Data Privacy

We process personal data with due care

Roche operates around the globe, using various electronic systems to process, exchange and share information between units within the Roche Group and with third parties. Increasing cooperation in all fields entails the exchange of personal data. This trend is reinforced by the increasing use of modern telecommunications and electronic collaboration tools and platforms.

Roche is committed to respecting data privacy and has developed principles that must be consistently applied when processing personal data within the Roche Group and by its business partners.

Being active in clinical and genetic research, Roche must ensure that identifiable health information is carefully processed. Roche takes due care to prevent any misuse of or unauthorised access to such identifiable health information within its control.

All processing of personal data (e.g. data on employees, business partners, customers and suppliers) must be in compliance with applicable data privacy laws and the Roche principles.

We are all expected to:
  • Ensure that we process personal data with due care and only for the defined legitimate purpose it was collected for and in compliance with applicable laws and Roche principles.
  • Never collect more personal data than needed for a particular defined purpose.
  • Store personal data for the shortest possible time only as they are needed for the purpose such data were collected for.
Questions & Answers

I work in a clinical research unit and have access to identifiable health information which I would like to share with a colleague. Is this okay?

Being active in clinical and genetic research, Roche has to ensure that identifiable health information is processed with care and diligence. As a Roche employee you have a strict obligation to treat such information as confidential and to share it only with colleagues who need to know in order to do their work, in accordance with the purpose the data was obtained for and only if and as allowed under applicable law.

Roche wants to collaborate with a third party that is processing data in or accessing our data from another country. What do I have to consider?

Any exchange of personal data with another entity or person, i.e. between companies of the Roche Group or with third parties, requires adequate measures to be in place which ensure continued compliance with data privacy laws and the Roche principles, in particular if personal data are transferred across country borders.

I am using a company laptop to write personal e-mails regarding non-businessrelated topics. I am notified that I am now part of an investigation regarding a potential non-compliant behaviour of a fellow colleague. Because of this, my laptop is screened by a prosecutor. Is the external investigator allowed to review my personal e-mails?

Your e-mails may be reviewed internally or externally in the context of investigations or legal action. Roche or authorities may have the right or reasons which justify accessing your company devices or IT accounts, which may result in them also becoming aware of the content of any private communication. Always bear in mind that privacy for data on company devices or systems is not unreservedly granted, even if such information stems from appropriate personal use.

Further Informations