Personal data protection & privacy

As a healthcare company, we handle large volumes of personal data, including information on participants in clinical trials, human biosample donors, patients and healthcare providers reporting safety concerns, and our employees. 

Policies and governance

We store and transfer personal data in and across different jurisdictions on a global level. The Novo Nordisk Code of Conduct and Business Ethics Compliance Framework are the basis for our global Personal Data Protection Compliance Programme. Together, they set the minimum global standards for how we handle and protect personal data.

We always comply with any stricter local legal requirements for protecting personal data. We recognise that domestic law may not adequately protect the right to privacy in some jurisdictions. Where there is a conflict between the national law and the internationally recognised human rights principle of privacy, we always seek to make a responsible decision about how to handle personal data. 

Novo Nordisk’s global Personal Data Protection Compliance Programme, including policies, training, and oversight mechanisms, is developed and maintained centrally, but each business area and its management are responsible for ensuring that their operations are in compliance with Novo Nordisk’s internal requirements and applicable law.

Assessing risks

Our Personal Data Protection Compliance Programme conducts cross-organisational reviews of risk to privacy in key functional areas to identify where we can reduce data collection and mitigate the highest risk to data subjects. The Personal Data Protection Compliance Programme continuously assesses risks and trends and monitors national and international laws to ensure continued compliance.

Actions

Our actions under the Personal Data Protection Compliance Programme include: 

  • Establishing standards detailing how employees must protect personal data;
  • Training employees on how to comply with the standards;
  • Monitoring and auditing to ensure that the standards are effectively implemented;
  • Investigating potential non-compliance and imposing disciplinary sanctions as appropriate;
  • Maintaining processes to allow individuals to request access, correction, and deletion of their personal data, and to object to processing of their data;
  • Maintaining processes to promptly respond to personal data breaches;
  • Requiring third parties who process data on our behalf to implement strict technical and organisational measures to protect personal data.

Performance

Novo Nordisk continually strives to strengthen our measures to respect and protect privacy. These include monitoring compliance with the Novo Nordisk Business Ethics Compliance Framework and Binding Corporate Rules, and regularly updating our risk-based global personal data protection strategy to reflect changes in law and social expectations around privacy.