|1. Necessity Prior to collecting, using, or sharing Personal Information, we define and document the specific, legitimate business purposes for which it is needed.
- We determine and document how long Personal Information is needed for those defined business purposes and applicable legal requirements.
- We do not collect, use or share more Personal Information than is needed or retain it in identifiable form for longer than is needed for those defined business purposes and applicable legal requirements.
- We anonymize the data when business requirements necessitate that information about the activity or process is retained for a longer period of time.
- We ensure that these necessity requirements are designed into any supporting technology and that they are communicated to third parties supporting the activity or process.
|2. Fairness – We don’t process Personal Information in ways that are unfair to the people to whom those data relate.
- We determine whether the proposed collection, use or other processing of Personal Information presents a likely and/or severe risk of tangible or intangible harm to individuals in accordance with our privacy value to Prevent Harm.
- If the nature of the data, types of people, or the activity present a likely and/or severe risk of tangible or intangible harm to individuals, we ensure that the risk of harm is outweighed by a corresponding benefit to those individuals or to our mission of saving and improving lives, and mitigated by the measures, safeguards and mechanisms we have put in place.
- Where the risk appears to outweigh the benefits to individuals, we only process the Sensitive Information or Personal Information with the explicit consent of the individuals, as expressly required or expressly permitted by applicable law, or as expressly authorized by a competent regulatory authority.
- We document the risk analysis and design any required mechanisms to obtain and document evidence of consent into supporting technologies.
|3. Transparency - We don’t process Personal Information in ways or for purposes that are not transparent.
- All individuals about whom Personal Information is processed under this Policy shall have a right to a copy of this Policy. We will make copies of this Policy available online at www.msd.com/privacy. The Global Privacy Office will provide electronic and/or paper copies of this Policy upon request to the addresses listed in Section 3.a. below.
- When Personal Information is collected directly from individuals, we inform them, prior to collecting the information and through a clear, conspicuous, and easily accessible privacy notice or similar means, of (1) the company entity or entities responsible for the processing, (2) the contact details of our Chief Privacy Officer and/or the regional/local Data Privacy Officer, (3) what information will be collected, (4) the purposes for which it will be used, (5) the legal basis for our processing, (6) with whom it will be shared, including any requirements to disclose Personal Information in response to lawful requests by government authorities, (7) whether and how we will transfer the Personal Information to other countries, including the relevant countries where feasible (8) how long it will be retained or the criteria by which we make that determination, (9) how they can ask a question, raise a concern or exercise their rights related to their Personal Information, (10) how they can withdraw any consent they have provided, (11) their right to lodge a complaint with a supervisory authority, (12) any obligation to provide Personal Information and the consequences of not doing so, (13) any automated decision-making, including profiling, we will carry out, and (14) a link to this Policy, where possible and appropriate. Our comprehensive privacy notices for many of our stakeholders are available online at http://www.msd.com/about/how-we-operate/privacy/transparency-and-privacy.html
- When Personal Information is obtained through observation, sensors, or other indirect means, it may not be possible to provide a privacy notice directly to the individual at the time the information are collected. In such cases, we assure transparency to the individual through other means, such as posted or printed on the device or materials associated with the device that will obtain the information.
- When Personal Information is collected from other sources and not specifically at the direction of our company,prior to obtaining the information, we verify in writing that the provider of the information has informed individuals of the ways and purposes for which our company intends to use the information. If written verification cannot be obtained from the provider of the information, we use only anonymized information, or prior to using Personal Information, we inform the affected individuals through a privacy notice or similar means of (1) the entity or entities of our company responsible for processing the information, (2) the contact details of our Chief Privacy Officer and/or the regional/local Data Privacy Officer, (3) what information our company plans to use, (4) the purposes for which our company plans to use it, (5) the legal basis for our processing, (6) with whom our company will share it, (7) whether and how we will transfer the Personal Information to other countries, including the relevant countries where feasible (8) how long our company plans to retain it or the criteria by which we make that determination, (9) how they can ask a question, raise a concern or exercise their rights related to their Personal Information, (10) how they can withdraw any consent they have provided, (11) their right to lodge a complaint with a supervisory authority, (12) any obligation to provide Personal Information and the consequences of not doing so, (13) any automated decision-making, including profiling, we will carry out, and (14) a link to this Policy, where possible and appropriate.
