gifts, financial interest or advantage, honorarium or other remuneration you may receive outside of BMS.
Sign-in, analytics and device data	When using BMS or third-party devices, platforms, intranet, systems and technologies, we use your personal data to provide you access to, tailor the services provided to, and to protect the security of, our systems. We use the following types of data: sign-in and log activity data; device ID and IP address, usage data; information accessible in your profile; abnormal use of devices warnings, for BMS platforms, intranet and systems for security and protection of BMS assets; application or interaction data in BMS or third-party platforms; personal data stored on BMS devices, platforms, intranet and systems, such as documents you upload and your emails. You can read more information about the use of your personal data online or digitally in section 5 below.
Financial information, compensation and benefits	We collect financial information about you for pay-roll, benefit and insurance purposes, which can include your: bank and account details; salary and compensation data; travel and expenses for work and authorized trips for reimbursement purposes; stock options, stocks, or company shares; pension fund related data; health plans, benefits and insurance allocations; severance package or benefits that apply when your contract with BMS comes to an end.
Data about you that we make public	There are instances when you agree or where we must disclose your personal information publicly on our corporate websites, public registries or public facing platforms – this will depend on your participation at BMS events, posts on social media, and your position and role at BMS. For example, your: full name, e-mail address; position within BMS, CV or professional background; compensation and benefits; position in a board of directors or your power to represent BMS; photos, audio or video recordings; quotes and posts on social media about corporate news, scientific research or events.
Other data	Tax status, information related to work attendance, travel and expenses, emergency contact details, compensation, hours of work, holidays and benefits related information, CCTV data and investigation related information.

The categories of Sensitive Work-Related Data

Sensitive Work-Related Data
Health, welfare and leave information	This information if needed for managing your leave and compensation: number of sick days; information contained in a doctor’s certificate / medical certificate for sick leave; details of any known disability / workplace accessibility needs, for purposes of salary payment, workforce planning, and compliance with legal obligations; work-related accident information, compensation, work safety and compliance with legal obligations (such as reporting obligations); personal health status for commercial insurance or participation in various activities for example if you participate in the work-out, health programs or for support of your critical illness.
Vaccination or health status	In certain occasions, where applicable and permitted by applicable law, in particular for public health or protection against diseases (i.e.: pandemic situations) BMS may collect your health data, such as: presence at work or at home; vaccination or health status. In most cases, BMS will collect your data only indirectly without the need to obtain health information to protect against the spread of infectious diseases or to ensure a safe working environment.
Background check data	This includes if relevant to your role and permitted by local law: background checks or criminal records in the context of logistics and packing using airline companies; creditworthy information; document certification authenticity; recommendations by previous employers or third parties.
Religious beliefs	This can be collected or required by applicable law: for tax declaration purposes; as written in your ID card or passport, or internal purposes if you share this information voluntarily;
Race and ethnicity data	We will usually only collect and store such sensitive data anonymously for equal opportunities monitoring purposes or if you decide to share it for a defined purpose. Only where permitted or required by applicable law and where relevant to your role.
Trade–union / labor–union membership	If applicable in your country, BMS or competent authorities may request you to provide your professional contact, membership of affiliation to works councils, trade–union details, or other employee representative bodies
Sexual orientation data	Where this is required or permitted by applicable laws or you have voluntarily provided the information to us. For example: marriage, maternity, paternity, parental, bereavement and other similar leaves relating to family or your personal situation; marital status, family or relatives contact related information. Most often this data will be stored anonymously unless you decide to share it for a defined purpose.
Other sensitive Work Related Data	Depending on the law of your country, BMS collects other categories of personal data about you that can be considered sensitive, such as: your health information if you participate in pilot or test programs in the context of digital health initiatives; bank details, social security number, driver’s license number, email content and text messages, State ID card number, passport number, creditworthy information, precise geolocation data; dietary restrictions or health conditions; on rare occasions, genetic or biological data in the context of laboratory tests to protect your health if you are exposed to biomaterials or chemical compounds; biometric data, such as your fingerprint data to enter into our premises or facilities. Only authorized teams and approved third parties will have access to your sensitive personal data.

