Novartis – General Privacy Statement for the Neurohouse Website

July 2019

You are hereby informed by means of this Privacy Statement that you are visiting a
site belonging to Novartis Farmacéutica, S.A. Therefore, this company is processing information about
you which comprises “Personal Data” and Novartis considers that protection of your personal data and your
Privacy is of the utmost importance.

Novartis Farmacéutica, S.A. ("Novartis") with registered offices in Gran Via de les Corts Catalanes, nº
764, CP 08013, Barcelona, is responsible for processing your personal data
because it decides why and how it is processed, therefore acting as “Data Controller”. In this
Privacy Statement, “we” refers to Novartis.
This Privacy Statement is divided into two parts. Part I contains practical information
about specific personal information that we process when you visit our site and why and how we process
that data. Part II contains more general information about technical or standard transactional personal data
that we process about visitors to our sites and users of our apps, the
legal grounds for using your personal data and your rights regarding all the
personal data collected about you.
You are urged to read this Privacy Statement carefully, and if you have any other questions
about how we process your personal information, you may contact the Data
Protection officer (DPO) at

Part I - Important information

Novartis processes your personal data when you visit this site.
Specific personal data we collect about you
For this purpose, we gather the following personal data about you: data
that you provide on data collection web forms, any data you may
provide when using any contact sections.
You may provide this data yourself (for example, by filling a web
form or interacting with a site or app), by third parties or obtained
from trusted public sources, after obtaining your consent to obtaining this
personal data when this is required by the applicable law.
Specific purposes for which we need your personal data

We use the information gathered for the following specific purposes:

gestionar nuestros usuarios;

  • manage our users;
  • manage and improve our sites and applications;
  • measure the use of our sites and applications;
  • improve, store your preferences and tailor the content to you;
  • send you customised services and contents based on your location;
  • improve the quality of our products and services and extend our marketing activities;
  • control and prevent fraud, infringements and other possible incorrect uses of our sites and pages;
  • if you ask us to do so, and if permitted by the applicable law, we will send you marketing email messages about our own and/or third-party products.
  • social networks: we will process your data in order to correctly manage its presence in the corresponding social networks, informing about our activities, products and/or services or those of third parties related to our activity, and for any other purposes permitted by the regulations governing the Social Networks.
  • comply with official demands from a regulator or court with proper authorisation;
  • manage our information technology (IT) systems, including infrastructure management and business continuity;
  • help us for business purposes and ensure compliance and create reports;
  • filing and keeping records; and
  • any other purpose required by law and the authorities.

Please note that we may use the data collected for other
usual purposes, and that the abovementioned purposes are dealt with in more detail in Part II

Specific third parties with which we will share your personal data

We may share your personal data with third parties that may provide us with services, always
with the corresponding legal safeguards in each case.
Please note that we may also share your data with several other parties
(for example, another Novartis Group organisation if the organisation that collects the data is not
the same that uses it) but always under strict conditions, as explained in greater
Detail in Part II.

During storage

We only store the above personal data and the personal data itemised in Part
II for the duration of the use of the website or the specific application
and for a maximum of three years since the last connection.

Cookies and similar technologies

Specific types of cookies and other tracking technologies explained in
Part II are used. If the site has another, specific cookies policy, the policy established by the site
will prevail.
Please note that we also use cookies and other usual technologies for the standard purposes set forth
in Part II below (for example, to ensure the correct
functionality of our site or application).

Specific contact point

If you have any questions about how we process your personal data in the above context,
please contact the DPO by sending an email to

Part II - General information

The second part of this Privacy Statement provides greater details of
the context in which your personal data is processed and explains your rights and obligations during the

1. In what circumstances do we use your personal data?

We will not process your personal data unless we have appropriate grounds for doing so
under the applicable law. Therefore, we will only process your personal data:

  • if we have obtained your consent to do so;
  • if the processing is necessary to comply with our contractual obligations to you or to adopt precontractual measures if so requested;
  • if the processing is necessary to comply with our legal or regulatory obligations; or
  • if the processing is necessary for our legitimate interests and does not unduly affect your fundamental interests, rights and freedoms.

