This information is meant to explain what kind of data we collect, from what sources, and for which purposes it is used.
Identity and contact details of the data controller
F. Hoffmann-La Roche Ltd, Grenzacherstrasse 124, CH-4070 Basel, Switzerland, email: [email protected] (“Roche”) is the data controller.
In the event that your personal data is covered by the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”): EU representative of F. Hoffmann-La Roche Ltd is Roche Privacy GmbH, Emil-Barell-Str. 1, D-79639 Grenzach-Wyhlen.
Please direct any questions and requests related to this information to F. Hoffmann-La Roche Ltd, Global Privacy Office, Grenzacherstrasse 124, CH-4070 Basel, Switzerland, email: [email protected].
Purposes and legal basis for processing
The PingIdentity platform will be used to provide and enhance multi-factor authentication at Roche and to assess user login risk.
Personal data is collected and used to secure access to Roche's applications through the authentication process and assess the risk as part of the authentication flow, in order to better detect threats (such as account takeover or phishing attacks) and improve users' experience.
We collect and process your data on the basis of our legitimate interest to enhance security to access Roche's applications because it is necessary for the performance of the contract with you (access management).
Categories of personal data processed
For the purposes specified in this Privacy Notice, Roche may collect, process and share the following categories of personal data:
Recipients of personal data
Recipients of your data may be Roche's affiliates around the world including in countries with privacy standards different from those in your country. Our Roche affiliates will use the data for the same purposes as we do. A list of Roche's affiliates is available in the current annual report which can be found in the Investors section of www.roche.com.
Additional information in case your data is covered by GDPR: Regarding the exchange of data within the Roche Group, contracts containing the EU Standard Contractual Clauses according to EU Commission decisions of 27 December 2004 (2004/915/EC) and 05 February 2010 (C(2010) 593) or according to EU Commission decision of 04 June 2021 (EU 2021/914), whichever is applicable, constitute appropriate and suitable safeguards to ensure compliance with GDPR. Data processor for service and support is: Ping Identity Corp, 1001 17th Street, Denver, CO 80202, United States.
We store your personal data for ten (10) years (non-GxP projects) and fifteen (15) years (GxP projects) after the end of the year in which the data was collected.
Information about your rights if your data is covered by GDPR
Provided your personal data is covered by GDPR, please note that you have the right to request from Roche access to and rectification of your personal data as well as the right to data portability, if applicable, or erasure or restriction of processing of your personal data. Erasure or restriction of processing is only possible if and to the extent the processing of personal data is based on consent or legitimate interest. If data processing is based on consent, kindly note that you have the right to withdraw your consent at any time, however, without affecting the lawfulness of processing based on consent before its withdrawal. For sending us a note to exercise your right to withdraw consent, please see contact details in the section "Identity and contact details of the data controller" above.
To prevent your data from being entered into our systems again after your request for erasure, in your interest and for us to comply with GDPR, we may keep your name and e-mail address with a flag "Don't contact anymore" in our systems.
In the event you have the impression that our data processing is non-compliant with GDPR: You are entitled to lodge a complaint with the responsible supervisory authority.
For the purposes defined in this privacy notice, we collect the Personal Data directly from you.
Please note that we will not process the biometric information that may be collected for authentication purposes. PingID authenticates the users by sending a request through the notification server to the PingID app installed on the user's mobile device. The PingID app receives the notification sent by the server. Before interacting with the user, the PingID app first checks against the server that the request sent to it is valid and authentic, and that the device meets administrative and security policies. Once this is confirmed, the app will receive instructions from the PingID server on how to authenticate the user.