Privacy Statement

Last revised: April 2019.

1. Who we are

Roche has been a pioneer in providing innovation in diabetes technology and services for more than 40 years, helping people with diabetes to live their lives as active and unrestricted as possible.

Under the brand Accu-Chek and in collaboration with partners, Roche creates value by providing integrated diabetes management solutions to monitor glucose levels, deliver insulin and track relevant data points for successful glucose management.

By establishing a leading open digital platform, connecting devices and digital solutions, Roche will enable personalised diabetes care and improve therapy outcomes.

This website is operated by Roche Diabetes Care UK and Ireland (“Roche”, “we”, “us”, “our”). The data controller is Roche Diabetes Care Limited (company number 09055599), Charles Avenue, Burgess Hill, West Sussex, RH15 9RY.

2. Contact us

If you have any questions or concerns about privacy or would like to exercise your rights in relation to your personal information, please contact our Data Protection Officer on [email protected] or write to us at the address above.

If you are not satisfied with the way Roche handles your data or responds to your requests, you may also complain to your local Data Protection Authority in the United Kingdom or Republic of Ireland.

3. Personal information we collect

We collect and process a range of information about you. This includes:

  • your name, address and contact details, including email address and telephone number, and date of birth;
  • sensitive health information (including your hospital and information regarding your pump or meter);
  • your IP address when you browse our websites;
  • information you provide when you agree to participate in any market research; and
  • testimonials you provide to us.

Some information is compulsory for us to provide the service you have requested. We will always notify you if providing the information is compulsory or optional.

We collect this information in a variety of ways. For example, data is collected through forms on our website, from correspondence with you, or through telephone calls.

In some cases, we collect personal data about you from third parties, such as details from your health care provider.

4. Why we process your personal information

Roche collects personal information from you to

  • perform our business operations,
  • provide you with, and improve, products and services, and
  • personalise your experience when you use our products and services.

Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. However, we will normally collect personal information from you only:

  • where we have your consent to do so,
  • where we need the personal information to perform a contract with you, or
  • where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms (for example, in some cases for direct marketing, fraud prevention, network and information systems security).

In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.

If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).

Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are.

We may process your personal data as required to prepare or protect against legal claims, including litigation, anti-fraud measures, and technical and organisational measures to protect our networks and technology against attacks.

We may process your personal information to the extent necessary for the purposes of preventive medicine, for medical diagnosis, the provision of health care or treatment or the management of health care systems and services pursuant to contract with a health care professional subject to professional secrecy (such as your treating care giver at a hospital).

We may process your personal information for scientific research purposes or statistical purposes in accordance with applicable law, provided it is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard your fundamental rights and interests. As a rule, we will still ask for your consent when we would like you to participate e.g. in a study.

The following sections advise of the reason(s) we rely on for processing your personal information and list the ways that we may use your personal information.

Legitimate Interest | Legal Obligation | Consent | Contractual
Browsing public pages on our website
Notifying you of your order status and any issues relating to your order
Undertake website administration and personalisation
Managing network and data security
Logistics planning, demand forecasting, product improvement, management information and research
Providing customer services to you
Processing and responding to complaints received from you
Inform you of service and price changes
Contacting you for a Welcome Call to introduce you to the product
Providing details of your product; including warranty information and your contact details to your healthcare provider
Internal training and monitoring purposes (call recording)
Credit Management
Contacting you with product safety updates
To detect, investigate and report financial crime (e.g. fraud)
Registering your interest in products or services
Subscribing to the Accu-Chek Commitment
Marketing Communications
Contacting you to undertake customer satisfaction surveys, invite you to review a product, invite you to enter a competition or for market research
Use of the diabetes management system
Processing your order
Creating, updating or managing your Accu-Chek online account and registering associated products.
Testimonials

Further information regarding the processing of personal information that we undertake can be found below, however if you have questions about, or need further information concerning, the legal basis on which we collect and use your personal information, please contact us using the contact details provided above in section 2.

5. How we use your personal information

This Privacy Statement explains how we use any personal information we collect about you when you:

  • Browse public pages on our websites
  • Register for and use an account
  • Participate in surveys
  • Order or register for services and products
  • Communicate with us by telephone, e-mail, webforms or otherwise in respect of our products and services or during the purchasing of any such products
  • Complain about our services and products
  • Use our diabetes management software
  • Use our Social Media Channels
  • Service communications
  • Consent to marketing
  • Testimonials

a) Browse public pages on our websites

If you browse public pages on our websites, i.e. content that you can access without being logged in to an account you may have with us, we collect and process only non-sensitive information about you.

