Chat Bot Privacy Notice

Personal information collected

The information collected from you may include a unique Facebook identifier, your first name, location, your inputted DLQI score, your requested reminder preferences, your patient type, the conversation history you have with the chatbot, including any manually inputted text and responses to bot questions, and the timestamp of your interaction.

Data controller of personal information collected. Purpose and justification for collecting personal information

Based on your consent, this information will be used by Novartis Pharma AG and its affiliates (“Novartis”) for the purpose of providing the most relevant experience to you: by remembering your selections to tailor answers, by remembering your preferences to send you appropriate reminders, to track your inputted DLQI scores over time, or to provide location-specific resources. Novartis may, if necessary, store additional information to ensure compliance with all adverse event and product testing complaint regulatory requirements, but only if you manually type in text to Facebook Messenger.

Your information will be stored in two formats. Specific information provided by Facebook for the duration of your session (interaction with the chatbot), which includes a unique identifier, first name, location, and Facebook profile image, will not be stored outside of the specific session. That is, once you have ended the chatbot session, data will be automatically deleted and Novartis will have no access to this information. Other information, which includes your inputted DLQI score, your requested reminder preferences, your conversation history, any manually inputted text, and conversation timestamp, will be stored into a database by agents acting on behalf of Novartis. If a user submits any manually inputted text, that text will be automatically forwarded to appropriate Novartis contacts, which may be required by regulation to follow up either in Facebook messenger or through another communication channel, such as email if provided, only if the text contains an adverse event or a product testing complaint. In these instances, additional information about you must be stored until all appropriate communication has occurred, which may include mandatory reporting to regulatory agencies. Information will also include a Facebook created user identification, your name, a timestamp of the event, and all of the text that was inputted. This information will only be used in connection to the event it was collected, and will be encrypted and deleted once allowed by regulatory bodies. This information will be encrypted and stored in a dedicated document database, and will only be accessed for the specific purpose of responding to or otherwise resolving an adverse event or product testing complaint.

Personal information disclosure to third parties

Your personal information will be processed by third parties who act for or on Novartis’ behalf, in accordance with the purposes described in this notice. These third parties may be located in countries or territories that may not offer the same level of data protection as the country in which you reside. Where the processing of your Personal Data is delegated to such a third party, Novartis will ensure that such third party provides sufficient guarantees with respect to the technical and organizational security measures governing the processing of your Personal Data.

Novartis will not access directly your personal data and only receive aggregated and anonymized information from third parties acting on its behalf, unless Novartis is required to do so because of an applicable law, court order or governmental regulation, or if such disclosure is otherwise necessary in support of any criminal or other legal investigation or proceeding here or abroad.

Novartis has adopted Binding Corporate Rules, a system of principles, rules and tools, provided by European law, in an effort to ensure effective levels of data protection for sharing personal information within Novartis, in particular relating to transfers of personal information outside the EEA and Switzerland.

Novartis will not share your information with anyone who is not directly connected with this purpose.

Retention of personal information

This data is retained by Novartis for a period of 1 year after which it is destroyed automatically. The period is defined from you last interaction with the bot for your given Facebook ID.

There may be cases when your personal information or part of it may be stored for a longer time period if Novartis is required to do so because of an applicable law, court order or governmental regulation or if such retention is otherwise necessary in support of any criminal or other legal investigation or proceeding here or abroad.

Protection of your personal data

Novartis has implemented appropriate technical and organizational measures to provide an adequate level of security and confidentiality to your personal data, taking into account the nature of the data and the risk of processing such data.

The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.

Moreover, when handling your personal data, Novartis complies with the following obligations:

  • Novartis only collects and processes personal data, which is adequate, relevant and not excessive, as required to meet the above purposes;
  • Novartis ensures that your personal data remains up to date and accurate. For the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date.

Exercise of access rights and contact details

You may exercise the following rights under the conditions and within the limits set forth in the law:

  • the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;
  • the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;
  • the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;
  • the right to object, in whole or in part, to the processing of your personal data;
  • the right to object to a channel of communication used for direct marketing purposes; and
  • to the extent applicable the right to request its portability, i.e. that the personal data you have provided to us be returned to you or transferred to the person of your choice, in a structured, commonly used and machine-readable format without hindrance from us and subject to your confidentiality obligations.

If you have a question, if you are not satisfied how Novartis processes your personal data or if you want to exercise the above rights, you may send an email to global.privacy_office@novartis.com.. When contacting Novartis, please add a description of your relationship and/or your interactions with us. If you wish to receive information related to your personal data, please also add a scan of your identity card for identification purpose, it being understood that we shall only use such data to verify your identity. When sending such a scan, please make sure to redact your picture and national registry number or equivalent on the scan.