SANOFI fully understands the importance of privacy and the protection of personal data in the digital era and is committed to ensure an adequate level of data protection for all persons with whom SANOFI has dealings. This includes, notably:
- patients and their relatives and carers
- participants in clinical trials
- healthcare professionals
- users of our products and services, including websites and app users
- representatives of our service providers, suppliers, contractors and business partners
- representatives of the scientific community
- job applicants
What you will find in this document
In certain circumstances, we may, if necessary, provide you with specific privacy information notices and/or consent forms (“Privacy Notice”), which will describe in more detail how your personal data will be processed. It is important that you read this Policy together with any Privacy Notice we may provide so that you are fully aware of how and why we are using your personal data. Click on the links below for more detailed information on our data processing activities in the following areas:
- Staying in touch privacy notice – information on how Sanofi processes personal data provided when you sign-up to receive emails from us with information about goods or services we feel may be of interest to you; and
- Webinars privacy notice – information on how Sanofi may collect and process personal data when you register for and/or attend one of our webinars.
The objective of this Policy is to help you understand the following areas. Click on the links to go straight to the specific section.
- What: What personal data SANOFI collects about you
- Where from: Where SANOFI collects your personal data from
- The purposes: For what reasons and purposes SANOFI processes your personal data
- On what ground: On what basis SANOFI processes your personal data
- Who: Who SANOFI shares your personal data with
- Where: Where SANOFI may transfer your personal data
- How secure: What SANOFI does to protect your personal data
- How long: SANOFI’s approach to determining how long to retain your personal data
- Your rights: What your rights are and how you can exercise them
- How to contact us: Where and how you can reach us if you wish to exercise your rights or if you have a question
Who is SANOFI and what is our role?
SANOFI is made up of different legal entities and, in the UK, SANOFI conducts its business through Aventis Pharma Limited and Opella Healthcare UK Limited. When we mention “SANOFI”, we are referring to the relevant company in the SANOFI group responsible for processing your data.
Each Privacy Notice will set out which SANOFI entity will be the controller and determines for what reasons (i.e. the purposes) your personal data is processed as well as the resources (i.e. the means) allocated to such processing. Unless specified otherwise, Aventis Pharma Limited is the controller and responsible for www.sanofi.co.uk and any other SANOFI website that links to this Policy.
We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this Policy. If you have any questions about this Policy, including any requests to exercise your rights (as detailed in the “Your rights” section below), please contact our data protection officer as described in the “How to contact us” section below.
Changes to this Policy
This Policy may be modified by SANOFI from time to time, in particular in the event of changes in the law or SANOFI’s practices. Changes to this Policy will be made available on this page. We invite you to check this Policy periodically. The date on which this Policy was last updated is shown at the end of this document.
1. What: What personal data SANOFI collects about you
Personal data, or personal information, means any information relating to an individual from which that person can be identified.
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Identity data, which includes name, username or similar identifier, social media usernames, profile photos, title, date of birth, age, gender, race and ethnicity, photographs, and audio and visual recordings.
Contact data, which includes address, email, and telephone and mobile phone numbers.
Professional data, which includes job title, place of work, employment history, education, work address, areas of practice and specialisms.
Financial data, which includes bank account and payment card details.
Transaction data, which includes details about payments to and from you, and other details of products and services you have purchased from us, including customer account numbers.
Technical data, which includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our websites.
Profile data, which includes your username and password, purchases or orders made by you, and your interests, preferences, feedback and survey responses.
Usage and engagement data, which includes information about how you use our websites, products and services. We may use tracking pixels and encoded URL strings to track when emails we send you have been opened and which links in an email have been clicked. Tracking pixels are small image files which are embedded in emails and downloaded to your device when you load the pictures in an email. You can turn off pixels by turning off the images in the email itself. Encoded URL strings are pieces of code that are added to links. These do not use any technology (e.g. local storage, cookies etc.) to store or access data on your device. Through the use of tracking pixels and encoded URL strings, we collect information about your opening of the email (including time and date, your IP address, the city where you opened the email, the type of device, browser and operating system used to open the email) and the links you click on in the email.
Health data, which includes information about your health, diseases you may have, medicines you may be taking, adverse effects you may have experienced, and genetic and biometric data.
Beliefs and interests data, which includes details about your religious or philosophical beliefs, political opinions, hobbies and interests.
Marketing and communications data, which includes your preferences for receiving marketing from us and our third parties and your communication preferences
Some of our websites use analytics tools such as Google Analytics, Mouseflow and Amplitude to collect anonymous data to customise, measure and improve our websites.
Amplitude is a web analytics service that collects engagement data across Sanofi’s customer-facing digital platforms using cookies. This includes website activity, such as (if relevant) data on how a user reached a website via a third-party or social media platform, as well as data on the performance of email campaigns. If amplitude cookies are installed on a website, you can opt out through the Cookie Preference Centre on that website. More information on how Amplitude processes personal data can be found at amplitude.com/privacy/archive/2022-12
In some cases, if you create a customer profile on a Sanofi website, the anonymous data collected from your interactions with Sanofi websites prior to creating the profile (including pages you viewed, content you accessed) may become deanonymised and then combined with data from other Sanofi platforms. This additional data may include:-
- data from customer registrations and logins
- data from Sanofi’s Customer Relationship Management (CRM) software, including sales representative visits, calls and the content detailed in those calls.
- data from marketing emails sent from Sanofi such as sends, opens, and clicks.
2. Where from: Where SANOFI collects your personal data from
SANOFI may collect your personal data from different sources:
- Data that you communicate to us through various media, registrations, applications, surveys, and direct and indirect interactions with SANOFI. For example, data you provide to purchase our products or services, when you meet or communicate with us, when you post a message on a SANOFI bulletin board or comments thread, to register for scientific events sponsored by SANOFI, to participate in a patient support programme, to report an adverse event, to submit an online application, to create an account on our websites, or to contact us or send us a request for information.
- Data that we collect from publicly available sources, including identity, contact and health data from SANOFI managed social media pages or accounts such as Twitter or Facebook (for example, when you post a query or report an adverse event).
- Data that we obtain from third parties, for example, technical data from analytics providers such as Google, contact, financial and transaction data from providers of technical, payment and delivery services, identity, contact and professional data from data brokers or aggregators such as IQVIA, and identity and health data from healthcare professionals when they report an adverse event.We may also need to confirm contact or financial information with third parties or verify the registration of healthcare professionals.
- In such cases, we generally receive such personal data from third parties that are authorised to share it in the framework of their own privacy and data protection policies or in accordance with the law. As applicable, we will inform you in the Privacy Notice of the identity of those third parties and will invite you to refer to their privacy and data protection policies so that you can determine where they obtained that personal data from and how they have processed it.
Personal data relating to children
In some instances we may collect personal data about children for the provision of our services, such as clinical activities or for patient support programs, with the consent of his/her parent or guardian. However, we do not otherwise knowingly solicit personal data from, or market to, children. If a parent or guardian becomes aware that his or her child has provided us with personal data, he or she should contact us as described in the “How to contact us” section below. We will take steps to delete such information from our database in accordance with applicable legal requirements.
3. The Purposes: For what reasons and purposes SANOFI processes your personal data
SANOFI collects your personal data for the following purposes:
- to carry out our business operations, including to carry out marketing and sales; to register you as a customer; to provide you with access to SANOFI’s products and services; to process and deliver your order, including to manage payments, fees and charges, and collect and recover money owed to us; to respond to your requests; and to keep track of our interactions and meetings, such as when you contact us for information and support.
- to comply with legal or regulatory obligations that apply to SANOFI, including to monitor safety; to manage and report adverse events; to carry out prevention and investigatory activities; to document and publicly disclose certain transfers of value made to healthcare professionals, healthcare organisations and patient organisations; and to carry out administrative formalities, registrations, declarations and audits.
- to provide patient support, healthcare support services, patient engagement and prescription information, including to provide, manage and administer patient support and homecare programmes; and to manage claims, including insurance claims.
- to conduct research and development, including to carry out clinical studies, registries and trials; to manage and validate the recruitment and participation of individuals in studies, trials and other operations; to analyse demographic data; to offer special programs, activities, trials, events and promotions via our services; and to carry out market and consumer studies.
- to provide you access to online services, applications and platforms, including to administer our websites and keep them safe and secure; and to manage your online accounts.
- to allow us to identify or authenticate you, including to provide or verify your credentials including via passwords, password hints, security information and questions, government-issued ID, healthcare professional number, driver’s license data, and passport data.
- to improve and develop our products and services, including to identify usage trends and develop new products and services; to understand how you and your device interacts with our services; to customise, measure and improve our websites, products and services, marketing, customer relationships and experiences; to track and respond to safety concerns; to determine the effectiveness of our promotional campaigns; and to conduct surveys. If we use tracking pixels or encoded URL strings in emails we send you as described in the "What” section above, we will use the data we collect to measure the performance and improve the content of our emails (for example, by ensuring that our emails are compatible with your type of browser or device). Please see the "What” section above for more details on our use of tracking pixels and encoded URL strings, including how to turn tracking pixels off.
- to personalise our communications with you and your experience when using our services, including to personalise the way we communicate with you and the content of those communications (through all channels) to ensure they are in line with your preferences and relevant to your practice and interests; to ensure that our services are presented in the way that best suits you; and to present you products and offers tailored to you. This may include combining your data with other information we may already have about you from other sources (e.g. from our interactions through other channels). It may also include analysing and predicting your preferences, interests and prescribing behaviours. We may use segmentation techniques to do this, which involves dividing our customers into smaller groups or “segments” that are likely to have similar preferences and interests, so that we can personalise our communications with you.
- to allow us to communicate with you, including to respond to your requests and inquiries; to provide support for products and services; to provide you with important information, administrative information, required notices, and promotional materials; to send you news and information about our products, services, or brands and operations; and to organise and manage professional events and congresses, including your participation in such events.
- to process payments we may need to issue in a specific situation, including to verify your financial data and to facilitate further payments.
- to process requests for donations and sponsorships, including from organisations you may represent, such as hospitals or universities.
- to respond to legal requests, including from administrative and judicial authorities, in accordance with applicable laws; to comply with a subpoena, required registration, or legal process.
- to protect our rights and interests, including to protect the health, safety and security of SANOFI personnel and premises; to carry out internal audits, asset management, system and other business controls; to manage business administration (finance and accounting, fraud monitoring and prevention); to maintain the security of our services and operations; to protect our rights, privacy, safety and property; to allow us to pursue available remedies and limit the damages that we may incur as necessary; and to protect ourselves against possible fraudulent actions.
If you sign-up to receive email updates from Sanofi, we will also use your personal data in the ways described in our separate Staying in touch privacy notice.You may unsubscribe from receiving these emails at any time by following instructions which will be provided in each email.
4. On what ground: On what basis SANOFI processes your personal data
Depending on the data processing in question, SANOFI will generally process your personal data on one of the following legal grounds:
- With your prior consent, where you have clearly expressed your consent to SANOFI’s processing of your personal data. In practice, this will generally mean that SANOFI will ask you to sign a document, to fill in an “opt-in” form or to follow a procedure to allow you to be fully informed, and then either clearly accept or refuse the data processing envisaged.
- Where needed to perform a contract between you and SANOFI. In this case, the processing of your personal data is generally necessary for the execution or performance of that contract; this means that if you do not wish for SANOFI to process your personal data in that context, SANOFI may refuse to enter into such contract with you or may not be able to provide you with the products or services covered by that contract.
- Where we need to comply with legal obligations applicable to SANOFI’s activities, for instance, SANOFI is required to implement pharmacovigilance procedures to monitor adverse effects of marketed products, which generally involves the collection and retention of personal data.
- Where it is necessary for the “legitimate interests” of SANOFI, meaning the interests of our business in conducting and managing our business to enable us to give you the best service/product, and the best and most secure experience. In this case, SANOFI will consider and balance your fundamental rights and interests and any potential impact on you when determining whether the processing is legitimate and lawful and before we process your personal data. We will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting as described in the “How to contact us” section below.
As described in “The Purposes” section above, we may collect and process your personal data when you visit our websites (including through cookies) for a number of purposes, such as to administer and protect our websites, to deliver relevant website content to you, and to use data analytics to improve our websites. In these cases, we will process your personal data on the basis that it is necessary for our legitimate interests (for provision of administration and IT services and network security, to keep our website updated and relevant, to study how customers use our products/services and to develop our business).
If we use tracking pixels or encoded URL strings in emails we send you as described in the “What” section above, we will process your personal data on the basis that it is necessary for our legitimate interests (to develop our products/services and grow our business).
When we process your personal data for other purposes, we will notify you of the specific legal ground we are relying on to process your personal data in the Privacy Notice we provide you.
SANOFI may, on a case-by-case basis, rely on other legal grounds for processing your personal data, such as the protection of your vital interests. If this is the case, we will notify you in a Privacy Notice.
Please note that we may also process your personal data on the basis of more than one legal ground depending on the specific purpose for which we are using your data.
Please contact us as described in the “How to contact us” section below if you need details about the specific legal ground we are relying on to process your personal data.
5. Who: Who SANOFI shares your personal data with
For the purposes described above, SANOFI may need to share your personal data with the following authorised third-parties:
- Sanofi and its affiliates who undertake leadership reporting, and provide IT and system administration services and other services.
- our partners, such as healthcare professionals and organisations, distributors and agents, and other members of the healthcare and pharmaceutical industry.
- selected suppliers, service providers and vendors acting upon our instructions who provide website hosting, payment processing, order fulfilment, information technology, system administration and related infrastructure provision, customer service, healthcare professional validation, email delivery, data analysis, auditing, market research, digital monitoring, marketing, advertising, brand, communication and other services.
