General Patient Privacy Notice
Find the General Patient Privacy Notice in your language HERE.
When you contact us (such as through our patient support platform UCBCares), take part in our various patient programmes (e.g., image sharing, controlled access, patient support programmes (PSPs), etc.), provide us with testimonials about your experience with UCB and our products, participate in our market studies (to the extent we are able to identify you/your input), interact with us regarding our services and products, when we comply with our reporting and other legal obligations, or when you otherwise interact with us or our representatives for other purposes listed below – we may process some information (personal data) related you (the Patient).
This General Patient Privacy Notice (the Notice) informs you about how we process your personal data in the context of our relationship. This Notice may be supplemented by additional privacy notices, which we provide in order to give you more detailed information about specific programmes or initiatives, involving your personal data.
The Notice consists of the following parts:
- Who We Are and How Can You Contact Us
- What Personal Data We Process
- Source of your Personal Data
- Purposes & Legal Bases for Our Processing
- How Long Do We Keep Your Personal Data
- Who We Share Your Personal Data With
- Your Rights and How to Exercise Them
We may update this Notice to reflect changes in our data processing practices in response to legal, regulatory, technical, or business developments.
1. WHO WE ARE AND HOW YOU CAN YOU CONTACT US
When we refer to UCB or we in this Notice, we mean UCB SA, with its registered office at Allée de la Recherche 60, 1070 Brussels, Belgium and its affiliates.
For personal data collected subject to Economic Area (EEA), United Kingdom (UK) or Swiss data protection laws, UCB is the data controller, i.e., the legal entity that decides why and how information relating to you (personal data) is processed. We will inform you if other UCB group entities act as data controllers for processing of your personal data (either independently, or together with us, as joint controllers), through additional privacy notices, as appropriate. If we act as joint controllers with our third-party partners, we will inform you as required through such additional privacy notices as well.
For any data privacy-related questions, including if you would like to exercise your data protection rights, please contact our Data Protection Officer (DPO):
E-mail
dataprivacy@ucb.com
Regular mail
UCB SA
To the attention of the Data Protection Officer
Allée de la Recherche 60
1070 Brussels
Belgium
For relevant local contact details (if applicable), please refer to the respective country version of this Notice, available on our websites.
2. WHAT PERSONAL DATA WE PROCESS
The categories of personal data we may process about you, for the purposes described in Section 4 below:
- Personal Details, such as first name, last name, age, information about consents given, including signature and its date, date of birth, information about your healthcare professional.
- Demographic Data, such as your age, gender, education, occupation, family status, household income.
- Contact Details, including your postal address, and landline and/or mobile phone number(s), and your e-mail address (depending on your preferred way to be contacted).
- Preferences, including for calls, we collect your preferred time of the day to be contacted (mornings, afternoons or evenings) and for e-mails, we retain your choice regarding receiving e-mails from us. We also collect your preferences regarding support services we provide to you.
- Interactions, including recording your interactions with us, like time and date of calling you, and of us sending, and you receiving and opening of e-mails, and otherwise capturing content of our interactions (such as in call notes, etc.), or when you confirm your acknowledgement/agreement, which we record for evidentiary purposes (e.g., when you give us your consent with processing your data, or you acknowledge being informed about a treatment).
- Requests, including your requests for information about our programmes, products and services.
- Adverse Event Information, including Patient’s information, seriousness, date, unique identification number, and any other information that may be legally required. For more information about adverse event reporting related to our products, see our Pharmacovigilance Privacy Policy.
- Feedback, such as your feedback about your participation in our programme and other interactions with UCB (such as in the form of your testimonials – these may also include your photographs and videos), and your opinions and other input about our services and products.
- Payment Information, such as your banking and transfer amounts details.
- Product Diagnostics, such as product service and error data, usage, and other diagnostics data, to the extent it relates to you.
- Health Data relating to your condition/disease, its diagnosis, diagnosis time, age at diagnosis, condition/disease duration, treatment received (including timing of treatment and confirmation that any preconditions for such treatment have been met), images/videos of parts/areas of your body; challenges you have faced in your condition/disease and/or treatment; the outcome of the treatment for your condition/disease; and unique IDs you may be assigned as part of treatment (e.g., to track compliance with preconditions for participation in the treatment); other health data we may collect as a consequence of your participation in a programme and; any other additional information you decide to provide to us.
Note: If you participate in a patient programme that involves image sharing, please do not share images which contain your face, eyes, fingerprints, or other unique identifying marks (e.g., tattoos, unique birth marks, etc.) with us. Where this is unavoidable, please ensure that your face/eyes/ fingerprints/other unique identifying marks are sufficiently obscured, e.g., blurred out, showing only the limited view of the affected area.
