Privacy Policy - Bristol Myers Squibb

Privacy Notice Center

General Privacy Notice

Bristol Myers Squibb Canada Co., together with its Canadian-resident affiliates, including Celgene Inc. (collectively, “Bristol Myers Squibb Canada”, “we”, “us” or “our”), respects your privacy and is committed to protecting your personal information. We encourage you to read this privacy policy before using our website, services or submitting information to us.

If you do not agree with this privacy policy, please do not use our website, sign up for our services or provide us your personal information.

1. ABOUT THIS PRIVACY POLICY

2. WHAT IS PERSONAL INFORMATION?

3. GETTING YOUR CONSENT

4. WHERE WE GET YOUR INFORMATION

5. WHAT INFORMATION WE COLLECT AND WHY?

Bristol is Myers Squibb Canada collects and uses personal information for a variety of reasons. If we collect personal information for purposes other than those described in this privacy policy, we will identify those additional purposes before or at the time the information is being collected.

Bristol Myers Squibb Canada generally aims to minimize the collection of sensitive personal information. Where this type of information is requested, Bristol Myers Squibb Canada may provide separate consent forms to ensure you understand why the information is requested and how it will be used. Examples of sensitive personal information include, health and biometric information, social insurance number, financial information, etc.

We may collect and use the following types of information for the following purposes:

Personal information category	Source	Types of information we may collect	How we may use it
Contact and identity information	Clinical trial participants, patients, health care providers, clinical investigators, website visitors, care givers, third party service providers	Name, alias, username, online identifier, email address, postal address, telephone number, facsimile number, Internet Protocol address, marital status, date of birth, reported gender, social insurance number (partial or full), driver’s license number, passport number, or other similar identifiers	· Identify and authenticate you · Communicate with you · Determine service, program and product eligibility, including for clinical trials, patient support programs, research programs, and/or receive other services · Enroll you in programs and provide you with products and services, including for clinical trials, patient support programs, research programs, and/or receive other services · Administer, manage, analyze, and improve our programs, products, and services including for clinical trials, patient support programs, research programs, and/or receive other services · Provide counseling, education, services and other information relating to our controlled distribution programs and to fulfill the requirements of our controlled distribution program · Provide you with relevant information and assistance on our products or services and to manage our customer relationships · Engage in service and product promotion, including to contact you regarding programs, products, services, and topics that may be of interest or useful · Engage in joint marketing initiatives · Fulfil your requests · Issuing tax documents where required by law
Biometric and physical characteristic-based information	Patients, clinical trial participants, caregivers, healthcare professionals	Height, weight, hair and eye colour, age, information related to sexuality or sex life, disability as well as physiological, biological or behavioral characteristics that can be used alone or in combination with each other to establish individual identity, including DNA, fingerprint, voice print, diagnostic or lab results, imagery of the face from which an identifier template can be extracted, and sleep, health, or exercise data that contain identifying information	· Determine and verify program, product, and service eligibility and coverage, including for clinical trials, patient support programs, research programs, and/or receive other services · Administer, manage, analyze, and improve our programs, products, and services, including for clinical trials, patient support programs, research programs, and/or receive other services · Assist in managing emergency incidents, including adverse reactions, that occur while participating in clinical trials, patient support services or on Bristol Myers Squibb Canada premises · Analyze and better understand your needs, preferences, and interests, as well as those of other consumers
Health information	Clinical trial participants, patients, health care providers, clinical investigators, health insurance organizations, caregivers, third party service providers	Any information in possession of or derived from a healthcare provider, healthcare service plan, pharmaceutical company, or contractor regarding an individual’s medical history, family history, medical conditions, drug prescription history, mental or physical condition or treatment	· Determine and verify program, product, and service eligibility and coverage, including for clinical trials, patient support programs, research programs, and/or receive other services · Enroll you in our programs and services, including for clinical trials, patient support programs, research programs, and/or receive other services · Administer, manage, analyze, and improve our programs, products, and services, including for clinical trials, patient support programs, research programs, and/or receive other services · Assist in managing emergency incidents, such as adverse reactions, that occur while participating in clinical trials, patient support services or on Bristol Myers Squibb Canada premises · Track, monitor, investigate, audit, and enforce compliance with our policies, product/service terms and conditions, and legal and regulatory requirements including for safety monitoring, pharmacovigilance and health regulatory purposes · Analyze and better understand your needs, preferences, and interests, as well as those of other consumers
Insurance and financial information	Directly from you, caregivers, healthcare providers, health insurance organizations and other payors, third parties, financial institutions	Insurance policy number or any unique identifier used by a health insurer to identify the individual, any information in the individual’s application and claims history, financial circumstances and funding requests, payment and reimbursement amounts, and banking information	· Determine and verify program, product, and service eligibility and coverage, including for compassionate funding programs, patient support programs. · Enroll you in our programs and provide our products and services to you, including for clinical trials, patient support programs, research programs, and/or receive other services · Administer, manage, analyze, and improve our programs, products, and services, including for clinical trials, patient support programs, research programs, and/or receive other services · To issue invoices and process payments · To reimburse customers, satisfy warranty obligations and fulfill our payment obligations · For fraud investigation and management purposes · For recordkeeping and compliance purposes
Health practitioner, clinical investigator and medical professional information	Healthcare providers, medical practitioners, professional registries and accreditation bodies, patients, third parties	Educational, training, licensing, certification, business and employment information. Additionally, prescribing and dispensing information and patterns as well as medical opinions, preferences and feedback	· Assess eligibility to participate in our programs and services, including for controlled drug distribution programs, clinical trials, patient support programs, and research programs · Enroll you in our programs and services, including for controlled drug distribution programs, clinical trials, patient support programs, and research programs · To administer, manage, analyze, and improve our programs, products, and services, including for controlled drug distribution programs, clinical trials, patient support programs, and research programs · Track, monitor, investigate, audit, and enforce compliance with our policies, product/service terms and conditions, and legal and regulatory requirements including for safety monitoring, pharmacovigilance and health regulatory purposes · Analyze and better understand your needs, preferences, and interests
Job applicant information	Directly from applicants, past employers or other references, third parties (such as recruitment agencies, background checking services, government and regulatory body registry databases)	Resumé, cover letter, recommendation letters, employment history and interests, interview records, behavioural assessments, background check-related information and records (such as police records, and media and social media searches)	· Staffing and recruitment activities · Maintain an inventory of candidates for current and future work opportunities
Audio visual and other interaction-based information	Directly from you, automatically (such as when we record calls to our call center and use CCTV cameras in our facilities), third party service providers	CCTV recordings, telephone call recordings and transcripts, records of communications (emails, letters, online chat etc.)	· Quality assurance and staff training purposes · Provide you with the services and information which you request · Communicate with you and respond to your inquiries, including responding to and resolving complaints · Understand any concerns you may have and improve your experience · Compliance and recordkeeping purposes · Security and loss prevention purposes

We may also collect and use your information to:

Understand your needs, the suitability of our products and services, and assess future needs;
Provide services tailored to your requirements and to treat you in a more personal way;
Administer surveys, or request feedback to improve and manage our relationship with you;
Research, analyze, develop, manage, protect and improve our business operations, our products and services, and to test new products and services, including:
- Audit, data analytics and research to help us deliver and improve our digital platforms, content and services;
- Monitor and analyze trends, usage and activities in connection with our products, programs and services to understand which parts of our services and offerings are of the most interest and to improve the design and content of programs and services;
Facilitate our business and operational needs;
Administer and protect the security of our business, and our website, app and other services;
Meet our legal and regulatory obligations, including to enforce our legal rights; and
To fulfil other purposes related to any of the above.

6. DE-IDENTIFIED, AGGREGATED, AND ANONYMIZED INFORMATION

7. SHARING YOUR PERSONAL INFORMATION?

8. COOKIES AND OTHER TECHNOLOGY

Information that is Automatically Collected

We, and our third-party service providers, may automatically collect information related to your use of our website, apps and other online resources through cookies and similar tracking technologies. We do not collect personal information that can identify you directly, such as by name, when browsing our website.

How we use information gathered from cookies and other technologies

We use cookies and similar technologies to:

Make your experience personalized and efficient
Understand and improve our digital services and offerings

Cookies

Cookies are small text files that are stored on the browser of your computer that assign an anonymous identifier to your browser and provide information to the cookie sender. Cookies may be placed on your computer by us when you our website or other digital offerings. In addition, we may use third party cookies that track how you use our website or other online resources in order to target advertisements to you on other websites.

You can manage website cookies in your browser settings, and you always have the choice to change these settings by accepting, rejecting, or deleting cookies. Please note that if you disable or delete cookies, the website may not function fully or as intended. Visit the Digital Advertising Alliance of Canada page at http://youradchoices.ca/choices/ for more information on how to manage and remove cookies and other targeted advertising.

Web Beacons

A Web Beacon is a clear GIF (Graphics Interchange Format) image or pixel tag that companies place on their Web sites to allow an Internet advertising or audience measurement company to help them analyze their advertising campaigns and general usage patterns of visitors to their Web sites. Bristol Myers Squibb Canada uses Web beacons on some of its Web sites. Subject to the transfer of control described below, Bristol Myers Squibb Canada will not sell or rent your personally identifiable information.

Web Server Data Collection and and Other Technologies

With or without cookies, our Web site keeps track of usage data, such as the source address that a page request is coming from (i.e., your IP address, domain name), date and time of the page request, the referring Web site (if any), and other parameters in the URL (e.g., search criteria). If you are a healthcare provider, you may be have registered with third parties and granted permission to share your personally identifiable information and online activities with others, such as pharmaceutical companies. Those third parties may provide us with technologies that allow us to see when you have been on our Web site while you are visiting even if you have not contacted us directly or registered on our Web site.

We use web server data and other technologies to better understand Web site usage on the whole and to determine which areas of our Web site users prefer (e.g., based on the number of visits to those areas). This information is stored and used by Bristol Myers Squibb for statistical reporting. In some cases, to provide you better tailored programs and information, we may collect and consolidate your online information, and match it with personally identifiable information collected from other third party resources and programs. We may work with third parties to help us with these activities.

9. INTERNATIONAL TRANSFERS OF INFORMATION

10. STORAGE OF YOUR INFORMATION

11. RETENTION OF YOUR INFORMATION

12. SAFEGUARDS

13. HYPERLINKS

14. CHILDREN'S INFORMATION

15. ACCESSING AND CORRECTING YOUR INFORMATION

16. CONTACT INFORMATION

17. CHANGES TO OUR PRIVACY POLICY

BMS Global Employee Privacy Notice

If you are an applicant, you can read more details here: https://www.bms.com/ca-en/privacy-policy.html#job.

