Last Updated: September 2020
Viatris Inc. and its affiliates and subsidiaries (collectively “Viatris,” “Company,” “we,” “our,” and “us”) are fully committed to protecting the information relating to identified or identifiable natural persons (“Personal Data”) that we process.
This Viatris Privacy Notice (“Notice”) describes our collection, use, disclosure, and retention of Personal Data in relation to our websites, apps, services, and platforms, and your use of them, our marketing and provision of products and services, our interactions with you in-person, by calling us, or by mail, and otherwise during the operation of our business. The Notice also explains the ways in which you may, under applicable laws, be able to control our processing of your Personal Data and exercise other rights. This Notice does not apply to Personal Data of members of our workforce in the context of that relationship.
Depending on the way you interact with us, we may occasionally provide you additional information about our processing of your Personal Data addressing specific processing activities and circumstances. For example, where we sponsor clinical trials or offer training or other services to healthcare providers, separate privacy notices may apply to our processing of Personal Data for those and other circumstances. We refer to such notices here as “Supplemental Disclosures”. Supplemental Disclosures should be read together with this Notice. However, in the event of any conflict or inconsistency between the terms of the Supplemental Disclosure and this Notice, the Supplemental Disclosure will prevail, but only for the Personal Data processing subject to that disclosure.
The Viatris subsidiary or affiliate with which you interact is, where applicable, the data controller (or equivalent under applicable law) responsible for the processing of your Personal Data. You can find a list of the relevant legal entities that act as data controllers in Appendix 1 to this Notice. Such entities may also have separate Supplemental Disclosures.
We have appointed a Data Protection Officer (“DPO”) for jurisdictions where one is required under applicable law. However, anyone in any jurisdiction can contact our DPO with questions about our Personal Data processing activities or the contents of this Notice. Please see the “Contact Us” Section below for information on how to contact our DPO.
Anonymous, de-identified, and aggregate data, as those terms may be defined under applicable law, are not considered “Personal Data” within the meaning of this Notice.
This Notice is comprised of the following sections:
1. Personal Data We Collect
2. Why We Process Personal Data
3. Lawful Bases of Processing
4. Disclosures of Personal Data
5. Cross-border Transfers of Personal Data
6. Data Security and Retention
7. Your Choices and Rights
8. Children’s Data
9. Revisions to this Notice
10. Contact Us
11. California Disclosures
12. Appendix 1
Please note that our websites, apps, or platforms may link to content provided by third parties that we do not control and for which we are not responsible. When you navigate to such content, the relevant third parties may process your Personal Data. We encourage you to read the third parties’ privacy and cookies notices when you leave our website, app, or platform.
1. Personal Data We Collect
Viatris or third parties acting on our behalf may collect Personal Data about you from a number of sources. We may collect Personal Data that you provide, such as when you register for an account on our website, submit an employment application to us, or sign up for a webinar or training session. We may also automatically collect Personal Data as you interact with us, such as through cookies and similar technologies, including information such as the IP address from which you visited our site (see further discussion of cookies at the end of this section). We also collect Personal Data from third party sources, such as when we obtain information about healthcare licenses from third-party suppliers.
The types and amount of Personal Data that we collect about any particular individual would depend on the nature of our relationship with that individual and the purposes for which we use the individual’s Personal Data. We collect Personal Data from different categories of individuals, including but not limited to the following:
• Visitors to our digital properties (such as our websites and applications)
• Healthcare professionals
• Workforce members and representatives of our service providers, suppliers, contractors, and business partners
• Researchers and members of the scientific community
• Job applicants
• Trial participants
Personal Data That You Provide
We collect Personal Data that you choose to provide us, such as when you are registering to participate in a clinical trial, completing surveys, speaking with our customer support agents, reporting pharmacological concerns and other complaints, visiting our offices, or applying for employment, among other interactions.
Depending on your relationship with us, you might provide us the following categories of Personal Data:
• Identifiers and Contact Data, such as your name, alias, postal address, email address, telephone number, city, state, and country of residence, government-issued identifiers (such as passport number or driver’s license), account name and password, health insurance number, financial account numbers, and similar identifiers.
