Roche’s Privacy notice for pharmacovigilance, medical information and product complaints

General Information

At F. Hoffmann-La Roche Ltd and the legal entities of Roche Group (hereafter “Roche”, “we”, “us”), we take data privacy seriously and treat all your personal data in accordance with the Roche General Privacy Policy and applicable privacy and data protection laws, including as applicable the Swiss Federal Data Protection Act, the European Union General Data Protection Regulation (GDPR), the Personal Information Protection Law of the PR China (PIPL) and other applicable local laws that regulate the storage, processing, access and transfer of personal data.

This Privacy Notice (“Notice”) intends to explain how Roche collects and processes your personal data for the purposes of pharmacovigilance related activities, medical information inquiries and product complaints. The scope of this Notice is limited to the collection and processing of your personal data for pharmacovigilance, medical information inquiries and/or product complaints. For general information about data processing at Roche, please visit the

This Notice applies to (a) patients or their representatives reporting safety information including but not limited to adverse events or submitting a quality complaint relating to any one of Roche’s products, and (b) any individual reporting safety information including but not limited to adverse events or a quality complaint relating to any one of Roche’s products as part of the professional activities of such individual (e.g. professional caregiver, healthcare professional such as a medical doctor, a pharmacist, a nurse, Roche employee, Roche service provider or partner employee etc.).

Identity and contact details of the data controller

F. Hoffmann-La Roche Ltd, Grenzacherstrasse 124, CH-4070 Basel, Switzerland, email:(“Roche”) is the data controller. You may contact our Global Privacy Office with inquiries relating to the scope of this Notice. The Global Privacy Office may then re-direct you to a local privacy office of the Roche Group entity that can best serve your needs. 

In the event that your personal data is covered by the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”): EU representative of F. Hoffmann-La Roche Ltd is Roche Privacy GmbH, Emil-Barell-Str. 1, D-79639 Grenzach-Wyhlen,

In the event that your personal data is covered by the UK GDPR: UK representative of F. Hoffmann-La Roche, Ltd. is Roche Products Limited, 6 Falcon Way, Shire Park, Welwyn Garden City, AL7 1TW, United Kingdom,

For United States (“US”) residents, theprovides the appropriate channels for contacting Roche with questions, requests, and inquiries in the scope of US state privacy laws.

In the event that your personal data is covered by the China Personal Information Protection Law (PIPL): Shanghai Roche Pharmaceuticals Co., Ltd., No. 1100 Longdong Avenue, Pudong District, Shanghai, email:

Purposes and legal basis for processing:
  • Pharmacovigilance

Any personal data provided to Roche related to adverse events or other activities related to pharmacovigilance will be used for these purposes. This information is very important for public health and will be used for the detection, assessment, understanding and prevention of adverse effects or any other medicine-related problem.

For the processing of personal data for pharmacovigilance, Roche relies on a legal obligation and for reasons of public interest, as the processing is necessary to comply with Roche legal pharmacovigilance (GVP) obligations.

  • Product Complaints

Any personal data provided to Roche related to a product complaint will be used for these purposes. This information is very important for public health and will be used for the evaluation, classification and assessment of the product complaint, to follow up on such requests and to maintain the information in a product complaints database for reference.     

For the processing of personal data for product complaints, Roche relies on a legal obligation and for reasons of public interest. 

  • Medical Inquiries     

Any personal data provided to Roche related to a medical inquiry may be used to answer the inquiry, follow up on such requests and maintain the information in a medical information database for reference. Where required by law (such as for pharmacovigilance and drug safety), we may also be required to report the data to regulatory authorities. 

Roche relies on legitimate interest to follow-up on medical inquiries. If you are a patient, Roche will process your personal data based on your explicit consent.

Categories of personal data processed

The type of information that we collect from you will depend on the data subject and the type of processing activity:

  • Pharmacovigilance: We collect the name, contact details, and affiliations/profession of the reporting individual. We may collect some additional personal data related to the health and medical history of the individual experiencing an adverse event if required for processing of the adverse event for pharmacovigilance purposes.

  • Medical Inquiries: We may collect the name, contact details and affiliation/profession of the individual making the inquiry.

  • Product Complaints: We may collect the name, contact details and affiliation/profession of the individual reporting the complaint. We may collect some additional personal data related to the health and medical history of the individual affected by the product complaint if such information is relevant to evaluate, classify and assess the product complaint.

Recipients of your personal data

Roche may share the data you provided to us among Roche Group companies and affiliates. We share data in order to operate a Roche global pharmacovigilance database, the Roche product complaint database and to fulfil regulatory obligations deriving from applicable pharmacovigilance legislation and/or legislation regarding drug safety. The current Roche Financial Report, which you can find in the Investors section of our website, contains a list of Roche subsidiaries and associates.