For questions about this notice or data protection as a worker, please refer to the contact us section.

Click here to download or print a copy of this BMS employee privacy notice.

What You Will Learn in This Notice

This notice is specific to the use of your personal data by Bristol Myers Squibb (“BMS”, “we”, “us”, “our”) if you are or were part of our workforce. It explains what personal data processing activities are conducted at BMS worldwide covering BMS direct employees, consultants, contractors, interns and third parties as defined in this Notice – collectively called ‘workers’ or ‘employees’ (or “you”, “your”, “yours”) in this notice (“Employee Notice” or “Notice”). We use the term “processing activities” or “use” to refer to accessing, collecting, storing, transferring or any other use of your personal data.

Click on the icons or text below to find out more about how, why, and where BMS uses your data:

Who is the Controller disk icon

The type of data we process disk icon

How BMS protects your data magnifying icon

Legal reasons for using your data scale icon

Why we process your data rotating data icon

How we obtain your data pointer icon

How long we keep your data file folder icon

Who do we share your data with

Your privacy rights shield icon

1. INTRODUCTION – HOW TO READ THIS NOTICE

In this Notice, we provide you with an overview of how and why we collect your personal data - also known as personal information. We also inform you about your privacy rights related to our use of your data.

You should read this Employee Notice in combination with the BMS General Privacy Notice which explains the collective privacy standards and commitments that apply to all processing of personal data at BMS. It is available on the footer of our corporate www.bms.com websites for markets where we have a presence or operate.

Who it applies to and our other notices

Before you start reading this Notice
Who is the audience?	This notice applies to you during your employment and after its termination: as a new hire, a current or past worker, including an employee and a retiree; as a contractor, such as if you are an intern, consultant, autonomous or agency worker or a consultant; as a third party whose information is provided to us concerning the employment or work relationship (for example, referees, family members, relatives or emergency contact information).
Country-specific notices	As a supplement to this notice, there may be country specific BMS documentation covering individual country laws or processes that might impact the use of your personal data at your specific work location. These documents can be accessed through your local intranet or local HR contact.
Relevance of my personal data	The nature and the categories of the personal data that BMS processes about you can differ, depending on your role and your relationship with BMS. We try to point out these differences where possible but if there are processing activities specific to your role at BMS or to the country where you reside, we will provide you with additional ‘point in time information’ wherever possible.

Before you start reading this Notice
Who is the audience?
This notice applies to you during your employment and after its termination: as a new hire, a current or past worker, including an employee and a retiree; as a contractor, such as if you are an intern, consultant, autonomous or agency worker or a consultant; as a third party whose information is provided to us concerning the employment or work relationship (for example, referees, family members, relatives or emergency contact information).
Country-specific notices
As a supplement to this notice, there may be country specific BMS documentation covering individual country laws or processes that might impact the use of your personal data at your specific work location. These documents can be accessed through your local intranet or local HR contact.
Relevance of my personal data
The nature and the categories of the personal data that BMS processes about you can differ, depending on your role and your relationship with BMS. We try to point out these differences where possible but if there are processing activities specific to your role at BMS or to the country where you reside, we will provide you with additional ‘point in time information’ wherever possible.

Example: Most processing activities related to BMS employee benefits are not applicable to consultants, contractors, interns, agency workers or autonomous workers who are employed by third parties and then contracted by BMS. This notice covers personal data that BMS controls and processes. Contractors and consultants should therefore review privacy notices provided by their own employers to understand how their data is processed.

2. WHO IS THE CONTROLLER OF YOUR DATA

A controller decides why and how to process your personal data. However, central teams at BMS located in another country (for example, teams in the US and support services provided by our authorized business partners) may also access and process your personal data as described in this notice. For each activity, Bristol Myers Squibb Company and its affiliates will act as controller together or jointly for using your data.

Note: If you have an employment contract, the BMS legal entity who is your employer, or who has the contract with your employer, is the controller of your personal data. If you are a consultant, contractor, intern or independent worker), then the entity listed in your employer’s contract with BMS is the controller.

3. CATEGORIES – WHAT TYPE OF DATA BMS PROCESSES ABOUT YOU

This section describes the type of personal data and sensitive data we collect for our processing activities, which may vary depending on your role at BMS. We describe this personal data as “Work–Related Data” that BMS needs for the creation of your work contracts and to run our day–to–day work activities. Remember, depending on where you live, the relevant data protection law in your jurisdiction may define personal data differently from the descriptions used in this notice.

We use the categories of personal data in the following context:

Onboarding & HR day-to-day onboarding icon

Compensation, benefits & performance

Security, IT, devices, training Security icon

Surveys, events, images, videos

Sensitive data Sensitive data icon

Environmental, health & safety health monitor icon

Data for legal & compliance

Family & your relatives’ data

Roles & positions, relocation, leaving

Note: Most data we use about you is necessary for our day–to–day operations. In certain cases, you might decide to participate in activities that are not mandatory, such as attending events, accessing benefits, apply to internal jobs, responding to surveys or sharing your image or video recordings with BMS. In this case, we will let you know what your options are before processing your data.

You can learn more about our purposes and why we use your data in section 4.

The categories of Work-Related Data

When collecting and using your data as a BMS worker, most categories detailed below are relevant to you if you are an employee. If you don’t have a contract with us but provide services to us, the categories below will not be relevant to you, for example if you are hired by a third party agency, if you are a consultant or an independent worker.

Categories of Work Related Data
Onboarding data	Most of the personal data collected at BMS is done during the onboarding phase. The data collected during this stage allows BMS to build your profile and enables you to work at BMS. Examples of data collected are: CV, past experiences, external affiliations; BMS ID, login details, professional phone number; current and past roles within the organization; your hiring manager, HR business partner, department, functions; employment contract and current employment situation (temporary, permanent, practice), group and projects you belong to; initial and termination date, offer of employment, contractual conditions, signature, salary grade and bonus, promotions. You can read more information about the data we collected during your recruitment in our General Privacy Notice.
Contact and identification data	Your contact and ID information includes your: full name, title, location; postal code and/or personal email address, personal and professional phone numbers; date of birth; gender, nationality, photo; government-issued identification (national ID, driving license, passport, professional license number as applicable); unique personal identifiers, such as your assigned unique BMS ID.
Employment data	Data related to your previous or current role(s) at BMS, such as: previous or internal applications; resignation, termination dates; your resume or CV; office address, department; performance and disciplinary records; academic/professional qualifications; immigration status and documentation; residency permits and visas, occupational health assessments, work-related accidents, training data; occupational health assessments and work-related accidents, training information.
Educational and professional data	education information and professional qualifications; professional networks; training records; employment status; skills and work experience; programs, such as training, certifications, coaching, driving improvements if your role requires to drive a vehicle (i.e.: logistics, customer visits); publications and activities; awards and recognitions; teaching posts, board memberships, membership or directorship in various professional organizations, associations or other units, referrals and other relevant professional information where needed.
Family & data of your relatives and third parties	You may share contact details of family or relatives in case of relocation, services, accidents, or emergency situations, such as: family or your relatives’ contact data, including e-mail, personal phone number, home address; full name and specific needs for residence of partners and family members.
Conflict of interest data	BMS may also request to inform us about your potential conflict of interests which can include: contact details, positions of third parties with whom you belong or have professional interactions with; shares, stocks, participations in or partnerships with non-BMS affiliated organizations, including serving as director or officer of such organization; any potential gifts, financial interest or advantage, honorarium or other remuneration you may receive outside of BMS.
Sign-in, analytics and device data	When using BMS or third-party devices, platforms, intranet, systems and technologies, we use your personal data to provide you access to, tailor the services provided to, and to protect the security of, our systems. We use the following types of data: sign-in and log activity data; device ID and IP address, usage data; information accessible in your profile; abnormal use of devices warnings, for BMS platforms, intranet and systems for security and protection of BMS assets; application or interaction data in BMS or third-party platforms; personal data stored on BMS devices, platforms, intranet and systems, such as documents you upload and your emails. You can read more information about the use of your personal data online or digitally in section 5 below.
Financial information, compensation and benefits	We collect financial information about you for pay-roll, benefit and insurance purposes, which can include your: bank and account details; salary and compensation data; travel and expenses for work and authorized trips for reimbursement purposes; stock options, stocks, or company shares; pension fund related data; health plans, benefits and insurance allocations; severance package or benefits that apply when your contract with BMS comes to an end.
Data about you that we make public	There are instances when you agree or where we must disclose your personal information publicly on our corporate websites, public registries or public facing platforms – this will depend on your participation at BMS events, posts on social media, and your position and role at BMS. For example, your: full name, e-mail address; position within BMS, CV or professional background; compensation and benefits; position in a board of directors or your power to represent BMS; photos, audio or video recordings; quotes and posts on social media about corporate news, scientific research or events.
Other data	Tax status, information related to work attendance, travel and expenses, emergency contact details, compensation, hours of work, holidays and benefits related information, CCTV data and investigation related information.