In particular, we will not collect any health related information about you when you browse public pages on our websites.

In order to undertake website personalisation, we will automatically collect information about the devices you use to access our website or use our connected products and diabetes management system, which may include your IP address.

We will process your personal information to the extent required to deliver the public content you request from us e.g. to format it for your browser. We will also process your personal information to meet our legitimate interests to protect the security of our website systems and to measure the audiences for the various types of content provided. To do this, we use:

  • IP Addresses. An IP address is a number assigned to your computer to enable communication – similar to a telephone number. Roche collects IP addresses for the legitimate purposes of ensuring system security and reporting aggregate information to conduct website analysis and performance review. System log files will be analysed within 7 days and non-suspicious data will be deleted thereafter. Other data will be retained for as long as it is required to prove a security incident.
  • Cookies. A cookie is a small text file that is placed onto your system by our web server. As a rule, our cookies are only used for the length of your session for the purpose of audience measurement. We also use cookies to improve user-friendliness, e.g. to store your language preferences. You can review and delete or disable cookies at any time via the settings in your browser; in this case you may lose settings you have made for a website. Please refer to our Cookie Policy for more information.
  • Web Beacons. Web beacons (or "action tags") are small graphic elements to help analyse the effectiveness of websites by measuring, for example, the number of visitors or how many visitors clicked on content elements of a website. We analyse the statistics provided through web beacons on an anonymous and aggregated basis only.
  • Google Analytics. Google Analytics is a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses cookies to help us analyse how users use the public content on our website. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google Analytics Cookies may exist up to two years, if you do not delete them earlier.
  • Google is certified under the US-EU Privacy Shield and we have agreed with Google a data processing agreement to ensure they operate Google Analytics on our behalf. We also use the IP-anonymisation feature of Google Analytics. If you visit the website from within states that form part of the European Economic Area, your IP address will be truncated before it leaves the European Economic Area. Only in exceptional cases (e.g. a failure of the EU based systems) will the whole IP address be first transferred to a Google server in the USA and truncated there.
  • Google will use this information on our behalf for the legitimate interest based purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.
  • You may opt-out from Google Analytics with effect for the future by downloading and installing the Google Analytics Opt-out Browser Add-on for your current web browser (does not work with all mobile devices / browsers). Or you can deactivate Google Analytics on mobiles and other devices by clicking the following opt-out link: Click here to opt-out of Google Analytics. Note: Google Analytics is only active on the public pages of our websites, i.e. not on pages of our websites that you access when logged into your account.
  • Social Plugins, Shariff. We use social plugins (“Plugins”) provided by the social network Facebook as well as by the microblogging platform Twitter. The respective services are operated by Facebook Inc., Pinterest Ltd and Twitter Inc. (each an “Operator”).
  • We have implemented the “Shariff” solution to protect your privacy when you visit our website. Shariff ensures that no data is transferred to the Operator when you load a page of our website. Only after you activate the Plugin of your choice and thus consent to the data transmission, will your browser make a direct connection to the Operator’s servers. Shariff replaces the Operators’ customary “Share” buttons and protects your surfing behaviour from being tracked by the Operator. For further information, please see the popup information next to the activation toggles or visit the Shariff developer (https://github.com/heiseonline/shariff).
  • Once you activate a Plugin, we have no influence on the data gathered by it. For the information on the purpose and scope of data collection and processing by the respective Operators, as well as your rights in this respect and settings options for protecting your privacy, please visit the Operators’ privacy policies linked above.
  • Services. We may use third party applications and content tools on certain Roche Websites to provide additional information to you, e.g. Google Maps. When you interact with them, these third parties may receive your personal information including your IP address. We will clearly indicate where we use such third party services so that you can decide whether or not to use them.

b) Register for and use an account

To access non-public content on our websites and to register your product, you will first need to create an account, and then log in to your account.

We use accounts wherever we process sensitive data such as in particular your health related personal information. We also use accounts wherever we process your personal information with your consent. This is because accounts allow us to better protect your personal information in access controlled systems and to establish your identity in order to obtain and manage your consents.

When you register for an account, we will collect your personal contact details as detailed above in section 3.

