It looks like you are using an older version of Internet Explorer which is not supported. We advise that you update your browser to the latest version of Microsoft Edge, or consider using other browsers such as Chrome, Firefox or Safari.

SANDOZ - GENERAL WEB PRIVACY NOTICE

You are receiving this Privacy Notice because you are visiting a website or using a mobile application (“app”) from one of the companies of the Novartis group. As a result, this company is processing information about you which constitutes “personal data” and Novartis considers the protection of your personal data and privacy a very important matter.

Unless otherwise specified in any other policy communicated to you, Sandoz SA (Pty) Ltd, having its registered office at 72-74 Steel Road, Spartan, Johannesburg, 1618 is responsible for the processing of your personal data as it decides why and how it is processed, thereby acting as the “responsible party” or the “controller”. In this Privacy Notice, “we” or “us” refers to Sandoz SA (Pty) Ltd.

This Privacy Notice is divided into two parts. Part I contains key information about the specific personal data we process when you visit our ACC 200 website (www.acc200.co.za), why we process this data and how. Part II contains more general information about the standard technical or transactional personal data which we are processing about all visitors to our websites and users of our apps, as well as your rights in respect to all personal data collected about you.

We invite you to carefully read this Privacy Notice, and for any further question in relation to the processing of your personal data, we invite you to contact the Head: Data Privacy for the Africa Cluster at [email protected]

By agreeing to this Privacy Notice, you provide us with your consent to collect, receive, record, organise, collate, store, update, change, retrieve, read, process, use, distribute and share your personal data in the ways set out in this Privacy Notice, to the extent that such consent may be required to permit us to do so.

Part I – Key information

Sandoz SA (Pty) Ltd is processing personal data about you when you are visiting our website ACC 200 (www.acc200.co.za). This website is intended to provide general information on cough and sinus congestion and to provide you with information about ACC 200 and its use in these conditions.

Specific purposes for which we require your personal data

The collected information will be used by us for the following specific purposes:

To provide you with information about our product. Please note that the collected data may also be used by us for a number of other standard purposes (e.g. to measure the usage of our website and app), as set out in Part II below.

Duration of storage

We will only store the above personal data and the personal data listed in Part II for as long as there is a valid and lawful business reason to do so.

Cookies and other similar technologies

The following specific type of cookies and/or other tracking technologies are used on the ACC 200 website:

• Tag manager. Please note that we also rely on the usual cookies and other technologies for the standard purposes set out in Part II below (e.g. to ensure the proper functioning of our website or app).

Dedicated point of contact

Should you have any question in relation to the processing of your personal data in the above context, please contact Head: Data Privacy for the Africa Cluster at [email protected]

Part II – General information

The second part of this Privacy Notice sets out in more detail in which context we are processing your personal data and explains your rights and our obligations when doing so.

1. On what basis do we use your personal data?

We will not process your personal data if we do not have a proper justification foreseen in the law for that purpose. Therefore, we will only process your personal data if permitted by law, including under the following conditions:

° if we have obtained your prior consent; or

° if the processing is necessary to carry out actions for the conclusion or performance of a contract to which you are

a party; or

° if the processing is necessary to comply with our legal or regulatory obligations; or

° the processing protects your legitimate interest; or

° if the processing is necessary for our legitimate interests or the legitimate interests of a third party to whom the personal data is supplied, and does not unduly affect your interests or fundamental rights and freedoms.

Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interests and your privacy. Examples of such “legitimate interests” may include data processing activities performed:

  • to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers to process data);
  • to offer our products and services to our customers;
  • to prevent fraud or criminal activity, misuses of our services and products as well as the security of our IT systems, architecture and networks;
  • to sell any part of our business or its assets or to enable the acquisition of all or part of our business or assets by a third party; and
  • to meet our corporate and social responsibility objectives.

2. Who has access to your personal data and to whom are they transferred?

We will not sell, share, or otherwise transfer your personal data to third parties other than those indicated in this Privacy Notice.

