Safe Harbor Standards
This Safe Harbor Privacy Statement (the "Statement") sets forth the privacy principles followed by Novartis Institutes For BioMedical Research, Inc., (NIBRI) in connection with the transfer and protection of "personal information" received from the European Union (EU) or Switzerland.
About The Safe Harbor
The "U.S.-EU Safe Harbor" program was jointly established in 2000 by the United States Department of Commerce and the European Commission, as a method for transferring personal information from the European Union (EU), to companies in the United States. The "U.S.-Swiss Safe Harbor" program was jointly established in 2009 by the U.S. Department of Commerce and the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland, as a method for transferring personal information from Switzerland, to companies in the United States. The Safe Harbor programs involve a voluntary self-certification process for companies operating in the United States. Companies that certify represent that they are upholding privacy standards for personal information received from the EU and/or Switzerland that have been jointly accepted by the U.S. Department of Commerce and the EU Commission and the Swiss FDPIC. These standards exceed current US privacy standards. NIBRI has certified to the Safe Harbor program and makes that commitment.
"Personal Information" means information that can directly or indirectly lead to the identification of a living person, such as an individual's name, address, e-mail, telephone number, license number, medical identification number, photograph, or other identifying characteristic. The identification can occur by reference to one or more factors specific to the individual's physical, physiological, mental, economic, cultural or social identity. Personal information does not include information that has been anonymized, encoded or otherwise stripped of its identifiers, or information that is publicly available, unless combined with other non-public personal information.
This Statement governs personal information transferred from countries in the EU or Switzerland (which has adopted substantially similar privacy laws to those of the EU), to the United States on behalf of NIBRI. It applies to personal information in electronic and off-line formats.
Safe Harbor Privacy Principles
The following privacy principles apply to the transfer, collection, use or disclosure of personal information from the EU and Switzerland by NIBRI.
Notice: NIBRI informs individuals in the EU and Switzerland about the purposes for which it collects and uses their personal information, how to contact NIBRI., the types of third parties with which NIBRI shares their personal information, and the choice and means NIBRI offers for limiting the use and disclosure of their personal information.
Consistent with the Safe Harbor requirements, NIBRI may not be in a position to furnish notice in certain limited situations. Specifically, notice is not required where the processing of EU or Swiss personal information is necessary to respond to a government inquiry; is required by applicable laws, court orders or government regulations; or is necessary to protect NIBRI' legal interests and providing notice would interfere with those interests.
Choice: NIBRI will not process personal information about EU or Swiss individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the EU or Swiss individual unless the individual affirmatively and explicitly consents ("opt-in") to the processing, or unless an exception applies. NIBRI. also provides EU and Swiss individuals with the opportunity to withdraw consent at any time ("opt-out"), in which case their personal information will not be further processed. There are certain limitations on the right to opt-out, such as those that apply in the clinical research situation. In that situation, NIBRI. can continue to rely upon personal information already provided by clinical research participants who choose to discontinue participation in a clinical trial, to the extent needed to protect the integrity of the study, but cannot collect any additional personal information about that individual once the written request to withdraw participation is received.
Data Integrity: NIBRI seeks to ensure that any personal information held about EU or Swiss individuals is accurate, complete, current and otherwise reliable in relation to the purposes for which the information was obtained. NIBRI collects personal information that is adequate, relevant and not excessive for the purposes for which it is to be processed. EU and Swiss individuals have a responsibility to assist NIBRI in maintaining accurate, complete and current personal information about them.
Transfers To Third Parties: NIBRI will only transfer personal information about EU or Swiss individuals to third-parties where the third-party (a) has provided satisfactory assurances to [NIBRI] that it will protect the information consistently with this Statement; or (b) is located in the EU or Switzerland or a country considered "adequate" for privacy by the EU Commission or the Swiss Commission, and therefore is required to comply with EU or Swiss data protection laws or substantially equivalent privacy laws; or (c) the third-party has also certified to the Safe Harbor, and is accordingly independently responsible for complying with the Safe Harbor requirements.
Where NIBRI has knowledge that a third-party to whom it has provided EU or Swiss personal information is processing that information in a manner contrary to this Statement or the Safe Harbor requirements, NIBRI will take reasonable steps to prevent or stop the processing.
Access And Correction: Upon written request to NIBRI, NIBRI will provide EU and Swiss individuals with reasonable access to their personal information. NIBRI will also take reasonable steps to allow EU and Swiss individuals to review their information for the purposes of correcting their information. There are certain limitations to the Access and Correction rights, as set forth in the US Department of Commerce's Safe Harbor website.
US Department of Commerce's Safe Harbor website
Security: NIBRI takes reasonable precautions to protect EU and Swiss personal information in its possession from loss, misuse, unauthorized access, disclosure, alteration and destruction.
Enforcement: NIBRI has established internal mechanisms to verify its ongoing adherence to this Statement. NIBRI also encourages individuals covered by this Statement to raise any concerns about our processing of their personal information by contacting NIBRI's Privacy Office at the address below or by contacting their local privacy officer or Legal Department. NIBRI will seek to resolve any concerns. NIBRI has also agreed to participate in the dispute resolution program provided by the European Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner.
Limitation On Scope Of Principles: Adherence to these Privacy Principles may be limited to the extent required to meet a legal, governmental, national security or public interest obligation.
Effective Date: This Safe Harbor Privacy Statement is effective as of November 17, 2009
U.S. Privacy Officer
NIBRI Institutes for BioMedical Research, Inc.,
250 Massachusetts Avenue
Cambridge, MA 02139
Phone: +1 617.871.5007
Fax: +1 617.871.3349