1.1. This Personal Data Processing Policy (the “Policy”) defines the Company's policy regarding the processing of personal data, the procedure for processing personal data of persons (Website users) by the Company, including the procedure for collecting, storing, using, transferring and protecting such data.

1.2. The regulation of personal data treatment is aimed at ensuring the rights and freedoms of data owners whose personal data are being processed, maintaining the privacy and protection of personal data.

1.3. This Policy has been developed on the basis, and in pursuance, of:

a) the Constitution of the Republic of Azerbaijan;

b) the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (as per Law No. 879-IIIQ of the Republic of Azerbaijan dated 30 September 2009);

c) Law of the Republic of Azerbaijan No. 998-IIIQ “On Personal Data” dated 11 May 2010;

d) Law of the Republic of Azerbaijan No. 460-IQ “On Information, Information Technology and Protection of Information” dated 3 April 1998;

e) other regulatory legal acts of the Republic of Azerbaijan, as well as international acts ratified by the Republic of Azerbaijan.

2.1. The following basic definitions and terms are used throughout this Policy:

a) Company or Operator means Novo Nordisk Limited Liability Company, Taxpayer Identification Number: 7729427770, located at 15 Krylatskaya Street, Office 41, Moscow, 121614;

b) Group of Companies means a group of legal entities joined under the brand of Novo Nordisk (Denmark), a global pharmaceutical company;

c) Personal Data means information which relates directly or indirectly to an identified or identifiable person (personal data subject);

d) Personal Data Subject or Data Subject means a natural person who is a user of the Website, to which the Personal Data processed by the Company relates;

e) Personal Data Processing means any action (operation) or a set of actions (operations) performed towards personal data, whether using automation facilities or not, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of the Personal Data;

f) Automated Processing of Personal Data means the Personal Data Processing using computing machinery, however, such processing may not be treated as being performed solely using the automation facilities just because the Personal Data is contained in, or has been retrieved from, the personal data system;

g) Personal Data Processing without automation facilities (manual processing) means actions towards the Personal Data, in particular, use, clarification, distribution or destruction, carried out with direct involvement of a person;

h) Personal Data Distribution means actions aimed at disclosing the Personal Data to an uncertain number of persons;

i) Provision of Personal Data means actions aimed at disclosing personal data to a certain person or a certain number of persons;

j) Blocking of Personal Data means temporary termination of the Personal Data Processing (unless such processing is necessary to clarify the Personal Data);

k) Destruction of Personal Data means actions, as a result of which it becomes impossible to restore the content of the Personal Data in the personal data information system and/or as a result of which the physical storage media of the Personal Data are destroyed;

l) Depersonalization of Personal Data means actions, as a result of which it is impossible to determine, without the use of additional information, whether the Personal Data is owned by a specific Personal Data Subject;

m) Cross-Border Transfer of Personal Data means the transfer of the Personal Data to the territory of a foreign state, a foreign state authority, a foreign natural person or a foreign legal entity.

3.1. The Company processes the Personal Data of persons of the following categories:

a) users of the Website;

b) other persons, whose interaction with the Operator necessitates processing of their Personal Data.

4.1. The content and volume of the Personal Data of each category of persons shall be determined by the need to achieve specific purposes of such processing, and the need of the Company to exercise its rights and perform its obligations, as well as the rights and obligations of the relevant person.

4.2. The Personal Data of the Website users may include:

a) name, surname, patronymic;

b) nationality; 

c) data on education, advanced training and professional retraining, academic credentials, academic title;

d) contact details (including business and/or mobile phone numbers, e-mail, etc.);

e) information about the place of actual residence;

f) position;

g) name of the Employer;

h) information about the Employer's business address;

i) information about payments;

j) taxpayer identification number;

k) information of a medical nature (in cases provided for by law);

l) other data required for the exercise or performance of mutual rights or obligations between the Company and the Website user.

4.3. The Personal Data of other persons includes:

- name, surname, patronymic;

- contact details;

- other data necessary for the performance of mutual rights and obligations between the Company and the person.

