Privacy Policy - Bristol -Myers Squibb

This general privacy notice (“Notice”) is a global Notice. It describes how Bristol Myers Squibb may Use information about you (“Personal Data” or “Personal Information”) when you interact with our company, in connection with your use of BMS websites, mobile applications, devices and platforms, when we communicate with you and in the context of our business activities. It also informs you about your privacy rights and the measures and processes we put in place to protect your data.

This Notice applies whether you are a patient, member of the public, visitor, shareholder or investor, member of a regulatory body or authority, supplier or business partner, job applicant, or any other individual with whom we engage or who is involved in our business activities. In this Notice, we refer to you as “you” or “your”. We use the term “Processing” or “Use” when we refer to the access, collection, recording, organisation, structuring, retrieval, disclosure, storage, transfer, deletion or otherwise use of your Personal Information. 

Compliance with applicable laws

When Using your Personal Information in the context of our activities, we will do so in compliance with relevant data privacy and data protection laws, which includes regulatory and national law requirements that may apply to such Use and, where applicable, giving you the specific rights that apply in the country where you reside (altogether “Applicable Data Protection Law”).

We may collect your Personal Information online when you use BMS or third-party operated websites and other online resources, including mobile applications, other digital means or platforms. This may also happen through collaborations that we have in place with third parties or companies that host websites for us or with whom we have partnerships for our products, services, or activities. Below, we give you additional information about how we use your information online. 

You may interact with BMS or our partners’ websites and platforms that relate to BMS products and services, job application, patient recruitment, disease awareness, scientific research, alliance websites, or applications used in the context of patient support or management programs.

We enter into arrangements for those collaborations to require an appropriate protection of your Personal Information. Some areas of our websites and platforms may require you to submit information in order for BMS to respond to your request, permit you to access specific areas or participate in a particular activity. When visiting our websites, please also read our Legal Notice and if you are visiting our website for safety reasons, the Pharmacovigilance Notice. 

We have identified examples where we Use your Personal Information online in the table below.

Links to other third-party websites

As a convenience to users, our sites contain links to other third-party websites that may offer additional information, such as educational or professional materials, services and contacts. This Notice does not apply to your use of those other websites. Before using the linked websites, please review their privacy notices to understand how they use and protect your Personal Information.

The information that we Process about you may include various categories of Personal Data depending on your interactions with BMS, third parties with whom we collaborate, or external sources that provide us with your Personal Data. We have outlined below the main categories of Personal Information and, where applicable categories of sensitive Personal Information that we may collect about you. 

In some situations, we may collect sensitive Personal Information about you. When doing so, we apply stronger safeguards to protect your privacy. Depending upon the country in which you reside and the particular context for the collection of such Personal Information, this may include the following information:

In most cases, BMS will collect information directly from you, although sometimes we will obtain information from public or third-party information sources or from use of web-based, devices or other technologies which automatically generate such information. We have outlined below the main ways BMS collects and Processes Personal Data when interacting directly or indirectly with you.

We may collect information from you directly:

Such as when:

• we interact with you in the course of our activities or when you participate in a BMS activity, event or program (such as diversity and inclusion, ambassador or patient support programs);
• we collect information in the context of a specific treatment, such as for personalized medicines, using medical devices or digital platforms or applications;
• we engage service providers, business partners or institutions for services, collaborations or operations;
• you sign up to receive our communications to become a member of our databases or when registering to receive our press releases, e-mail alerts, marketing communications or more information about our activities;
• you share information with us through our various contact points, such as through our company products, commercial, clinical or alliance websites, mobile applications, contact forms, call centers, career application websites, during offices or manufacturing site visits, or for product inquiries;
• we collect information about you from your computer or other devices you use when visiting BMS’s website or mobile applications, or other products, our offices and facilities; or
• you share medical information with us relating to adverse events, pharmacovigilance or incidents involving devices or applications. These disclosures can be communicated in-person or remotely, including by calling us, or via our websites and other digital channels or means of communication.

We may collect Information about you indirectly:

Such as when:

• we receive information about you through a healthcare professional where necessary for pharmacovigilance, incident management, risk management, investigation, or litigation purposes;
• we obtain information that is accessible from public registries, databases, or other third-party sources, such as service providers, agencies or private organisations;
• you have made information about you publicly available on the Internet, including websites, social media platforms, scientific reviews, articles and publications and other sources, in which case we may either inform you, anonymize the data or get your prior consent;
• necessary to verify your credentials, professional information (such as by accessing publicly accessible information, national registries or third-party databases) or your identity for compliance, security or ID verification purposes; 
• you make public posts on social media platforms that we follow (for example, so that we can understand public opinions); or
• conducting pharmacovigilance monitoring activities, or in the context of incidents or other post-market surveillance obligations.

We may also collect information about you automatically, such as for security and systems monitoring (e.g. through video (CCTV) recording) and building access control logs when you visit our offices or in other contexts made apparent to you at the time.

Where permitted and feasible, and to protect your right to privacy, BMS will take reasonable steps to remove or anonymize information that may directly or indirectly identify you, and restrict to the minimum the amount of Personal Information that BMS Uses, submits or transfers to third parties, courts, or governmental bodies.

This is a global Notice. BMS Processes your information in the context of our regular activities, and in accordance with the purposes as set out in this Notice, a separate notice, or when Applicable Data Protection Laws either permit or require us to do so. These purposes may vary depending on where you live and where BMS operates. Where the laws of a country restrict or prohibit certain activities described in this Notice, we will comply with such requirements. This may include refraining or not Using your Information for those purposes restricted or prohibited in that country. 

Below, we list some of the main, but not all, of our purposes for which we may Use Personal Information about you. 

In this section, we describe our legal justifications (commonly referred to as “legal basis”) for the Use of your Personal Information related to each of our main Processing activities. We will use the legal basis that is most appropriate for the purpose and circumstances related to such Processing. Below, we have explained which legal bases we may choose or have to use when Using your Personal Information.  