- We ensure that the necessary transparency mechanisms, including, where possible, mechanisms that support individual rights requests, are designed into supporting technologies, and that third parties supporting the activity or process do not process information about people in ways that are inconsistent with what individuals have been told through a privacy notice or other verifiable means that we and others working for us will do with the information.
|4. Purpose Limitation – We only use Personal Information in accordance with the Necessity and Transparency principles.
- If new legitimate business purposes are identified for Personal Information that previously was collected, we either obtain the individual’s consent for the new use of Personal Information, or we ensure that the new business purpose is compatible with, including materially similar to, purposes described in a privacy notice or other transparency mechanism that was previously provided to the individual. We will determine compatibility based on (1) any link between the original purposes and the proposed new purpose, (2) the reasonable expectations of the individual, (3) the nature of the Personal Information, (4) the consequences of the further processing for the individual, and (5) the safeguards we have put in place.
- We do not apply this principle to anonymized information or where we use Personal Information solely for historical and scientific research purposes and (1) an Ethics Review Committee, or other competent reviewer, has determined that the risk of such use to privacy and other rights of individuals is acceptable, (2) we have put in place appropriate safeguards to ensure data minimization, such as pseudonymization, and (3) all other applicable Laws are respected.
- We ensure that purpose limitation restrictions are designed into any supporting technology, including any reporting capabilities and downstream data sharing.
|5. Data Quality – We keep Personal Information accurate, complete and current consistent with its intended use.
- We ensure that periodic data review mechanisms are designed into supporting technologies to validate the data accuracy against source and downstream systems.
- We ensure that Sensitive Information is validated as accurate and current prior to its use, evaluation, analysis, reporting or other processing that presents a risk of unfairness to people if inaccurate or outdated data are used.
- Where changes are made to Personal Information by our company or third parties working for our company, we ensure that those changes are communicated to the relevant individuals in a timely manner where reasonably possible.
|6. Security – We implement safeguards to protect Personal Information and Sensitive Information from loss, misuse, and unauthorized access, disclosure, alteration or destruction.
- We have implemented a comprehensive information security program and we apply security controls that are based on the sensitivity of the information and the risk level of the activity, taking into account current technology best practices and the cost of implementation. Our functional security policies include, but are not limited to, standards on business continuity and disaster recovery, encryption, identity and access management, information classification, information security incident management, network access control, physical security, and risk management.
|7. Data Transfer – We are responsible for and we preserve the privacy protections for Personal Information when it is transferred to or from other organizations or across country borders.
(1) We transfer Personal Information within our company if the following requirements are met:
- (1) the sharing is necessary to fulfil the purpose for which the Personal Information was originally collected or another legitimate interest of the company, and (2) the purpose for which it is to be shared, and the fact that it will be shared, is consistent with the privacy notice or other transparency mechanism that was previously provided to the individual at the time the Personal Information was originally collected and the individual gave their consent where necessary. (3) where one of our company subsidiaries acts solely on behalf of another of our company subsidiaries in processing Personal Information, (4) where required by Law, those subsidiaries of our company will execute an internal data processing agreement in accordance with Principle 8 of this Policy.
(2) We only transfer Personal Information to or allow it to be processed by third parties if the following requirements are met and we are liable for ensuring that the third parties we engage meet these requirements:
- If the role of the third party is to process Personal Information for or on behalf of our company, before providing Personal Information to the third party or engaging the third party, we: (1) complete privacy due diligence to evaluate the privacy practices and risks associated with those third parties, (2) obtain contractual assurances from those third parties that they will process Personal Information pursuant only to our company’s instructions, and in accordance with this Policy, including without limitation all 8 Privacy Principles and the other standards set forth in this Policy, and applicable Laws, that they will notify our company promptly of any Privacy Incident, including any inability to comply with standards set forth in this Policy and applicable Laws, or Security Incident, and cooperate to promptly remediate any substantiated Incident and to address the individual rights set forth in Section 2 below, that they will not engage another company to process the Personal Information without our written authorization and without putting in place an agreement imposing equivalent data protection obligations, that they will delete or return to us all Personal Information after they have finished providing services to us or upon our request, and that they will permit our company to audit and monitor their practices for the duration of the processing for compliance with these requirements. Additionally, if the third party processes Personal Information that originates in a country or territory with a law that restricts the transfer of Personal Information, we will ensure that the transfer to the third party meets the requirements for cross-border data transfer described in (3) below.