Categories of Work Related Data
Onboarding data
Most of the personal data collected at BMS is done during the onboarding phase. The data collected during this stage allows BMS to build your profile and enables you to work at BMS. Examples of data collected are: CV, past experiences, external affiliations; BMS ID, login details, professional phone number; current and past roles within the organization; your hiring manager, HR business partner, department, functions; employment contract and current employment situation (temporary, permanent, practice), group and projects you belong to; initial and termination date, offer of employment, contractual conditions, signature, salary grade and bonus, promotions. You can read more information about the data we collected during your recruitment in our General Privacy Notice.
Contact and identification data
Your contact and ID information includes your: full name, title, location; postal code and/or personal email address, personal and professional phone numbers; date of birth; gender, nationality, photo; government-issued identification (national ID, driving license, passport, professional license number as applicable); unique personal identifiers, such as your assigned unique BMS ID.
Employment data
Data related to your previous or current role(s) at BMS, such as: previous or internal applications; resignation, termination dates; your resume or CV; office address, department; performance and disciplinary records; academic/professional qualifications; immigration status and documentation; residency permits and visas, occupational health assessments, work-related accidents, training data; occupational health assessments and work-related accidents, training information.
Educational and professional data
education information and professional qualifications; professional networks; training records; employment status; skills and work experience; programs, such as training, certifications, coaching, driving improvements if your role requires to drive a vehicle (i.e.: logistics, customer visits); publications and activities; awards and recognitions; teaching posts, board memberships, membership or directorship in various professional organizations, associations or other units, referrals and other relevant professional information where needed.
Family & data of your relatives and third parties
You may share contact details of family or relatives in case of relocation, services, accidents, or emergency situations, such as: family or your relatives’ contact data, including e-mail, personal phone number, home address; full name and specific needs for residence of partners and family members.
Conflict of interest data
BMS may also request to inform us about your potential conflict of interests which can include: contact details, positions of third parties with whom you belong or have professional interactions with; shares, stocks, participations in or partnerships with non-BMS affiliated organizations, including serving as director or officer of such organization; any potential gifts, financial interest or advantage, honorarium or other remuneration you may receive outside of BMS.
Sign-in, analytics and device data
When using BMS or third-party devices, platforms, intranet, systems and technologies, we use your personal data to provide you access to, tailor the services provided to, and to protect the security of, our systems. We use the following types of data: sign-in and log activity data; device ID and IP address, usage data; information accessible in your profile; abnormal use of devices warnings, for BMS platforms, intranet and systems for security and protection of BMS assets; application or interaction data in BMS or third-party platforms; personal data stored on BMS devices, platforms, intranet and systems, such as documents you upload and your emails. You can read more information about the use of your personal data online or digitally in section 5 below.
Financial information, compensation and benefits
We collect financial information about you for pay-roll, benefit and insurance purposes, which can include your: bank and account details; salary and compensation data; travel and expenses for work and authorized trips for reimbursement purposes; stock options, stocks, or company shares; pension fund related data; health plans, benefits and insurance allocations; severance package or benefits that apply when your contract with BMS comes to an end.
Data about you that we make public
There are instances when you agree or where we must disclose your personal information publicly on our corporate websites, public registries or public facing platforms – this will depend on your participation at BMS events, posts on social media, and your position and role at BMS. For example, your: full name, e-mail address; position within BMS, CV or professional background; compensation and benefits; position in a board of directors or your power to represent BMS; photos, audio or video recordings; quotes and posts on social media about corporate news, scientific research or events.
Other data
Tax status, information related to work attendance, travel and expenses, emergency contact details, compensation, hours of work, holidays and benefits related information, CCTV data and investigation related information.

The categories of Sensitive Work-Related Data

Sensitive Work-Related Data
Health, welfare and leave information	This information if needed for managing your leave and compensation: number of sick days; information contained in a doctor’s certificate / medical certificate for sick leave; details of any known disability / workplace accessibility needs, for purposes of salary payment, workforce planning, and compliance with legal obligations; work-related accident information, compensation, work safety and compliance with legal obligations (such as reporting obligations); personal health status for commercial insurance or participation in various activities for example if you participate in the work-out, health programs or for support of your critical illness.
Vaccination or health status	In certain occasions, where applicable and permitted by applicable law, in particular for public health or protection against diseases (i.e.: pandemic situations) BMS may collect your health data, such as: presence at work or at home; vaccination or health status. In most cases, BMS will collect your data only indirectly without the need to obtain health information to protect against the spread of infectious diseases or to ensure a safe working environment.
Background check data	This includes if relevant to your role and permitted by local law: background checks or criminal records in the context of logistics and packing using airline companies; creditworthy information; document certification authenticity; recommendations by previous employers or third parties.
Religious beliefs	This can be collected or required by applicable law: for tax declaration purposes; as written in your ID card or passport, or internal purposes if you share this information voluntarily;
Race and ethnicity data	We will usually only collect and store such sensitive data anonymously for equal opportunities monitoring purposes or if you decide to share it for a defined purpose. Only where permitted or required by applicable law and where relevant to your role.
Trade–union / labor–union membership	If applicable in your country, BMS or competent authorities may request you to provide your professional contact, membership of affiliation to works councils, trade–union details, or other employee representative bodies
Sexual orientation data	Where this is required or permitted by applicable laws or you have voluntarily provided the information to us. For example: marriage, maternity, paternity, parental, bereavement and other similar leaves relating to family or your personal situation; marital status, family or relatives contact related information. Most often this data will be stored anonymously unless you decide to share it for a defined purpose.
Other sensitive Work Related Data	Depending on the law of your country, BMS collects other categories of personal data about you that can be considered sensitive, such as: your health information if you participate in pilot or test programs in the context of digital health initiatives; bank details, social security number, driver’s license number, email content and text messages, State ID card number, passport number, creditworthy information, precise geolocation data; dietary restrictions or health conditions; on rare occasions, genetic or biological data in the context of laboratory tests to protect your health if you are exposed to biomaterials or chemical compounds; biometric data, such as your fingerprint data to enter into our premises or facilities. Only authorized teams and approved third parties will have access to your sensitive personal data.

Sensitive Work-Related Data
Health, welfare and leave information
This information if needed for managing your leave and compensation: number of sick days; information contained in a doctor’s certificate / medical certificate for sick leave; details of any known disability / workplace accessibility needs, for purposes of salary payment, workforce planning, and compliance with legal obligations; work-related accident information, compensation, work safety and compliance with legal obligations (such as reporting obligations); personal health status for commercial insurance or participation in various activities for example if you participate in the work-out, health programs or for support of your critical illness.
Vaccination or health status
In certain occasions, where applicable and permitted by applicable law, in particular for public health or protection against diseases (i.e.: pandemic situations) BMS may collect your health data, such as: presence at work or at home; vaccination or health status. In most cases, BMS will collect your data only indirectly without the need to obtain health information to protect against the spread of infectious diseases or to ensure a safe working environment.
Background check data
This includes if relevant to your role and permitted by local law: background checks or criminal records in the context of logistics and packing using airline companies; creditworthy information; document certification authenticity; recommendations by previous employers or third parties.
Religious beliefs
This can be collected or required by applicable law: for tax declaration purposes; as written in your ID card or passport, or internal purposes if you share this information voluntarily;
Race and ethnicity data
We will usually only collect and store such sensitive data anonymously for equal opportunities monitoring purposes or if you decide to share it for a defined purpose. Only where permitted or required by applicable law and where relevant to your role.
Trade–union / labor–union membership
If applicable in your country, BMS or competent authorities may request you to provide your professional contact, membership of affiliation to works councils, trade–union details, or other employee representative bodies
Sexual orientation data
Where this is required or permitted by applicable laws or you have voluntarily provided the information to us. For example: marriage, maternity, paternity, parental, bereavement and other similar leaves relating to family or your personal situation; marital status, family or relatives contact related information. Most often this data will be stored anonymously unless you decide to share it for a defined purpose.
Other sensitive Work Related Data
Depending on the law of your country, BMS collects other categories of personal data about you that can be considered sensitive, such as: your health information if you participate in pilot or test programs in the context of digital health initiatives; bank details, social security number, driver’s license number, email content and text messages, State ID card number, passport number, creditworthy information, precise geolocation data; dietary restrictions or health conditions; on rare occasions, genetic or biological data in the context of laboratory tests to protect your health if you are exposed to biomaterials or chemical compounds; biometric data, such as your fingerprint data to enter into our premises or facilities. Only authorized teams and approved third parties will have access to your sensitive personal data.

4. PURPOSES – WHY WE PROCESS YOUR DATA AND IN WHAT CONTEXT

This section describes the main types of activities where BMS processes your personal data and the context in which BMS uses it. Our main processing activities consist of:

handling your data for day–to–day operations, such as for onboarding you as a new hire or worker, handling your payroll, requests, enabling access to our systems and intranet and BMS social media platforms to interact with other colleagues, for internal interactions, and if applicable performance reviews;
offering benefits, such as learning, career development programs, fitness, rebates on goods, well–being programs, BMS or external events/initiatives;
implementing appropriate security measures and infrastructures that prevent data losses, ensure compliance with applicable laws, maintain whistleblowing hotlines and channels to report misconducts, conflict of interest or unlawful behaviors which may require preserving information as evidence to comply with applicable employment legislation;
in the context of our working culture and environment as multinational company, such as participating in diversity and inclusion groups, activities or discussions, responding to surveys about the working environment at BMS.