5.1. Processing of the Personal Data of the Data Subjects is based on the following principles:

a) the Personal Data Processing must be carried out on a legal and fair basis;

b) the Personal Data Processing must be limited to the achievement of certain, predetermined and lawful goals. The Personal Data Processing that is incompatible with the purposes of collecting personal data is not allowed;

c) it is not allowed to combine databases containing the Personal Data the processing of which is carried out for purposes incompatible with each other;

d) the Personal Data shall only be subject to processing, if it meets the purposes of processing thereof;

e) the content and scope of the processed Personal Data must be consistent with the claimed purposes of processing. The processed Personal Data should not be redundant towards the claimed purposes of processing thereof;

f) while processing the Personal Data, it is necessary to ensure the accuracy, adequacy and, if and where necessary, the relevance to the purposes of the Personal Data Processing. The Operator must take, or ensure the taking of, necessary measures to delete or clarify incomplete or inaccurate data;

g) the Personal Data must be stored in a form that makes it possible to identify the Data Subject no longer than it is required for the purposes of the Personal Data Processing, unless provided otherwise by the law or a contract. The processed Personal Data are subject to destruction or depersonalization upon achievement of the processing purposes or if such achievement is no longer needed, unless provided otherwise by the law.

6.1. The Personal Data of the Data Subjects is processed in order to provide the Data Subjects with access to the Website of the Company, namely, for:

a) providing information about the Company’s products;

b) holding events and ensuring the participation therein of the Data Subjects;

c) providing medical and scientific, reference and informational, as well as other information from the Company;

d) processing applications with claims or product safety information;

e) processing applications about negative developments or side effects;

f) monitoring the effectiveness and safety of medicines;

g) performing and fulfilling the functions, powers and obligations assigned to the Company by the legislation of, or international treaties ratified by, the Republic of Azerbaijan;

h) meeting the requirements of the respective executive authority, in particular, Article 8.1 of Law No. 208-IIIQ “On Medicines” dated 22.12.2006;

i) other purposes aimed at safeguarding the interests of the Company and compliance with laws and other regulatory legal acts.

6.2. The Personal Data is processed solely for the achievement of the above legitimate purpose. In order to use the data for other purposes, it is necessary to inform, and if required, obtain a new consent from the Data Subject for such processing.

6.3. The Personal Data Processing may be carried out for other purposes if this is necessary to comply with the legislation.

7.1. General Rules

7.1.1. The Personal Data is processed by way of mixed (both automated and non-automated) processing, including the use of the internal network and the Internet.

7.1.2. In cases established by the legislation of the Republic of Azerbaijan, the main condition for processing the Personal Data is obtaining a consent from the relevant Data Subject, including the consent in writing.

7.1.3. The consent of the Data Subject to the Personal Data Processing shall at least include:

a) name, surname, patronymic;

b) name, surname, patronymic of the representative of a Data Subject;

c) name and address of the Company that receives the consent of the Data Subject;

d) the aim of the Personal Data Processing;

e) a list of the Personal Data for processing of which the consent of the Data Subject is to be granted;

f) a list of actions towards the Personal Data for which the consent is to be granted, the general description of processing methods used by the Operator;

g) a period, during which the consent is valid, as well as the procedure for withdrawal;

h) the signature of the Data Subject, or the equivalent thereof;

i) the conditions for destroying or archiving, in a manner established by law, the Personal Data collected in respect of the Data Subject upon the expiration of a period of the Personal Data storage in the relevant information system or in case of death thereof.

7.1.4. In cases, where the Personal Data Processing requires obtaining a consent, but not a written consent, from a Data Subject, the Data Subject may provide his/her consent by electronic communications, via Internet, e-mail or fax.

7.2. Collection

7.2.1. The source of information about all Personal Data is the Data Subject himself/herself.

7.2.2. Unless provided otherwise by the law, the Company may only obtain the Personal Data of the Data Subject from third parties upon notifying, or receipt of a consent from, the Data Subject to such obtaining.

7.2.3. A notice to the Data Subject of obtaining his/her Personal Data from third parties must contain:

a) a name and a place of business of the Operator;

b) the purpose of processing such Personal Data by the Company and the legal grounds therefor;

c) intended users of the Personal Data;

d) statutory rights of the Data Subject;

e) a source of obtaining the Personal Data.

7.3. Storage

7.3.1. When storing the Personal Data, it shall be required to observe the conditions ensuring the safety of the Personal Data.

7.3.2. Documents containing the Personal Data stored on paper are kept in dedicated places with limited access in conditions that ensure their protection against the unauthorized access. A list of document storage locations is determined by the Company within its organization, as a whole.