There may be times where we must use your consent to Process your Personal Information. We may also decide to ask your permission to Process your Personal Data, such as in the context of voluntary initiatives or activities. 

In the following table, you can read more details about what legal basis or combination of legal bases we use when Processing your Personal Information.

As a multinational company operating worldwide, your Personal Information may be shared with, or accessed by, parties located outside your country of residence. If you are located outside of the United States, BMS may share your Personal Information with parties located in countries that provide less protection than in your country, which includes the United States. We may also Process and share your Personal Information with some of our affiliates and other members of the BMS group including selected and approved third parties (vendors and business partners) that help us operate worldwide. When doing so, we implement appropriate measures to prevent unauthorised access or Use of your Personal Information.

Below you can find more information about how BMS shares your Personal Information within its group of entities and with third parties.

Sharing your Personal Information within the BMS group

Often, we share your Personal Information within the BMS group of companies (“BMS Group”). This may include the Bristol Myers Squibb Company headquarters in the United States and all of its current and future subsidiaries, branch offices, affiliates, entities and other companies that are part of, owned or controlled by, the BMS Group. When exchanging information internally, we rely on appropriate arrangements and mechanisms to cover any transfer of your Personal Information within our corporate structure, such as binding corporate rules (BCRs), contractual arrangements approved by authorities or based on consent.

Sharing your Personal Information with third parties

To conduct our business, we share with, or disclose Personal Information to, third parties, such as:

• Third-party service providers for the purpose of outsourcing specific business activities to request external support and resources. This may include companies that provide information technology services, clinical trials and studies support, marketing or market research services, events, meeting and planning services, or services related to talent acquisition or consultancy;
• business partners such as external scientists and healthcare professionals to review and assist us with healthcare compliance activities and institutions and other organisations with whom we collaborate to support our clinical or commercial activities (such as for clinical studies, patient support programs, and so on);
• Regulatory and health authorities including governmental bodies (such as the FDA, EMA, NHS), data protection authorities, tax authorities, or courts in case of disputes, when permitted or required by Applicable Data Protection Law; and
• third parties to whom BMS is legally obligated to provide such information, such as other parties in litigation or legal disputes, guardians, conservators, or individuals with powers of attorney. 

When engaging with third parties, we enter into agreements with them for the Processing of Personal Data so that such Processing is carried out in accordance with our instructions, in a confidential, secure, and transparent manner in order to protect your privacy rights. When it is not possible to enter into an agreement with a third party, such as when engaging, reporting or interacting with regulatory or health authorities or courts, and when legally possible, we will use our best efforts to implement appropriate security measures and controls (such as pseudonymisation) to protect your Personal Information.

If you are in the European Economic Area (“EEA”), Switzerland and the United Kingdom

Whenever we transfer your Personal Information within the EEA, Switzerland or to countries that are deemed “adequate”, such countries are deemed to offer the same level of protection as given by the law of your country. When accessing your Personal Data from, or transferring it, outside of the EEA or Switzerland to countries that may not provide the same level of protection as your own country, we will use appropriate safeguards to protect your right to privacy. For example, such safeguards may consist of using Standard Contractual Clauses (to exchange information with third parties outside of the EEA, Switzerland and the United Kingdom), Binding Corporate Rules (for data transfer within the BMS group of companies) as approved by the European Commission or the competent authority, data transfer agreements or your consent.

If you are outside the EEA, Switzerland and the United Kingdom

Where possible, we will allow access to or the transfer of your Personal Information outside your country of residence: to countries that provide a reasonable high level of data protection; using the most appropriate data transfer mechanisms available to BMS; or where required by Applicable Data Protection Laws, after we get your prior permission, for the collection, disclosure to third parties and the transfer of your Personal Information to a country which does not provide an adequate protection equivalent to the laws of your country of residence.

Unless permitted by law, BMS does not make decisions based solely on automated Processing (including profiling) of individual data unless we inform you otherwise prior to the Processing. We may use algorithms that will enable us to use automated decision-making, including to create profiles. This means that when we use certain technologies, software or algorithms, which may allow us to create profiles, tiering, further understand trends and statistics or use other advanced technologies or automated processing, someone will be involved to validate decisions resulting from such use.

As the use of such technologies evolves, we may use algorithms without a person involved in the decision. In this case, if this activity requires us to Process your Personal Information that is not anonymized, we will comply with any applicable legal requirements, such as to draw this to your attention and provide you with information about the logic involved in the decision, as well as the significance and the envisaged consequences for you of such Use of your Personal Information. Depending on your country of residence, you will have the right to ask that such decision is taken by an individual.

You have a number of rights related to the Personal Data that we Process about you (this will depend on the jurisdiction where you reside and the legal basis that we use). Most often, exercising your right is free of charge. We may also have to clarify your request and explain if we can comply with it or if this is restricted in your situation. You can always contact BMS at eudpo@bms.com to find out more about your rights and how best to exercise them. 

Below we have listed individual rights that may apply depending on your jurisdiction. 

You may have the right to:

• receive a copy of your Personal Data we hold about you;
• correct your Personal Data we hold about you;
• where applicable, receive a machine-readable copy of your Personal Data (portability);
• ask us to delete your Personal Data or restrict how it is used;
• where applicable, object to Processing of your Personal Data for certain purposes, such as when we use it for marketing purposes (opt-out); and
• where you have provided us with your consent to Use your Personal Data, you can withdraw your consent at any time without affecting BMS’ Use of such information before your withdrawal of consent.

Exceptions to your rights

There may be exceptions to your privacy rights described in this Notice. This depends on the country where you reside, why we are Processing your Personal Data and if your request may impair the rights of others. If we cannot comply with your request to exercise your privacy rights, for example when we keep your information for regulatory purposes or for the investigation, prosecution, or defence of a legal claim, we will explain this to you when you contact us.

How to contact us

If you have any questions about how we Use your Personal Information, please contact our Data Protection Office at eudpo@bms.com. 

Note: We may need to request specific information from you to help us confirm your identity. If your request is complex or if you have made a large number of requests, it may take us longer to respond to you, but we will keep you informed of any delays. You will not have to pay a fee to obtain a copy of your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.