Details about the context in which we use your data

Category of data	The Purpose for use
Relocation, local assignments of workers	BMS processes your data for the following reasons: managing your relocation to other locations; to apply for a working visa or residence permit; for employment related information for compliance with applicable laws, such as tax filing purposes; passport or other citizenship and right to work documentation or information collected for visa and immigration purposes; or family or relatives related data for insurance, travel, costs and expenses purposes.
Onboarding and administration	When joining BMS as a new hire, to: register your emergency contacts and emergency notifications in the event of business continuity response measures or for workspace security; determine incentive and corporate credit card eligibility; establish worker location, to manage internal transfers within BMS and off-boarding/termination, for business travel purposes; manage the workflow, such as assigning, managing, administering projects; enable organizational development, preparation, management, and use of an internal business directory, organization charts; record trade union membership where required by local law.
Talent acquisition and recruitment	After your application has succeeded, BMS will use your information necessary to process your job application, record your information in our systems, as an applicant to internal opportunities for roles, projects or initiatives.
Attendance administration	In some cases, BMS may record your on-site attendance in the workplace in compliance with internal policies and as permitted by local law. This includes data necessary to record and administer your working hours, attendance and overtime application, approval and reimbursement when applicable or compliance with the applicable BMS flexible way of working policy.
Leave management	To enable your leave application for paid annual leave and unpaid leave: health and medical data, such as the number of sick days; doctor’s certificate/medical certificate; information on work-related accidents; insurance claims; information on disability; information on marriage, maternity and parental, and bereavement leave.
Compensation and benefits	To comply with legal requirements and BMS labor policies related to compensation and benefits, which includes: offering of social security insurance, pension, housing fund and other flexible benefit programs and wellness initiatives, such as commercial medical insurance, annual medical examination and other allowances, based on your jurisdiction; offering well-being services, rebates or points for goods and services, car fleet services; administering employee welfare activities that participants may voluntarily participate in (including welfare provided for former employees), such as team-building activities, recreative and event activities including with your family, labor union activities, and aid service, etc. when applicable.
Learning and development	To manage talent development, administer and track training and awareness activities.
Performance and recognition	to enhance performance evaluation, promote personnel development, improve worker efficiency; to set performance objectives, evaluate performance; provide you with recognition and awards, to manage promotions.
Working culture and BMS events, surveys and activities	to improve the working culture at BMS and provide you with a friendly working environment; to conduct surveys, hold events and other activities that you could participate in voluntarily.
Travel and expense reimbursement	to book travel and accommodation; to review and evaluate reimbursement applications and the supporting documents including transaction records for business expenses; to make reimbursement payment to an employee’s bank account; to ensure compliance with travel & business expenses policies.
Safe work environment, information security, acceptable usage purposes and fraud detection and prevention	The nature of the work at BMS requires to protect the health & safety of its employees, data, or infrastructures. BMS will access your data in particular to: ensure security and systems monitoring (for example through video (CCTV) recording); ensure the security and integrity of BMS facilities, IT systems and data; notify you by phone or electronic notifications about events or incidents happening while you are traveling for work; administer, monitor and/or manage appropriate usage of BMS premises, property, and equipment, such as requirements for identity verification and access control to device, hardware, software, internet, network, infrastructure, mobile phone, mail services, or other facilities.
Protecting health & safety of its workers or third parties	BMS may apply internal policies to protect against serious diseases or threats in the context of: exposure to chemical or biological compounds in our manufacturing sites, or global, regional, or national public health, for instances in the event of pandemic situations. In such cases, BMS may collect, or require third parties to collect information that demonstrate your health or vaccination status.
Compliance and regulatory purposes	to ensure corporate compliance requirements and policies are met, including conflict of interest declaration and review, audit, completion of mandatory training; to manage, review and respond to complaints, investigations and disciplinary matters, to establish, exercise or defend legal claims or other legal rights; monitoring and tracking of the different cases and their resolution, and definition of the nature or cause of the investigation; to comply with applicable laws (such as tax deductions and declarations), regulations and requests from governmental agencies, and to adhere to industry standards.
Equal opportunity and diversity monitoring / initiatives	When using this data in limited, permitted or required cases, we may collect: race, gender or ethnicity data such as information contained in your passport or other citizenship and right to work documentation or information collected for visa and immigration purposes or to comply with local regulations; sexual orientation, diversity data where this has been provided voluntarily to BMS.
Understanding the diversity of our workforce	We collect certain demographic data mostly in aggregate, such as: race, gender, ethnicity, sexual orientation, veteran and disability status to help us understand the diversity of our workforce and to support core business diversity, equity, and inclusion initiatives; in some circumstances, we may also need to use this data to comply with government regulations. Note: we generally collect this information on an aggregate or on a voluntary basis, and you are not required to provide it unless it is necessary for us to comply with a legal obligation. We will not share your data without your permission unless we are legally required to do so.
Run security & compliance scans or verifications	In certain countries, BMS will monitor your individual activity only if we have a reasonable, proportionate, and robust legal reason in place. Typical examples of where BMS might monitor your activity are: your physical movement using CCTV, badge data or sign-in sheets – this is for the security of our employees, visitors and BMS property; your interactions with customers (for example HCPs) - this is only conducted for specific job roles at BMS and is done for training, verification, and quality assurance reasons; network scans including your electronic activity when using our communications systems and networks. This can cover logfiles, use of BMS assets and systems. The reason for monitoring might be network and device management, protecting our intellectual property (IP), protection against cyber-attacks, certain legal obligations, but always where permitted by law; for specific investigations, for example if an employee is strongly suspected of breaching BMS policies. This type of monitoring will always fully comply with the law and will only process the least amount of data needed to complete the investigation.
Automated decision making	In general, BMS does not make employment decisions based solely on automated processing (including profiling) of employees. If this were to happen, for example using Artificial Intelligence, then BMS will make you aware of this activity before any of your personal data is processed. You can learn more about the technologies we use in section 9.
Criminal records and background checks and verification	BMS run background verifications to confirm the accuracy of documentation you provide to BMS during and after your hiring process, but only where permitted by the law and where relevant to your role. Examples: criminal records, education, employment verification, creditworthiness, conflict of interests checks.
Other processing activities	BMS may require you to provide certain personal data (such as your name, address, and ID number) of other individuals such as your family members, for other purposes such as: managing your employment relationship with us; contacting you or your personal contacts during emergency; declaring conflict of interest; filing tax returns; processing any corporate group insurance plans; participate in BMS activities or enjoy benefits provided by BMS.

Category of data

The Purpose for use

Relocation, local assignments of workers

BMS processes your data for the following reasons:

managing your relocation to other locations;
to apply for a working visa or residence permit;
for employment related information for compliance with applicable laws, such as tax filing purposes; passport or other citizenship and right to work documentation or information collected for visa and immigration purposes; or
family or relatives related data for insurance, travel, costs and expenses purposes.

Onboarding and administration

When joining BMS as a new hire, to:

register your emergency contacts and emergency notifications in the event of business continuity response measures or for workspace security;
determine incentive and corporate credit card eligibility;
establish worker location, to manage internal transfers within BMS and off-boarding/termination, for business travel purposes;
manage the workflow, such as assigning, managing, administering projects;
enable organizational development, preparation, management, and use of an internal business directory, organization charts;
record trade union membership where required by local law.

Talent acquisition and recruitment

After your application has succeeded, BMS will use your information necessary to process your job application, record your information in our systems, as an applicant to internal opportunities for roles, projects or initiatives.

Attendance administration

In some cases, BMS may record your on-site attendance in the workplace in compliance with internal policies and as permitted by local law. This includes data necessary to record and administer your working hours, attendance and overtime application, approval and reimbursement when applicable or compliance with the applicable BMS flexible way of working policy.

Leave management

To enable your leave application for paid annual leave and unpaid leave:

health and medical data, such as the number of sick days;
doctor’s certificate/medical certificate;
information on work-related accidents;
insurance claims;
information on disability;
information on marriage, maternity and parental, and bereavement leave.

Compensation and benefits

To comply with legal requirements and BMS labor policies related to compensation and benefits, which includes:

offering of social security insurance, pension, housing fund and other flexible benefit programs and wellness initiatives, such as commercial medical insurance, annual medical examination and other allowances, based on your jurisdiction;
offering well-being services, rebates or points for goods and services, car fleet services;
administering employee welfare activities that participants may voluntarily participate in (including welfare provided for former employees), such as team-building activities, recreative and event activities including with your family, labor union activities, and aid service, etc. when applicable.

Learning and development

To manage talent development, administer and track training and awareness activities.

Performance and recognition

to enhance performance evaluation, promote personnel development, improve worker efficiency;
to set performance objectives, evaluate performance;
provide you with recognition and awards, to manage promotions.

Working culture and BMS events, surveys and activities

to improve the working culture at BMS and provide you with a friendly working environment;
to conduct surveys, hold events and other activities that you could participate in voluntarily.

Travel and expense reimbursement

to book travel and accommodation;
to review and evaluate reimbursement applications and the supporting documents including transaction records for business expenses;
to make reimbursement payment to an employee’s bank account;
to ensure compliance with travel & business expenses policies.

Safe work environment, information security, acceptable usage purposes and fraud detection and prevention

The nature of the work at BMS requires to protect the health & safety of its employees, data, or infrastructures. BMS will access your data in particular to:

ensure security and systems monitoring (for example through video (CCTV) recording);
ensure the security and integrity of BMS facilities, IT systems and data;
notify you by phone or electronic notifications about events or incidents happening while you are traveling for work;
administer, monitor and/or manage appropriate usage of BMS premises, property, and equipment, such as requirements for identity verification and access control to device, hardware, software, internet, network, infrastructure, mobile phone, mail services, or other facilities.

Protecting health & safety of its workers or third parties

BMS may apply internal policies to protect against serious diseases or threats in the context of:

exposure to chemical or biological compounds in our manufacturing sites, or
global, regional, or national public health, for instances in the event of pandemic situations.

In such cases, BMS may collect, or require third parties to collect information that demonstrate your health or vaccination status.

Compliance and regulatory purposes

to ensure corporate compliance requirements and policies are met, including conflict of interest declaration and review, audit, completion of mandatory training;
to manage, review and respond to complaints, investigations and disciplinary matters, to establish, exercise or defend legal claims or other legal rights;
monitoring and tracking of the different cases and their resolution, and definition of the nature or cause of the investigation;
to comply with applicable laws (such as tax deductions and declarations), regulations and requests from governmental agencies, and to adhere to industry standards.

Equal opportunity and diversity monitoring / initiatives

When using this data in limited, permitted or required cases, we may collect:

race, gender or ethnicity data such as information contained in your passport or other citizenship and right to work documentation or information collected for visa and immigration purposes or to comply with local regulations;
sexual orientation, diversity data where this has been provided voluntarily to BMS.

Understanding the diversity of our workforce

We collect certain demographic data mostly in aggregate, such as:

race, gender, ethnicity, sexual orientation, veteran and disability status to help us understand the diversity of our workforce and to support core business diversity, equity, and inclusion initiatives;
in some circumstances, we may also need to use this data to comply with government regulations.

Note: we generally collect this information on an aggregate or on a voluntary basis, and you are not required to provide it unless it is necessary for us to comply with a legal obligation. We will not share your data without your permission unless we are legally required to do so.

Run security & compliance scans or verifications

In certain countries, BMS will monitor your individual activity only if we have a reasonable, proportionate, and robust legal reason in place. Typical examples of where BMS might monitor your activity are:

your physical movement using CCTV, badge data or sign-in sheets – this is for the security of our employees, visitors and BMS property;
your interactions with customers (for example HCPs) - this is only conducted for specific job roles at BMS and is done for training, verification, and quality assurance reasons;
network scans including your electronic activity when using our communications systems and networks. This can cover logfiles, use of BMS assets and systems. The reason for monitoring might be network and device management, protecting our intellectual property (IP), protection against cyber-attacks, certain legal obligations, but always where permitted by law;
for specific investigations, for example if an employee is strongly suspected of breaching BMS policies.

This type of monitoring will always fully comply with the law and will only process the least amount of data needed to complete the investigation.

Automated decision making

In general, BMS does not make employment decisions based solely on automated processing (including profiling) of employees. If this were to happen, for example using Artificial Intelligence, then BMS will make you aware of this activity before any of your personal data is processed.

You can learn more about the technologies we use in section 9.

Criminal records and background checks and verification

BMS run background verifications to confirm the accuracy of documentation you provide to BMS during and after your hiring process, but only where permitted by the law and where relevant to your role.

Examples: criminal records, education, employment verification, creditworthiness, conflict of interests checks.