Please, remember that your personal data is processed based on the latter
premise and that will always try to maintain a balance between our legitimate interests
and your privacy. Examples of these “legitimate interests” are the
data processing activities carried out:

  • to benefit from profitable services (i.e. we may opt to use certain platforms offered by data processing suppliers);
  • to offer our products and services to our customers;
  • to prevent fraud and criminal activity, improper use of our products and services, and the security of our networks, architecture and IT systems.
  • to sell any part of our business or its assets or to further the acquisition of all or a part of our business or assets by a third party; and
  • to comply with our corporate social responsibility objectives.

2. Who has access to the personal data and to whom are they transferred?

We undertake not to sell your personal data to third parties, and not to disclose it
to third parties other than in the cases indicated in this Privacy
During the course of our activities and for the same purposes described
in this Privacy Statement, access may be permitted to your personal data
by the specified third parties identified in Part I of this Privacy Policy, or
transferred to them and to the following categories of recipients, if they need to
know them, to fulfil these purposes:

  • our staff (including staff, departments or other companies of the Novartis group);
  • our other suppliers and service providers who provide us with products and services;
  • our suppliers of computer systems, cloud service providers, database suppliers and consultants;
  • our business partners that offer products or services jointly with us;
  • any third party to which we assign or parties that take over any of our rights and obligations;
  • our consultants and outside lawyers in the context of the sale or transfer of any part of our business or assets.

The third parties referred to above are bound by contract to protect the
confidentiality and security of your personal data, in compliance with applicable
Your personal data may also be consulted by regulatory agencies,
police authorities, public or national and international courts, or transferred to them, when
we are obliged to do so in compliance with the applicable law or
regulation or when requested.
Your Personal Data may also be processed,
accessed, or stored in countries outside the country where Novartis is established, which
may offer a different level of personal data protection.
If we transfer your Personal Data to external companies in other jurisdictions,
we will ensure the protection of your personal data (i) by applying the level of protection
required under applicable data protection/privacy laws
applicable to Novartis, (ii) acting in accordance with our rules and policies, and (iii)
for Novartis located in the European Economic Area (i.e., the EU member
States plus Iceland, Liechtenstein and Norway, the “EEA"), unless otherwise required
transferring your personal data exclusively in accordance with the
standard contractual clauses approved by the European Commission. You may request additional
information in relation to international transfers of personal data and obtain a
copy of the appropriate protective measures implemented by exercising the rights
listed below in the section on your rights and how to exercise them.

For transfers of personal data within a group, the Novartis Group has adopted
Binding Corporate Rules, a system of principles, standards and tools
provided by European legislation, in order to ensure effective levels of
data protection for transfers of personal data outside the EEA and
Switzerland. Click here or follow the link for more information on the Novartis Binding
Corporate Standards in in section: "Data Protection:
Your Rights".

3. How do we protect your personal data?

We use appropriate technical and organisational safeguards to provide a suitable level of security and confidentiality for your personal data.

.These measures take into account:

  1. the latest advances of the technology used;
  2. the nature of the data; and
  3. the risk of processing.

Its purpose is to protect against accidental or improper destruction or alteration,
accidental loss, disclosure or unauthorised access and any other
improper processing.
In addition, to process your personal data, we will comply with the following obligations:

  • we only collect and process personal data which are adequate, relevant and limited to what is necessary, as required to comply with the above purposes;
  • we ensure that your personal data are kept up to date and accurate (for the latter purpose, we may ask you to confirm the personal data that we have about you and we also urge you to inform us spontaneously if your personal circumstances change so that we can ensure that your data are up-to-date); and
  • we can process any sensitive data about you that you provide voluntarily in compliance with the applicable data protection rules and which are strictly necessary for the relevant purposes stated above, and that only appropriate personnel have access to and process it, under the responsibility of one of our representatives who is obliged to keep confidentiality and professional secrecy.

4. How long do we store personal data?

We will store your personal data for as long as necessary to comply with the
purpose for which it is collected or to comply with regulatory or legal
Unless otherwise stated in Part I of this Privacy Statement, we will
store your data for 36 months from the last use of/login to the website or
relevant application. At the end of this period, your personal data will be deleted from
our active systems.