Lodging a complaint with a competent supervisory authority

In some countries, you may have the right to lodge a complaint to the relevant data protection or competent authority if you believe that we Process your Personal Information unlawfully or are violating your rights. For example, in the European Union, you can access the list of competent data protection authorities, including the authority in your country of residence by clicking here or by visiting: https://edpb.europa.eu/about-edpb/board/members_en. For Ireland, for example, if you feel that we have been unable to resolve your information rights concern, you have the right to raise the matter with the Data Protection Commission by using the online contact form.

We aim not to retain your Personal Information for longer than necessary for the specific business purposes for which it was collected. After that, unless we are required to continue to maintain the information by law, we may anonymize, restrict, block or delete it. 

In certain cases, BMS may retain your Personal Information for a longer period for the purpose that we have and, in a manner, or a format, that may require BMS to keep certain identifiers. In such case, we may archive it and apply appropriate measures which may consist of blocking, preventing, obfuscating, pseudonymizing, key-coding, or restricting any further access and Use of Personal Information about you. When retaining and storing information about you in our systems, we have put in place data retention schedules in accordance with our company policy and in compliance with Applicable Data Protection Laws. 

When assessing the appropriate retention period, we take into account the quantity, nature and sensitivity of Personal Data, the potential risk of harm in the event of unauthorised use or disclosure, the purposes of the Processing and whether or not these purposes can be achieved by other means, as well as applicable legal obligations.

We implement appropriate technical and organisational controls to protect your Personal Information that we hold to prevent unauthorised Processing, loss of data, disclosure, use, alteration, or destruction.  Where appropriate, we use encryption, pseudonymisation (such as key coding), de-identification and other technologies that can assist us in securing the information about you, including measures to restore access to your information. We also require our service providers to comply with reasonable and recognized data privacy and security requirements. 

We conduct tests and reviews of our technologies and processes, including a review of our business partners and vendors, so that our security controls remain effective. Also, we may further anonymize your Personal Information when it is no longer needed for the purpose for which BMS originally collected such Information.

BMS may Process your Personal Data to evaluate your application to work at BMS. When applying for an opportunity at BMS, we may collect and Process Personal Information about you directly or indirectly from our official websites, third parties or when you make this information publicly available or accessible by third parties for recruitment purposes. You can consult our career opportunities on this page: https://careers.bms.com/ie. Below, you can find more information about how BMS Processes your Personal Information when you apply to work for us. 

To consider your application we may collect:

• your professional experience, such as job title, education information, professional qualifications, work experience, publications, and professional networks, programs and activities in which you participated;
• your contact details, such as your e-mail address, full name, date of birth and other information necessary to submit your application;
• information gathered from agencies, such as information from recruitment agencies, reference providers, and (where permitted by law) background screening providers;
• publicly available information from a company website, internet searches or social media platforms such as LinkedIn or other social media platforms, and publicly available profile information (such as your experience, skills, and interests);
• information that you allow us to access, for example, if you choose to simplify your login Process to the job platform to allow direct access once you have signed in to your third party social media user account, (such as Gmail or Yahoo!), or if you want to upload information to the platform (such as from LinkedIn) instead of manually completing an application; and
• other information that you submit to us, that we obtain indirectly or that we access when looking for new hires or career opportunities.

As your job application proceeds

We may ask you to share additional Personal Information with us, such as:

• official information, such as government issued identification number or tax status; 
• financial information, such as bank account details;
• special categories of Personal Data / sensitive Personal Data, including (where it is permitted, necessary or required for your application) information about your health, marital status, trade union membership religion, criminal records, or credit worthiness data; or 
• other information necessary for your interview or providing you with a job offer, such as details of any known disability or workplace accessibility needs, background information, travel and expenses, performance management, emergency contact details, compensation, hours of work, holidays and benefits-related information. 

Where do we Use your Personal Information for job application

As a multinational organisation, our affiliates transfer information globally. When you upload information to a job search platform, you provide it to all our affiliates, each of which may Process it for its own recruitment purposes. This is the case even where you respond to a job posting that mentions a particular BMS affiliate. Accordingly, we may transfer globally information about you (for example, if you are in the European Economic Area ("EEA"), your information may be transferred outside the EEA; if you are in Australia, your information may be transferred outside Australia).

We will not keep your Personal Information for longer than needed to consider your application. However, we may ask your permission to keep some information about you for a longer period (for example your CV or resume, work experience, cover letters and so on) to consider your eligibility for further job opportunities.

BMS Processes Personal Information about patients that use our treatments and in the context of our clinical research activities. We may also Use patient Personal Information in connection with certain activities, such as through our services, patient websites, collaborations or consortium agreements with third parties (for example genetic data), during events interviews, for advocacy related activities, or for clinical trials, studies or research projects linked to our products (for example to recruit you through our websites or business partners). 

Note, this section, together with this Notice, does not apply to participants to clinical trials. 

This Notice applies to how BMS may Use Personal Information about you when you participate in non-clinical activities. You can read our specific Patient privacy notice if you are involved in a research project, clinical trial or in a study. Below, you will find out more information about Personal Data that we collect about patients in contexts other than clinical studies or research projects.

Patients participating in non-clinical research activities with BMS

In the context of non-clinical research activities, BMS generally does not collect patient data, except in certain occasions, such as where we have reporting obligations to authorities, when we engage directly with you, via third parties, when you contact us, when accessing websites or other platforms, or if you agree to share such information with us. In some instances, we may have interactions with you or access information about you outside of our clinical research activities. This may happen when:

• accessing our personalized medicines, other innovative therapies or devices; 
• BMS collaborates with patient organisations;
• we recruit you for our clinical studies;
• inviting you to our events;
• we propose patient support programs; or 
• when conducting surveys, market research, interviews or propose ambassador programs. 