- If the role of the third party is to supply Personal Information to our company, before obtaining Personal Information from the third party, we ensure that the Transparency requirements for collecting Personal Information from other sources and not specifically at the direction of our company are met, and we obtain contractual representations from the third party that it is not violating any Law or the rights of any third party by providing Personal Information to our company.
- If the role of the third party is to receive information from our company for processing that is not specifically at the direction of our company, before providing information to the third party, we ensure that the information has been anonymized, and we obtain written assurances from the third party that they will use it only for business purposes defined in the agreement and in accordance with applicable laws, and that they will not attempt to re-identify the information.
- If the transfer to a third party is required to protect the individual’s legitimate interests or those of the company, we may transfer the information: (1) for the purposes of fraud prevention or to enforce or protect the rights and properties of the company, (2) for the protection of the personal safety of our employees or third parties on our property, and (3) to protect our assets by taking corrective security measures if we reasonably suspect that unlawful activity or serious misconduct has taken place.
- If the third party is a target for acquisition or a controlling interest by our company, (1) prior to entering into an agreement to acquire the third party or to acquire a controlling interest in the third party, we complete privacy due diligence to evaluate the privacy practices and risks associated with acquisition of that third party or a controlling interest in that third party, and (2) we enter into a data transfer agreement that specifies the terms and conditions under which Personal Information may be disclosed and the respective obligations of our company and the third party.
- If the role of the third party is to acquire all or part of our company’s business, prior to sharing any Personal Information in connection with a divesture of any part of our company’s business, we (1) enter into a data transfer agreement that specifies the terms and conditions under which Personal Information may be disclosed to the purchaser, including appropriate limitations as to the permitted uses of the Personal Information and compliance with the standard set forth this Policy and applicable Law, (2) review all data elements about people prior to sharing to evaluate the requirements for sharing, (3) obtain consent to share Personal Information or Sensitive Information in accordance with the Transparency and Purpose Limitation principles of this Policy, and (4) require the third party to notify our company promptly of any applicable Privacy Incident, including any inability to comply with standards set forth in this Policy and applicable Laws, and cooperate to promptly remediate any substantiated Incident or cease Processing relevant Personal Information.
(3) We transfer Personal Information across country borders, including to the United States of America, by or on behalf of our company in accordance with this Policy. We will apply this Policy to transfers of Personal Information from any other country or territory with a law that restricts the transfer of Personal Information, in addition to complying with any requirements imposed by such Laws (including the use of any mechanisms required for cross-border transfers).
|8. Legally Permissible – We only process Personal Information if the requirements of applicable laws have been met.
- While the other 7 privacy principles, as well as the Individual Rights requirements described below, are intended to ensure that the requirements of most privacy and data protection laws that apply to our business around the world have been met, in some countries, we need to meet additional requirements, including but not limited to the following:
- Where required, we will obtain specific forms of consent for certain processing of Personal Information, including but not limited to, approval of the processing by works councils and other labor unions;
- Where required, we will register processing of Personal Information with or seek the approval of the applicable privacy or data protection regulatory authority;
- Where required, we will provide broader rights (for example, of access and correction) than set forth in this Policy;
- Where required, we will further limit data retention periods for Personal Information; and
- Where required, we will enter into agreements containing specific contractual clauses, including agreements for cross-border data transfer to third parties
- Where required, we will disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
- In the event of a conflict between this Policy and an applicable law, the standard that provides more protection to individuals will prevail.