The California Consumer Privacy Act of 2018 (CCPA) gives California residents the right to know what Personal Information Novo Nordisk collects about them, including whether it is being sold or disclosed to third parties. The CCPA also grants certain rights to California residents, including the right to delete their Personal Information (subject to certain exceptions) and the right to prevent Novo Nordisk from selling their Personal Information. Companies are prohibited from retaliating or discriminating against consumers for exercising their rights under the CCPA.

 

All companies need to collect and share consumers’ Personal Information for everyday business purposes, marketing, and maintenance of the safety, security, and integrity of their websites and other assets, among other reasons. This Supplemental Notice provides the information required under the CCPA and applies to both Novo Nordisk’s online and offline activities. For more information about how we collect, use, and share information through our websites and online services, please review our Novo Nordisk Privacy Policy.

The types of Personal Information we collect, disclose, and sell depends on your relationship and interaction with Novo Nordisk. Please review the Consumer Type below that applies to your relationship or interaction with Novo Nordisk to learn about the categories of Personal Information we have collected about you in the preceding 12 months, along with the categories of sources from which the Personal Information was collected, the purpose for collecting or selling the Personal Information, the categories of third parties with whom we share the Personal Information, and if we sell the information, the categories of third parties to whom we sell it. If you interact with Novo Nordisk in more than one way, please review each Consumer Type below that applies to you in order to learn about the Personal Information we collect and how we use and share it in connection with each particular relationship.

In addition to the purposes for collecting and sharing Personal Information described under each Consumer Type below, Novo Nordisk collects and discloses any and all Personal Information (regardless of your relationship or interaction with us) as necessary or appropriate to: comply with laws and regulations; monitor, investigate potential breaches of, and enforce compliance with Novo Nordisk policies and procedures and legal and regulatory requirements; comply with civil, criminal, judicial, or regulatory inquiries, investigations, subpoenas, or summons; and exercise or defend the legal rights of Novo Nordisk and its employees, affiliates, customers, contractors, and agents.

In this Supplemental Notice, “Personal Information” (or “PI”) means any information that identifies, relates to, describes, or is capable of being associated with you or your household, whether directly or indirectly. In the charts below, we use the following Categories of Personal Information to describe the Personal Information we collect, use, and share about consumers:

Biometric information, including an individual’s physiological, biological, or behavioral characteristics (including DNA) to the extent it can be used to establish individual identity. Biometric information consists of, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template (such as a faceprint, a minutiae template, or a voiceprint) can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

An individual’s education information, including academic information and records.

Audio, electronic, visual, thermal, olfactory, or similar information (e.g., a recording of a customer service call or profile photograph).

Financial information, including bank account number, credit or debit card number, or other financial information.

Identifiers, such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol (IP) address, phone number, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

Inferences drawn from any of the information listed above to create a profile about an individual reflecting the individual’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. (e.g., predications about an individual’s preferences or tendencies).

Health insurance information, including an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in the individual’s application and claims history.

An individual’s precise geolocation data.

Medical information, including any information in possession of or derived from a healthcare provider, healthcare service plan, pharmaceutical company, or contractor regarding an individual’s medical history, mental or physical condition, or treatment.

Internet or other electronic network activity information, such as browsing history, search history, and information regarding an individual’s interaction with an internet website, application, or advertisement.

An individual’s professional or employment-related information.

Characteristics of protected classifications under California or federal law, such as race, gender, physical or mental disability, and religion.

An individual’s written signature.

If you are a California resident, you have the following rights under the CCPA with respect to your Personal Information:

  • Right to Notice.  Before or at the time we collect Personal Information from you, you have the right to receive notice of the Personal Information to be collected and the purposes for which we use it. This Supplemental Notice is intended to satisfy this requirement.
    • You also have the right to request that we disclose to you the categories of Personal Information we have collected about you in the preceding 12 months, along with the categories of sources from which the Personal Information was collected, the purpose for collecting or selling the Personal Information, the categories of third parties with whom we shared the Personal Information, and the categories of third parties with whom we sold the Personal Information.
  • Right of Access.  You have the right to request that we disclose or provide you with access to the specific pieces of Personal Information we have collected about you in the preceding 12 months.
  • Right to Deletion.  You have the right to request that we delete the Personal Information we collect from you.  However, in certain situations we are not required to delete your Personal Information, such as when the information is necessary in order to complete the transaction for which the Personal Information was collected, to provide a good or service requested by you, to comply with a legal obligation, to engage in research, to secure our websites or other online services, or to otherwise use your Personal Information internally in a lawful manner that is compatible with the context in which you provided the information.
  • Right to Opt-Out of the Sale of Personal Information.  If Novo Nordisk sells your Personal Information to third parties, you have the right, at any time, to direct us not to sell your Personal Information.  To exercise this right, please click on the “Do Not Sell My Personal Information” button below or on any Novo Nordisk webpage where the button is present. Novo Nordisk does not sell the Personal Information of minors under 16 years of age without affirmative authorization.
  • Right Not to Be Subject to Discrimination.  You have the right to be free from discrimination or retaliation for exercising any of your rights under the CCPA as described above.

You can exercise your rights by calling (888) 870-3901.

VERIFICATION: We value the security and confidentiality of your Personal Data. Therefore, if you exercise your right to notice, right of access, or right to deletion, we must first verify your identify to make sure that you are the person about whom we have collected Personal Data. We verify every request carefully.

  • When you submit a request, please indicate the specific reason why you are contacting us.
  • Along with your request, we ask that you log into your account with us and submit this request through our “Submit a Request” page; provide a copy of government-issued ID; identify a recent purchase made with a credit card you have on file with us for verification purposes.
  • When all of your household members jointly submit a request, we ask that each of you provide us with the information requested above.