4. PURPOSES – WHY WE PROCESS YOUR DATA AND IN WHAT CONTEXT

This section describes the main types of activities where BMS processes your personal data and the context in which BMS uses it. Our main processing activities consist of:

handling your data for day–to–day operations, such as for onboarding you as a new hire or worker, handling your payroll, requests, enabling access to our systems and intranet and BMS social media platforms to interact with other colleagues, for internal interactions, and if applicable performance reviews;
offering benefits, such as learning, career development programs, fitness, rebates on goods, well–being programs, BMS or external events/initiatives;
implementing appropriate security measures and infrastructures that prevent data losses, ensure compliance with applicable laws, maintain whistleblowing hotlines and channels to report misconducts, conflict of interest or unlawful behaviors which may require preserving information as evidence to comply with applicable employment legislation;
in the context of our working culture and environment as multinational company, such as participating in diversity and inclusion groups, activities or discussions, responding to surveys about the working environment at BMS.

Details about the context in which we use your data

Category of data

The Purpose for use

Relocation, local assignments of workers

BMS processes your data for the following reasons:

managing your relocation to other locations;
to apply for a working visa or residence permit;
for employment related information for compliance with applicable laws, such as tax filing purposes; passport or other citizenship and right to work documentation or information collected for visa and immigration purposes; or
family or relatives related data for insurance, travel, costs and expenses purposes.

Onboarding and administration

When joining BMS as a new hire, to:

register your emergency contacts and emergency notifications in the event of business continuity response measures or for workspace security;
determine incentive and corporate credit card eligibility;
establish worker location, to manage internal transfers within BMS and off-boarding/termination, for business travel purposes;
manage the workflow, such as assigning, managing, administering projects;
enable organizational development, preparation, management, and use of an internal business directory, organization charts;
record trade union membership where required by local law.

Talent acquisition and recruitment

After your application has succeeded, BMS will use your information necessary to process your job application, record your information in our systems, as an applicant to internal opportunities for roles, projects or initiatives.

Attendance administration

In some cases, BMS may record your on-site attendance in the workplace in compliance with internal policies and as permitted by local law. This includes data necessary to record and administer your working hours, attendance and overtime application, approval and reimbursement when applicable or compliance with the applicable BMS flexible way of working policy.

Leave management

To enable your leave application for paid annual leave and unpaid leave:

health and medical data, such as the number of sick days;
doctor’s certificate/medical certificate;
information on work-related accidents;
insurance claims;
information on disability;
information on marriage, maternity and parental, and bereavement leave.

Compensation and benefits

To comply with legal requirements and BMS labor policies related to compensation and benefits, which includes:

offering of social security insurance, pension, housing fund and other flexible benefit programs and wellness initiatives, such as commercial medical insurance, annual medical examination and other allowances, based on your jurisdiction;
offering well-being services, rebates or points for goods and services, car fleet services;
administering employee welfare activities that participants may voluntarily participate in (including welfare provided for former employees), such as team-building activities, recreative and event activities including with your family, labor union activities, and aid service, etc. when applicable.

Learning and development

To manage talent development, administer and track training and awareness activities.

Performance and recognition

to enhance performance evaluation, promote personnel development, improve worker efficiency;
to set performance objectives, evaluate performance;
provide you with recognition and awards, to manage promotions.

Working culture and BMS events, surveys and activities

to improve the working culture at BMS and provide you with a friendly working environment;
to conduct surveys, hold events and other activities that you could participate in voluntarily.

Travel and expense reimbursement

to book travel and accommodation;
to review and evaluate reimbursement applications and the supporting documents including transaction records for business expenses;
to make reimbursement payment to an employee’s bank account;
to ensure compliance with travel & business expenses policies.

Safe work environment, information security, acceptable usage purposes and fraud detection and prevention

The nature of the work at BMS requires to protect the health & safety of its employees, data, or infrastructures. BMS will access your data in particular to:

ensure security and systems monitoring (for example through video (CCTV) recording);
ensure the security and integrity of BMS facilities, IT systems and data;
notify you by phone or electronic notifications about events or incidents happening while you are traveling for work;
administer, monitor and/or manage appropriate usage of BMS premises, property, and equipment, such as requirements for identity verification and access control to device, hardware, software, internet, network, infrastructure, mobile phone, mail services, or other facilities.

Protecting health & safety of its workers or third parties

BMS may apply internal policies to protect against serious diseases or threats in the context of:

exposure to chemical or biological compounds in our manufacturing sites, or
global, regional, or national public health, for instances in the event of pandemic situations.