When doing so, BMS will either collect information that does not allow us to identify you or use technical measures to limit the risk of identification. For example, we may use measures that could include:

• replacing your information such as name, identification number or any other information with a code (key-coded study data); 
• using a third party provider who will only share your Personal Information in an aggregate manner with BMS; 
• anonymizing your Personal Information after its collection; or
• requesting your prior consent. 

If BMS accesses Personal Information about you that is sensitive, we will protect it adequately. For more information about our Use of sensitive data, please refer to section 4.

BMS websites and mobile applications are not intended or designed for children under the age of 13. Depending on the country where you reside, you may not use this website under the age of 16 or 18. We do not collect information from any individual we know to be under the age of 13 (or older if your country is more restrictive). Please refer to our Research Participants Privacy Notice for further information relating to non-adults participation to our studies.

Depending on the country where you reside, you may manage your preferences on cookies and similar tracking technologies through the use of consent management tools that are available on our websites. This section applies to cookies and similar tracking technologies and we explain what our use of cookies and similar tracking technologies means to you and how to disable tracking (such as using opt-in or opt-out preferences). When we collect information that may enable us to identify you, the other sections of this Notice will apply.

You can set your cookie preferences by clicking here.

What are cookies?

A cookie is a small piece of data that a website asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Such cookies when set by us are called first-party cookies. We may also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting (for example, those used by social media, instant messaging, CRM or marketing platforms, or advertising companies). For more information about cookies, types of cookies and how to manage cookies, including how to block them and delete them, please visit http://www.allaboutcookies.org. 

Below, we list the main categories of cookies and similar tracking technologies that we may use when you connect to our websites, use our web-based platforms, applications, devices, or when you interact with us electronically or when you receive electronic communications from us (“Online Use”). You can learn more about the purposes for which BMS may use such technologies for your Online Use.

What categories of cookies may BMS use?

We generally use certain types of cookies during your session on our website (“session cookies”). To improve your experience or remember your preferences or choices, we may use cookies that will remain on your device unless you remove them (“persistent cookies”). When using cookies on our websites and other digital services, such technology may include:

Why do we use cookies on our website?

In addition to the explanation provided in this Notice and the section above, we use cookies or similar tracking technologies in various instances, such as for the following purposes:

• Making your experience more efficient, faster and easier: by remembering your preferences, like preferred language, display and other settings, maintaining your session, and for authentication purposes. This helps us to provide you with a better user experience. These cookies are also referred to as Session-Id cookies, authentication cookies, and User Interface customization cookies.
• Gain useful knowledge about how the site is used: by collecting information about the number of visitors and other uses. This helps us improve our sites. These cookies are also referred to as analytics cookies. For this purpose, we use services such as Google Analytics which means that Google and similar suppliers will also have access to this information (including your IP address and any other equipment identifiers such as the IMEI number and the MAC address). 
• Provide easy access to our websites. This helps us to direct you, share with you our content within sites such as Facebook, Twitter, LinkedIn, YouTube or Pinterest or allow you to share content that is of your interest. To the extent we use such technology, these ‘social media plug-ins’ may store cookies and similar technology on your computer or other device. This means that the social media sites may access this information (including your IP address), may identify that you interacted with the BMS site. 
• Improve our marketing communications to you. Certain cookies, such as web beacons or tracking pixels, may be used by third party systems, such as customer relationship management systems or other service providers who help us manage e-mail campaigns. Those trackers enable us to better understand the success of our communications and the relevance of the content that we share with you. This may allow us to reduce the number of e-mails that we send you and provide you with content, scientific information, or initiatives that are more tailored to your interests.

How can you object or refuse cookies?

Subject to the law of your country, in particular in the European Union, we will either inform you, ask your prior permission (opt-in) before placing tracking technologies on your device, or provide you with a right to object (opt-out) for the purposes that we describe in this section. Your web browser, e-mail software (such as Microsoft outlook, or Google Gmail) and other clients that you use can be set to manage cookies and similar trackers and even reject them by default. Do bear in mind that if you set your browser to automatically reject cookies, your user experience when visiting websites will not be the same: your preferences may not be remembered, some functionality may be lost and you may not be able to access certain areas or features of the sites. 

For more details on the cookies that we use, you can read our cookie table below or, where applicable, on the website that you use by accessing the relevant cookie notice.

BMS may update this notice from time to time by posting any revisions on this website.  Where any material revisions are made, BMS may place a prominent notice on this website and when legally required to do so, will directly notify you.

If you have questions about this Notice, or want to obtain more information about our privacy practices, please contact our Data Protection Officer at eudpo@bms.com or contact us by postal mail at:

This privacy notice (“Notice”) describes how Bristol Myers Squibb uses information about you (“Personal Data” or “Personal Information”) as a healthcare professionals, medical professional, personnel and staff of healthcare institutions (such as statisticians, pharmacists, representatives of hospitals, clinicals, universities), government authorities, non-profit organisations, key opinion leaders or influencers, with whom we interact (altogether “HCPs”, “you”, “your”). This Notice applies when you interact with our company, and in the context of our business activities. It also informs you about the measures and processes that we put in place to protect your data.  We use the term “Processing” or “Use” when we refer to the access, collection, recording, organisation, structuring, retrieval, disclosure, storage, transfer, deletion or otherwise use of your Personal Information. 

Compliance with applicable laws

When Using your Personal Information in the context of our activities, we will do so in compliance with relevant data privacy and data protection laws, which includes regulatory and national law requirements that may apply to such Use and, where applicable, giving you the specific rights that apply in the country where you reside (altogether “Applicable Data Protection Law”).

We may collect your Personal Information online when you use BMS or third-party operated websites and other online resources, including mobile applications, other digital means or platforms. This may also happen through collaborations that we have in place with third parties or companies that host websites for us or with whom we have partnerships for our products, services, or activities. Below, we give you additional information about how we use your information online. 

You may interact with BMS or our partners’ websites and platforms that relate to BMS products and services, job application, patient recruitment, disease awareness, scientific research, alliance websites, or applications used in the context of patient support or management programs.

