Chatbot Privacy Notice
Personal information collected
The information collected from you by the chatbot may include a unique Web customer identifier code, a unique Facebook identifier code (if you are accessing the chatbot via Facebook), your first and last names, location, your recorded DLQI score, your reminder preferences, your patient type, the topics in which you have expressed interest during the conversation with the chatbot, the timestamp of your interactions and your acceptance of these terms and conditions. Additionally, Novartis Pharma AG may record your conversation history, including any manually inputted text and responses to questions from the chatbot, feedback ratings and comments you have made in the chat.
Data controller of personal information collected. Purpose and justification for collecting personal information
Based on your consent, this information will be used by Novartis Pharma AG and its affiliates (“Novartis”) for the purpose of providing the most relevant experience to you. Novartis will remember your selections to tailor answers, remember your preferences to send you appropriate reminders, provide location-specific resources and will record your DLQI scores over time and prompt you to take the test intermittently if you have chosen to be reminded. Novartis may, if necessary, store additional information to ensure compliance with all adverse event and product testing complaint regulatory requirements, but only if you manually type in text to the Facebook Messenger or Web channels.
Your information will be stored in two formats:
Information stored by Facebook:
Specific information related to your Facebook profile will be shared by Facebook with the chatbot for the duration of your session (i.e. your interaction with the chatbot), in order to personalise the chat. The information that Facebook will share is: a unique identifier code; your first name; location; and Facebook profile image. This information will not be stored outside of the specific chatbot session. Once you have ended the chatbot session, the information will be deleted automatically, and Novartis will have no further access.
Information stored by Novartis:
Information related to inputs you make into the chat and the personal preferences you record will be stored in a database by agents acting on behalf of Novartis. The information that Novartis will record is: your inputted DLQI score; your requested reminder preferences; your conversation history; any manually inputted text; and conversation timestamp.
If a user submits any manually inputted text, that text will be automatically forwarded to appropriate Novartis contacts, who may be required by regulation to follow up either in Facebook Messenger, the Web channel or through another communication channel, such as email if provided, and only if the text contains an adverse event or a product testing complaint. In these instances, additional information about you must be stored until all appropriate communication has occurred, which may include mandatory reporting to regulatory agencies. Information will also include a Facebook or Web channel-created user identification, your name, a timestamp of the event, and all of the text that was inputted into the chat. This information will only be used in connection with the related event and will be encrypted and deleted once allowed by regulatory bodies. This information will be encrypted and stored in a dedicated document database and will only be accessed for the specific purpose of responding to, or otherwise resolving, an adverse event or product testing complaint.
Personal information disclosure to third parties
Your personal information will be processed by third parties who act for or on Novartis’ behalf, in accordance with the purposes described in this notice. These third parties may be located in countries or territories that may not offer the same level of data protection as the country in which you reside. Where the processing of your Personal Data is delegated to such a third party, Novartis will ensure that such third party provides sufficient guarantees with respect to the technical and organizational security measures governing the processing of your Personal Data.
Novartis will not directly access your personal data and will only receive aggregated and anonymized information from third parties acting on its behalf, unless Novartis is required to do so because of an applicable law, court order or governmental regulation, or if such disclosure is otherwise necessary in support of any criminal or other legal investigation or proceeding here or abroad.
Novartis has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection for sharing personal information within Novartis, in particular relating to transfers of personal information outside the EEA and Switzerland.
Novartis will not share your information with anyone who is not directly connected with this purpose.
Retention of personal information
Your data will be deleted automatically if you are not active within the chatbot for 365 days. As soon as the threshold of 365 days has been reached all data related to your use of the chatbot will be deleted from the Novartis database.
There may be cases when your personal information or part of it may be stored for a longer time period if Novartis is required to do so because of an applicable law, court order or governmental regulation or if such retention is otherwise necessary in support of any criminal or other legal investigation or proceeding here or abroad.
Protection of your personal data
Novartis has implemented appropriate technical and organizational measures to provide an adequate level of security and confidentiality to your personal data, taking into account the nature of the data and the risk of processing such data. The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing. Moreover, when handling your personal data, Novartis complies with the following obligations:
- Novartis only collects and processes personal data, which is adequate, relevant and not excessive, as required to meet the above purposes;
- Novartis ensures that your personal data remains up to date and accurate. For the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date.
Exercise of access rights and contact details
You may exercise the following rights under the conditions and within the limits set forth in the law:
- the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
- the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
- the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
- the right to object, in whole or in part, to the processing of your personal data;
- the right to object to a channel of communication used for direct marketing purposes; and
- to the extent applicable the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations.
If you wish to query the data that is held on you at any time, you can do so by selecting the menu item in the Facebook Messenger or Web Channel that is labelled “Manage my data”. This will present you with options to:
- Immediately request a log of the data held in relation to your user profile. The data will be presented to you via the chat interface, whether Facebook Messenger or Web.
- Request deletion of the data held about you. The chat interface will provide instructions to email the Novartis AG Data Privacy Officer to request data deletion. The email address for this request is email@example.com. The privacy officer will delete all the data that has been recorded during your conversations with the chatbot from Novartis databases and will inform you when the request has been processed. Please note that when you request the deletion of data held about you, Novartis Pharma AG will remove your user profile, preferences and history from its databases; however, your conversation history will still be retained by Facebook in line with the Facebook platform user agreement.
If you have a question, if you are not satisfied with how Novartis processes your personal data, or if you want to exercise the above rights, you may send an email to firstname.lastname@example.org. When contacting Novartis, please add a description of your relationship and/or your interactions with us. If you wish to receive information related to your personal data, please also add a scan of your identity card for identification purposes, it being understood that we shall only use such data to verify your identity. When sending such a scan, please make sure to redact your picture and national registry number or equivalent from the image.