In such cases, BMS may collect, or require third parties to collect information that demonstrate your health or vaccination status.

Compliance and regulatory purposes

to ensure corporate compliance requirements and policies are met, including conflict of interest declaration and review, audit, completion of mandatory training;
to manage, review and respond to complaints, investigations and disciplinary matters, to establish, exercise or defend legal claims or other legal rights;
monitoring and tracking of the different cases and their resolution, and definition of the nature or cause of the investigation;
to comply with applicable laws (such as tax deductions and declarations), regulations and requests from governmental agencies, and to adhere to industry standards.

Equal opportunity and diversity monitoring / initiatives

When using this data in limited, permitted or required cases, we may collect:

race, gender or ethnicity data such as information contained in your passport or other citizenship and right to work documentation or information collected for visa and immigration purposes or to comply with local regulations;
sexual orientation, diversity data where this has been provided voluntarily to BMS.

Understanding the diversity of our workforce

We collect certain demographic data mostly in aggregate, such as:

race, gender, ethnicity, sexual orientation, veteran and disability status to help us understand the diversity of our workforce and to support core business diversity, equity, and inclusion initiatives;
in some circumstances, we may also need to use this data to comply with government regulations.

Note: we generally collect this information on an aggregate or on a voluntary basis, and you are not required to provide it unless it is necessary for us to comply with a legal obligation. We will not share your data without your permission unless we are legally required to do so.

Run security & compliance scans or verifications

In certain countries, BMS will monitor your individual activity only if we have a reasonable, proportionate, and robust legal reason in place. Typical examples of where BMS might monitor your activity are:

your physical movement using CCTV, badge data or sign-in sheets – this is for the security of our employees, visitors and BMS property;
your interactions with customers (for example HCPs) - this is only conducted for specific job roles at BMS and is done for training, verification, and quality assurance reasons;
network scans including your electronic activity when using our communications systems and networks. This can cover logfiles, use of BMS assets and systems. The reason for monitoring might be network and device management, protecting our intellectual property (IP), protection against cyber-attacks, certain legal obligations, but always where permitted by law;
for specific investigations, for example if an employee is strongly suspected of breaching BMS policies.

This type of monitoring will always fully comply with the law and will only process the least amount of data needed to complete the investigation.

Automated decision making

In general, BMS does not make employment decisions based solely on automated processing (including profiling) of employees. If this were to happen, for example using Artificial Intelligence, then BMS will make you aware of this activity before any of your personal data is processed.

You can learn more about the technologies we use in section 9.

Criminal records and background checks and verification

BMS run background verifications to confirm the accuracy of documentation you provide to BMS during and after your hiring process, but only where permitted by the law and where relevant to your role.

Examples: criminal records, education, employment verification, creditworthiness, conflict of interests checks.

Other processing activities

BMS may require you to provide certain personal data (such as your name, address, and ID number) of other individuals such as your family members, for other purposes such as:

managing your employment relationship with us;
contacting you or your personal contacts during emergency;
declaring conflict of interest;
filing tax returns;
processing any corporate group insurance plans;
participate in BMS activities or enjoy benefits provided by BMS.

Note: As a BMS Worker, you are responsible for any sharing with BMS of personal data about persons outside BMS – for example, providing BMS with information about family members for health insurance purposes, relocation services, conflict of interests, verification to past employers, emergency contacts and so on. Therefore, it is your responsibility to inform the third party about such disclosure or where required, obtain their prior permission, and provide them a copy of this privacy notice. When disclosing the personal data of these individuals, you will be acting on their behalf.

5. ENTERPRISE PLATFORMS & DEVICES – HOW WE USE YOUR DATA

As a BMS Worker, there are many times when we need to process or share your data using digital means. In most cases, your online connection to BMS systems is securely managed through the BMS single sign-on (SSO) process or through our VPN (virtual private network). You may access other systems, such as Outlook or Workday using double factor authentication.

For more information about how we collect personal data from visitors to our websites or users of our products and services, please review our General Privacy Notice.

Online information that we may collect when you use our sites

Type of activity

Data categories

Purpose for use

BMS intranet, websites and applications

Login data (BMS ID, login details for SSO), Analytics data

The main use of your personal data for our intranet sites are for:

enabling you to connect to our systems;
audience measurements and aggregate websites’ traffic and analytics.

Eligible programs, benefits or activities run by third parties

Eligibility contact data (BMS e-mail, BMS ID, full name, role if needed).