In the course of our activities and for the same purposes as those listed in this Privacy Notice, your personal data can be accessed by or transferred to the specific third parties identified in Part I of this Privacy Notice and the following categories of recipients:

- our personnel (including personnel, departments or other companies of the Novartis group) on a strict need-to-know basis;

- our other suppliers and services providers that provide products and services to us;

- our IT systems providers, cloud service providers, database providers and consultants;

- our business partners who offer products or services jointly with us;

- any third party to whom we assign or novate any of our rights or obligations;

- our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets; and

- any national and/or international regulatory, enforcement, public body or court where we are required to do so by applicable law or regulation or at their request.

The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.

We work with affiliates and other trusted partners and service providers located outside of the Republic of South Africa (“South Africa”). The personal data we collect from you may therefore also be processed, accessed, stored in or transferred to a country outside South Africa, which may not offer a level of protection of personal data which is substantially similar to the protections as may be enjoyed in South Africa. If we transfer your personal data to any third party outside South Africa, we will do so in accordance with data protection laws applicable in South Africa. For intra-group transfers of personal data, the Novartis Group has adopted Binding Corporate Rules, a system of principles, rules and tools, which accord with the data protection principles provided by applicable law, in an effort to ensure effective levels of data protection relating to transfers of personal data to other countries. Read more about the Novartis Binding Corporate Rules by clicking here:

https://www.novartis.com/privacy-policy/novartis-binding-corporate-rules-bcr

3. How do we protect your personal data?

We have implemented appropriate reasonable technical and organisational measures as required by applicable law to provide a level of security and confidentiality to your personal data.

These measures take into account:

(i) the state of the art of the technology;

(ii) the costs of its implementation;

(iii) the nature of the data;

(iv) and the risk of the processing.

The purpose thereof is to protect it against accidental or unlawful destruction or alteration, loss, damage, unauthorised disclosure or access and against other unlawful forms of processing.

Moreover, when handling your personal data, we comply with the following obligations:

- we only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes;

- we ensure that your personal data remains up to date and accurate (for the latter, we may request you to confirm the personal data we hold about you and you are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date); and

- we may process any special personal data about yourself you voluntarily provide in compliance with applicable data protection rules and strictly as required for the relevant purposes listed above, the data being accessed and processed solely by the relevant personnel, under the responsibility of one of our representatives who is subject to an obligation of professional secrecy or confidentiality.

4. How long do we store your personal data?

We will only retain your personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal or regulatory requirements.

Unless otherwise indicated in Part I of this Privacy Notice, the retention period is 24 months after your last use of/access to the relevant website or app. When this period expires, your personal data is deleted from our systems and/or destroyed.

5. How do we use cookies and other similar technologies on our websites and apps?

5.1 Cookies

Cookies are small text files that are sent to your computer when you visit our websites or use our apps. We use cookies for the purposes set out above and in accordance with this Privacy Notice.

We do not use cookies to track individual visitors or to identify you but to gain useful knowledge about how our website and apps are used so that we can keep improving them for our users. Personal data generated through cookies are collected in a pseudonymised form and subject to your right to object to such data processing, as set out below.

In particular, in addition to the cookies listed in Part I of this Privacy Notice, we may also use the following types of usual cookies:

- user interface customisation cookies (i.e. cookies memorising your preferences);

- authentication cookie (i.e. a cookie allowing you to leave and return to our websites without having to re-authenticate yourself);

- video player cookies (i.e. cookies storing data needed to play back video or audio content and storing your preferences);

- first party analytics cookie (i.e. a cookie memorising the pages you visited and providing information about your interaction with those pages); and

- third party analytics cookies (i.e. cookies from third party suppliers tracking our website’s statistics and vice versa).

Please note that you can modify your browser so that it notifies you when cookies are sent to it. If you do not want to receive cookies, you can also refuse cookies altogether by activating the relevant settings on your browser. Finally, you can also delete cookies that have already been set.