3. SOURCES OF YOUR PERSONAL DATA
- Directly from You
We generally collect personal data directly from you (electronically, in writing, verbally). Our UCB personnel may, in some instances, also meet you in-person, exchange e-mails with you or call you to ask for/discuss information listed in Section 2 of this Notice.
- From Third Parties
In certain instances, we may receive your personal data from your healthcare professional treating your condition/disease, or from your caregivers.
- From us
In some cases, we may infer other information about you based on personal data we process about you (such as the data about your condition and treatment with UCB medication, information about you as a Patient, or other types of information) and create records about such inferences.
4. PURPOSES & LEGAL BASES FOR OUR PROCESSING
We may process your personal data for the following purposes:
- To enable you to register and participate in our programmes, and use our services and products
For example, this may mean that we will add your personal data to our database so we can determine your eligibility to participate in these, monitor and report on the outcomes of various treatment paths you may experience while using our medications, services, their effectiveness, potential benefits, and progress over time, as well as your compliance with applicable policies and procedures.
We rely on the following legal bases for the processing: your consent as far as Health Data is concerned; necessity to perform a contract with you for other personal data such as your Personal and Contact Details, Demographic Data, Interactions and Feedback.
- To contact you and maintain patient engagement platforms (like UCBCares), in order to provide you with custom support, communicate product safety information to you, and answer your questions in general, in relation to our programmes, services or products
If we have any question about personal information you/healthcare professional who is treating you provided to us/we have otherwise collected in the context of our programmes/other activities you participate in, we may need to contact you to clarify them. We may also contact you to respond to your questions or provide you with personalized support based on your preferences (such as based on personalization questionnaires you respond to) and needs (such as treatment reminder SMS/emails, self-injection trainings, coaching calls, nurse support, or other services personalized to you), or communicate safety information about products you are using.
We rely on the following legal bases for the processing: your consent as far as Health Data is concerned; necessity to perform a contract with you and consent (as appropriate) for other personal data such as your Personal and Contact Details, Preferences, Interactions and Feedback.
- Reporting and other legal obligations
There are certain instances, where we are obliged to process your personal data by law. For example, as part of reporting on your use of our medication, we process and report on adverse events (e.g., safety information and side effects) to competent authorities to allow monitoring of the safety of the product, in compliance with our legal obligations. We may also be required to record/track (often with assistance from your healthcare professional) that all mandatory preconditions for your use of our medication have been met (e.g., use of certain medication may require prior vaccination or use of complementary medication as part of its risk management). Other examples include maintaining certain legally mandated product registries, including tracking use of certain medical devices, and administration of your legal rights (including those under this Notice).
For such processing, we rely on our legal obligations to comply with pharmacovigilance, other adverse events reporting requirements, controlled access recording/tracking obligations and other legal obligations we are subject to; and necessity for reasons of public interest in the area of public health to process your Personal and Contact Details, Adverse Event Information, Interactions, Feedback, Product Diagnostics and Health Data.
- To send you personalized materials and other information about our programmes, studies, products and services
For example, we may send you starter kits, newsletters you subscribed to, and other materials, including about general health information (such as information on certain health conditions).
We rely on your consent as a legal basis for such processing of your Personal and Contact Details. Alternatively, we may rely on our legitimate interest if you provide us with your Personal and Contact Details in the context of a product or service (for example if you requested a support service from us). You can always change your preferences/opt-out of these communications via the unsubscribe link in commercial communication from us or by contacting us using the below details, or as otherwise outlined on our platform you are using.
- To measure effectiveness of our communications (e.g., by email) and other engagement with you
We always aim to manage our relationship efficiently and we may measure our interactions with you in order to make sure they stay relevant as well as to avoid any duplications.
We rely on our legitimate interests as a legal basis for the processing and consent when/if needed to process your Personal and Contact Details and Interactions.
- Enable treatment or post-treatment monitoring of your condition/disease by the healthcare professional, who is treating you
For example, we may provide your healthcare professional with milestone reporting.
We rely on your consent as a legal basis for the processing of your Health Data and other data you request us to share with your healthcare professional.
- To collect your input and feedback about our programmes, services and products, so we can improve them
In order to improve, benchmark and quality-control our current/future programmes, services and products, we may ask you to provide us with feedback on these, or otherwise survey your satisfaction with them.
We rely on the following legal bases for the processing: your consent as far as Health Data is concerned; our legitimate interest and consent when/if needed for processing of your Personal and Contact Details, Interactions and Feedback.