7.3.3. The Personal Data kept in an electronic form is protected against the unauthorized access using special technical and software safeguards. It shall not be allowed to store the Personal Data in an electronic form outside the information systems used by the Company or databases specifically designated by the Company (off-system storage of the Personal Data).

7.3.4. The Personal Data shall be kept in a form that allows identifying the Data Subject, but no longer than the purposes of processing thereof require, unless another period is established by the legislation of the Republic of Azerbaijan or a contract, to or under which the Data Subject is a party, beneficiary or surety.

7.3.5. Unless provided otherwise by the legislation, the processed Personal Data is subject to destruction or depersonalization upon achievement of the processing purposes, or there is no further need in such achievement, or after the expiration of a period of storage thereof.

7.3.6. The destruction or depersonalization of the Personal Data must be carried out in a way that excludes further processing of this Personal Data. At the same time, if appropriate, it is necessary to preserve the ability of processing other data recorded on the corresponding physical storage media (deletion, defacement).

7.3.7. If it is necessary to destroy or block a part of the Personal Data, the physical storage medium shall be destroyed or blocked, copying first the information that is not subject to destruction or blocking in a way that precludes the concurrent copying of personal data that is subject to destruction or blocking.

7.4. Use

7.4.1. The Personal Data is processed and used for the purpose specified in Clause 6.1 of this Policy.

7.4.2. The access to the Personal Data is provided only to persons, whose responsibilities involve treatment of the relevant Personal Data, and only for a period necessary for such treatment.

7.5. Transfer

7.5.1. The transfer of the Personal Data of the Data Subjects to third parties is allowed to the minimum extent required and only for performing tasks consistent with the objective reason of collecting such data. 

7.5.2. The transfer of the Personal Data to third parties, including for commercial purposes, is allowed only with the consent of the Data Subject, or under other legal grounds.

7.5.3. A Data Subject must be notified, if his/her Personal Data is provided to third parties, other than in cases established by law, in particular, if:

a) the Data Subject has been notified of processing his/her Personal Data by an operator, who has obtained the respective data from the Company;

b) the Personal Data has been made public by the Data Subject or has been received from the publicly available source;

c) the Personal Data are processed for the statistical or other research purposes or for the scientific, literary or other creative activities, provided that the rights and legitimate interests of the Data Subject are not infringed.

7.5.4. The information containing the Personal Data must be transferred in a way that ensures protection against the unauthorized access, destruction, modification, blocking, copying or dissemination, as well as other illegal actions in relation to such information.

7.5.5. It may be so that the information containing the Personal Data is transferred on the territory of a foreign state (cross-border transfer), including the territory of a state which does not ensure the adequate protection of the Data Subjects’ rights. Such transfer must be date in accordance with the requirements and rules established by the laws of the Republic of Azerbaijan concerning the cross-border transfer of personal data.

7.5.6. Persons receiving the Personal Data have to be warned that such data may only be used for purposes for which it has been obtained, and in compliance with the privacy regime. The Company may request from such persons the confirmation that this rule is observed.

7.5.7. In cases where the state bodies have the right to request the Personal Data, or where the Personal Data must be provided in accordance with law, as well as by a court order, the relevant information shall be provided to them in a manner established by the effective legislation of the Republic of Azerbaijan.

7.5.8. All incoming requests should be transferred to a person responsible for organizing the Personal Data Processing in the Company for preliminary review and approval.

7.6. Processing Delegation

7.6.1. The Company may delegate the Personal Data Processing to another person, with the consent of the Data Subject, unless the laws of the Republic of Azerbaijan provide otherwise, under an agreement entered into with such person. The person who processes the Personal Data on behalf of the Company must adhere to the principles and rules of the Personal Data Processing established for by the legislation.

7.6.2. An agreement with a person who processes the Personal Data on behalf of the Company shall include:

a) a list of actions (operations) towards the Personal Data that will be performed by the person processing the Personal Data;

b) processing purposes;

c) the undertaking of such a person to observe the privacy of the Personal Data and ensure the safety of the Personal Data while processing, as well as specify the requirements to the protection of processed the Personal Data in accordance with the legislation, and the liability for non-compliance with such requirements.

7.7. Protection

7.7.1. The reference to the protection of the Personal Data shall mean a number of legal, organizational and technical measures aimed at:

a) ensuring the protection of information against the unauthorized access, destruction, modification, blocking, copying, provision, dissemination, or against other illegal actions in relation to such information;

b) maintaining the privacy of restricted information;

c) exercising the right of access to information.