Within your account, Roche processes your personal information as follows:

  • With your consent. Where we process your health data (e.g. health related information about your medical status, therapy and devices used as required to be able to provide the services to you), we will obtain your explicit consent before we start the respective processing activity. For regulatory reasons and in order to obtain valid consent from you, we will have to establish your real name and identity upon account creation.
  • You may also withdraw your consent, and close your account by contacting us at the address above. You can manage, change or withdraw your marketing consents within your account settings.
  • You may withdraw your consent at any time, however this will not affect the lawfulness of our consent based processing before such withdrawal. We will separate required consents that we need to be able to provide a service to you from other consents that do not have a service dependency e.g. Marketing consents. If you withdraw a consent that has a service dependency, we may not be able to continue providing the service to you – we will tell you when this is the case.
  • Your personal health data will not be disclosed to any third party without your separate consent. We will however need to make your personal contact data accessible to agents that we use to operate our systems including system maintenance, to help us fulfill business transactions and render invoices and/or to provide customer support services to you. Some of these agents may be established outside the European Economic Area and countries that are considered to have equivalent standards of data protection. However, in these cases we ensure adequate standards of data protection through e.g. Standard Contractual Clauses between controllers and processors, a copy of which can be obtained at [email protected]. We also secure your data through encryption both in transport and at rest. We strictly limit this use to the extent required in relation to the agreement between you and us.

c) Participate in surveys

If you consent to participate in one of our surveys, we will process your submitted input for research and marketing purposes. Unless otherwise stated in the respective survey, you may participate on an anonymous basis and we will not be able to relate your input to you personally but will only assess it on an aggregate basis together with the input of others.

Surveys that rely on your personal information will be marked accordingly. You are always free to consent or to not participate; your refusal to participate will not have a negative impact on the scope of your services, unless otherwise stated in the invitation to the survey.

If we want to share our research with third parties, we will anonymise your data e.g. by aggregating it with data of other customers so that nobody could reasonably identify you based on the resulting statistics.

d) Order consumables or register your products

Access to online services and product registration is limited to account holders only because the provision of these services involves health data that we consider to be sensitive and that we want to protect.

When you use online ordering e.g. to order accessories*, medical consumables and medical devices paid for by your health care provider you need to create a personal account, register your product and log in to gain access.

When you register an Insulin Pump Delivery System that is paid for by your health care provider (e.g. an NHS Trust), we ask you for the serial number and the name of your hospital. This information is required for us to fulfil our contract with your health care provider, who pays for your goods and retains the warranty for your products.

Once logged in, we process your personal information (see ‘Logistics’ below) in order to fulfil our contract with you e.g. fulfilment of an order for consumables. We will need your respective explicit consent prior to being able to accept your order.

Logistics: We use local and international logistics providers to fulfil your orders. The logistics providers may be able to indirectly derive your health status e.g. in case you return a product. Roche has data processing agreements in place with logistics providers to ensure that they do not use your personal information beyond what is required to perform the logistics service and to apply adequate technical and organisational measures to protect your personal information.

*e.g. battery vouchers, record books

e) Communicate with us by telephone, e-mail, webforms or otherwise in respect of our products and services or during the purchasing of any such products

If you communicate with us by telephone, e-mail, webforms or similar, we will process your contact details and the personal information you give to us even if you do not have an account with Roche. We will process such information only to the extent required to answer your enquiry, and will delete the information when no longer required as evidence (normally three years), unless you have consented for us to use your data for other purposes, the purpose of which will be specified at the time you give us consent.

We record calls to our customer services team, when you have consented, for quality and training purposes. We do not record details of any financial transactions and delete the recording after a maximum of 6 months. We only retain records of where you have provided consent for as long as it is valid.

f) Complain about our services and products

When we receive a complaint about a product or service from a person we create a file containing the details of the complaint, including the identity of the complainant. It may contain health related information. We will only use the personal information we collect to process the complaint.

We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

g) Use our diabetes management software or app

Roche Diabetes Care offers services to help you better understand your diabetes. These include diabetes management services such as MySugr. You will be notified of the service’s privacy statement and terms and conditions of use at the point of setting up an account.

h) Use our Social Media Channels

If you interact with content published on our Social Media Channels, we may collect and process non-sensitive information about you.

If you communicate with us by ‘comment’, ‘chat’, or ‘direct message’ within the Social Media Channel we may need to process your contact details and the personal information you give to us. We will process such information only to the extent required to answer your enquiry and will delete the information when no longer required as evidence (normally three years), unless you have consented for us to use your data for other purposes, the purpose of which will be specified at the time you give us consent.