BMS shares your contact details with trusted third parties to offer various benefits to workers who are eligible to access such programs.

Matching your profile for internal opportunities

Application data (full name, BMS ID, your skills, interests, current role)

Professional data (such as your CV/resume, data from 3^rd party platforms such as LinkedIn).

When you enter your professional data into BMS HR systems, BMS can use that data to propose internal opportunities at BMS that might be relevant to you. When doing so, BMS sometimes uses third parties to help match your profile to the most suited available job roles. When we do use external providers and/or software for this activity, you will receive more information prior to our use of such data.

Read more in section 9 about artificial intelligence and section 10 about your privacy rights.

Bring your own device (BYOD)

Device ID and other data needed to secure the connection to BMS application and systems.

Where permitted under BMS policies, you may also use your own device (Bring Your Own Device (BYOD)) or other approved devices to perform your job at BMS. This requires BMS to access your personal data to enable your device, including the installation of BMS approved software for information protection purposes.

Cybersecurity & information protection

Aggregate security data, system monitoring data and contact details and usage data

BMS uses a variety of supporting applications and teams to ensure all data remains available, secure, and confidential when you use BMS approved, technologies and systems. To achieve this goal, BMS processes aggregate data for the purposes of updates, diagnostics, tests, and the security of your laptop or devices.

Example: To prevent data losses, phishing or scam attempts or for compliance purposes, we may send you notifications, or refresher training requests.

6. DATA SOURCES – HOW DO WE OBTAIN AND SHARE DATA ABOUT YOU

BMS collects personal data directly from you for most of our processing activities, although sometimes we obtain personal data automatically through certain internal BMS sites or indirectly from alternative sources.

For example: we collect personal data indirectly from service providers (such as recruitment agents and background checking services), online platforms, government bodies (criminal records, wage garnishments) or authorities where required by law (such as tax authorities) to manage your work relationship with us.

We also automatically collect information about you through physical or online security, systems monitoring (for example, through video (CCTV) recording), or building access control logs when you enter the workplace or in similar contexts. BMS will always strive to make you aware of this type of processing before collecting your personal information.

7. DATA TRANSFERS – WHO WE SHARE YOUR DATA WITH AND WHO CAN ACCESS IT

Only limited BMS teams and approved third parties or authorities who need to manage or obtain your information may access Work–Related Data. When your personal data is more sensitive, BMS will apply more restrictions and protections to protect it. For details on our cross–border transfer mechanisms, please see the relevant section in our General Privacy Notice available on all bms.com websites.

Work-Related Data we share inside the BMS group

Inside the BMS group
BMS locations	BMS is headquartered in the United States, with operations in Europe, Asia, Australia and in North and South America – all collectively known as the “BMS group” (of companies). Given the global nature of our company, processing of employee data occurs across several countries. Many of our HR processing activities are centralized in the United States (for example in our Tampa office), but we also have centralized HR activities in Australia, China, India and the United Kingdom. Your data will be accessed by local and central teams who may be located in such locations. You can also find the main locations from where we operate here: https://www.bms.com/about-us/our-company/worldwide-facilities.html.
Contracts and principles to secure the transfer	Binding Corporate Rules (BCRs) is a recognized mechanism that allows the transfer and disclosure of personal data across entities that are part of the same company group. Our Binding Corporate Rules Policy provide you with an overview of our global privacy program and commitment to maintaining high data protection standards when processing personal data transferred to different countries within the BMS Group of companies. Transfers of Work-Related Data also occur on the basis of appropriate arrangements including data transfer agreements, local or regional transfer schemes or, when appropriate or required, your consent.
Teams or function accessing your data	BMS teams who can access your information include: HR departments and hiring managers in the context of the employment relationship; BMS functions, such as finance, internal audit, IT, the law department and records management in the context of their functions and responsibilities; corporate directory (whitepages): all the employees of the BMS group of companies will have access to the business contact details (name and surname, role and function, manager, email, where applicable phone numbers and business address).