We may also share data with other third parties, such as service providers and experts for technical maintenance of our platforms, support and consultancy services.

Roche is conducting activities covered by this Privacy Notice globally, as required by applicable laws and regulations, as well as industry standards and best practices. In particular, in the field of pharmacovigilance, Roche and the local companies that act as the so-called marketing authorization holder may have to share information with supervisory authorities worldwide to the extent the data is potentially relevant to such authorities for reasons of drug safety.  We are mindful that the data relating to you may be processed in a jurisdiction that has different data protection standards compared to your place of residence. But to ensure the safety of our products and to advance the safety of medical procedures the global accessibility of information is of utmost importance. Such reports contain details about the incident but will only contain limited personal data:

  • Patients: Information as provided, including age or date/year of birth (where permitted by regulations) and gender (note that patient name will never be provided)

  • Reporting Individuals: Information as provided to allow the regulatory authority to follow up with the reporting individual, including name, profession, initials, address, email, phone number

It is also important to note that Roche or other entities of Roche Group will not share any information with your health insurance provider unless we are legally obliged to do so under applicable local laws and regulations.  

Additional information in case your data is covered by EU GDPR, UK GDPR and Swiss Federal Act on Data Protection: It is possible that in the exchange of data within the Roche Group, business partners and service providers, your personal data may be transferred to countries that do not provide the same level of protection as your own. In this case, contracts containing the EU Standard Contractual Clauses according to the EU Commission decision of 04 June 2021 (EU 2021/914), and the UK and Swiss supervisory authority’s decisions, constitute appropriate and suitable safeguards to ensure compliance with GDPR, UK GDPR and Swiss Federal Act on Data Protection. In certain specific situations, Roche may need to share the personal data, where it is not possible or not appropriate to agree on contractual data protection safeguards with a third party recipient. Such circumstances include when Roche has to share certain information with a regulatory authority for purposes of a recognized public interest, such as product safety or product efficacy assessments. In such a case, Roche may rely on the derogation under Art. 49(1)(d) GDPR when the transfer is necessary for important reasons of public interest. 

For all other countries, Roche is ensuring compliance with the local applicable rules and regulations on the cross-border transfer of personal data. Roche is applying legal, technical and organizational measures to ensure the members of Roche Group and all partners we collaborate with ensure the same consistent, high level of data protection globally. We are continuously monitoring legal developments in this area and adjust our processes if and as required.

Storage period

As information related to pharmacovigilance (reports about adverse events) is important for public health reasons, reports are kept for a minimum of 10 years after the withdrawal of the product in the last country where the product is marketed.

Personal data retained as part of a medical information inquiry are kept for a minimum of 10 and a maximum of 15 years after receipt.

As information related to product complaints and drug safety is important for public health reasons, complaint records, including personal data contained, are kept for a minimum of 15 years.


Information about your rights

Various data protection laws and regulations around the world provide for specific data subject rights. Roche is committed to adhere to such rights and to support you in case you want to exercise any of your rights as a data subject. Roche has set up robust processes to support your request and we are here to help you in case you have questions or concerns regarding the processing of personal data for the purposes in scope of this Notice. 

If the processing of your personal data is covered by GDPR/UK GDPR, please note that you have the right to request from Roche information on which personal data we store and the purpose for which we process them. You can also request access to and rectification of your personal data as well as the right to data portability, if applicable (which means if the legal basis for collecting your data is consent). Erasure or restriction of processing is only possible if and to the extent the processing of personal data is based on consent or legitimate interest. Please note that due to our legal obligations for pharmacovigilance legislation, Roche may not be able to erase or restrict processing of your data if processed for pharmacovigilance.

In accordance with the Swiss Federal Act on Data Protection, please note that you have the right to request from Roche access to your personal data, a copy of your personal data, to rectify your personal data or to have Roche register a note of dispute. Additionally, you have the right to erase or anonymize personal data relating to you if such data is no longer needed for the purpose for which you provided it, and the right to restrict the processing of your personal data to specific purposes if erasure is not possible.

In accordance with the Chinese PIPL you have the right to know what personal data Roche collects about you, the right to request from Roche access to and rectification of your personal data as well as the right to data portability, if applicable, or erasure or restriction of processing of your personal data. 

If data processing is based on your consent, kindly note that you have the right to withdraw your consent at any time, however, without affecting the lawfulness of processing based on consent before its withdrawal. If you would like to contact us to exercise your right to withdraw consent, please see our contact details in the section “Identity and contact details of the data controller”.

To prevent your data from being entered into our systems again after your request for erasure, in your interest and for us to comply with applicable privacy laws, we may keep your name and e-mail address with a flag “Don’t contact anymore” in our systems.

In case you have the impression that our data processing is non-compliant with the EU GDPR or other applicable data protection laws and regulations: You are entitled to lodge a complaint with the responsible supervisory authority.
