The Company responsible for processing your personal data is:

Novo Nordisk Pharma (Thailand) Ltd.
98 Sathorn Square Office Tower,
Unit 2101-2105, 21st Floor, North Sathorn Road, Silom Bangrak District, 10500
Bangkok, Thailand
+66 2 237 9263

You can always contact us or the Novo Nordisk Data Privacy Officer at DataPrivacyTH@novonordisk.com with questions or concerns about how we process your personal data.

We get your personal data from one of the following sources:

• From you directly (e.g. through phone calls, emails and other digital channels)
• From your family members or care givers on your behalf
• From Health Care Professionals (“HCPs”) such as your nurse, a pharmacist or doctor
• From publicly available publications, websites, or social media

We process personal data about you for the following purposes:

• To provide products and services to you: To enter into a contract and manage our contractual relationship with you or your hospital / health care service provider / company; to evaluate your suitability and qualifications; to support, assist and perform other activities related to such services or products; to document and coordinate your involvement in an event or for scientific research; to record, edit, and use your recorded lecture and rehearsal for educational and training purposes; to manage, coordinate, and, accommodate your business travels, conferences, or events (such as, reservations and applying for VISA applications); to complete financial transactions, including transaction checks, verification, receipts and invoices; to process payment, perform and record accounting, auditing, financial checks, billing and collection activities;
• To register and authenticate: To register, verify, identify, and authenticate you or your identity;
• To contact and communicate with you: To communicate or conduct an interview with you in relation to the products and services you or your hospital / health care service provider / company obtain from us or through a research project; to respond to your questions and/or requests for information; to provide you with marketing related activities regarding our products; to provide announcements and information about the products and services; to provide product samples for trial use; to provide kit/tools in relation to our program / research project; to accommodate you, invite you to participate in, and administer training, events, meetings, seminars and/or educational activities;
• To do data analytics: To undertake data analytics and data profiling, market research, surveys, assessments, to support product usage enquiries, to know you better and to improve our customer service, our product offerings, our scientific and product communication to HCPs and patients and, our business performance; to identify and resolve issues with our existing products and services;
• To perform scientific evaluations of complaints and side effects potentially related to Novo Nordisk’s medicinal products: To assess patterns and trends associated with complaints, side effect and product usage. Complaints and side effects will be filed in databases and will be regularly analysed for overall patterns; and
• Internal compliance and legal compliance: To comply with internal policies and applicable laws, regulations, directives and regulatory guidelines.

Where we need to collect your personal data as required by law, or for entering into or performing the contract we have with you and you fail to provide that data when requested, we may not be able to fulfil the relevant purposes as listed above.

For the purposes described above, we may process the following types of personal data:

• Contact Information (e.g. name, address, telephone number, email address);
• Personal Profile (e.g. name, title, specialty, institution name, signature, gender, date of birth, image, video, sound, passport number, ID number, HCP license number, educational background, professional qualifications, CV);
• Financial Information (e.g. financial data of interest, bank account, payment for your services)
• Employment related information (historical employment, work experience and period, hospital or clinic name);
• Data concerning health and medicinal products you are using; and
• Other information (e.g. preference, opinion, patient relationship)

If you provide personal data of any third party to us (e.g. name and telephone number of your family members or your patient), please ensure that you provide this Privacy Notice for their acknowledgement and/or obtaining consent where applicable.

Our processing of your personal data requires a legal basis. By law, we are allowed to process your personal data described above in Section 4 based on the following legal bases:

• The processing is necessary to fulfil a contract with you;
• The processing is necessary for our legitimate interests. The legitimate interests are:

a.   to perform scientific evaluations of complaints and side effects potentially related to Novo Nordisk’s medicinal products.

b.   to improve our customer service and product offerings.

c.   to enhance our scientific and product communication.

• The processing is necessary for our compliance with a legal obligation, laws relating to the business operation or other laws of authorities;
• You gave consent for us to process your personal data / sensitive personal data.

We may process your personal data for other purposes as specified by laws, such as, the processing is necessary to protect your vital interests or the interests of another person or the public interest of the Company or for the exercise of the state power granted to the Company.

When you use our products or our services, the contract made with us may have additional conditions related to how we do the processing of your personal data. These may be used in addition to the objectives specified in this Privacy Notice.

We may share your personal data with:

• Suppliers or vendors that assist our company (e.g., consultants, IT service providers, financial auditors, financial institutions, law firms, educational associations, license partners travel agency, event organisers);
• Other Novo Nordisk entities (e.g., Novo Nordisk affiliates in other countries)
• Public authorities, embassies, including health and/or regulatory authorities
• Other pharma companies and partners if an enquiry is related to their product(s)

For the purposes described above and data back up, we may transfer your personal data to countries outside Thailand. Some recipients of your personal data may be located in another country which the Personal Data Protection Committee under the Thai Personal Data Protection Act B.E. 2562 has not yet to rule that this country has adequate data protection standards.

When it is necessary to transfer your personal data to a third country with a level of data protection standards which may be considered lower than in Thailand, we will use our best endeavours to ensure an adequate degree of protection is afforded to the transferred personal data, or that the transfer is otherwise permitted in accordance with the applicable data protection law. We may, for example, obtain contractual assurances from any third party given access to the transferred personal data that such data will be protected by data protection standards which are equivalent to those required in Thailand.

We will keep your personal data for the following period of time:

• For data relating to technical complaints: 12 years
• For safety information and data relating to side effects: End of activity + 10 years, where end of activity is the time where no product with the active ingredient is marketed
• For all other enquiries: Up to 5 years

Apart from that, we may keep the relevant personal data as long as it is reasonably necessary and required by applicable law to fulfil the purposes for which we obtained it for and to comply with our legal and regulatory obligations. However, we may need to keep your personal data for a longer duration, as required and/or permitted by applicable laws.

The rights listed in this section are your legal rights, where you may request to exercise these rights under the conditions prescribed by law and our rights management procedures. These rights are as follows:

• To request access, obtain a copy of your personal data, or for the disclosure of the acquisition of your personal data that is obtained without your consent;
• To have your personal data corrected, if it is inaccurate or not up to date;
• To have your personal data deleted, destroyed, or anonymized;
• To request us to provide your personal data in a structured, commonly used and machine-readable format, and transmit it to another organisation;
• To object to how we collect, use and/or disclose your personal data in certain activities;
• To restrict us from using your personal data if you believe such data to be inaccurate, that our processing is unlawful, or that we no longer need to process this data for a particular purpose; and
• To withdraw consent for collection, use and/or disclosure of your personal data that is based on your consent at any time.
• To lodge a complaint to the competent data protection authority, where applicable. We would, however, appreciate the chance to deal with your concerns before you approach the authority, so please contact us in the first instance.

Your withdrawal of any previously given consent, your request to delete, destroy and anonymise your personal data, your request to restrict or your objection to the processing of your personal data could mean that the Company is unable to perform our obligations under an existing contract with you, and that there may be restrictions on certain transactions or services provided by us.

To exercise your right or in case of inquiry, you can always contact the Novo Nordisk Data Protection Officer at DataPrivacyTH@novonordisk.com.

Your request for exercising any of the above rights may be limited by the applicable laws. There may be certain cases where we can reasonably and lawfully decline your request; for example, due to our legal obligation or a court order. If we decline your request, we will notify you of our reason.