Work-Related Data we share outside the BMS group

Outside the BMS group
Why we need to disclose your data	BMS partners with many organizations that are specialized in areas such as IT, security, tax and accounting, payroll, providing benefits, running programs, insurance, pension or other services. In other cases, we disclose your data to authorities.
Approved third parties	BMS engages with a variety of third-party service providers to help support the services we provide to our workers. For many of our HR functions, the third-party service providers are embedded within our HR functions (for example as consultants providing IT Support services) but in other instances, you will have a direct relationship with the external vendor – for example, insurance providers, health, and wellness Apps and so on.
Governmental bodies or authorities	BMS may share Work-Related Data that includes your contact details, correspondence, internal or external communications with authorities or for dispute resolution purposes, claims or investigations, to comply with applicable laws or to protect BMS’ business or interests.
Security	BMS puts all third-party vendors through a series of rigorous security and privacy checks, rregardless of whether the vendor works directly for BMS providing a support service or whether the relationship with the vendor is directly between you and them. In addition, we have data protection clauses included in all our contracts with vendors, where needed, to ensure that the applicable data protection legislation is followed regardless of the country in which your data is processed.

8. OUR LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA

In this section, we describe our legal justifications (commonly referred to as “legal basis”) for the use of your data related to each of purpose for using it. We will use the legal basis that is most appropriate for the purpose and circumstances related to such processing. Below, we have explained which legal bases we may choose or have to use when using your personal information.

Note: Depending on the country or State where you reside, the law of your country may not require that BMS justifies how it uses your data (such as in the US or Hong–Kong). This applies to ordinary use of your data, transfers outside of your residence, or when sharing or disclosing your Work–Related Data with a third party. If you are from a jurisdiction or a State that requires a legal basis for processing personal data (such as China, the EEA, UK, or Brazil), our legal basis will depend on the personal data concerned and the context in which we collect it. Where required by applicable law, BMS will obtain your prior consent for certain processing activities – for example, using cookies or trackers, when using your images or recording materials, disclosing your personal data outside of your country of residence or disclosing it with BMS–approved third parties.

Specific examples of usual legal bases

BMS relies on a legal basis for each of our processing activities for most of the jurisdictions where BMS operates, whether relating to Work Related Data or Sensitive Work Related data. However, the privacy laws in some countries may not require the same legal basis for our processing activities as we have described in this notice. For instance, we may use consent or contractual necessity instead of legitimate interest when the local law does not recognize such a legal concept.

Our most used legal bases are:

contractual necessity: in practice, this means that BMS needs to process your data to honor our commitments as stated in your arrangement with BMS, for example providing your personal data to our third-party payroll, pension or insurance provider;
compliance with a legal obligation: there are many times where BMS has a legal obligation to use, retain or disclose your Work Related Data. We will make this clear at the time and inform you whether provision of your personal data is mandatory or not, as well as the possible consequences if it is not provided;
prior consent: where BMS conducts optional activities or when the law requires it, we will inform you and BMS may require your prior consent. Unless the nature of the activity or of the data requires it, your local law prescribes or allows otherwise, you will have the right to withdraw your consent at any time;
public disclosures: if you agree to disclose your Work Related Data publicly or if BMS has a duty to do so, then future control over that data may be compromised. BMS will provide you with a notice explaining the processing activity where your personal data may become publicly available and if you have a choice of whether to participate or not.

Legal basis

Description and examples when using our legal basis

Performance of a contract with you

In most cases, we justify using your data for HR management as described in our HR related policies, handbooks and other rules that may apply to your role at BMS.

Example: Compensation & benefits, performance, ensuring compliance with employee handbooks, SOPs, internal procedures, for sick leave, internal career development and opportunities, running our daily operations, login to and use our IT systems.

Legal obligations, investigations and compliance

We use your personal data when BMS complies with its legal obligations related to employment which can include Sensitive Work Related Data.

Example: in the context of tax laws, regulations preventing anti-bribery or conflict of interests, public health, for security, health & safety at work, investigations or internal or third party claims, audits, good clinical, laboratory and manufacturing practices (GxPs). This includes sharing your Work Related Data with third parties or competent authorities or bodies.

Legitimate interest or use

BMS has legitimate interests to use your personal data for identified purposes, always assessing that there is an appropriate balance between your right to privacy and BMS’s interest to conduct its business operations.

In general, BMS considers it has a legitimate interest to use your Work related Data to achieve its immediate and long-term business and commercial goals and outcomes, such as in the context of:

recruitment and candidate selection, HR management;
protecting our work case management, running investigations to evaluate misconducts or non-compliance with internal policies or procedures, retaining data for protecting against claims and disputes, business continuity, pension or retirement administration;
celebrations of special occasions (recognizing years of service, birthday), using intranets, corporate directories, make your BMS profile available internally or to our approved third parties;
prevention and detection of data loss, crime or fraud;
manage and forecasting our finances;
conduct surveys, analytics, improve facility accesses, workforce optimization, security of our systems or prevent data losses.