For more information as to how to manage cookies on your device, please consult the Help function of your browser or visit www.aboutcookies.org, which contains comprehensive information on how to do so on a wide variety of browsers (link is external).

5.2 Other technologies

We may also use other technologies on our websites and apps to collect and process your personal data for the same purposes as set out above, including:

- Internet tags (such as action tags, single-pixel GIFs, clear GIFs, invisible GIFs and 1-by-1 GIFs, which are technologies allowing us to track users’ hits); and

- Adobe Flash technology (including Flash Local Shared Objects, unless you set your setting otherwise).

6. What are your rights and how can you exercise them?

You may exercise the following rights under the conditions and within the limits set forth in the law:

- the right to access your personal data as processed by us and, if you believe that any information relating to you is incorrect, obsolete or incomplete, to request its correction or updating;

- the right to request the erasure of your personal data or the restriction thereof to specific categories of processing;

- the right to withdraw your consent at any time, without affecting the lawfulness of the processing before such withdrawal;

- the right to object, in whole or in part, to the processing of your personal data; and

- the right to object to a channel of communication used for direct marketing purposes.

Please note however that, in certain circumstances, your refusal to accept cookies or browser setting may affect your browsing experience and prevent you from using certain features on our websites or apps.

If you have a question or want to exercise the above rights, you may send an email to [email protected] or a letter to P.O. Box 12257. Vorna Valley 1686. South Africa for the attention of the Head: Data Privacy for the Africa Cluster.

If you are not satisfied with how we process your personal data, please address your request to our Head: Data Privacy for the Africa Cluster, who will investigate your concern.

In any case, you also have the right to file a complaint with the relevant data protection authorities, in addition to your rights above. In South Africa, this is the Information Regulator, contactable at [email protected]

7. What technical and transactional data may we collect about you?

7.1 Categories of technical and transactional data

In addition to any information collected about you under Part I of this Privacy Notice, we may collect various types of standard technical and transactional personal data about you during your use of our websites and apps which are necessary to ensure a proper functioning of our websites and apps, including:

- information regarding your browser and device (e.g. internet service provider’s domain, browser’s type and version, operating system and platform, screen resolution, device manufacturer and model);

- statistics in relation to your use of our website and our app (e.g. information regarding the pages visited, information researched, time spent on our website);

- usage data (i.e. date and time of access of our website and app, files downloaded);

- your device’s location when using our app (unless you disabled this function by changing your device’s settings); and

- more generally, any information you provide to us when using our website and app.

Please note that we will not knowingly collect, use or disclose personal data from a minor under the age of 18 years without obtaining prior consent from a parent or legal guardian.

7.2 Why are we collecting technical and transactional data?

We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In addition to any purposes already communicated to you in Part I of this Privacy Notice, we also process your personal data collected during your use of one of our websites or apps for the following standard purposes:

- manage our users (e.g. registration, account management, answer questions and provide technical support);

- manage and improve our website and apps (e.g. diagnose server problems, optimise traffic, integrate and optimise web pages where appropriate);

- measure the usage of our website and apps (e.g. by drawing up statistics about the traffic, by gathering information regarding the users’ behaviour and the pages they visit);

- improve and personalise your experience and better tailor content to you (e.g. by remembering your selections and preferences, by using cookies);

- send you personalised location-based services and content;

- improve the quality of our products and services and expand our business activities;

- monitor and prevent fraud, infringement and other potential misuse of our website and app;

- reply to an official request from a public or judicial authority with the necessary authorisation;

- manage our IT resources, including infrastructure management and business continuity;

- preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct fraud, conducting audits, defending litigation);

- archiving and record keeping; and

- any other purposes imposed by law and authorities.

8. How will you be informed of the changes to our Privacy Notice?

Any future changes or additions to the processing of your personal data as described in this Privacy Notice will be notified to you in advance through our websites (via banners, pop-ups or other notification mechanisms).