We enter into arrangements for those collaborations to require an appropriate protection of your Personal Information. Some areas of our websites and platforms may require you to submit information in order for BMS to respond to your request, permit you to access specific areas or participate in a particular activity. When visiting our websites, please also read our Legal Notice and if you are visiting our website for safety reasons, the Pharmacovigilance Notice. 

We have identified examples where we Use your Personal Information online in the table below.

Links to other third-party websites

As a convenience to users, our sites contain links to other third-party websites that may offer additional information, such as educational or professional materials, services and contacts. This Notice does not apply to your use of those other websites. Before using the linked websites, please review their privacy notices to understand how they use and protect your Personal Information.

We interact with you as an HCP and Use information about you during our activities, such as to conduct clinical trials, for collaborations or commercial activities, for scientific projects, to understand the market or improve our medicines and products. When doing so we may Process various categories of Personal Information depending on your interactions with BMS or third parties with whom we collaborate, or external sources from where we obtain your Personal Data. We have outlined below the main categories of Personal Information about you that we may Use.

In many cases, BMS will collect Personal Information directly from you (such as when we collaborate with you) although sometimes we will obtain information about you indirectly from public or third-party information sources, databases or third-party providers. We have outlined below the main ways BMS collects and Processes Personal Data when interacting directly or indirectly with you.

We may collect information about you directly:

Such as when:

• we conduct clinical trials, studies, research projects;
• we enable early access programs to patients or when you request us to provide patients with a BMS product at an early stage, or for compassionate use;
• we provide innovative products or devices to patients, such as cell therapies or personalized medicines;
• you use or visit about offices and facilities;
• you connect to or use our websites, applications, devices or other digital platforms in the context of clinical or commercial activities;
• you contact us through our different means of communication (email, call centers, medical information), such as to obtain information about BMS products, diseases or treatments;
• you notify, or report medical information to, BMS that may relate to adverse events or incidents, in the context of pharmacovigilance or risk management programs via other similar channels (via pharmacovigilance or risk management touch points), which may include incidents or other post-market surveillance obligation; 
• we exchange or when you request, information before entering into a contract with you, and thereafter during the term of such arrangement;
• we conduct due diligence, assessments, or when we evaluate your institutions’ eligibility to conduct a clinical study and thereafter if we select your institution;
• you interact with our BMS representatives in the course of our activities and interactions with you;
• you subscribe to our newsletters or want to remain informed about our activities or collaboration opportunities or where the law requires it, you agree to receive promotional materials; or
• we conduct in-person or remote visits or exchange information with you about our products and activities.

We may collect Information about you indirectly: 

• when obtaining it from, or when you make your Personal Information available on, the website of your institution or your office, the Internet, social media, and other digital platforms;
• when we access public or private registries, or publication databases, journals, societies, editorial board websites, national registries, professional directories and third-party HCP databases; 
• when conducting pharmacovigilance and risk management monitoring activities; or
• when we need to verify or obtain verification from third parties about your professional status, medical licence, such as by accessing publicly accessible information, national registries or third-party databases.

Where permitted and feasible, and to protect your right to privacy, BMS will take reasonable steps to remove or anonymize information that may directly or indirectly identify you, and restrict to the minimum the amount of Personal Information that BMS Uses, submits or transfers to third parties, courts, or governmental bodies.

This is a global Notice. BMS Processes your information in the context of our regular activities, and in accordance with the purposes as set out in this Notice, a separate notice, or when Applicable Data Protection Laws either permit or require us to do so. These purposes may vary depending on where you live and where BMS operates. Where the laws of a country restrict or prohibit certain activities described in this Notice, we will comply with such requirements. This may include refraining or not Using your Information for those purposes restricted or prohibited in that country. Below, we list some of the main, but not all, of our purposes for which we may Use Personal Information about you. 

In this section, we describe our legal justifications (commonly referred to as “legal basis”) for the Use of your Personal Information related to each of our main Processing activities. We will use the legal basis that is most appropriate for the purpose and circumstances related to such Processing. Below, we have explained which legal bases we may choose or must use when Processing your Personal Information.  

There may be times where we must use your consent to Process your Personal Information. We may also decide to ask your permission to Process your Personal Data, such as in the context of voluntary initiatives or activities. 

In the following table, you can read more details about what legal basis or combination of legal bases we use when Processing your Personal Information.

As a multinational company operating worldwide, your Personal Information may be shared with, or accessed by, parties located outside your country of residence. If you are located outside of the United States, BMS may share your Personal Information with parties located in countries that provide less protection than in your country, which includes the United States. We may also Process and share your Personal Information with some of our affiliates and other members of the BMS group including selected and approved third parties (vendors and business partners) that help us operate worldwide. When doing so, we implement appropriate measures to prevent unauthorised access or Use of your Personal Information.

Below you can find more information about how BMS shares your Personal Information within its group of entities and with third parties.

Sharing your Personal Information within the BMS group

Often, we share your Personal Information within the BMS group of companies (“BMS Group”). This may include the Bristol Myers Squibb Company headquarters in the United States and all of its current and future subsidiaries, branch offices, affiliates, entities and other companies that are part of, owned or controlled by, the BMS Group. When exchanging information internally, we rely on appropriate arrangements and mechanisms to cover any transfer of your Personal Information within our corporate structure, such as binding corporate rules (BCRs), contractual arrangements approved by authorities or based on consent.

Sharing your Personal Information with third parties

To conduct our business, we share with, or disclose Personal Information to, third parties, such as:

• Third-party service providers for the purpose of outsourcing specific business activities to request external support and resources. This may include companies that provide information technology services, clinical trials and studies support, marketing or market research services, events, meeting and planning services, or services related to talent acquisition or consultancy;
• business partners such as external scientists and healthcare professionals to review and assist us with healthcare compliance activities and institutions and other organisations with whom we collaborate to support our clinical or commercial activities (such as for clinical studies, patient support programs, and so on);
• Regulatory and health authorities including governmental bodies (such as the FDA, EMA, NHS), data protection authorities, tax authorities, or courts in case of disputes, when permitted or required by Applicable Data Protection Law; and
• third parties to whom BMS is legally obligated to provide such information, such as other parties in litigation or legal disputes, guardians, conservators, or individuals with powers of attorney. 