Note: BMS uses its legitimate interest when it is proportionate, aligned to, or would not conflict with, your reasonable expectations, and does not undermine your individual rights, interests or freedoms.

Consent

In the context of voluntary initiatives or benefits where we obtain your prior permission to use or share your personal data for a specific activity, such as events, picture or recordings, connecting to third party platforms or services.

Public interest

To protect against serious diseases or threats in the context of global, regional, or national public health, for instances in the event of pandemic situations. In most cases, accessing or disclosing your personal data in this context will be based directly on applicable laws.

Vital interest

On rare occasions, we use your vital interest to protect your, or the vital interest of third parties, for accident, security or to prevent imminent threats to your or third parties’ health and safety at the workplace or outside our premises for emergencies or insurance purposes.

The above list is not exhaustive and is intended to provide you with an overview of how we justify the processing of your personal data.

9. DO WE USE ARTIFICIAL INTELLIGENCE (AI) OR SIMILAR TECHNOLOGIES?

BMS has developed internal policies and guidance on responsible use of AI. When using AI tools involving Work-Related Data, we will apply globally recognized data privacy & protection principles. When using third party technology, we ensure to apply:

(i) BMS principles on responsible use of AI;
(ii) appropriate technical and security measures;
(iii) contractual arrangement to protect your personal data.

BMS will provide you with more detailed information in a privacy notice, and if required, obtain your prior consent before using such technologies. You can read more information about your rights, including your right to object or to request human intervention, in section 10.

More information and examples of our use of digital technologies

10. INDIVIDUAL CHOICES – RIGHTS AND ACCESS TO YOUR DATA

This section describes the rights you may have and the potential actions you can take in relation to how BMS processes your personal data.

You have several privacy rights in relation to the processing of your personal data at BMS, but these will depend on the country where you reside and on the legal basis that we used to process your personal data. Exercising your rights is usually free of charge, except if your request is excessive or requires disproportionate efforts, in which case we may ask you for a reasonable fee.

BMS assesses every request received based on who you are and the jurisdiction or State in which you are based. If we cannot comply with your request, we will let you know the reasons why. You can always contact BMS at dpo@bms.com to find out more about your rights and how you can exercise them.

You can read more about your individual rights

Actions you can take about your personal data

I would like to

Tools you can use to manage your data

Update my data

Workday, mybms & e-mail. If your personal data changes during the course of your time at BMS, please raise a ticket or connect to your Workday account to update that data or contact your HR business partner to note those changes.

Access my data or receive a copy of my data

Workday, mybms, & e-mail. Workday and the relevant applications available in mybms allows you to see the data that we hold about you and download a copy. If we have data that you cannot access via Workday, then you may make a request by emailing your HR Business Partner or by using the contact details provided in the contact us section below.

Note: we might need to refuse access to personal data in certain cases, such as when providing access might infringe someone else’s privacy rights.

Delete my data or withdraw consent

Workday, mybms & e-mail. You can ask that we delete personal data that you believe is inaccurate or no longer relevant by emailing your HR Business Partner or by using the contact details provided in the contact us section below.

In addition, you can go into Workday and remove some of the data you have chosen to share with us, such as your photo, demographic data, emergency contacts and so on. We might need to refuse deletion of personal data in certain cases, for example if there is an impact on our legal obligations.

11. DATA SECURITY – HOW WE PROTECT YOUR PERSONAL DATA

BMS uses appropriate technical and organizational measures to protect your personal data online and offline. We do this to prevent unauthorised processing, loss of data, disclosure, use, alteration, or destruction of your personal data. The measures that we deploy are dependent on the sensitivity of the personal data and the most recent advancements made in security technology. Where appropriate, we use encryption, pseudonymisation (such as key coding), de-identification and other technologies that can assist us in securing your data, including measures to restore access to your data. We also require our service providers to comply with reasonable and recognized data privacy and security requirements.