Other processing activities

BMS may require you to provide certain personal data (such as your name, address, and ID number) of other individuals such as your family members, for other purposes such as:

managing your employment relationship with us;
contacting you or your personal contacts during emergency;
declaring conflict of interest;
filing tax returns;
processing any corporate group insurance plans;
participate in BMS activities or enjoy benefits provided by BMS.

Category of data
Relocation, local assignments of workers
BMS processes your data for the following reasons: managing your relocation to other locations; to apply for a working visa or residence permit; for employment related information for compliance with applicable laws, such as tax filing purposes; passport or other citizenship and right to work documentation or information collected for visa and immigration purposes; or family or relatives related data for insurance, travel, costs and expenses purposes.

Category of data

Relocation, local assignments of workers

The Purpose for use

BMS processes your data for the following reasons:

managing your relocation to other locations;
to apply for a working visa or residence permit;
for employment related information for compliance with applicable laws, such as tax filing purposes; passport or other citizenship and right to work documentation or information collected for visa and immigration purposes; or
family or relatives related data for insurance, travel, costs and expenses purposes.

Category of data
Onboarding and administration
When joining BMS as a new hire, to: register your emergency contacts and emergency notifications in the event of business continuity response measures or for workspace security; determine incentive and corporate credit card eligibility; establish worker location, to manage internal transfers within BMS and off-boarding/termination, for business travel purposes; manage the workflow, such as assigning, managing, administering projects; enable organizational development, preparation, management, and use of an internal business directory, organization charts; record trade union membership where required by local law.

Category of data

Onboarding and administration

The Purpose for use

When joining BMS as a new hire, to:

register your emergency contacts and emergency notifications in the event of business continuity response measures or for workspace security;
determine incentive and corporate credit card eligibility;
establish worker location, to manage internal transfers within BMS and off-boarding/termination, for business travel purposes;
manage the workflow, such as assigning, managing, administering projects;
enable organizational development, preparation, management, and use of an internal business directory, organization charts;
record trade union membership where required by local law.

Category of data
Talent acquisition and recruitment
After your application has succeeded, BMS will use your information necessary to process your job application, record your information in our systems, as an applicant to internal opportunities for roles, projects or initiatives.

Category of data

Talent acquisition and recruitment

The Purpose for use

Category of data
Attendance administration
In some cases, BMS may record your on-site attendance in the workplace in compliance with internal policies and as permitted by local law. This includes data necessary to record and administer your working hours, attendance and overtime application, approval and reimbursement when applicable or compliance with the applicable BMS flexible way of working policy.

Category of data

Attendance administration

The Purpose for use

Category of data
Leave management
To enable your leave application for paid annual leave and unpaid leave: health and medical data, such as the number of sick days; doctor’s certificate/medical certificate; information on work-related accidents; insurance claims; information on disability; information on marriage, maternity and parental, and bereavement leave.

Category of data

Leave management

The Purpose for use

To enable your leave application for paid annual leave and unpaid leave:

health and medical data, such as the number of sick days;
doctor’s certificate/medical certificate;
information on work-related accidents;
insurance claims;
information on disability;
information on marriage, maternity and parental, and bereavement leave.

Category of data
Compensation and benefits
To comply with legal requirements and BMS labor policies related to compensation and benefits, which includes: offering of social security insurance, pension, housing fund and other flexible benefit programs and wellness initiatives, such as commercial medical insurance, annual medical examination and other allowances, based on your jurisdiction; offering well-being services, rebates or points for goods and services, car fleet services; administering employee welfare activities that participants may voluntarily participate in (including welfare provided for former employees), such as team-building activities, recreative and event activities including with your family, labor union activities, and aid service, etc. when applicable.

Category of data

Compensation and benefits

The Purpose for use

To comply with legal requirements and BMS labor policies related to compensation and benefits, which includes:

offering of social security insurance, pension, housing fund and other flexible benefit programs and wellness initiatives, such as commercial medical insurance, annual medical examination and other allowances, based on your jurisdiction;
offering well-being services, rebates or points for goods and services, car fleet services;
administering employee welfare activities that participants may voluntarily participate in (including welfare provided for former employees), such as team-building activities, recreative and event activities including with your family, labor union activities, and aid service, etc. when applicable.

Category of data
Learning and development
To manage talent development, administer and track training and awareness activities.

Category of data

Learning and development

The Purpose for use

To manage talent development, administer and track training and awareness activities.

Category of data
Performance and recognition
to enhance performance evaluation, promote personnel development, improve worker efficiency; to set performance objectives, evaluate performance; provide you with recognition and awards, to manage promotions.

Category of data

Performance and recognition

The Purpose for use

to enhance performance evaluation, promote personnel development, improve worker efficiency;
to set performance objectives, evaluate performance;
provide you with recognition and awards, to manage promotions.

Category of data
Working culture and BMS events, surveys and activities
to improve the working culture at BMS and provide you with a friendly working environment; to conduct surveys, hold events and other activities that you could participate in voluntarily.

Category of data

Working culture and BMS events, surveys and activities

The Purpose for use

to improve the working culture at BMS and provide you with a friendly working environment;
to conduct surveys, hold events and other activities that you could participate in voluntarily.

Category of data
Travel and expense reimbursement
to book travel and accommodation; to review and evaluate reimbursement applications and the supporting documents including transaction records for business expenses; to make reimbursement payment to an employee’s bank account; to ensure compliance with travel & business expenses policies.

Category of data

Travel and expense reimbursement

The Purpose for use

to book travel and accommodation;
to review and evaluate reimbursement applications and the supporting documents including transaction records for business expenses;
to make reimbursement payment to an employee’s bank account;
to ensure compliance with travel & business expenses policies.

Category of data
Safe work environment, information security, acceptable usage purposes and fraud detection and prevention
The nature of the work at BMS requires to protect the health & safety of its employees, data, or infrastructures. BMS will access your data in particular to: ensure security and systems monitoring (for example through video (CCTV) recording); ensure the security and integrity of BMS facilities, IT systems and data; notify you by phone or electronic notifications about events or incidents happening while you are traveling for work; administer, monitor and/or manage appropriate usage of BMS premises, property, and equipment, such as requirements for identity verification and access control to device, hardware, software, internet, network, infrastructure, mobile phone, mail services, or other facilities.

Category of data

Safe work environment, information security, acceptable usage purposes and fraud detection and prevention

The Purpose for use

The nature of the work at BMS requires to protect the health & safety of its employees, data, or infrastructures. BMS will access your data in particular to:

ensure security and systems monitoring (for example through video (CCTV) recording);
ensure the security and integrity of BMS facilities, IT systems and data;
notify you by phone or electronic notifications about events or incidents happening while you are traveling for work;
administer, monitor and/or manage appropriate usage of BMS premises, property, and equipment, such as requirements for identity verification and access control to device, hardware, software, internet, network, infrastructure, mobile phone, mail services, or other facilities.

Category of data
Protecting health & safety of its workers or third parties
BMS may apply internal policies to protect against serious diseases or threats in the context of: exposure to chemical or biological compounds in our manufacturing sites, or global, regional, or national public health, for instances in the event of pandemic situations. In such cases, BMS may collect, or require third parties to collect information that demonstrate your health or vaccination status.

Category of data

Protecting health & safety of its workers or third parties

The Purpose for use

BMS may apply internal policies to protect against serious diseases or threats in the context of:

exposure to chemical or biological compounds in our manufacturing sites, or
global, regional, or national public health, for instances in the event of pandemic situations.

In such cases, BMS may collect, or require third parties to collect information that demonstrate your health or vaccination status.

Category of data

Compliance and regulatory purposes

The Purpose for use

to ensure corporate compliance requirements and policies are met, including conflict of interest declaration and review, audit, completion of mandatory training;
to manage, review and respond to complaints, investigations and disciplinary matters, to establish, exercise or defend legal claims or other legal rights;
monitoring and tracking of the different cases and their resolution, and definition of the nature or cause of the investigation;
to comply with applicable laws (such as tax deductions and declarations), regulations and requests from governmental agencies, and to adhere to industry standards.

Category of data

Equal opportunity and diversity monitoring / initiatives

The Purpose for use

When using this data in limited, permitted or required cases, we may collect:

race, gender or ethnicity data such as information contained in your passport or other citizenship and right to work documentation or information collected for visa and immigration purposes or to comply with local regulations;
sexual orientation, diversity data where this has been provided voluntarily to BMS.

Category of data

Understanding the diversity of our workforce

The Purpose for use

We collect certain demographic data mostly in aggregate, such as:

race, gender, ethnicity, sexual orientation, veteran and disability status to help us understand the diversity of our workforce and to support core business diversity, equity, and inclusion initiatives;
in some circumstances, we may also need to use this data to comply with government regulations.

Category of data

Run security & compliance scans or verifications

The Purpose for use

your physical movement using CCTV, badge data or sign-in sheets – this is for the security of our employees, visitors and BMS property;
your interactions with customers (for example HCPs) - this is only conducted for specific job roles at BMS and is done for training, verification, and quality assurance reasons;
network scans including your electronic activity when using our communications systems and networks. This can cover logfiles, use of BMS assets and systems. The reason for monitoring might be network and device management, protecting our intellectual property (IP), protection against cyber-attacks, certain legal obligations, but always where permitted by law;
for specific investigations, for example if an employee is strongly suspected of breaching BMS policies.

This type of monitoring will always fully comply with the law and will only process the least amount of data needed to complete the investigation.

Category of data

Automated decision making

The Purpose for use

Category of data

Criminal records and background checks and verification

The Purpose for use

Category of data

Other processing activities

The Purpose for use

BMS may require you to provide certain personal data (such as your name, address, and ID number) of other individuals such as your family members, for other purposes such as:

managing your employment relationship with us;
contacting you or your personal contacts during emergency;
declaring conflict of interest;
filing tax returns;
processing any corporate group insurance plans;
participate in BMS activities or enjoy benefits provided by BMS.

Note: As a BMS Worker, you are responsible for any sharing with BMS of personal data about persons outside BMS – for example, providing BMS with information about family members for health insurance purposes, relocation services, conflict of interests, verification to past employers, emergency contacts and so on. Therefore, it is your responsibility to inform the third party about such disclosure or where required, obtain their prior permission, and provide them a copy of this privacy notice. When disclosing the personal data of these individuals, you will be acting on their behalf.

5. ENTERPRISE PLATFORMS & DEVICES – HOW WE USE YOUR DATA

As a BMS Worker, there are many times when we need to process or share your data using digital means. In most cases, your online connection to BMS systems is securely managed through the BMS single sign-on (SSO) process or through our VPN (virtual private network). You may access other systems, such as Outlook or Workday using double factor authentication.