We use social media management tools to administrate our Social Media accounts, manage the content we share as well as our visitors’ interactions with us. For this purpose, any of your interactions with our Social Media Channels (e.g. comments, likes, posts, messages) will be visible in our social media management tools for as long as the interaction exists in the original channel.

For details on the data the platform provider collects, please consult the privacy statement of the platform provider.

• Facebook’s privacy notice https://www.facebook.com/policy.php.

i) Service communications

We may use the data to communicate with you, for example, informing you about your account, providing information about the product(s) and/or service(s) you have registered with us (e.g. software updates, product modifications and enhancements, and associated services).

j) Consent to marketing

We will only send you marketing communications when you have provided your consent and we will only share your data with a third party if we have your consent. We will make this clear at the time you provide your consent.

k) Testimonials

With your consent we will use testimonials that you have provided to us for marketing purposes. Testimonials will only be used for the purposes identified and agreed with you at the time of collection. You may withdraw your permission at any time by contacting us.

6. Retention periods

We retain personal information we collect from you where we have a genuine business need to do so, for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements.

When we have no ongoing business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

7. Security

Roche takes appropriate technical and organisational measures to protect your personal information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. To ensure the confidentiality of your data, Roche uses industry standard firewalls and password protection. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential and we ask you not to share this password with anyone.

8. Who receives your information

Roche shares your personal information with your consent and further as necessary in relation to the above purposes, as required by applicable laws, court orders, or government regulations. Roche uses group internal and external providers and agents e.g. for IT systems operation and maintenance or to fulfil business transactions, such as providing customer services, or sending communications. In all these cases, access to unencrypted data is restricted to those who have a need to know. Also, Roche has entered into data processing agreements in order to ensure that providers and agents process the personal information only on Roche’s behalf and subject to appropriate technical and organisational measures.

Roche will not sell or otherwise transfer your personal information to any third parties for their own use unless with your explicit consent.

We also share data with our company's subsidiaries and affiliates globally, or store that data with them when required to by law or to respond to a legal process, to respond to a complaint or security request.

9. Transfers to other countries

We may transfer the personal information we collect about you through the website to countries that may not have the same data protection laws as the country in which you initially provided the information. When we transfer your information to other countries, we will protect that information as described in this Privacy Statement. In particular, we will base such data transfers on adequate standards such as data protection clauses approved by the European Commission or the US-EU Privacy Shield, as applicable. You may receive a copy of the clauses by contacting us as described above (see section 2).

10. Your Rights and how to exercise them

You may, in accordance with applicable data protection law, request the following from Roche Diabetes Care:

  • Right of access: request access to your personal information we process, obtain a copy of such data, and have inaccurate data rectified or completed;
  • Right to rectification: to have your personal information corrected if it is inaccurate/have incomplete personal information completed
  • Right to erasure: to have your personal information erased or its processing restricted (each to the extent that one of the grounds provided for by statutory law applies)
  • Right to restriction of processing: to restrict processing of your personal data
  • Right to data portability: to electronically move, copy or transfer your personal information in a standard form
  • Right to object: to object to processing of your personal information
  • Right to withdraw consent
  • Rights relating to automated individual decision making, including profiling. We do not use such processes without your prior consent.

You can exercise your rights by visiting your online account or contacting us at the address above (see section 2). You can adjust your privacy preferences, manage your consents, and amend your data. These choices do not apply to mandatory service communications that are part of certain Roche Diabetes Care services.

If you do not have an account or have difficulties or other enquiries, please approach us or our data protection officer using the above contact details (see section 2).

11. Privacy of Children

Our website is directed at an adult audience. We do not knowingly collect any personally identifiable information from anyone we know to be a child without the prior, verifiable consent of his or her legal representative.

12. Updates to Privacy Statement

We keep this Privacy Statement under regular review and we will place any updates on this website in response to changing legal, technical or business developments. When we update this statement, we will take appropriate measures to inform you. When we change any processing that is based on consent, we will ask you for a new consent. We encourage you to periodically review this page for the latest information on our privacy practices.

13. Third Party Resources

This Privacy Statement does not apply to third party sites to which our website may link, where we do not control the content or the privacy practices of such third parties. We will tell you when you follow a link to such a third party site.