• Demographic Data, such as your income levels, marital status, ethnicity, sex, gender, age, sexual orientation, national origin, disability status, citizenship, and work authorization status.
• Health Data, such as conditions with which you have been diagnosed, symptoms that you have experienced after taking a Viatris product, drug usage, dietary restrictions, and other data relating to your physical, mental, or emotional health.
• Commercial Data, such as invoices, payment terms and schedules, financial account information, and information about services rendered.
• Biometric Data, such as facial geometry, iris patterns, and other biological measurements.
• Professional Data, such as healthcare license numbers, current and previous employers, current and previous salaries, educational history, information provided on your resume or CV, and images and recordings of your likeness or voice.
• Preferences and Survey Responses, such as your preferences regarding communication means and your responses to surveys, including customer satisfaction surveys.
Personal Data That We Collect Automatically
We may automatically collect information that constitutes Personal Data when you interact with us, such as when you visit our digital properties, read our marketing communications including emails, contact us, purchase a product from us, apply for a job, or attend events that we are hosting, among other interactions.
Depending on your interaction with us, we might collect the following categories of Personal Data:
• Identifiers and Contact Data, such as device identifiers (e.g., IP and MAC addresses, cookie identifiers, device advertising identifiers), username and password, email address, phone number, and similar identifiers.
• Usage and Device Data, such as websites visited, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, other technology on the devices used to access our websites and apps, volume of transferred data, location data (e.g., inferred by IP address or obtained through GPS), and interactions with advertisements.
• Health Data, such as inferences about the conditions that you might be experiencing based on your browsing activity.
• Commercial Data, such as details of products and services purchased or sampled.
• Biometric Data, such as facial geometry, iris scans, and other biological measurements.
We use cookies and related digital tracking technologies (“Cookies”) in our emails and on our digital properties. This may involve us or third parties collecting Personal Data about online activities over time and across third party websites or online services. Please read our Cookie Notice for more information about our use of Cookies. We do not currently respond to web browser Do Not Track signals or similar mechanisms.
Personal Data That We Collect from Third Parties
We may obtain Personal Data relating to you from third parties, such as when we obtain contact data from marketing list suppliers to support our marketing and sales initiatives or when we obtain professional license information to confirm information provided by healthcare providers.
The third parties from which we obtain Personal Data generally fall within the following categories:
• Government sources
• Publicly accessible data
• Social media platforms
• Marketing list suppliers
• Advertising partners
• Analytics providers
• Payment processors
• Data supplementation suppliers
• Business partners, such as event co-sponsors
We collect the following categories of Personal Data from third parties:
• Identifiers and Contact Data, such as name, postal address, email address, telephone number, general location (such as city, state, and country), username, and device identifiers (including cookie identifiers and device advertising identifiers).
• Demographic Data, such as information about income levels, age, sex, gender, sexual orientation, national origin, and disability status.
• Usage and Device Data, such as browsing and search history and interactions with advertisements.
• Health Data, such as information about reactions to Viatris products that are made available on social media platforms.
• Usage and Device Data, such as websites visited, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, other technology on the devices used to access our websites and apps, volume of transferred data, location data (e.g., inferred by IP address or obtained through GPS), and interactions with advertisements.
• Commercial Data, such as details of products and services purchased or sampled and inferences regarding the population segments to which you might belong.
2. Why We Process Personal Data
The specific purposes for which Viatris processes an individual’s Personal Data differ based on our relationship with the individual. In general, Viatris processes Personal Data for the following purposes:
• To conduct legitimate business activities, including but not limited to marketing, promotion, sales to customers, customer support, receiving payments, entering into contractual agreements, contracting with third party service providers, identifying investigators for clinical trials, preventing fraud, and procuring goods or services.
• To deliver our products, goods, or services, including to fulfil your requested transactions and, where necessary, to confirm that you meet any eligibility criteria if the requested product, good, or service is limited to certain groups.
• To communicate with individuals, including responding to questions, queries, and complaints from customers, users, and other individuals, responding to requests for donations, sponsorships, scholarships, or charity, and informing individuals about job opportunities with Viatris.
• To provide information and advertising, such as digital advertising or direct marketing, about goods, services, and products that we think may be useful, relevant, or of interest to you.