For more information about how we collect personal data from visitors to our websites or users of our products and services, please review our General Privacy Notice.

Online information that we may collect when you use our sites

Type of activity

Data categories

Purpose for use

BMS intranet, websites and applications

Login data (BMS ID, login details for SSO), Analytics data

The main use of your personal data for our intranet sites are for:

enabling you to connect to our systems;
audience measurements and aggregate websites’ traffic and analytics.

Eligible programs, benefits or activities run by third parties

Eligibility contact data (BMS e-mail, BMS ID, full name, role if needed).

BMS shares your contact details with trusted third parties to offer various benefits to workers who are eligible to access such programs.

Matching your profile for internal opportunities

Application data (full name, BMS ID, your skills, interests, current role)

Professional data (such as your CV/resume, data from 3^rd party platforms such as LinkedIn).

When you enter your professional data into BMS HR systems, BMS can use that data to propose internal opportunities at BMS that might be relevant to you. When doing so, BMS sometimes uses third parties to help match your profile to the most suited available job roles. When we do use external providers and/or software for this activity, you will receive more information prior to our use of such data.

Read more in section 9 about artificial intelligence and section 10 about your privacy rights.

Bring your own device (BYOD)

Device ID and other data needed to secure the connection to BMS application and systems.

Where permitted under BMS policies, you may also use your own device (Bring Your Own Device (BYOD)) or other approved devices to perform your job at BMS. This requires BMS to access your personal data to enable your device, including the installation of BMS approved software for information protection purposes.

Cybersecurity & information protection

Aggregate security data, system monitoring data and contact details and usage data

BMS uses a variety of supporting applications and teams to ensure all data remains available, secure, and confidential when you use BMS approved, technologies and systems. To achieve this goal, BMS processes aggregate data for the purposes of updates, diagnostics, tests, and the security of your laptop or devices.

Example: To prevent data losses, phishing or scam attempts or for compliance purposes, we may send you notifications, or refresher training requests.

Type of activity

BMS intranet, websites and applications

Data categories

Login data (BMS ID, login details for SSO), Analytics data

Purpose for use

The main use of your personal data for our intranet sites are for:

enabling you to connect to our systems;
audience measurements and aggregate websites’ traffic and analytics.

Type of activity

Eligible programs, benefits or activities run by third parties

Data categories

Eligibility contact data (BMS e-mail, BMS ID, full name, role if needed).

Purpose for use

BMS shares your contact details with trusted third parties to offer various benefits to workers who are eligible to access such programs.

Type of activity

Matching your profile for internal opportunities

Data categories

Application data (full name, BMS ID, your skills, interests, current role)

Professional data (such as your CV/resume, data from 3^rd party platforms such as LinkedIn).

Purpose for use

Type of activity

Bring your own device (BYOD)

Data categories

Device ID and other data needed to secure the connection to BMS application and systems.

Purpose for use

Type of activity

Cybersecurity & information protection

Data categories

Aggregate security data, system monitoring data and contact details and usage data

Purpose for use

6. DATA SOURCES – HOW DO WE OBTAIN AND SHARE DATA ABOUT YOU

BMS collects personal data directly from you for most of our processing activities, although sometimes we obtain personal data automatically through certain internal BMS sites or indirectly from alternative sources.

For example: we collect personal data indirectly from service providers (such as recruitment agents and background checking services), online platforms, government bodies (criminal records, wage garnishments) or authorities where required by law (such as tax authorities) to manage your work relationship with us.

We also automatically collect information about you through physical or online security, systems monitoring (for example, through video (CCTV) recording), or building access control logs when you enter the workplace or in similar contexts. BMS will always strive to make you aware of this type of processing before collecting your personal information.

7. DATA TRANSFERS – WHO WE SHARE YOUR DATA WITH AND WHO CAN ACCESS IT

Only limited BMS teams and approved third parties or authorities who need to manage or obtain your information may access Work–Related Data. When your personal data is more sensitive, BMS will apply more restrictions and protections to protect it. For details on our cross–border transfer mechanisms, please see the relevant section in our General Privacy Notice available on all bms.com websites.

Work-Related Data we share inside the BMS group

Inside the BMS group
BMS locations	BMS is headquartered in the United States, with operations in Europe, Asia, Australia and in North and South America – all collectively known as the “BMS group” (of companies). Given the global nature of our company, processing of employee data occurs across several countries. Many of our HR processing activities are centralized in the United States (for example in our Tampa office), but we also have centralized HR activities in Australia, China, India and the United Kingdom. Your data will be accessed by local and central teams who may be located in such locations. You can also find the main locations from where we operate here: https://www.bms.com/about-us/our-company/worldwide-facilities.html.
Contracts and principles to secure the transfer	Binding Corporate Rules (BCRs) is a recognized mechanism that allows the transfer and disclosure of personal data across entities that are part of the same company group. Our Binding Corporate Rules Policy provide you with an overview of our global privacy program and commitment to maintaining high data protection standards when processing personal data transferred to different countries within the BMS Group of companies. Transfers of Work-Related Data also occur on the basis of appropriate arrangements including data transfer agreements, local or regional transfer schemes or, when appropriate or required, your consent.
Teams or function accessing your data	BMS teams who can access your information include: HR departments and hiring managers in the context of the employment relationship; BMS functions, such as finance, internal audit, IT, the law department and records management in the context of their functions and responsibilities; corporate directory (whitepages): all the employees of the BMS group of companies will have access to the business contact details (name and surname, role and function, manager, email, where applicable phone numbers and business address).

Inside the BMS group
BMS locations
BMS is headquartered in the United States, with operations in Europe, Asia, Australia and in North and South America – all collectively known as the “BMS group” (of companies). Given the global nature of our company, processing of employee data occurs across several countries. Many of our HR processing activities are centralized in the United States (for example in our Tampa office), but we also have centralized HR activities in Australia, China, India and the United Kingdom. Your data will be accessed by local and central teams who may be located in such locations. You can also find the main locations from where we operate here: https://www.bms.com/about-us/our-company/worldwide-facilities.html.
Contracts and principles to secure the transfer
Binding Corporate Rules (BCRs) is a recognized mechanism that allows the transfer and disclosure of personal data across entities that are part of the same company group. Our Binding Corporate Rules Policy provide you with an overview of our global privacy program and commitment to maintaining high data protection standards when processing personal data transferred to different countries within the BMS Group of companies. Transfers of Work-Related Data also occur on the basis of appropriate arrangements including data transfer agreements, local or regional transfer schemes or, when appropriate or required, your consent.
Teams or function accessing your data
BMS teams who can access your information include: HR departments and hiring managers in the context of the employment relationship; BMS functions, such as finance, internal audit, IT, the law department and records management in the context of their functions and responsibilities; corporate directory (whitepages): all the employees of the BMS group of companies will have access to the business contact details (name and surname, role and function, manager, email, where applicable phone numbers and business address).

Work-Related Data we share outside the BMS group

Outside the BMS group
Why we need to disclose your data	BMS partners with many organizations that are specialized in areas such as IT, security, tax and accounting, payroll, providing benefits, running programs, insurance, pension or other services. In other cases, we disclose your data to authorities.
Approved third parties	BMS engages with a variety of third-party service providers to help support the services we provide to our workers. For many of our HR functions, the third-party service providers are embedded within our HR functions (for example as consultants providing IT Support services) but in other instances, you will have a direct relationship with the external vendor – for example, insurance providers, health, and wellness Apps and so on.
Governmental bodies or authorities	BMS may share Work-Related Data that includes your contact details, correspondence, internal or external communications with authorities or for dispute resolution purposes, claims or investigations, to comply with applicable laws or to protect BMS’ business or interests.
Security	BMS puts all third-party vendors through a series of rigorous security and privacy checks, rregardless of whether the vendor works directly for BMS providing a support service or whether the relationship with the vendor is directly between you and them. In addition, we have data protection clauses included in all our contracts with vendors, where needed, to ensure that the applicable data protection legislation is followed regardless of the country in which your data is processed.

Outside the BMS group
Why we need to disclose your data
BMS partners with many organizations that are specialized in areas such as IT, security, tax and accounting, payroll, providing benefits, running programs, insurance, pension or other services. In other cases, we disclose your data to authorities.
Approved third parties
BMS engages with a variety of third-party service providers to help support the services we provide to our workers. For many of our HR functions, the third-party service providers are embedded within our HR functions (for example as consultants providing IT Support services) but in other instances, you will have a direct relationship with the external vendor – for example, insurance providers, health, and wellness Apps and so on.
Governmental bodies or authorities
BMS may share Work-Related Data that includes your contact details, correspondence, internal or external communications with authorities or for dispute resolution purposes, claims or investigations, to comply with applicable laws or to protect BMS’ business or interests.
Security
BMS puts all third-party vendors through a series of rigorous security and privacy checks, rregardless of whether the vendor works directly for BMS providing a support service or whether the relationship with the vendor is directly between you and them. In addition, we have data protection clauses included in all our contracts with vendors, where needed, to ensure that the applicable data protection legislation is followed regardless of the country in which your data is processed.

8. OUR LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA

In this section, we describe our legal justifications (commonly referred to as “legal basis”) for the use of your data related to each of purpose for using it. We will use the legal basis that is most appropriate for the purpose and circumstances related to such processing. Below, we have explained which legal bases we may choose or have to use when using your personal information.

Note: Depending on the country or State where you reside, the law of your country may not require that BMS justifies how it uses your data (such as in the US or Hong–Kong). This applies to ordinary use of your data, transfers outside of your residence, or when sharing or disclosing your Work–Related Data with a third party. If you are from a jurisdiction or a State that requires a legal basis for processing personal data (such as China, the EEA, UK, or Brazil), our legal basis will depend on the personal data concerned and the context in which we collect it. Where required by applicable law, BMS will obtain your prior consent for certain processing activities – for example, using cookies or trackers, when using your images or recording materials, disclosing your personal data outside of your country of residence or disclosing it with BMS–approved third parties.

Specific examples of usual legal bases

BMS relies on a legal basis for each of our processing activities for most of the jurisdictions where BMS operates, whether relating to Work Related Data or Sensitive Work Related data. However, the privacy laws in some countries may not require the same legal basis for our processing activities as we have described in this notice. For instance, we may use consent or contractual necessity instead of legitimate interest when the local law does not recognize such a legal concept.

