This Privacy Notice (“Notice”) is intended to explain how Roche collects and processes your personal data for the purposes of pharmacovigilance related activities, medical information inquiries and product complaints. The scope of this Notice is limited to the collection and processing of your personal data for pharmacovigilance, medical information inquiries and/or product complaints. For general information about data processing at Roche, please visit the
Any personal data provided to Roche related to adverse events or other activities related to pharmacovigilance will be used solely for these purposes. This information is very important for public health and will be used for the detection, assessment, understanding and prevention of adverse effects or any other medicine-related problem.
If and to the extent the data processing is subject to GDPR, we collect and process your data for these purposes in order to comply with our legal obligations (GDPR Articles 6(1)(c) and 9(2)(i)). We may also be required to report the data to regulatory authorities. Your data will not be used for any other purposes.
Any personal data provided to Roche related to a medical inquiry may be used to answer the inquiry, follow up on such requests and maintain the information in a medical information database for reference. Where required by law (such as for pharmacovigilance and drug safety), we may also be required to report the data to regulatory authorities. Your data will not be used for any other purposes.
If and to the extent the data processing is subject to GDPR, we collect and process your data to respond to your inquiries based on legitimate interests (GDPR Article 6 (1)(f)) and, if you are a patient, your (explicit) consent (GDPR Articles 6(1)(a) and 9(2)(a)). If you are not a patient, your consent, if obtained by ticking the consent box, will not be regarded as consent to the processing of personal data as another legal basis, namely legitimate interests (GDPR Article 6 (1)(f)), is more appropriate and therefore applicable.
If and to the extent the data processing is subject to GDPR, if reporting of an adverse event is required, your data may be processed to comply with Roche legal pharmacovigilance (GVP) obligations (FDPR Articles 6(1)(c) and 9(2)(i)). If your medical inquiry consists of a product complaint, your data may be processed to comply with our legal obligations in the context of drug safety (GDPR Articles 6(1)(c) and 9(2)(i)).
Any personal data provided to Roche related to a product complaint will be used solely for these purposes. This information is very important for public health and will be used for the evaluation, classification and assessment of the product complaint, to follow up on such requests and to maintain the information in a product complaints database for reference.
If and to the extent the data processing is subject to GDPR, we collect and process your data for these purposes in order to comply with our legal obligations in the context (GDPR Articles 6(1)(c) and 9(2)(i)). We may also be required to report the data to regulatory authorities.
The type of information that we collect from you will depend on the data subject and the type of processing activity:
Pharmacovigilance: We collect the name, contact details, and affiliations/profession of the reporting individual. We may collect some additional personal data related to health and medical history of the individual experiencing an adverse event if required for processing of adverse event for pharmacovigilance purposes.
Medical Inquiries: We may collect the name, contact details and affiliation/profession of the individual making the inquiry.
Product Complaints: We may collect the name, contact details and affiliation/profession of the individual reporting the complaint. We may collect some additional personal data related to health and medical history of the individual affected by the product complaint if such information is relevant to evaluate, classify and assess the product complaint.
Roche may share the data you provided to us among Roche Group companies and affiliates, business partners and service providers, where required to operate Roche global pharmacovigilance database, the Roche product complaint database and fulfill obligation of pharmacovigilance legislation and/or legislation regarding drug safety.
Roche is also obliged to report certain pharmacovigilance and product relevant information to Health Authorities worldwide, including those with different level of data protection compared to EU. The reports contain details about the incident but will only contain limited personal data:
Patients: Information as provided, including age or date/year of birth (where permitted by regulations) and gender (note that patient name will never be provided)
Reporting Individuals: Information as provided to allow the regulatory authority to follow up with the reporting individual, including name, profession, initials, address, email, phone number
Additional information in case your data is covered by GDPR: It is possible that in the exchange of data within the Roche Group, business partners and service providers, your personal data may be transferred to countries that do not provide the same level of protection as your own. In this case, contracts containing the EU Standard Contractual Clauses according to EU Commission decisions of 27 December 2004 (2004/915/EC) and 05 February 2010 (C(2010) 593) constitute appropriate and suitable safeguards to ensure compliance with GDPR.
As information related to pharmacovigilance (reports about adverse events) are important for public health reasons, reports are kept for minimum of 10 years after the withdrawal of the product in the last country where the product is marketed.
Personal data retained as part of a medical information inquiry are kept for minimum of 10 and maximum of 15 years after receipt.
As information related to product complaints and drug safety are important for public health reasons, complaint records, including personal data contained, are kept for minimum of 15 years.
If the processing of your personal data is covered by GDPR, please note that you have the right to request from Roche information on which personal data we store and the purpose for which we process them. You can also request access to and rectification of your personal data as well as the right to data portability, if applicable (which means if the legal basis for collecting your data is consent). Erasure or restriction of processing is only possible if and to the extent the processing of personal data is based on consent or legitimate interest. Please note that due to our legal obligations for on pharmacovigilance legislation, Roche may not be able to erase or restrict processing of your data if processed for pharmacovigilance.
If data processing is based on consent, kindly note that you have the right to withdraw your consent at any time, however, without affecting the lawfulness of processing based on consent before its withdrawal. If you would like to contact us to exercise your right to withdraw consent, please see find our contact details in the section “Identity and contact details of the data controller” below.
To prevent your data from being entered into our systems again after your request for erasure, in your interest and for us to comply with GDPR, we may keep your name and e-mail address with a flag “Don’t contact anymore” in our systems.
In the event you have the impression that our data processing is non-compliant with GDPR: You are entitled to lodge a complaint with the responsible supervisory authority.
F. Hoffmann-La Roche Ltd, Grenzacherstrasse 124, CH-4070 Basel, Switzerland, email:
In the event that your personal data is covered by the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”): EU representative of F. Hoffmann-La Roche Ltd is Roche Privacy GmbH, Emil-Barell-Str. 1, D-79639 Grenzach-Wyhlen.
Please direct any questions and requests related to this information to F. Hoffmann-La Roche Ltd, Global Privacy Office, Grenzacherstrasse 124, CH-4070 Basel, Switzerland, email: