Personal data protection and privacy

As a healthcare company, we handle large volumes of personal data, including information on participants in clinical trials, human biosample donors, patients and healthcare providers reporting safety concerns, and our employees.


Policies and governance

We store and transfer data in and across different jurisdictions on a global level. We always comply with local legal requirements for protecting personal data. We recognise that domestic law may not adequately protect the right to privacy in some jurisdictions. Where there is a conflict between the national law and the internationally recognised human rights principle of privacy, we always seek to make a responsible decision about how to handle personal data.

The Novo Nordisk Binding Corporate Rules are the basis for our global Personal Data Protection Compliance programme. This includes a governance structure, procedures, training for employees working with personal data, and oversight mechanisms to ensure effective data protection and respect for the rights of data subjects. Read the Novo Nordisk Binding Corporate Rules here (PDF).

Novo Nordisk’s global Personal Data Protection Compliance programme is developed and maintained centrally, but each business area and its management are responsible for ensuring that their operations are in compliance with Novo Nordisk policies and procedures.


Assessing risks

Our Personal Data Protection Compliance programme conducts cross-organisational reviews of risk to privacy in key functional areas to identify where we can reduce data collection and mitigate the highest risk to data subjects. The Personal Data Protection Compliance programme continuously assesses risks and trends and monitors national and international laws to ensure continued compliance.


Actions

Our actions under the Personal Data Protection Compliance programme include:

  • Standards detailing how employees must protect personal data, such as:

    a) procedures for providing individuals with notice of how their personal data will be processed

    b) procedures allowing individuals to request access, correction, and deletion of their personal data, and to object to processing of their data

    c) legally binding agreements with third parties who process data on our behalf requiring them to implement strict technological and organisational measures to protect personal data

  • Training for employees on how to comply with the standards
  • Communication pathways to disseminate updates on compliance standards to employees and to solicit complaints and reports of non-compliance
  • Monitoring and auditing processes to ensure that the standards are effectively implemented
  • Processes to investigate any potential non-compliance
  • Disciplinary sanctions for non-compliance with the standards


Performance

In the past few years we have strengthened measures to respect privacy. These include the development of the Novo Nordisk Binding Corporate Rules, a Personal Data Protection strategy and a governance and compliance programme. We are on track to implement additional protections for personal data, including documentation of data processing activities and mitigating actions for key risks to data subjects as required by the new EU data protection law.