Our most used legal bases are:

contractual necessity: in practice, this means that BMS needs to process your data to honor our commitments as stated in your arrangement with BMS, for example providing your personal data to our third-party payroll, pension or insurance provider;
compliance with a legal obligation: there are many times where BMS has a legal obligation to use, retain or disclose your Work Related Data. We will make this clear at the time and inform you whether provision of your personal data is mandatory or not, as well as the possible consequences if it is not provided;
prior consent: where BMS conducts optional activities or when the law requires it, we will inform you and BMS may require your prior consent. Unless the nature of the activity or of the data requires it, your local law prescribes or allows otherwise, you will have the right to withdraw your consent at any time;
public disclosures: if you agree to disclose your Work Related Data publicly or if BMS has a duty to do so, then future control over that data may be compromised. BMS will provide you with a notice explaining the processing activity where your personal data may become publicly available and if you have a choice of whether to participate or not.

Legal basis

Description and examples when using our legal basis

Performance of a contract with you

In most cases, we justify using your data for HR management as described in our HR related policies, handbooks and other rules that may apply to your role at BMS.

Example: Compensation & benefits, performance, ensuring compliance with employee handbooks, SOPs, internal procedures, for sick leave, internal career development and opportunities, running our daily operations, login to and use our IT systems.

Legal obligations, investigations and compliance

We use your personal data when BMS complies with its legal obligations related to employment which can include Sensitive Work Related Data.

Example: in the context of tax laws, regulations preventing anti-bribery or conflict of interests, public health, for security, health & safety at work, investigations or internal or third party claims, audits, good clinical, laboratory and manufacturing practices (GxPs). This includes sharing your Work Related Data with third parties or competent authorities or bodies.

Legitimate interest or use

BMS has legitimate interests to use your personal data for identified purposes, always assessing that there is an appropriate balance between your right to privacy and BMS’s interest to conduct its business operations.

In general, BMS considers it has a legitimate interest to use your Work related Data to achieve its immediate and long-term business and commercial goals and outcomes, such as in the context of:

recruitment and candidate selection, HR management;
protecting our work case management, running investigations to evaluate misconducts or non-compliance with internal policies or procedures, retaining data for protecting against claims and disputes, business continuity, pension or retirement administration;
celebrations of special occasions (recognizing years of service, birthday), using intranets, corporate directories, make your BMS profile available internally or to our approved third parties;
prevention and detection of data loss, crime or fraud;
manage and forecasting our finances;
conduct surveys, analytics, improve facility accesses, workforce optimization, security of our systems or prevent data losses.

Note: BMS uses its legitimate interest when it is proportionate, aligned to, or would not conflict with, your reasonable expectations, and does not undermine your individual rights, interests or freedoms.

Consent

In the context of voluntary initiatives or benefits where we obtain your prior permission to use or share your personal data for a specific activity, such as events, picture or recordings, connecting to third party platforms or services.

Public interest

To protect against serious diseases or threats in the context of global, regional, or national public health, for instances in the event of pandemic situations. In most cases, accessing or disclosing your personal data in this context will be based directly on applicable laws.

Vital interest

On rare occasions, we use your vital interest to protect your, or the vital interest of third parties, for accident, security or to prevent imminent threats to your or third parties’ health and safety at the workplace or outside our premises for emergencies or insurance purposes.

Legal basis

Performance of a contract with you

Description and examples when using our legal basis

Legal basis

Legal obligations, investigations and compliance

Description and examples when using our legal basis

Legal basis

Legitimate interest or use

Description and examples when using our legal basis

recruitment and candidate selection, HR management;
protecting our work case management, running investigations to evaluate misconducts or non-compliance with internal policies or procedures, retaining data for protecting against claims and disputes, business continuity, pension or retirement administration;
celebrations of special occasions (recognizing years of service, birthday), using intranets, corporate directories, make your BMS profile available internally or to our approved third parties;
prevention and detection of data loss, crime or fraud;
manage and forecasting our finances;
conduct surveys, analytics, improve facility accesses, workforce optimization, security of our systems or prevent data losses.

Legal basis

Consent

Description and examples when using our legal basis

Legal basis

Public interest

Description and examples when using our legal basis

Legal basis

Vital interest

Description and examples when using our legal basis

The above list is not exhaustive and is intended to provide you with an overview of how we justify the processing of your personal data.

9. DO WE USE ARTIFICIAL INTELLIGENCE (AI) OR SIMILAR TECHNOLOGIES?

BMS has developed internal policies and guidance on responsible use of AI. When using AI tools involving Work-Related Data, we will apply globally recognized data privacy & protection principles. When using third party technology, we ensure to apply:

(i) BMS principles on responsible use of AI;
(ii) appropriate technical and security measures;
(iii) contractual arrangement to protect your personal data.

BMS will provide you with more detailed information in a privacy notice, and if required, obtain your prior consent before using such technologies. You can read more information about your rights, including your right to object or to request human intervention, in section 10.

More information and examples of our use of digital technologies

10. INDIVIDUAL CHOICES – RIGHTS AND ACCESS TO YOUR DATA

This section describes the rights you may have and the potential actions you can take in relation to how BMS processes your personal data.

You have several privacy rights in relation to the processing of your personal data at BMS, but these will depend on the country where you reside and on the legal basis that we used to process your personal data. Exercising your rights is usually free of charge, except if your request is excessive or requires disproportionate efforts, in which case we may ask you for a reasonable fee.

BMS assesses every request received based on who you are and the jurisdiction or State in which you are based. If we cannot comply with your request, we will let you know the reasons why. You can always contact BMS at dpo@bms.com to find out more about your rights and how you can exercise them.

You can read more about your individual rights

Actions you can take about your personal data

I would like to

Tools you can use to manage your data

Update my data

Workday, mybms & e-mail. If your personal data changes during the course of your time at BMS, please raise a ticket or connect to your Workday account to update that data or contact your HR business partner to note those changes.

Access my data or receive a copy of my data

Workday, mybms, & e-mail. Workday and the relevant applications available in mybms allows you to see the data that we hold about you and download a copy. If we have data that you cannot access via Workday, then you may make a request by emailing your HR Business Partner or by using the contact details provided in the contact us section below.

Note: we might need to refuse access to personal data in certain cases, such as when providing access might infringe someone else’s privacy rights.

Delete my data or withdraw consent

Workday, mybms & e-mail. You can ask that we delete personal data that you believe is inaccurate or no longer relevant by emailing your HR Business Partner or by using the contact details provided in the contact us section below.

In addition, you can go into Workday and remove some of the data you have chosen to share with us, such as your photo, demographic data, emergency contacts and so on. We might need to refuse deletion of personal data in certain cases, for example if there is an impact on our legal obligations.

I would like to

Update my data

Tools you can use to manage your data

I would like to

Access my data or receive a copy of my data

Tools you can use to manage your data

I would like to

Delete my data or withdraw consent

Tools you can use to manage your data

11. DATA SECURITY – HOW WE PROTECT YOUR PERSONAL DATA

BMS uses appropriate technical and organizational measures to protect your personal data online and offline. We do this to prevent unauthorised processing, loss of data, disclosure, use, alteration, or destruction of your personal data. The measures that we deploy are dependent on the sensitivity of the personal data and the most recent advancements made in security technology. Where appropriate, we use encryption, pseudonymisation (such as key coding), de-identification and other technologies that can assist us in securing your data, including measures to restore access to your data. We also require our service providers to comply with reasonable and recognized data privacy and security requirements.

The measures we use to protect your data

12. DATA RETENTION – HOW LONG BMS RETAINS YOUR PERSONAL DATA

Data retention schedules

BMS will only retain your personal data for as long as necessary for the processing purposes listed in section 4. When retaining and storing data about you in our systems, we have put in place specific data retention schedules in accordance with our company policy and in compliance with applicable data protection and local employment laws.

More information on our retention periods

Criteria to keep your data

Typically, we retain data based on the following criteria, where we consider:

the quantity, nature and sensitivity of the personal data in question;
the potential risk of harm in the event of unauthorised use or disclosure;
the purposes of the processing;
whether or not these purposes can be achieved by other means, as well as the applicable legal obligations.

Note: the below retention schedules are not applicable across all countries - certain retention periods may differ from this table to meet local legal or regulatory requirements (such as China). Retention periods can also be adjusted in line with specific changes made through new legislation.

There are instances where BMS is legally obliged to adhere to specific retention periods. For example, when BMS must retain data for a set minimum period or to delete it after a set maximum time limit. Some common examples of these obligations normally relate to data needed for tax and accounting, anti-bribery, conflict of interest or investigation purposes.

Type of activity

Retention period

Benefit plan administration, reporting, and participant disclosure

Event + 10 years

Benefit enrolment and participation

Benefit plan development and management

Benefit plan texts and amendments

Event + 6 years

Education assistance, and work/life and diversity

Creation + 7 years

Workforce tracking and compliance

Creation + 5 years

Employee recruitment and selection

Creation + 3 years

Employment eligibility / verification & immigration

Duration of employment + 6 years

Personnel relations & investigations

Event + 3 years

Personnel records

Training completion – general

Duration of employment + 7 years

Labor arbitration / grievances

Labor relations records

Event + 50 years

Creation + 50 years

Compensation / salary, and incentive planning

Creation + 10 years

Training programs and materials

Training relating to BMS products in compliance with GxPs

Active + 5 years

Active + 2 years. Thereafter, the longer of 25 years or 10 years after the expiration of the drug’s marketing authorization.

Employee relocation and forgivable loans

Creation + 7 years

Payroll

Payroll tax records

Creation + 11 years

Employee time and attendance records

Creation + 8 years

Type of activity

Benefit plan administration, reporting, and participant disclosure

Retention period

Event + 10 years

Type of activity

Benefit enrolment and participation

Benefit plan development and management

Benefit plan texts and amendments

Retention period

Event + 6 years

Type of activity

Education assistance, and work/life and diversity

Retention period

Creation + 7 years

Type of activity

Workforce tracking and compliance

Retention period

Creation + 5 years

Type of activity

Employee recruitment and selection

Retention period

Creation + 3 years

Type of activity

Employment eligibility / verification & immigration

Retention period

Duration of employment + 6 years

Type of activity

Personnel relations & investigations

Retention period

Event + 3 years

Type of activity

Personnel records

Training completion – general

Retention period

Duration of employment + 7 years

Type of activity

Labor arbitration / grievances

Labor relations records

Retention period

Event + 50 years

Creation + 50 years

Type of activity

Compensation / salary, and incentive planning

Retention period

Creation + 10 years

Type of activity

Training programs and materials

Training relating to BMS products in compliance with GxPs

Retention period

Active + 5 years

Active + 2 years. Thereafter, the longer of 25 years or 10 years after the expiration of the drug’s marketing authorization.