You may also authorize someone else to submit these requests on your behalf. To do so, you may designate directly with us another person who may act on your behalf by providing us with a notarized copy of power of attorney, or ask the authorized agent to provide us with a copy of your written permission and a scanned copy of their own government-issued ID.

Call (888) 870-3901 or email us at NNIPrivacy@novonordisk.com to contact us with questions regarding this Supplemental Notice. California residents who are unable to review or access this Supplemental Notice due to a disability may contact us to request access this Supplemental Notice an alternative format.

Categories of PI Collected

Identifiers, Health Insurance Information, Financial Information, Medical Information, Protected Characteristics, Commercial Information, Network Activity Data, Geolocation Data, Electronic and Sensory Data, Professional Information, Education Information, Written Signature, Inferences

Sources of PI

Directly from consumer or consumer’s caregiver

A consumer’s healthcare provider or health insurance provider

Publicly available sources

Commercial sources, including third parties that aggregate and sell data

Purposes for Collecting or Sharing PI

To administer Novo Nordisk websites

To contact consumers and provide consumers with information, opportunities, updates, or special offers from Novo Nordisk and its business partners

To contract with service providers

To evaluate eligibility for Novo Nordisk programs and services

To manage attendance at events and activities we host or sponsor

To manage access to and protect our facilities and physical locations

To meet legal requirements and ensure compliance with Novo Nordisk policies and procedures

To monitor and improve Novo Nordisk’s websites, products, and services, including monitoring the safety and efficacy of our products

To plan and manage business activities, including management of consumer relationships and Novo Nordisk personnel that interact with consumers

To prepare for and conduct research related to medical conditions, treatments, and therapies

To prevent fraud or physical harm

To provide consumers with products or services that a consumer or consumer’s healthcare provider requests from us

To respond to requests from consumers

With the consumer’s permission, to include information about the consumer in marketing materials or at events, and to prepare, evaluate, and distribute or conduct those materials or events

Third Parties to Whom We Disclose PI

Service Providers

Government Entities

The consumer’s healthcare provider or pharmacy

The consumer’s health insurance provider or administrator

In the case of marketing materials or events in or at which the consumer has consented to appear, the general public

Third Parties to Whom We Sell PI

We share inferences, network activity data, IP addresses, commercial information, and other online identifiers with marketing vendors to provide consumers with online advertising that is more relevant.

 

We sell and disclose deidentified patient information derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by the Health Insurance Portability and Accountability Act (HIPAA), the Confidentiality Of Medical Information Act (CMIA), or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.  Such information was either deidentified pursuant to the HIPAA expert determination method, as described in 45 C.F.R. § 164.514(b)(1) or the HIPAA safe harbor method, as described in 45 C.F.R. § 164.514(b)(2).

Categories of PI Collected

Identifiers, Protected Characteristics, Commercial Information, Network Activity Data, Electronic and Sensory Data, Professional Information, Education Information, Written Signature, Inferences

Sources of PI

Directly from consumer or the consumer’s patient

Publicly available sources

Commercial sources, including third parties that aggregate and sell data

Purposes for Collecting or Sharing PI

To administer Novo Nordisk websites

To contact consumers and provide consumers with information, opportunities, updates, or special offers from Novo Nordisk and its business partners

To contract with service providers

To identify and recruit subject matter experts, spokespersons, and other professionals

To improve Novo Nordisk’s websites, products, and services, including monitoring the safety and efficacy of our products

To manage attendance at events and activities we host or sponsor

To manage access to and protect our facilities and physical locations

To meet legal requirements and ensure compliance with Novo Nordisk policies and procedures

To plan and manage business activities, including management of consumer relationships and Novo Nordisk personnel that interact with consumers

To prepare for and conduct research related to medical conditions, treatments, and therapies

To prevent fraud or physical harm

To provide a consumer or a consumer’s patient with products or services that a consumer or a consumer’s patient requests from us

To respond to requests from consumers

To support, collect and monitor publications, presentations, posters, and other media about Novo Nordisk, its products, and associated research

With the consumer’s permission, to include information about the consumer in marketing materials or at events, and to prepare, evaluate, and distribute or conduct those materials or events

Third Parties to Whom We Disclose PI

Service Providers

Government Entities

A patient’s other health care providers or pharmacy

A patient’s health insurance provider or administrator

In the case of marketing materials or events in or at which the consumer has consented to appear, the general public

Third Parties to Whom We Sell PI

We share inferences, network activity data, IP addresses, commercial information, and other online identifiers with marketing vendors to provide consumers with online advertising that is more relevant.

Categories of PI Collected

Identifiers, Financial Information, Medical Information, Protected Characteristics, Network Activity Data, Electronic and Sensory Data, Professional Information, Education Information, Written Signature, Inferences

Sources of PI

Directly from consumer

Purposes for Collecting or Sharing PI

To administer Novo Nordisk websites

To contact consumers and provide consumers with information, updates, opportunities, or special offers from Novo Nordisk and its business partners

To evaluate eligibility for Novo Nordisk programs and services

To improve Novo Nordisk’s websites, products, and services, including monitoring the safety and efficacy of our products

To manage attendance at events and activities we host or sponsor

To meet legal requirements and ensure compliance with Novo Nordisk policies and procedures

To plan and manage business activities, including management of consumer relationships and Novo Nordisk personnel that interact with consumers

To prevent fraud or physical harm

To provide a consumer with products or services that the consumer requests from us

Third Parties to Whom We Disclose PI

Service Providers

Government Entities

Third Parties to Whom We Sell PI

We share inferences, network activity data, IP addresses, other online identifiers, and associated information with marketing vendors to provide consumers with online advertising that is more relevant