When engaging with third parties, we enter into agreements with them for the Processing of Personal Data so that such Processing is carried out in accordance with our instructions, in a confidential, secure, and transparent manner in order to protect your privacy rights. When it is not possible to enter into an agreement with a third party, such as when engaging, reporting or interacting with regulatory or health authorities or courts, and when legally possible, we will use our best efforts to implement appropriate security measures and controls (such as pseudonymisation) to protect your Personal Information.

If you are in the European Economic Area (“EEA”), Switzerland and the United Kingdom

Whenever we transfer your Personal Information within the EEA, Switzerland or to countries that are deemed “adequate”, such countries are deemed to offer the same level of protection as given by the law of your country. When accessing your Personal Data from, or transferring it, outside of the EEA or Switzerland to countries that may not provide the same level of protection as your own country, we will use appropriate safeguards to protect your right to privacy. For example, such safeguards may consist of using Standard Contractual Clauses (to exchange information with third parties outside of the EEA, Switzerland and the United Kingdom), Binding Corporate Rules (for data transfer within the BMS group of companies) as approved by the European Commission or the competent authority, data transfer agreements or your consent.

If you are outside the EEA, Switzerland and the United Kingdom

Where possible, we will allow access to or the transfer of your Personal Information outside your country of residence: to countries that provide a reasonable high level of data protection; using the most appropriate data transfer mechanisms available to BMS; or where required by Applicable Data Protection Laws, after we get your prior permission, for the collection, disclosure to third parties and the transfer of your Personal Information to a country which does not provide an adequate protection equivalent to the laws of your country of residence.

BMS may combine your Personal Data with other information we may already have about you or obtained through public means such as scientific and medical publications, national registries, software, databases, or the Internet. We may also carry out internal assessments, evaluations, categorization, classification, raking or ratings of your activities, and/or your site’s performance, including analytics (where applicable). Below, we provide you with additional information about how we categorize or classify your Personal Data.

We use an algorithm to tier HCPs according to your research activity (including publications) and skills (such as years of experience and qualifications). Applicable rates for speaking and event participation are set according to the tiering of HCPs. 

Unless permitted by law, BMS does not make decisions based solely on automated Processing (including profiling) of individual data unless we inform you otherwise prior to the Processing. This means that when we use certain technologies, software, or algorithms, which may allow us to create profiles, tiering or further understand trends and statistics, someone will be involved to validate decisions resulting from such use. 

As the use of such technologies evolves, we may use algorithms without a person involved in the decision. In this case, if this activity requires us to Process your Personal Information that is not anonymized, we will comply with any applicable legal requirements, such as to draw this to your attention and provide you with information about the logic involved in the decision, as well as the significance and the envisaged consequences for you of such Use of your Personal Information. Depending on your country of residence, you will have the right to ask that such decision is taken by an individual.

You have a number of rights related to the Personal Data that we Process about you (this will depend on the jurisdiction where you reside and the legal basis that we use). Most often, exercising your right is free of charge. We may also have to clarify your request and explain if we can comply with it or if this is restricted in your situation. You can always contact BMS at eudpo@bms.com to find out more about your rights and how best to exercise them. 

Below we have listed individual rights that may apply depending on your jurisdiction. 

You may have the right to:

• receive a copy of your Personal Data we hold about you;
• correct your Personal Data we hold about you;
• where applicable, receive a machine-readable copy of your Personal Data (portability);
• ask us to delete your Personal Data or restrict how it is used;
• where applicable, object to Processing of your Personal Data for certain purposes, such as when we use it for marketing purposes (opt-out); and
• where you have provided us with your consent to Use your Personal Data, you can withdraw your consent at any time without affecting BMS’ Use of such information before your withdrawal of consent.

Exceptions to your rights

There may be exceptions to your privacy rights described in this Notice. This depends on the country where you reside, why we are Processing your Personal Data and if your request may impair the rights of others. If we cannot comply with your request to exercise your privacy rights, for example when we keep your information for regulatory purposes or for the investigation, prosecution, or defence of a legal claim, we will explain this to you when you contact us.

How to contact us

If you have any questions about how we Use your Personal Information, please contact our Data Protection Office at eudpo@bms.com. 

Note: We may need to request specific information from you to help us confirm your identity. If your request is complex or if you have made a large number of requests, it may take us longer to respond to you, but we will keep you informed of any delays. You will not have to pay a fee to obtain a copy of your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.

Lodging a complaint with a competent supervisory authority

In some countries, you may have the right to lodge a complaint to the relevant data protection or competent authority if you believe that we Process your Personal Information unlawfully or are violating your rights. For example, in the European Union, you can access the list of competent data protection authorities, including the authority in your country of residence by clicking here or by visiting: https://edpb.europa.eu/about-edpb/board/members_en. For Ireland, for example, if you feel that we have been unable to resolve your information rights concern, you have the right to raise the matter with the Data Protection Commission by using the online contact form.

We aim not to retain your Personal Information for longer than necessary for the specific business purposes for which it was collected. After that, unless we are required to continue to maintain the information by law, we may anonymize, restrict, block or delete it. 

In certain cases, BMS may retain your Personal Information for a longer period for the purpose that we have and, in a manner, or a format, that may require BMS to keep certain identifiers. In such case, we may archive it and apply appropriate measures which may consist of blocking, preventing, obfuscating, pseudonymizing, key-coding, or restricting any further access and Use of Personal Information about you. When retaining and storing information about you in our systems, we have put in place data retention schedules in accordance with our company policy and in compliance with Applicable Data Protection Laws. 

When assessing the appropriate retention period, we take into account the quantity, nature and sensitivity of Personal Data, the potential risk of harm in the event of unauthorised use or disclosure, the purposes of the Processing and whether or not these purposes can be achieved by other means, as well as applicable legal obligations.