• To provide training, education, and grants, such as our training and education programs that we provide to health care professionals or where we offer grants to which health care professionals can apply.
• To evaluate an individual’s candidacy, such as when processing an application for an opening on Viatris’ team or when evaluating whether to award a grant.
• To conduct research and development, including to improve existing products and services and to develop new ones.
• To provide, maintain, develop, and improve our digital properties, including our websites, apps, services, and platforms.
• To maintain, improve, and investigate the security of our systems and digital properties.
• To comply with legal obligations, such as obligations relating to research, development, pharmacovigilance, marketing, and promotion of medicinal products and other healthcare products, and to respond to legal process or inquiries from authorities.
• To protect the rights, interests, and safety of us, you, and any third parties, and to exercise and defend our rights.
• To create anonymous, de-identified, or aggregated datasets. Such datasets would not be “Personal Data” subject to this Notice. We may use anonymous, de-identified, or aggregated datasets for any purpose.
The additional purposes for which we may process what are deemed special categories of personal data under certain jurisdictions’ laws are as follows to the extent relevant, necessary and permitted by applicable local law:
• Demographic data - We will use information about your sexual orientation, race, ethnicity and disability for specific reasons, such as where necessary for clinical trials or to ensure meaningful equal opportunity monitoring and reporting as required by some jurisdictions’ laws.
• Biometric data - We will use biometric data for specific reasons, such as where necessary for clinical trials.
• Health data - We will use health data for patient support programs and in some cases may receive health data for clinical trials and related activities.
3. Lawful Bases of Processing
Certain jurisdictions require that we have a lawful basis to justify our processing of your Personal Data. Where applicable, the lawful bases that Viatris relies upon to justify a particular processing activity may differ from the lawful basis used to justify a different processing activity. Viatris relies on the following lawful bases to process Personal Data, as permitted under applicable law:
• Processing necessary for the negotiation, execution, or performance of contracts
• Processing to comply with legal and regulatory obligations
• Processing for reasons of public interest in the area of public health
• Processing in furtherance of our legitimate interests, including our interests to conduct legitimate business activities (such as improving our products and services, to communicate with you, to secure our systems, among other legitimate interests)
• Processing based on your consent
We may obtain your consent to collect and use certain types of Personal Data when we are required to do so by law (for example, in relation to our direct marketing activities and our use of cookies). If we ask for your consent to process your Personal Data, you may withdraw your consent at any time by contacting us using the details at the end of this Notice. Withdrawing your consent will not affect the lawfulness of processing based on consent before its withdrawal.
Where required by law, we may obtain your explicit consent to collect and use special category data (see the end of section 2 above) about you. Other legal bases for our processing of special category data may include, as permitted by applicable law, for scientific research, for purposes of preventative or occupational medicine or based on a contract with a health care provider or other health professional, for employment, social security or social protection law, for reasons of substantial public interest, or as necessary for the establishment, exercise or defense of legal claims.
You can contact our DPO for more information about our processing of your Personal Data.
4. Disclosures of Personal Data
Where required by applicable law, Viatris does not rent, sell, or share Personal Data about you with non-affiliated persons for their direct marketing purposes unless we have your permission. Otherwise, however, we may disclose your Personal Data to the following categories of third parties without your consent as permitted by applicable law:
• Members of the Viatris Corporate Group, including our affiliates, subsidiaries, and Viatris Inc. in the United States.
• Service Providers, which are entities that process Personal Data on behalf of Viatris.
• Persons with legal rights to access Personal Data, including, as the case may be, law enforcement agencies, intelligence services, competent administrative and judicial authorities, and persons with validly-issued subpoenas, warrants, or other forms of legal process; and
• Parties involved in potential business transactions, including potential acquirers and other stakeholders in the event of a merger or legal restructuring operation such as an acquisition, joint venture, assignment, spin-off, divestiture, or bankruptcy.
We may also disclose your Personal Data to third parties such as social networking and other sites if you direct us to share your Personal Data with such sites or to other entities that do not fall in one of the above categories with your permission.