- healthcare and patient service providers who administer patient support and homecare programmes on behalf of SANOFI and provide other healthcare services such as nurse services.
- professional advisors including lawyers, bankers, auditors and insurers, who provide consultancy, banking, legal, insurance, accounting and other services.
- legal, regulatory, administrative and other authorities, as required by applicable laws including laws outside your country of residence.
- potential acquirers and other stakeholders in the event of a merger or legal restructuring operation such as an acquisition, joint venture, assignment, spin-off or divestiture.
- sponsors of sweepstakes, contests and similar promotions.
SANOFI may need to share your personal data with other third-parties, in which case we will inform you in the applicable Privacy Notice.
In any case, SANOFI will require that all such third-parties:
- undertake to comply with data protection laws and the principles of this Policy.
- only process the personal data for the purposes described in this Policy and in accordance with our instructions.
- implement appropriate technical and organisational security measures designed to protect the integrity and confidentiality of your personal data.
6. Where: Where SANOFI may transfer your personal data
SANOFI is a multinational organisation with affiliates, partners, suppliers, service providers and vendors located in many countries around the world. For that reason, SANOFI may need to transfer (via access, visualisation or storage) your personal data to other jurisdictions, including countries outside the UK which may not be regarded as providing the same level of protection as the UK.
Safeguards for international transfers of personal data: In cases where SANOFI needs to transfer personal data outside the UK, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data. For further details, see UK Information Commissioner's Office: Is the restricted transfer covered by "adequacy regulations"?
- Where we use certain suppliers, service providers or vendors, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK, known as “Standard Contractual Clauses”. For further details, see UK Information Commissioner's Office: Is the restricted transfer covered by appropriate safeguards?
- Where we transfer data to our group companies, such as for clinical studies or pharmacovigilance, we ensure your data is protected by requiring all our group companies to follow the sale rules when processing personal data. These are called “Binding Corporate Rules”. For further details, see UK Information Commissioner's Office: Is the restricted transfer covered by appropriate safeguards?
Please contact us as described in the “How to contact us” section below of you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
7. How secure: What SANOFI does to protect your personal data
We have implemented a variety of technological and organisational procedures and measures to ensure the integrity and confidentiality of your personal data from unauthorised access, use and disclosure. These measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks posed by the processing (in terms of likelihood and severity) to your rights and freedoms. For instance, we store your personal data on servers that have various types of technical and physical access controls, which may include, for instance, if appropriate, encryption. We may also aggregate, pseudonymise or anonymise personal data to ensure that no personally identifiable information is communicated to third parties.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
8. How long: SANOFI’s approach to determining how long to retain your personal data
SANOFI will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, as outlined in this Policy.
As an exception, SANOFI may be required to retain your personal data for longer periods as required or permitted by law, or as necessary to protect its rights and interests. In such a case, you will be informed of the intended retention period in the applicable Privacy Notice.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting and other requirements.
In some circumstances you can ask us to delete your data: see the "Your Rights" section below for further information.
We may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
9. Your rights: What your rights are and how you can exercise them
Under certain circumstances, you have rights under data protection laws in relation to your personal data.
- to request access to your personal data. This enables you to receive a copy of your personal data, unless such data is already made directly available to you, for instance within your personal account.
- to request correction of your personal data should your personal data be inaccurate, incomplete or obsolete.
- to request the deletion of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- to withdraw your consent at any time to the data processing, where your personal data has been collected and processed by SANOFI on the basis of your consent. Note, this will not affect the lawfulness of processing up until the time at which you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
- to object to the processing of your personal data, including profiling, where your personal data has been collected and processed on the basis of the legitimate interests of SANOFI or where SANOFI is processing your personal data for direct marketing purposes. To exercise this right you will need to justify your request by explaining to us your particular situation and why you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- to request restriction of the processing of your personal data This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data's accuracy.
- Where our use of the data is unlawful but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- to request the transfer of your personal data from SANOFI to you or a third-party, where technically feasible, in which case we will provide to you, or a third-party of your choice, with your personal data in a structured, commonly used and machine-readable format. Please note however that this right only applies to automated information where the processing is based on your consent or in order to perform a contract with you.
If you would like to exercise any of these rights, please contact us as described in the “How to contact us” section below and we will take necessary steps to respond as soon as possible.
You also have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues (www.ico.org.uk), regarding the processing of your personal data. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
10. How to contact us
SANOFI welcomes any questions or comments you may have regarding this Policy or its implementation.
You can send any questions about this Policy or SANOFI’s use of your personal data to our Data Protection Officer using the contact details below:
Post: 410 Thames Valley Park Drive, Reading Berkshire, RG6 1PT
Last updated: September 2023
Date of preparation October 2023