The measures we use to protect your data

12. DATA RETENTION – HOW LONG BMS RETAINS YOUR PERSONAL DATA

Data retention schedules

BMS will only retain your personal data for as long as necessary for the processing purposes listed in section 4. When retaining and storing data about you in our systems, we have put in place specific data retention schedules in accordance with our company policy and in compliance with applicable data protection and local employment laws.

More information on our retention periods

Criteria to keep your data

Typically, we retain data based on the following criteria, where we consider:

the quantity, nature and sensitivity of the personal data in question;
the potential risk of harm in the event of unauthorised use or disclosure;
the purposes of the processing;
whether or not these purposes can be achieved by other means, as well as the applicable legal obligations.

Note: the below retention schedules are not applicable across all countries - certain retention periods may differ from this table to meet local legal or regulatory requirements (such as China). Retention periods can also be adjusted in line with specific changes made through new legislation.

There are instances where BMS is legally obliged to adhere to specific retention periods. For example, when BMS must retain data for a set minimum period or to delete it after a set maximum time limit. Some common examples of these obligations normally relate to data needed for tax and accounting, anti-bribery, conflict of interest or investigation purposes.

Type of activity

Retention period

Benefit plan administration, reporting, and participant disclosure

Event + 10 years

Benefit enrolment and participation

Benefit plan development and management

Benefit plan texts and amendments

Event + 6 years

Education assistance, and work/life and diversity

Creation + 7 years

Workforce tracking and compliance

Creation + 5 years

Employee recruitment and selection

Creation + 3 years

Employment eligibility / verification & immigration

Duration of employment + 6 years

Personnel relations & investigations

Event + 3 years

Personnel records

Training completion – general

Duration of employment + 7 years

Labor arbitration / grievances

Labor relations records

Event + 50 years

Creation + 50 years

Compensation / salary, and incentive planning

Creation + 10 years

Training programs and materials

Training relating to BMS products in compliance with GxPs

Active + 5 years

Active + 2 years. Thereafter, the longer of 25 years or 10 years after the expiration of the drug’s marketing authorization.

Employee relocation and forgivable loans

Creation + 7 years

Payroll

Payroll tax records

Creation + 11 years

Employee time and attendance records

Creation + 8 years

For more specific information about the description of each activity, how long BMS retains your personal data for human resources management, or for other purposes as described in this privacy notice, please access this page: https://retention.bms.com. If your relationship with BMS does not allow you to access this page, please contact us at dpo@bms.com.

13. LEAVING BMS – WHAT HAPPENS TO MY DATA

After you end your employment with, BMS we will need to retain certain information about you, including your contact details, to fulfil certain business obligations, to administer or manage retirement plans, payment for outplacement services, respond to queries from your new employer.

Information about why we may retain your data after you leave BMS

Purpose

Categories of data

Details

Claims & disputes

For example, compensation, incident data, e-mail exchanges, investigation data.

To deal with claims or disputes involving you or others. This could include an accident at work. We do this because we have a legal obligation to provide the information, or it is in our interests to bring or defend a claim. We may also have an obligation to retain and preserve data or evidence that is subject to a legal hold obligation.

Retirement, e-mail communications or referrals

Years of service, compensation, e-mail exchanges, your applications and new role, third party contact details.

We may keep or share your information to administer or manage leave, severance or retirement packages, contact you in relation to your past role or work or to respond to queries to your new employer about your role at BMS.

Outplacement services

Professional and personal contact details, CV, professional background, role at BMS.

BMS may offer or pay for services after you leave our company. BMS will only keep your data necessary to pay the costs of packages you may be eligible for.

Business

continuity

E-mails and documentation, projects, and decisions you made, login and accesses to systems.

To understand and evidence decision making in your role and maintain knowledge within the business after you leave. We do this because it is in our interests to use this information to help run our business, or it may be to support a legal obligation we have.

Employee retention

Leave reasons, manager and employee evaluations, performance, role, position/title.

To understand why you left us. We do this because it is in our interests to use this information to help run our business or it may be to support a legal obligation we have.

Pension administration

Your contact details, compensation and benefits, years of service, payroll, and tax data.

To manage and administer your pension and related legal obligations.

Obligations to third parties

Your contact details, role, position, title, compensation & benefits.

To comply with our obligations to third parties in connection with your employment, such as tax authorities and professional bodies.

14. TRANSFER OF CONTROL

Data sharing in connection with a transfer of control

Circumstances may arise where we decide to reorganize or divest part (or all) of our business or a line of our business (or any portion of our assets). This can include our information databases and websites, through a sale, divestiture, merger, acquisition, in the event of a bankruptcy, or other means of transfer.

