Data Privacy

We process personal data with due care

The right to privacy is a fundamental human right.

The protection and responsible use of personal data is reflected in our daily operations. We see data as a valuable element for developing innovative treatments and diagnostic solutions for patients, and as a driver for business excellence. As such, we strive to be a respected and preferred partner to all who may provide such data. We are committed to collecting and using data in a lawful, fair, legitimate and ethical way, and will always respect the privacy of individuals in order to earn and deserve their trust.

Roche assumes accountability for the compliant processing of personal data by itself or by its trusted service and cooperation partners.

Any information related to an identified or identifiable person must be collected and processed in compliance with applicable data privacy laws (e.g. Swiss Federal Act on Data Protection, EU General Data Protection Regulation and the US Health Insurance Portability and Accountability Act). Roche employees with access to such personal data are expected to apply the privacy principles of lawful, fair and transparent data processing, respecting any purpose limitations, as well as the principles of data minimisation, accuracy, storage limitation, integrity and confidentiality.

Anonymisation, pseudonymisation or equivalent concepts like de-identification are measures which Roche uses to protect individuals’ privacy rights. Any Roche employees who have access to anonymised data must not try to (re-)identify or cause identification of any individuals from whom such anonymised data were derived. Further, any Roche employees who have access to pseudonymised data shall not try to identify any individuals to whom the pseudonymised data relate unless it is necessary in order to comply with applicable law. The same is expected from our service providers and collaboration partners.

Roche applies additional appropriate governance and safeguard measures to protect individuals’ privacy rights. The Data Privacy Officer coordinates a global network with subject matter experts.

We are all expected to:
  • Collect, use and store data in compliance with applicable laws, privacy principles and Roche’s commitments.
  • Respect individuals’ privacy at all times.
  • Never re-identify or attempt to re-identify anonymised data.
  • Carefully select the third parties we’re trusting to process or access personal data which we are responsible for, and enter into the right contract.

Questions & Answers

If I have a question relating to data privacy, whom can I contact as subject matter expert?

You can contact the Data Privacy Officer (global.privacy@roche.com) or the local data privacy coordinator.

What shall I do if I become aware that an unauthorised person has accessed personal data?

Incidents where personal data is accessed by unauthorised individuals could be a privacy breach. Promptly report this through the appropriate channels.

If I use an external service provider to process data, do I still need to be concerned?

Yes. If we provide a third party with data, we remain responsible under privacy laws. External vendors must be assessed and contracts must be in place to fulfil legal obligations. If we determine the purpose and means of the data processing, we remain responsible for compliance with privacy laws by third parties.