We implement appropriate technical and organisational controls to protect your Personal Information that we hold to prevent unauthorised Processing, loss of data, disclosure, use, alteration, or destruction.  Where appropriate, we use encryption, pseudonymisation (such as key coding), de-identification and other technologies that can assist us in securing the information about you, including measures to restore access to your information. We also require our service providers to comply with reasonable and recognized data privacy and security requirements. 

We conduct tests and reviews of our technologies and processes, including a review of our business partners and vendors, so that our security controls remain effective. Also, we may further anonymize your Personal Information when it is no longer needed for the purpose for which BMS originally collected such Information.

Depending on the country where you reside, you may manage your preferences on cookies and similar tracking technologies through the use of consent management tools that are available on our websites. This section applies to cookies and similar tracking technologies and we explain what our use of cookies and similar tracking technologies means to you and how to disable tracking (such as using opt-in or opt-out preferences). When we collect information that may enable us to identify you, the other sections of this Notice will apply.

You can set your cookie preferences by clicking here.

What are cookies?

A cookie is a small piece of data that a website asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Such cookies when set by us are called first-party cookies. We may also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting (for example, those used by social media, instant messaging, CRM or marketing platforms, or advertising companies). For more information about cookies, types of cookies and how to manage cookies, including how to block them and delete them, please visit http://www.allaboutcookies.org. 

Below, we list the main categories of cookies and similar tracking technologies that we may use when you connect to our websites, use our web-based platforms, applications, devices, or when you interact with us electronically or when you receive electronic communications from us (“Online Use”). You can learn more about the purposes for which BMS may use such technologies for your Online Use.

What categories of cookies may BMS use?

We generally use certain types of cookies during your session on our website (“session cookies”). To improve your experience or remember your preferences or choices, we may use cookies that will remain on your device unless you remove them (“persistent cookies”). When using cookies on our websites and other digital services, such technology may include:

Why do we use cookies on our website?

In addition to the explanation provided in this Notice and the section above, we use cookies or similar tracking technologies in various instances, such as for the following purposes:

• Making your experience more efficient, faster and easier: by remembering your preferences, like preferred language, display and other settings, maintaining your session, and for authentication purposes. This helps us to provide you with a better user experience. These cookies are also referred to as Session-Id cookies, authentication cookies, and User Interface customization cookies.
• Gain useful knowledge about how the site is used: by collecting information about the number of visitors and other uses. This helps us improve our sites. These cookies are also referred to as analytics cookies. For this purpose, we use services such as Google Analytics which means that Google and similar suppliers will also have access to this information (including your IP address and any other equipment identifiers such as the IMEI number and the MAC address). 
• Provide easy access to our websites. This helps us to direct you, share with you our content within sites such as Facebook, Twitter, LinkedIn, YouTube or Pinterest or allow you to share content that is of your interest. To the extent we use such technology, these ‘social media plug-ins’ may store cookies and similar technology on your computer or other device. This means that the social media sites may access this information (including your IP address), may identify that you interacted with the BMS site. 
• Improve our marketing communications to you. Certain cookies, such as web beacons or tracking pixels, may be used by third party systems, such as customer relationship management systems or other service providers who help us manage e-mail campaigns. Those trackers enable us to better understand the success of our communications and the relevance of the content that we share with you. This may allow us to reduce the number of e-mails that we send you and provide you with content, scientific information, or initiatives that are more tailored to your interests.

How can you object or refuse cookies?

Subject to the law of your country, in particular in the European Union, we will either inform you, ask your prior permission (opt-in) before placing tracking technologies on your device, or provide you with a right to object (opt-out) for the purposes that we describe in this section. Your web browser, e-mail software (such as Microsoft outlook, or Google Gmail) and other clients that you use can be set to manage cookies and similar trackers and even reject them by default. Do bear in mind that if you set your browser to automatically reject cookies, your user experience when visiting websites will not be the same: your preferences may not be remembered, some functionality may be lost and you may not be able to access certain areas or features of the sites. 

For more details on the cookies that we use, you can read our cookie table below or, where applicable, on the website that you use by accessing the relevant cookie notice.

BMS may update this notice from time to time by posting any revisions on this website.  Where any material revisions are made, BMS may place a prominent notice on this website and when legally required to do so, will directly notify you.

If you have questions about this Notice, or want to obtain more information about our privacy practices, please contact our Data Protection Officer at eudpo@bms.com or contact us by postal mail at:

Our Commitment

At BMS we recognize the importance of, and are fully committed to protecting your privacy as a patient or any other participant (“Research Participant”) in BMS sponsored clinical trials, observational studies and other scientific research projects (including projects using already available data at BMS or third parties for other research purposes, and projects where additional data is derived from available human biosamples such as blood samples) (altogether “Research Projects”). 

Scope of this Research Participants Privacy Notice 

This Notice applies in relation to a Research Project. In other cases, please refer to the BMS General Privacy Notice .

This Notice includes general information about what, why and how your data is processed, as well as your data privacy rights. This information complements any information you may have already received in the context of your participation into a Research Project (e.g. via an Informed Consent Form, a separate Privacy Notice or a GDPR patient letter). If you have any questions, please contact your usual Research Project point of contact (e.g. Study doctor).

References to “BMS”, “group”, “affiliates”, “we”, “us” and “our” are references to the relevant BMS entity sponsoring the Research Project and its worldwide affiliates.

Your personal data is in principle collected by a third party (e.g. hospital, clinic) (“Study Site”). The type of information and specific data collected is determined based on the needs for the Research Project. It may include:

In principle, we will not collect information directly from you, we will obtain information about you from the Study Sites, third party vendors and service providers acting on our behalf or from publicly accessible sources (such as websites, social media and other digital platforms, publication databases, journals, societies, editorial board websites, national registries, professional directories and third party healthcare professionals databases).

Under applicable law, BMS will be considered “data controller” in the context of the Research Project in relation to the study data which the Study Site transfers to BMS or BMS’ service providers for the Research Project. Typically, such data will be coded before being transferred to BMS.  BMS will ensure that such data is processed in accordance with applicable law. The Study Site remains data controller of the data it holds about you that is processed for other purposes (e.g. medical care).