5. Cross-border Transfers of Personal Data
Viatris operates globally and, consistent with applicable laws, may process your Personal Data in jurisdictions that are not regarded as providing the same level of protection to Personal Data as the jurisdiction in which you are based.
When transferring Personal Data across borders, we take steps to put in place safeguards to protect such Personal Data as required by applicable laws. These safeguards may include:
• Transferring Personal Data to recipients located in countries deemed to provide an adequate level of protection for Personal Data including where Personal Data originates in the European Union, to countries which the European Commission has deemed to provide an adequate level of protection for Personal Data; and
• Entering into agreements containing contractual safeguards, such as the Standard Contractual Clauses that have been approved by the European Commission.
Please do not hesitate to contact us if you have any question concerning the transfer of your Personal Data (see the “Contact Us” section).
6. Data Security and Retention
Viatris implements various technical, administrative, physical, and organisational measures to protect the security and confidentiality of Personal Data. While we take measures to safeguard your Personal Data, we cannot guarantee that the Personal Data we process will remain secure.
Where required by law, Viatris will retain Personal Data only for as long as necessary to accomplish the purposes for which the Personal Data was collected or for the period required by the applicable laws (whichever is longer).
To determine the appropriate retention period for your Personal Data, Viatris considers the following factors:
• The volume, nature, and sensitivity of the Personal Data;
• The potential risk of harm from its unauthorized use or disclosure;
• The purposes for which we process it and whether we can achieve those purposes through other means; and
• Applicable legal requirements.
When the retention of your Personal Data is no longer necessary for the purposes for which it was collected or our retention of such Personal Data is no longer required by law, we will delete, anonymize, de-identify, or aggregate the Personal Data such that it is no longer associated with you.
7. Your Choices and Rights
Some jurisdictions have provided individuals with certain rights in relation to the processing of their Personal Data. This is the case where you or the Viatris subsidiary or affiliate with which you interact is located in the European Union or United Kingdom, though these rights may be available in other jurisdictions too. These rights are not available to everyone, and they do not necessarily apply in all contexts. Depending on applicable law, you may have the rights to:
• Request access to your Personal Data.
• Request correction of your Personal Data (should your Personal Data be inaccurate, incomplete, or obsolete).
• Request deletion of your Personal Data.
• Withdraw your consent to processing (where we processed Personal Data on the basis of your consent). Please note that withdrawing your consent applies only to future processing activities.
• Object to the processing of your Personal Data.
• Request restrictions on the processing of your Personal Data.
• Request the transfer of your Personal Data to you or a third party.
• Opt-out of certain transfers to third parties.
To exercise a right that you believe you may be entitled to under applicable law, please contact our DPO. We may need to verify your identity before we fulfil your request (see also the California disclosures section below if you are a California resident).
If you feel that we have failed to comply with your request or have not addressed a complaint that you have, you may also have the right to complain to the competent data protection or other regulatory authority in your jurisdiction.
8. Children’s Data
We do not knowingly process Personal Data relating to individuals younger than 16 without the permission of the minor’s guardian, except where permitted under applicable law. If you have reason to believe that we are processing Personal Data relating to a minor without permission from the minor’s guardian, please notify us at dataprivacy@viatris.com. Please note that in certain situations we may process minors’ Personal Data for specific activities such as clinical trials. Such processing will be subject to separate policies and procedures, including Supplemental Disclosures.
9. Revisions to this Notice
We may update this Notice from time to time. You are encouraged to consult this Notice on a regular basis and check the date on which the Notice was last updated, as shown in the beginning and end of the Notice. When we make a material change to the Notice, we will endeavour to notify you by placing a notice on our website or we will provide notice as otherwise required by law.
10. Contact Us
To exercise your rights or make a request concerning the processing of your Personal Data, you may contact us by:
• Emailing us at dataprivacy@Viatris.com;
• Mailing us at Head of Global Privacy, 1000 Mylan Boulevard, Canonsburg, PA 15317, United States; or
• Using the Viatris compliance line via the phone number indicated at www.viatriscomplianceline.ethicspoint.com
11. California Disclosures
Click here for a Supplemental Disclosure for California Residents.
12. APPENDIX - List of Controllers
Click here for a table of applicable controllers and responsible entities.