Novo Nordisk’s Privacy Notice for Partner Apps

Effective Date December 1, 2020

A. INTRODUCTION

This Privacy Notice applies to you if you are using a connected insulin pen provided by Novo Nordisk (below referred to as a “Smart Insulin Pen”). The Privacy Notice applies when you use a Smart Insulin Pen to-gether with any third party’s software application that is compatible with the Smart Insulin Pen (such third party referred to as a “Partner” and such application referred to as a “Partner App” below). The Privacy No-tice does not apply to situations where we have notified you that an al-ternative privacy statement applies, nor does it apply to Novo Nordisk websites, including websites operated by other Novo Nordisk affiliates. You should review the privacy statement posted on the Novo Nordisk websites when you visit them. For information on how your data is used by a Partner, please see the privacy notice provided by the relevant Partner.

This Privacy Notice tells you what we do with your personal data. When referring to “Novo Nordisk”, “we”, “our” and “us”, we mean Novo Nordisk A/S. We encourage you to contact Novo Nordisk or the Novo Nordisk Data Protection Officer at privacy@novonordisk.com if you have questions about this Privacy Notice. To take advantage of your data privacy rights as a user of a Smart Insulin Pen, please contact the Partner via the con-tact information set out in the privacy notice provided by that Partner. 

Our contact information is:

Novo Nordisk A/S 
Novo Allé
2880 Bagsværd
Denmark 
CVR number 24256790
+45 4444 8888 
privacy@novonordisk.com 

Below you will find a description of the personal data, which Novo Nordisk may collect and process about you in connection with your use of our Smart Insulin Pen, as well as the purpose and on which basis we are processing the data. Your personal data is information that can spe-cifically identify you.

B. OUR USE OF YOUR PERSONAL DATA

Personal data collected as part of your use of a Smart Insulin Pen together with a Partner App (optional information)

Before you provide data as part of your use of a Smart Insulin Pen to-gether with a Partner App, we will ask for your explicit consent, which you will provide separately from this Privacy Notice in the Partner App. If you do not consent, it will not affect your use of the Partner App and you can change your preference at any time.

If you consent to provide the information to us, we will use this infor-mation to help us understand which features are the most useful, and to assess, document, or improve the use and effects of our products and services.

As part of your use of a Smart Insulin Pen together with the Partner App and only based on your explicit consent, the Partner may collect and share any of the information listed below with Novo Nordisk for our use as described above, to the extent the data is registered in the Partner App. We do not receive your name or contact information. The only in-formation linking you to the data is the Patient ID. The Patient ID is a us-er number generated by the Partner, and only the Partner will be able to connect the Patient ID to you by name. In other words, the data that Novo Nordisk receives about you is pseudonymized.

(a) Patient ID

(b) Age

(c) Country/region of residence

(d) Gender

(e) Height and weight

(f) When and how your consent was obtained

(g) Smart Insulin Pen type, status, serial number, firmware, settings, system ID and error messages

(h) Smartphone brand and operating system

(i) Type of insulin or other types of diabetes medication used

(j) Dose log data (dose size, date & time stamp of dose, information from notes, classification as priming or therapeutic)

(k) CGM/BGM/manually entered BG log data (blood glucose infor-mation)

(l) Other health data that you provide (for example ketone levels, carbohydrate count, meal timing, step count, other activity track-ing or blood pressure)

(m) Type of diabetes 

(n) Years of living with diabetes 

(o) Status as Legal Guardian, if applicable

Personal data used for safety reporting

If you have chosen to provide us with information as described above, we may use that information for safety reporting if we believe we are required to do so to comply with any law, regulation, court order, legal or government request. Please see the Notice of Personal Data Processing related to Safety Information for more information.

C. THE PROTECTION AND SHARING OF YOUR DATA

We will receive your personal data from the Partner in pseudonymized form so that we cannot refer it to you by name. The data will be treated as confidential information by those who are allowed to access it. We will only use the data for the purposes set out in this Privacy Notice. We may disclose your data where such disclosure is necessary for compliance with a legal obligation to which we are subject. 

Third party service providers engaged by Novo Nordisk (processors), such as IT service providers and consultants, may access your pseudon-ymized personal data on behalf of us and only for use as described in this Privacy Notice. 

D. STORAGE AND DELETION

We store your personal data for as long as necessary for us to fulfil the purpose of the processing. Where we process your personal data with your consent, we will keep and process the data until you ask us to stop and for a short period of time after this (and solely to allow us to imple-ment your requests), if there is no other legal ground for further pro-cessing, such as a requirement under applicable law to keep your per-sonal data for a longer period of time. If deleting your data would make ongoing research impossible, or significantly impair it, we may keep the necessary part of your data for use solely as required for that research. After that, your personal data will be deleted or anonymized. 

E. YOUR RIGHTS

As a data subject you have a number of rights which are described below. Since Novo Nordisk does not have your name or contact information, we cannot link you to the data that we have if you reach out to us directly. Instead, we ask you to contact the Partner that is providing the Partner App. The Partner will forward the request to us along with your Patient ID, and we will then be able to help you without learning your identity. Please use the contact information set out in the privacy notice provided by that Partner. You can also let us know which Partner App you are using, and we will provide you with the relevant contact information to that Partner.

Your rights are:

The right to information. You can obtain further information on the personal data, which we store and processes about you by contacting the Partner requesting access to the information that Novo Nordisk has about you. 

The right to a copy. You can obtain a copy of your personal data in a structured, commonly used and machine-readable format by contacting the Partner with this message.

The right to object. You can object to the processing of your personal data at any point in time by contacting the Partner with this message.

The right to restrict data processing. You have the right to request restriction of our use of your personal data for the duration of any inves-tigation review that you have requested.

The right to rectify. You can at any point in time request correction of your personal data by contacting the Partner requesting that your infor-mation is rectified.

The right to withdraw the consent. You can at any point in time with-draw your consent to the processing of your personal data by contacting the Partner stating that you are withdrawing your consent to Novo Nordisk’s processing as described above.

The right to erasure. You have the right to request the erasure of your data by contacting the Partner stating that you wish to have your data erased by Novo Nordisk. There are exceptions to the right to erasure, for example where we have a legal obligation to keep the data. 

The right to complain. If you have any complaints about Novo Nordisk’s processing of your personal data, you may contact the Danish Data Protection Agency, or lodge a complaint with the supervisory au-thority where you are based. The names and contact information of all supervisory authorities in the EU are listed here.

F. CHANGES

As technology and data protection and device legislation are constantly changing, we may have to change this Privacy Notice from time to time. We will inform you of changes through our Partners and/or Partner Apps with an appropriate advance notice period and, if necessary, obtain new consents. 

G. PERSONAL INFORMATION OF CHILDREN

We do not knowingly collect personal data from children without the con-sent of their respective parent or legal guardian. If we learn that a child, who is not old enough to consent according to the terms of the relevant Partner App, has provided us his/her personal data without the consent of his/her parent or legal guardian, we will delete that information. If you believe a child that does not meet the age limit stated in the relevant Partner App has provided his/her personal data without the consent of his/her parent or legal guardian, please contact the Partner.