Your inclusion in the Research Project requires the processing of your personal data. 

We will only process information for purposes permitted by applicable law, which may vary depending on where you live and where we operate. 

Below, we list the main purposes for which we may process information about you and our legal bases.

We will process information for further purposes, where lawful to do so (such as for archiving, scientific or market research purposes) or when legally obliged to do so (such as reporting information for BMS’ risk management and drug safety obligations).

Legal Bases for Processing your Personal Information

We may process information based on one or more of the following legal bases:

• You have provided consent (in such cases, consent can be withdrawn at any time);
• It is necessary to comply with our contractual obligations with you; 
• Where required for vital interests of any individudal; 
• The processing is necessary for our compliance with a statutory or legal obligation;
• in certain circumstances the processing information is necessary for BMS’ or a third party’s legitimate interest – for example, we process information for scientific and statistical research purposes, for drug safety and risk management purposes;
• where we process special categories of your personal data – for example, information related to your health – we shall only do so in accordance with applicable law.

The processing of information for scientific research purposes is considered to be compatible with the initial purposes for which information was initially collected.

We have headquarters in the United States, with worldwide operations. Your information may be accessible to our headquarters in the United States, and to some of our affiliates, and selected vendors and partners, globally. Where we process information in countries that may not provide the same level of protection as in your own country, we will implement reasonable and appropriate legal and security measures to protect your information from unauthorized access, use or disclosure including, but not limited to, maintaining binding contracts that require appropriate protection of your information. 

For residents of EEA: whenever we transfer your information outside of the EEA, Switzerland and any other country benefiting from an adequacy decision from the European Commission, we will take necessary steps to ensure that adequate safeguards are put in place to protect your information. Such safeguards include the use of European Commission approved standard contractual clauses. 

To the extent BMS is based outside the EEA, it will appoint, where required by applicable law, a representative within the EEA. Its contact details are made available to you through the Research Project information you received or from your Research Project usual contact point.

In the context of the Research Project, there will be disclosure of your personal data maintained by the Study Site (e.g. your medical records), where required under applicable law, to:

• Study monitors and auditors, who may work for BMS or its authorized agents, who check that the Research Project is being performed correctly and that the information collected about you is accurate; 
• National and international regulatory authorities such as Ethics Committees, Health authorities and other competent authorities (for example, inspectors or other officials of the health authority in your country, the European Medicines Agency, the United States Food and Drug Administration). 

Those persons will have the obligation to keep your records and your information confidential.

We may also disclose the study data where this is reasonably required to pursue our legitimate business aims and as required by law. Information will be disclosed only in accordance with applicable laws, and appropriate safeguards will be established, where possible, to protect your information. We may disclose your information to third party companies and other entities, for activities related to the Research Project (e.g. data storage, data analysis). You may ask your Research Project contact point for a list of the recipients of your data. Your contact point will liaise with us. 

If BMS or substantially all of our assets are acquired by a third party, personal information held by us about you will be included as transferred assets. 

We may also disclose information to enforce any rights we have or to protect our rights or the rights, property or safety of our employees, patients or others.

Access, Revision and Deletion

Under applicable privacy law, you may have a right to request a copy of your information held by us. You may also have the right to revise, correct, or delete such information. Your rights to this information may be subject to limited legal and regulatory restrictions. Please refer to the “Contact Us” section of this privacy notice.

Objection to Processing and Additional Rights

Under applicable privacy law, where we rely on legitimate interests or public interest to process your information, you can formally object to processing of your information for these purposes. 

In certain circumstances, you have the additional rights to restrict aspects of the processing of your information or ask for a copy of your data to be provided to you, or a third party, in a digital format. 

Please refer to the “Contact Us” section of this privacy notice.

Lodging a Complaint with Data Protection Authorities

You may have the right to lodge a complaint directly with the relevant data protection authority or supervisory authority if you believe that we have processed information in a manner that is unlawful or breaches your rights under applicable data privacy law. 

Without limiting any rights to complain directly to an authority, we are committed to protecting personal information, and complaints may be made directly with the Study Site that will liaise with us, please refer to the “Contact Us” section of this privacy notice.

We aim to retain your information for no longer than necessary for the purposes for which it was collected or obtained. For example, in the context of a clinical trial, legal retention periods may go up to minimum of 25 years. Information may be retained for a longer duration where applicable laws or regulations require, or allow us to do so, for example for conducting further research purposes. 

If your participation in the Research Project stops for any reason, data collected prior to your withdrawal may still be processed along with other data collected as part of the Research Project. Normally no new information will be collected for the study database unless you specifically consent to that as part of participating to a follow-up study, except where this is required by law (e.g. law may require that any side-effects you may suffer are documented). To complete the study findings, your long term health status may also be ascertained from publicly available records (unless you have objected to this to your study contact point).

We use appropriate technical and organizational measures to protect information. When handling the information of Research Participants, we take reasonable steps to protect it from loss, misuse, unauthorized access, disclosure, alteration or destruction.

We may update this notice from time to time by posting any revisions on https://www.bms.com/ie/privacy-policy.html. Where any material revisions are made, we may directly notify individuals when legally required to do so, or may place a prominent notice. Please regularly refer to this page for updates.

If you have any questions about how your data is used or wish to exercise any of your data privacy rights or have a complaint related to the processing of your personal information, please liaise with your usual Research Project contact point (e.g. Study doctor). This contact will direct your requests to BMS, if needed, by using your Research Participant identification code. It is recommended using this approach so that your request is dealt with in the most confidential way and your identity is not revealed to us. In addition, should you contact us directly, we are likely not in a position to identify you from the data we hold (since we do not have access to the Research  Participants’ identity but only their identification code). If you feel that your contact point is unable to address your query, you can also contact  BMS via our Data Protection Officer or at this address https://www.bms.com/ie/about-us/contact-us.html.