7.7.2. To protect the Personal Data, the Company takes the necessary measures provided for by law, including, but not limited to:

a) restricting and regulating a number of persons, whose duties require access to the information containing the Personal Data (including through the use of passwords for accessing electronic information resources);

b) ensuring conditions for the restricted-access storage of documents containing the Personal Data;

c) organizing the procedure for the destruction of information containing the Personal Data, unless the legislation establishes requirements for the storage of such data;

d) monitoring the compliance with the requirements for ensuring the security of the Personal Data, including those established by this Policy (by way of internal audits, installing special monitoring tools, etc.);

e) investigating cases of the unauthorized access or disclosure of the Personal Data, bringing the guilty employees to liability, or taking other measures;

f) implementing software and technical means of protection of electronic information;

g) ensuring the ability of restoring the Personal Data modified or destroyed due to the unauthorized access thereto, etc.

7.7.3. To protect the Personal Data while processing in information systems, the Company takes the necessary measures provided for by law, including, but not limited to:

a) locating any threat to the safety of the Personal Data during processing;

b) implementing the organizational and technical measures to ensure the safety of the Personal Data during processing in personal data information systems, necessary to meet the statutory requirements for the protection of the Personal Data at levels established by the Government of the Republic of Azerbaijan;

c) recording machine-based storage media of the Personal Data;

d) locating any event of unauthorized access to the Personal Data and taking measures;

e) restoring personal data modified or destroyed due to the unauthorized access thereto;

f) establishing rules for the access to the Personal Data processed in the personal data information system, as well as ensuring the registration and record of all actions performed towards with the Personal Data in the personal data information system.

7.7.4. The Company should have in place persons responsible for organizing the Personal Data Processing.

7.7.5. The Company shall take other measures aimed at ensuring the Company’s compliance with its obligations in the field of personal data, as provided for by the effective legislation of the Republic of Azerbaijan.

8.1. The Data Subjects shall have the right to:

a) have access to their Personal Data;

b) withdraw their consent to processing of their Personal Data;

c) change, clarify, destroy or block their Personal Data;

d) receive information concerning processing of their Personal Data;

e) appeal against the unlawful actions or inaction in processing of Personal Data and claim appropriate compensation in court in a manner provided for by law;

f) appoint representatives to protect their Personal Data and represent their interests within the procedure provided for by law;

g) protect their rights and legitimate interests in the field of the Personal Data;

h) exercise other rights provided for by laws or other regulatory acts, or the local regulatory acts of the Branch concerning the processing and protection of the Personal Data.

8.2. The right of a Data Subject to access his/her Personal Data may be restricted in accordance with the laws.

8.3. All requests from the subjects or their representatives in connection with processing of their Personal Data are recorded in an appropriate log.

8.4. The Data Subject shall:

a) provide the Company with accurate personal data;

b) timely inform the Company about changes or additions to their Personal Data;

c) exercise their rights in accordance with the law, other regulatory legal acts and local regulations of the Company for the Personal Data processing and protection;

d) perform other obligations stipulated by the law, other regulatory legal acts and local regulations of the Company for the Personal Data processing and protection.

9.1. The Company has the right to:

a) establish rules for the Personal Data Processing in the Company, amend this Policy, independently develop and apply form documents necessary for the Operator to perform its obligations;

b) exercise other rights provided for by the laws or other regulatory acts or local regulatory acts of the Branch concerning the processing and protection of the Personal Data.

9.2. The Company has to:

a) ensure that the Personal Data is processed solely for the purposes for which it has been collected;

b) obtain a consent, or, in cases established by the laws of the Republic of Azerbaijan, a written consent, from the Data Subject to processing of his/her Personal Data;

c) only process specific categories of Personal Data with the written consent of the Data Subject, unless the law provides otherwise;

d) protect the Personal Data against the unlawful use or loss;

e) perform other obligations stipulated by the legislation of the Republic of Azerbaijan and local regulations of the Company for processing and protection of the Personal Data.

10.1. The Company shall be held liable under the law for the breach of the legislation of the Republic of Azerbaijan concerning the procession and protection of the Personal Data.

10.2. If the Company delegates the Personal Data Processing to any other person, the liability to the Data Subject has to be borne by the Company. A person processing the Personal Data on the instructions of the Company should bear liability to the Company under an agreement entered into therewith.