5. How do we use cookies and other similar technologies in our sites
and applications?

5.1 Cookies

Cookies are small text files that are sent to your computer when you visit
a site. We use cookies for the purposes stated above and
in accordance with this Privacy Statement.
We do not use cookies to control individual visitors or identify you, but to
gain practical knowledge of how you use our websites
and applications to enable us to improve them for users. The personal data
generated through cookies are collected in pseudonymized format and are subject
to your right to object to the processing of the data, as specified
below.We may use the following specific types of cookies :

  • user interface customization cookies (that is, cookies that remember your preferences);
  • authentication cookies (that is to say, cookies that allow you to leave and return to the website without logging in again);
  • video player cookies (that is to say, cookies that store the necessary cookies to play back audio or video content and store your preferences);
  • first-party analytics cookies (that is to say, cookies that memorise the pages you have visited and provide information about your interaction with these pages); and
  • third-party Analytics cookies (that is to say, cookies from third-party vendors that
    track the statistics of our web page and vice versa).


Remember that you can change your browser setting to alert you of
cookies. If you do not wish to receive cookies, you can also block them in your browser
settings. Finally, you can also delete cookies that have already
been sent.
For more information about how to manage cookies on your device, see the
Help function of your browser or visit, which contains detailed
information on how to do this in a wide variety of browsers (the link is

5.2 Other Technologies

We may also use other technologies in our sites and applications to
collect and process your personal data for the same purposes as stated above

  • Internet tags (such as action tags, single-pixel GIF, evident GIF, invisible GIF and 1-by-1 GIF, technologies that allow us to track user results); and
  • Adobe Flash technology (including Flash local shared-objects, unless you change the setting).

6. What are your rights and how can you exercise them?

You can exercise the following rights under the conditions and within the limits specified by law:

  • The right of access to the personal data collected about you and how they are processed and if you believe that any data concerning you is incorrect, outdated or incomplete, to request that they be corrected or updated;
  • The right to request erasure of your personal data or its restriction to specific categories of processing;
  • The right to withdraw your consent at any time, without affecting the validity of processing prior to withdrawal;
  • The right to object to the processing of all or any of your personal data;
  • The right to object to direct marketing communications; and
  • The right to request portability of your data, i.e., that the personal data that you have provided be returned or transmitted to the person you choose, in a structured format, usually used and readable by machine, without any impediment by our part and in accordance with their obligations of confidentiality.

Note, however, that in certain circumstances, not accepting
cookies or changing your browser settings may affect your browsing experience
and prevent you from using certain functions of our sites or applications.
If you have a question or want to exercise the rights listed above, you can send an e-mail
to the DPO along with a scanned image of
your national identity document for identification purposes.
If you are not satisfied with the way we process your personal data, please contact our
Data Protection Officer on who will analyse your
In any case, you also have the right to file a complaint with the
data protection authorities, in addition to the earlier rights.

7. What technical and transactional data we may collect about you?

7.1 Categories of technical and transactional data

In addition to the information collected about you pursuant to Part I of this Privacy
Statement, we may collect different types of technical personal data and
usual transactional data about you during your use of our sites and
applications that are required for the proper functioning of our web pages and
applications, including:

  • information about your browser and device (e.g. service provider's domain of internet services, your browser type and version, operating system and platform, screen resolution, manufacturer and model of the device);
  • statistics relating to your use of our sites and applications (e.g. information about pages visited, information searched for, duration of the visit to our site);
  • usage data (i.e., date and time of access to our website and application, downloaded files);
  • the location of your device when using our application (unless this feature is disabled in your device settings); and
  • at a more general level, any information you provide to us when using our site and applications.

Please note that we will not knowingly collect, use or intentionally disclose
personal data from minors under the age of 18 years without obtaining prior consent from a
parent or legal guardian.

7.2 Why do we collect technical data and transactional data?

We always process your personal data with a specific objective and will only process personal
data that is relevant to achieve that objective. In addition to the purposes that
have already been notified to you in Part I of this Privacy Statement, we also process
your personal data collected during the use of one of our sites or
applications for the following purposes:

  • to manage our users (e.g. registration, account management, responding to queries and offer technical assistance);
  • manage and improve our sites and applications (for example, diagnose Server issues, optimise traffic, integrate and optimise sites when appropriate);
  • track the use of our sites and applications (for example, generating statistics on traffic, gathering information about the user behaviour and the pages they visit);
  • improve, store your preferences and tailor the content to you (for example remembering their selections and preferences, through the use of cookies);
  • send you personalised services and contents based on your location;
  • improve the quality of our products and services and extend our marketing activities;
  • control and prevent fraud, infringements and other possible incorrect uses of our sites and applications;
  • if you ask us to do so, and if permitted by the law in force, we will send you marketing email messages about our own and/or third-party products and services related to the manufacturing and marketing of products and/or pharmaceutical services and/or pharmaceutical specialities for quality vision care, generics and biosimilars as well as manufacture and marketing of computers and surgical devices.
  • social networks: please note that we are present in social networks. The processing of the data made by people who become followers (and/or any link or action to connect through social networks) from the official pages of the Data Officer, in the social networks shall be governed by this section, the rest of the Privacy Policy and the Terms of Use of the Site, as well as the Terms of Use, privacy policies and other regulations governing access, use and similar that belong to the social network. We will process your data for the purposes of properly managing your presence in the social network in question, inform you of our activities, products and/or services, or those of third parties that are related to our activity (related to
    the sectors of manufacturing and marketing products and/or pharmacy services and/or pharmaceutical specialities, for quality vision care, generic medicines and biosimilars, as well as manufacturing and marketing of surgical equipment and devices), as well as for any other purpose that the regulations governing the social networks.
  • comply with official demands made by a regulator or court with the necessary authorisation;
  • manage our IT resources, including the management of infrastructures and business continuity;
  • uphold our business interests and ensure compliance and produce reports (and compliance with our local legal policies and requirements, taxation and deductions, the management of alleged cases of misconduct or fraud, audits and defence in litigation);
  • filing and keeping records; and
  • any other purpose required by law and the authorities.

8. How do we notify you of changes in our Privacy Statement?

Any future changes or additions to the processing of your personal data as described
in this Privacy Statement will be notified in advance through an
individual notification through our usual communication channels (e.g.
email), as well as through our web pages or applications (through
banners, pop-ups or other notification mechanisms).

9. Data Protection Your Rights

Individual rights
Novartis is committed to respecting your privacy and to adequately protect your personal information to
collect and share data with other people in the performance of their legitimate business activities.
As well as the Novartis policy on Personal Data Protection, Novartis has adopted the Binding Corporate
Rules (BCR), a set of principles governing the international transfer of personal data of partners,
customers and business partners of Novartis, in addition to other persons whose data is collected and
processed in the EU and Switzerland. The adoption of the Binding Corporate Rules of Novartis on the
part of the EU and of the Swiss Data Protection authorities enables Novartis to comply with the data
protection laws of the countries of the EU and Switzerland when you submit your personal information
from these countries to its global subsidiaries.

What are the applicable principles relating to the protection of personal data?
Novartis companies that send your personal information from the EU or Switzerland to other countries
must comply with applicable laws, as well as Novartis policies and the Binding Corporate Rules.
Specifically, these companies:

  • Collect and process your personal information by transparent and lawful means.
  • Process your personal information solely for specific and lawful purposes and not used for any other purpose.
  • Inform you of the transfer of your personal information and, if necessary, you are asked for your consent, as required by local laws.
  • Preserve your personal information only for the time required, unless the law requires or permits longer or shorter storage periods.
  • Preserve the confidentiality of your personal information and take appropriate security and reasonable measures to protect it from any unauthorised access, damage or accidental loss, misuse, and alteration or unauthorised erasure.

What are my rights?
If you are a contributor, customer or trading partner of Novartis or another person whose personal
information has been collected and processed by Novartis in the EU or in Switzerland, you have the
following rights:

  • You can ask Novartis to provide information about the collection and use of your personal information that the latter carries out based on the applicable local laws.
  • You can ask Novartis to correct, delete or not to use your personal information if it is incomplete or inaccurate.
  • You can oppose the processing of your personal information and require Novartis to not continue processing your data whenever you have legitimate grounds for doing so.
  • You can request a review of decisions taken by the automatic processing of your personal information, in the event that those decisions have a significant effect on them.

How can I exercise my rights?
If your personal information has been sent to a Novartis company in a country that does not belong to the
EU and is not Switzerland and that this company does not provide an adequate level of protection and
you consider that your personal information has been processed in breach of the Binding Corporate
Rules, you can proceed as follows:

  • File a complaint with the Novartis Office of Business Practices (BPO) by sending an e-mail to: Your complaint will be investigated in accordance with our internal procedures.
  • File a complaint with the competent data protection authority or file a complaint with the courts of
    Switzerland or the EU country from which your personal information has been sent.


Be informed about our events and news