- Enrich and enable access to the knowledge about possibilities for treatment paths for your condition/disease and its possible outcomes
We can achieve this thanks to you allowing us to process your Health Data, and provide access to your pseudonymized (i.e., data which does not directly identify you without being combined with other personal data we hold about you) Health Data with a wider healthcare community/general public. When we share your pseudonymized Health Data, such as images and information about your condition/disease and treatment, the recipients will typically not be able to identify you solely based on this information (unless this is a part of the program, in which case, we will implement additional measures to minimise identifiability when processing such data, as appropriate).
We rely on your consent for such processing.
- Payment processing
In instances, where we may need to provide payments to you, such as agreed remuneration under a contract with you.
We rely on the necessity to perform a contract with you for such processing of your Payment Information.
- Verify your identity in your interactions with us
In order to ensure we are interacting with the right person and to protect you, we may need to verify your identity for various purposes. Depending on the purpose, such verification may have different forms (such as providing a dedicated reference code or providing your identification documents).
We rely on our legitimate interest and your consent when/if needed for processing of your Personal and Contact Details.
- Run diagnostics
We may need to run diagnostics on certain devices and applications you may be using, which may therefore be associated with your use of the device/application.
We rely on our legitimate interest and your consent when/if needed for processing of your Personal Details and Product Diagnostics.
- To the extent this is possible, anonymize your personal data
We rely on our legitimate interest for the process of anonymization. We will no longer be able to identify you, using such anonymized data.
We may also combine information that we receive from the various channels for the purposes outlined above.
5. HOW LONG DO WE KEEP YOUR PERSONAL DATA
We will retain your personal data for as long as necessary to fulfil the purposes for which we collected it for and for as long as we have a legal requirement to do so.
If you participate in patient programmes, we will typically retain your personal data for one year from the day you register in the programme. Please note that this retention period may vary, depending on the length of the programme in which you participate, e.g., the length of support period we may offer and follow up analysis that is part of some of our programmes; where you provided a testimonial to us, this may depend on how long we offer certain medication on the market.
We retain your personal data processed on our patient engagement platforms for as long as you have your account open on these/you have a contractual relationship with us.
If you provided us with your feedback/input about our programmes, services or products, we retain such information for as long as it helps us implement relevant changes and improvements. We typically aim to anonymize such data within one year, but this period may vary in particular cases, where such identifiable feedback/input helps us e.g., provide long-term targeted support/improvements.
When we measure effectiveness of our communications and other engagement with you, we generally retain this information we will typically retain your personal data for one year or otherwise for as long as we have a direct relationship with you.
If you asked us to provide you with materials related to our programmes, services, products or general information about health conditions, such as through our newsletters, we keep your personal data for this purpose for the length of your subscription to these communications.
We retain your payment and contractual information for the period we are required to retain such information for accounting purposes or otherwise for the applicable statute of limitations period for contractual claims.
When we are required to report, track or otherwise record our obligations related to your use of our medication, we will keep such records for as long as we may be required to produce them as evidence of our compliance.
If you would like to know more about retention periods applicable to your particular circumstance, you can contact us using details provided above.
6. WHO WE SHARE YOUR PERSONAL DATA WITH
Principle. We will disclose your personal data (including with our own personnel) only on a need-to-know basis, as described in this Notice, and as may be updated from time-to-time.
We may share your personal data with the following categories of recipients, for the purposes set out in Section 4 above:
- Sharing with Data Processors. We may share your personal data with other UCB affiliates in the European EEA, UK and Switzerland (intra-group) acting as data processors for us, and/or with the following categories of third-party service providers:
- IT service providers, such as those providing services related to hosting/storage, back-up, and more generally guaranteeing a continued service in case of major IT issues and providing technical and administrative support for underlying IT systems.
- Providers of e-mail/text message services.
- Providers of image/video processing/anonymization services.
- Providers of data analytics and diagnostics services.
- Providers of internal communication channels (such as intra-company chat and file sharing tools).
- Providers that assist us with complying with adverse event reporting requirements, and recording/tracking our compliance with obligations to control access to certain medication.
- Homecare service providers.
- Confidential waste management and physical document safekeeping and storage providers.
- Sharing with Data Controllers. In some instances, we share your personal data with other UCB affiliates in the European EEA, UK and Switzerland (intra-group), and/or the below third-party recipients which determine the purposes and means of the data processing on its own. In particular:
- We may share your pseudonymized personal data with other UCB entities, healthcare professionals, stakeholders in the healthcare industry, and general public.