Type of activity

Employee relocation and forgivable loans

Retention period

Creation + 7 years

Type of activity

Payroll

Payroll tax records

Retention period

Creation + 11 years

Type of activity

Employee time and attendance records

Retention period

Creation + 8 years

For more specific information about the description of each activity, how long BMS retains your personal data for human resources management, or for other purposes as described in this privacy notice, please access this page: https://retention.bms.com. If your relationship with BMS does not allow you to access this page, please contact us at dpo@bms.com.

13. LEAVING BMS – WHAT HAPPENS TO MY DATA

After you end your employment with, BMS we will need to retain certain information about you, including your contact details, to fulfil certain business obligations, to administer or manage retirement plans, payment for outplacement services, respond to queries from your new employer.

Information about why we may retain your data after you leave BMS

Purpose

Categories of data

Details

Claims & disputes

For example, compensation, incident data, e-mail exchanges, investigation data.

To deal with claims or disputes involving you or others. This could include an accident at work. We do this because we have a legal obligation to provide the information, or it is in our interests to bring or defend a claim. We may also have an obligation to retain and preserve data or evidence that is subject to a legal hold obligation.

Retirement, e-mail communications or referrals

Years of service, compensation, e-mail exchanges, your applications and new role, third party contact details.

We may keep or share your information to administer or manage leave, severance or retirement packages, contact you in relation to your past role or work or to respond to queries to your new employer about your role at BMS.

Outplacement services

Professional and personal contact details, CV, professional background, role at BMS.

BMS may offer or pay for services after you leave our company. BMS will only keep your data necessary to pay the costs of packages you may be eligible for.

Business

continuity

E-mails and documentation, projects, and decisions you made, login and accesses to systems.

To understand and evidence decision making in your role and maintain knowledge within the business after you leave. We do this because it is in our interests to use this information to help run our business, or it may be to support a legal obligation we have.

Employee retention

Leave reasons, manager and employee evaluations, performance, role, position/title.

To understand why you left us. We do this because it is in our interests to use this information to help run our business or it may be to support a legal obligation we have.

Pension administration

Your contact details, compensation and benefits, years of service, payroll, and tax data.

To manage and administer your pension and related legal obligations.

Obligations to third parties

Your contact details, role, position, title, compensation & benefits.

To comply with our obligations to third parties in connection with your employment, such as tax authorities and professional bodies.

Purpose

Claims & disputes

Categories of data

For example, compensation, incident data, e-mail exchanges, investigation data.

Details

Purpose

Retirement, e-mail communications or referrals

Categories of data

Years of service, compensation, e-mail exchanges, your applications and new role, third party contact details.

Details

Purpose

Outplacement services

Categories of data

Professional and personal contact details, CV, professional background, role at BMS.

Details

BMS may offer or pay for services after you leave our company. BMS will only keep your data necessary to pay the costs of packages you may be eligible for.

Purpose

Business

continuity

Categories of data

E-mails and documentation, projects, and decisions you made, login and accesses to systems.

Details

Purpose

Employee retention

Categories of data

Leave reasons, manager and employee evaluations, performance, role, position/title.

Details

To understand why you left us. We do this because it is in our interests to use this information to help run our business or it may be to support a legal obligation we have.

Purpose

Pension administration

Categories of data

Your contact details, compensation and benefits, years of service, payroll, and tax data.

Details

To manage and administer your pension and related legal obligations.

Purpose

Obligations to third parties

Categories of data

Your contact details, role, position, title, compensation & benefits.

Details

To comply with our obligations to third parties in connection with your employment, such as tax authorities and professional bodies.

14. TRANSFER OF CONTROL

Data sharing in connection with a transfer of control

Circumstances may arise where we decide to reorganize or divest part (or all) of our business or a line of our business (or any portion of our assets). This can include our information databases and websites, through a sale, divestiture, merger, acquisition, in the event of a bankruptcy, or other means of transfer.

In such circumstances, your personal data may be shared with, sold, transferred, rented, licensed, or otherwise provided or made available by us or on our behalf to actual or potential parties to, and in connection with, the contemplated transaction (without your consent or any further notice to you). In such circumstances, we will seek written assurances that your personal data will be protected appropriately.

15. CHANGES TO THIS NOTICE

BMS may update its privacy notices from time to time. If there are any important revisions which might impact the way we process your personal data, BMS will notify you to inform you of these changes either directly or through our internal communication channels.

16. CONTACT US

If you have questions about this notice, or you want to obtain more information about our use of your personal data as a BMS Worker, you can ask a question by raising a ticket on myBMS. For current and previous employees, you can also contact us by email at eudpo@bms.com for the EU/EEA, Switzerland and the UK. If you are located elsewhere, please email the team at dpo@bms.com or by post at the contact details as described on the relevant footer of our corporate websites that applies in your own language under the contact section.

More information about data protection in your market

List of privacy notices for other jurisdictions
Argentina	Australia	Austria	Belgium EN Belgium NR Belgium FR	Brazil	Canada EN Canada FR
Chile	China	Colombia	Czech Republic	Denmark	Finland
France	Germany	Greece	Hong Kong	Hungary	India
Ireland	Israel	Italy	Japan	Korea	Luxembourg EN Luxembourg FR
Mexico	Netherlands NL Netherlands EN	New Zealand	Norway	Peru	Poland
Portugal	Romania	Saudi Arabia EN Saudi Arabia AR	Singapore	Spain	Sweden
Switzerland DE Switzerland FR	Taiwan	Thailand	Turkey	United Arab Emirates	United Kingdom

List of privacy notices for other jurisdictions
Argentina
Australia
Austria
Belgium EN Belgium NR Belgium FR
Brazil
Canada EN Canada FR
Chile
China
Colombia
Czech Republic
Denmark
Finland
France
Germany
Greece
Hong Kong
Hungary
India
Ireland
Israel
Italy
Japan
Korea
Luxembourg EN Luxembourg FR
Mexico
Netherlands NL Netherlands EN
New Zealand
Norway
Peru
Poland
Portugal
Romania
Saudi Arabia EN Saudi Arabia AR
Singapore
Spain
Sweden
Switzerland DE Switzerland FR
Taiwan
Thailand
Turkey
United Arab Emirates
United Kingdom

Privacy notice versions

Current	Comprehensive update in the layout and content to harmonise transparency across all BMS markets
2020

Right of access	You have the right to contact BMS and request confirmation that we process your personal data, why we process your data, and be provided with access to that data. Please remember that this is not an ‘absolute right’; there are situations where we must remove or redact data to protect other data subjects and company confidentiality.
Right to rectification	You may have the right to update/correct your personal data, for example if it is inaccurate, incomplete, or not up to date.
Right to erasure (right to be forgotten)	You may have the right to have your personal data deleted. There are exceptions to this right, for example when we are legally obliged to retain your personal data for a specific time-period, or when your data is disclosed publicly.
Right to restrict the processing	You have the right to request that we restrict, suspend, or cease the processing of your personal data. Exceptions also apply here. If BMS lifts the restriction, we will inform you beforehand and explain our reasoning.
Right to data portability	You have the right to receive or have your personal data transferred to a third party in a structured, commonly used, and machine-readable format. Note: This right may not apply when your data is processed based on the legitimate interest of BMS or in certain jurisdictions.
Right to withdraw consent	When we process your personal data based on your consent, you have the right to withdraw it at any time and BMS will stop processing your personal data. However, the withdrawal of consent does not impact our processing of your personal data prior to the removal of your consent.
Right to object	You may have the right to object to BMS processing your personal data. This is also not an absolute right and your right to object will depend on the nature of the processing by BMS..
Account deletion	Where applicable, you may have the right to request to delete your user account. This applies for example when using an account on a platform that is operated by a third party. In this case, please contact the platform directly to exercise your rights.
Right to complain to data protection authorities	In some countries, you may have the right to complain directly to the data protection authority in your jurisdiction, if you believe that BMS is processing your personal data unlawfully and/or is violating your rights. The privacy rights section of our BMS General Privacy Notice describes how to contact the competent authority or relevant contact in your country where you reside.

Americas

Argentina

Brazil

Canada

Chile

Colombia

Mexico

Peru

United States

Asia Pacific

Australia

China

India

Japan

Korea

New Zealand

Singapore

Taiwan

Thailand

Europe

Austria

Belgium

Czech Republic

Denmark

Finland

France

Germany

Greece

Hungary

Ireland

Italy

Luxembourg

Netherlands

Norway

Poland

Portugal

Romania

Spain

Sweden

Switzerland

United Kingdom

Middle East

Israel

Saudi Arabia

Turkey

United Arab Emirates

Other

Other Markets

Privacy Policy - Bristol Myers Squibb

Privacy Notice Center

General Privacy Notice

1. ABOUT THIS PRIVACY POLICY

2. WHAT IS PERSONAL INFORMATION?

3. GETTING YOUR CONSENT

4. WHERE WE GET YOUR INFORMATION

5. WHAT INFORMATION WE COLLECT AND WHY?

6. DE-IDENTIFIED, AGGREGATED, AND ANONYMIZED INFORMATION

7. SHARING YOUR PERSONAL INFORMATION?

8. COOKIES AND OTHER TECHNOLOGY

9. INTERNATIONAL TRANSFERS OF INFORMATION

10. STORAGE OF YOUR INFORMATION

11. RETENTION OF YOUR INFORMATION

12. SAFEGUARDS

13. HYPERLINKS

14. CHILDREN'S INFORMATION

15. ACCESSING AND CORRECTING YOUR INFORMATION

16. CONTACT INFORMATION

17. CHANGES TO OUR PRIVACY POLICY

BMS Global Employee Privacy Notice

What You Will Learn in This Notice

1. INTRODUCTION – HOW TO READ THIS NOTICE

Who it applies to and our other notices

2. WHO IS THE CONTROLLER OF YOUR DATA

3. CATEGORIES – WHAT TYPE OF DATA BMS PROCESSES ABOUT YOU

The categories of Work-Related Data

The categories of Sensitive Work-Related Data

4. PURPOSES – WHY WE PROCESS YOUR DATA AND IN WHAT CONTEXT

Details about the context in which we use your data

5. ENTERPRISE PLATFORMS & DEVICES – HOW WE USE YOUR DATA

Online information that we may collect when you use our sites