In such circumstances, your personal data may be shared with, sold, transferred, rented, licensed, or otherwise provided or made available by us or on our behalf to actual or potential parties to, and in connection with, the contemplated transaction (without your consent or any further notice to you). In such circumstances, we will seek written assurances that your personal data will be protected appropriately.

15. CHANGES TO THIS NOTICE

BMS may update its privacy notices from time to time. If there are any important revisions which might impact the way we process your personal data, BMS will notify you to inform you of these changes either directly or through our internal communication channels.

16. CONTACT US

If you have questions about this notice, or you want to obtain more information about our use of your personal data as a BMS Worker, you can ask a question by raising a ticket on myBMS. For current and previous employees, you can also contact us by email at eudpo@bms.com for the EU/EEA, Switzerland and the UK. If you are located elsewhere, please email the team at dpo@bms.com or by post at the contact details as described on the relevant footer of our corporate websites that applies in your own language under the contact section.

More information about data protection in your market

List of privacy notices for other jurisdictions
Argentina	Australia	Austria	Belgium EN Belgium NR Belgium FR	Brazil	Canada EN Canada FR
Chile	China	Colombia	Czech Republic	Denmark	Finland
France	Germany	Greece	Hong Kong	Hungary	India
Ireland	Israel	Italy	Japan	Korea	Luxembourg EN Luxembourg FR
Mexico	Netherlands NL Netherlands EN	New Zealand	Norway	Peru	Poland
Portugal	Romania	Saudi Arabia EN Saudi Arabia AR	Singapore	Spain	Sweden
Switzerland DE Switzerland FR	Taiwan	Thailand	Turkey	United Arab Emirates	United Kingdom

Privacy notice versions

Current	Comprehensive update in the layout and content to harmonise transparency across all BMS markets
2023

Right of access	You have the right to contact BMS and request confirmation that we process your personal data, why we process your data, and be provided with access to that data. Please remember that this is not an ‘absolute right’; there are situations where we must remove or redact data to protect other data subjects and company confidentiality.
Right to rectification	You may have the right to update/correct your personal data, for example if it is inaccurate, incomplete, or not up to date.
Right to erasure (right to be forgotten)	You may have the right to have your personal data deleted. There are exceptions to this right, for example when we are legally obliged to retain your personal data for a specific time-period, or when your data is disclosed publicly.
Right to restrict the processing	You have the right to request that we restrict, suspend, or cease the processing of your personal data. Exceptions also apply here. If BMS lifts the restriction, we will inform you beforehand and explain our reasoning.
Right to data portability	You have the right to receive or have your personal data transferred to a third party in a structured, commonly used, and machine-readable format. Note: This right may not apply when your data is processed based on the legitimate interest of BMS or in certain jurisdictions.
Right to withdraw consent	When we process your personal data based on your consent, you have the right to withdraw it at any time and BMS will stop processing your personal data. However, the withdrawal of consent does not impact our processing of your personal data prior to the removal of your consent.
Right to object	You may have the right to object to BMS processing your personal data. This is also not an absolute right and your right to object will depend on the nature of the processing by BMS..
Account deletion	Where applicable, you may have the right to request to delete your user account. This applies for example when using an account on a platform that is operated by a third party. In this case, please contact the platform directly to exercise your rights.
Right to complain to data protection authorities	In some countries, you may have the right to complain directly to the data protection authority in your jurisdiction, if you believe that BMS is processing your personal data unlawfully and/or is violating your rights. The privacy rights section of our BMS General Privacy Notice describes how to contact the competent authority or relevant contact in your country where you reside.

Americas

Argentina

Brazil

Canada

Chile

Colombia

Mexico

Peru

United States

Asia Pacific

Australia

China

India

Japan

Korea

New Zealand

Singapore

Taiwan

Thailand

Europe

Austria

Belgium

Czech Republic

Denmark

Finland

France

Germany

Greece

Hungary

Ireland

Italy

Luxembourg

Netherlands

Norway

Poland

Portugal

Romania

Spain

Sweden

Switzerland

United Kingdom

Middle East

Israel

Saudi Arabia

Turkey

United Arab Emirates

Other

Other Markets

Privacy notice center - Bristol Myers Squibb