- We may also share your personal data (including Health Data) with healthcare professional who is treating you, pharmacies dispensing medication (in particular when they need to verify certain mandatory treatment preconditions have been met), in the context of your condition/disease treatment or post-treatment monitoring.
- Payment services providers.
- We may share your personal data when/if a third party acquires all (or part) of our business and/or assets, or UCB merges with such third party; their lawyers and various professional advisors.
- We may provide grouped/particularized reporting to third party entity sponsors who fund the underlying treatment, which may include personal data (such as Health Data).
- Logistics services providers.
- In some cases, we may share personal data with a regulatory or governmental body, a public authority, a law enforcement agency, courts, tribunals, opposing or other related parties to the proceedings and where their professional advisors request so; accountants, auditors, lawyers, and other outside professional advisors who request so in relation to compliance and corporate governance functions, enforcement and defence of our rights, property or safety of others.
- International Transfers
Some of our entities may be based and the third-party service providers may provide their services from locations outside the EEA, United Kingdom and Switzerland (Non-European Countries). Such Non-European Countries may not offer the same level of personal data protection as the EEA, United Kingdom and Switzerland. In such cases, we will put in place appropriate safeguards to ensure that your personal data is adequately protected and transferred in compliance with applicable data protection law. Most often, we will execute the EU Standard Contractual Clauses (EU SCCs) and/or the UK Addendum to the EU SCCs with the relevant third-party service provider. For intra-group transfers between our entities, we will generally rely on our EU Binding Corporate Rules (link available here), as well as EU SCCs and/or the UK Addendum, where appropriate. If you want to receive more information on the appropriate safeguards we apply to data transfers, or, where applicable, a copy of the relevant data transfer mechanism, please contact us as set out in Section 1 above.
7. YOUR RIGHTS AND HOW TO EXERCISE THEM
Under the conditions set by applicable EEA, UK and/or Swiss data protection laws, you may exercise the following rights regarding your personal data.
If you wish to exercise your rights under this Notice that apply to you, please contact the Data Protection Officer by e-mail or by post, as indicated in Section 2 of this Notice. Please clearly identify the right(s) you wish to exercise and include your contact details (including a valid e-mail or postal address) so that we can respond to your request. Please note that you may be asked to provide proof of your identity. When you contact us to exercise your rights and EEA, UK and/or Swiss laws apply to you, we will respond to your request within one month following receipt of the request. This period may be extended by two additional months where necessary, in which case we will inform you thereof.
- Access: You have the right to obtain from us confirmation if your personal data are being processed, and if so, access it and obtain related information, as well as request a copy of your personal data undergoing processing.
- Rectification: You have the right to request the rectification of inaccurate personal data and to have incomplete data completed.
- Erasure: You have the right to request to erase your personal data if (a) it is no longer necessary for the purposes for which we have collected it or otherwise processed; (b) you have withdrawn your consent and no other legal ground for processing exists; (c) you objected and no overriding legitimate grounds for the processing exist; or (d) the processing is unlawful, or erasure is required to comply with a legal obligation.
- Restriction: You may request to restrict the processing of your personal data in certain cases.
- Data portability: You may request to receive your personal data that you have provided to us, in a structured, commonly used and machine-readable format, and have the right to transmit it to another controller without hindrance. The right only exists if the processing is based on your consent or a contract, and the processing is carried out by automated means.
- Objection: You may have the right to object to the processing of your personal data if it has been processed under the legitimate interest legal basis, or for the performance of a task carried out in the public interest. We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the data is needed for the establishment, exercise or defence of legal claims.
- Right to withdraw consent: In case we ask you for your consent to processing of your personal data, you have the right to withdraw your consent at any time without detriment. The lawfulness of any processing of your personal data that occurred prior to withdrawal of your consent will not be affected.
Please note that if you withdraw your consent(s) to the processing of your Health Data, you may no longer be able to participate in (a part of) certain programme, to the extent these depend on such Health Data (such as where the programme’s core purpose is to process it).
We may ask you for separate consents for other (additional) specific purposes, withdrawal of which will not prevent your continued participation in our patient programmes. The only consequence will be that we will stop processing your personal data for that specific, additional purpose. - Right to lodge a complaint: You also have the right to lodge a complaint with a supervisory authority, in particular in the country of the EEA, Switzerland or the United Kingdom where you reside, is the place of your work, or where the issue that is the subject of the complaint occurred. Please visit the website of the relevant national supervisory authority for more information on how to submit such a complaint.
Last Updated: 23 November 2023