1. WHO ARE WE?

The companies responsible for processing your personal data are:

Novo Nordisk Kenya Limited

3rd Floor, Avenue 5

Rose Avenue, Off Lenana Road

P.O Box 18663-00100

Nairobi, Kenya

Nordisk Pharma Limited

4th Floor GIL Group Building,

10, Gbolahan Lawal close, Off Ashabi Cole Street,

Alausa CBD, Ikeja,

You can always contact the Novo Nordisk Data Privacy Officer or Middle Africa Data Protection Responsible at privacyma@novonordisk.com with questions or concerns about how we process your personal data.

2. HOW DO WE COLLECT PERSONAL DATA ABOUT YOU? 

We get your personal data from the following sources:

• from you directly
• from publicly available publications, websites, or social media
• from other Novo Nordisk entities that have prior received your consent
• from vendors/providers that have prior received your consent

3. WHY DO WE PROCESS YOUR PERSONAL DATA?

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. We process your personal data for the following purposes:

• manage our relationship with you (e.g. through our databases);
•  implement tasks in preparation of or to perform existing contracts;
•  evidence transactions and ensuring transparency on transfers of value;
•  provide you with appropriate, adequate and updated information about disease, drugs as well as our products and services;
•  improve the quality of our interactions and services by adapting our offering to your specific needs;
•  answer your requests and provide you with efficient support;
•  send you surveys (e.g. to help us improve your future interactions with us);
•  send you communications regarding products, therapeutic areas or services that we promote;
•  Send the information to providers of online training for HCPs supported by Novo Nordisk
•  plan, manage and execute communications and interactions with you (e.g. through the operation of a database
  keeping records of interactions with health care professionals or managing call planning as well as call reporting);
•  track our activities (e.g. measuring interactions or sales, number of appointments/calls);
•  target and do segmentation exercise in order to best address your professional needs;
•  invite you to events or promotional meetings sponsored by us (e.g. medical events, speaker events, conferences);
•  grant you access to our training modules allowing you to provide us with certain services;
•  manage our IT resources, including infrastructure management and business continuity;
•  preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud; conducting audits and defending litigation and disclosing transfers of value as required by law, relevant authorities and/or industry codes of practice);
•  manage mergers and acquisitions involving our company;
•  archiving and record keeping;
•  billing and invoicing; and
•  any other purposes imposed by law and authorities

4. WHAT PERSONAL DATA DO WE PROCESS ABOUT YOU?

For the purposes described above in Section 3, we may process the following types of personal data:

• your general and identification information (e.g. name, first name, last name, gender, email and/or postal address, fixed and/or mobile phone number);
• your function (e.g. title, position, name of company, as well as, for healthcare professionals, first specialty, second specialty, year of graduation from medical school, publications, congress activities, awards, biography, education, links to universities, expertise and participation in/contribution to clinical trials, guidelines, editorial boards and organizations, engagements in therapies and treatment);
• payment information (e.g. credit card details, bank account details, VAT or other tax identification number and transfers of value to you, including but not limited to support to attend scientific events, fees, grants or benefits in kind);
• your electronic identification data where required for the purpose of delivering products or services to our company (e.g. login, access right, passwords, badge number, IP address, online identifiers/cookies, logs, access and connection times, image recording or sound such as badge pictures, CCTV or voice recordings);
• information regarding your utilization, responses and/or preferences including in terms of types of messages discussed, channels of communication and frequency;
• data you provide to us for example when you fill in forms or during events you attend, or when you answer questions during a conversation or in a survey;
• data which relate to our products and services; and
• information about the promotional, scientific and medical activities/interactions you have with us, including potential future interactions.
  
  If you intend to provide us with personal data about other individuals (e.g. your colleagues), you must provide a copy of this Privacy Notice to the relevant individuals, directly or through their employer.

5. WHY ARE WE ALLOWED BY LAW TO PROCESS YOUR PERSONAL DATA?

Personal data are collected only to the extent required. Under no circumstances are the collected data sold on to third parties for any reason. Our processing of your personal data requires a legal basis. We will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if:

• we have obtained your prior consent;
• the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;
• the processing is necessary to comply with our legal or regulatory obligations; or
• the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms.
  
  Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such ‘legitimate interests’ are data processing activities performed:
  
• To develop a transparent and professional relationship with health care professionals including but not limited to, disclosing transfers of value as required by law, relevant authorities and/or industry codes of practice;
• To promote Novo Nordisk innovation in the pharmaceutical field;
• To manage Novo Nordisk human and financial resources and optimize interactions with health care professionals;
• To ensure that the right medicine according to a well-informed health care professional technical and professional opinion reaches the patient.
• to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
• to offer our products and services to our customers;
• to prevent fraud or criminal activity, misuses of our products or services as well as the security of our IT systems, architecture and networks;
• to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and
• to meet our corporate and social responsibility objectives. 

6. HOW DO WE SHARE YOUR PERSONAL DATA?

We may share your personal data with: In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by, or transferred to the following categories of recipients, on a need to know basis to achieve such purposes:

• our personnel (including personnel, departments or other companies of the Novo Nordisk group);
• our independent agents or brokers (if any);
• our suppliers and services providers that provide services and products to us;
• our IT systems providers, cloud service providers, database providers and consultants;
• our business partners who offer products or services jointly with us or with our subsidiaries or affiliates;
• any third party to whom we assign or novate any of our rights or obligations; and
• our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets.
• to providers of online training for HCPs supported by Novo Nordisk.
  
  The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law. We may also make public disclosures of transfers of value, where required by law, relevant and/or international regulatory, enforcement, public body or court, where we are required to do so by applicable law or regulation or at their request.

7. HOW LONG WILL WE KEEP YOUR PERSONAL DATA?

We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements. For contracts, the retention period is the term of your (or your company’s) contract with us, plus the period of time until the legal claims under this contract become time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period. When this period expires, your personal data is removed from our active systems. Personal data collected and processed in the context of a dispute are deleted or
archived (i) as soon as an amicable settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time barred. 

8. WHAT ARE YOUR RIGHTS?

In general, you have the following rights:

• You can get an overview of what personal data we have about you
• You can get a copy of your personal data in a structured, commonly used and machine-readable format
• You can get an update or correction to your personal data
• You can have your personal data deleted or destroyed
• You can have us stop or limit processing of your personal data
• If you have given consent for us to process your personal data (see Section 5), you can withdraw your consent at any time. Your withdrawal will not affect the lawfulness of the processing carried out before you withdrew your consent
•  You can submit a complaint about how we process your personal data to a Data Protection Authority.
  
  Under applicable law, there may be limits on these rights depending on the specific circumstances of the processing activity. Contact us as described in Section 1 with questions or requests relating to these rights.