1.1 DATA MINIMIZATION
Pfizer adheres to the principle of data minimization. Processing of Personal Information should be limited to circumstances where there is a legitimate business need to do so. This principle should be considered with respect to each type of Personal Information that is collected as well as retention of such information, which is discussed in Section 1.4.
1.2 NOTICE, CONSENT AND USE
Prior to any Processing of Personal Information by or on behalf of Pfizer, Pfizer will comply with any notice or consent procedures required by local laws or regulations. Legally required notices must be customized and tailored to the particular Processing of Personal Information as necessary to properly provide for the intended Processing. Any Processing of Personal Information undertaken by Pfizer or its Agents will be consistent with such prior notices or consents.
Personal Information will not be used or disclosed for purposes other than those for which it was collected, except:
(i) with the consent of the relevant Individual (see definition of Personal Information), or
(ii) where allowed by local laws, regulations or regulatory guidance.
Such information may, however, be used in a de-identified or aggregated format (i.e. in a format which excludes identification or association with a particular Individual), provided that local law requirements for de-identifying Personal Information are satisfied.
1.3 ACCESS AND CORRECTION
Where required by local laws or regulations, Pfizer will allow Individuals upon request to:
(i) have reasonable access to review the Personal Information that Pfizer holds about them;
(ii) correct or amend Personal Information that is shown to be inaccurate or incomplete; and
(iii) request deletion of such inaccurate or incomplete information.
Requests for access, correction, amendment or deletion must be made in writing, include verification of the requestor’s identity, and in the case of access requests, adequately describe the nature of the Personal Information requested.
Subject to local laws and regulations, Pfizer may limit access and amendment where it would:
(i) affect Pfizer’s ability to comply with an applicable legal or ethical obligation or to investigate, make or defend itself against legal claims;
(ii) result in disclosure of the Personal Information of another Individual; or
(iii) result in a breach of contract or disclosure of confidential information, trade secrets or other proprietary information belonging to Pfizer, its Agents, or a third party.
1.4 INFORMATION RETENTION, DESTRUCTION AND INTEGRITY
Where local laws and regulations require consent or notice procedures to be undertaken in relation to Individuals, or empower Individuals to revoke their consent, Pfizer will ensure that such requirements are met and that the Personal Information that Pfizer or its Agents retain is relevant and appropriate for the purposes for which it was originally collected or as subsequently authorized. In jurisdictions where consent or notice procedures do not apply, Personal Information will only be retained for Pfizer’s own business purposes, including meeting legal and regulatory requirements. To the extent required by local laws and regulations, Pfizer will ensure that the Personal Information it retains is accurate, kept up to date and stored only as long as is appropriate, taking into account the purposes for which the Personal Information was collected and the requirements of local laws. Personal Information will be securely destroyed at the end of its retention period.
1.5 TRANSFERS TO AGENTS
Pfizer may use Agents to collect, use, retain or otherwise Process Personal Information or may transfer Personal Information to Agents for use on behalf of Pfizer in accordance with this Policy. Pfizer will disclose or Transfer Personal Information to Agents only after applicable Pfizer Agent vetting processes have been completed and passed and subject to appropriate contractual terms and conditions which require such Agents’ compliance with standards at least equivalent to those in this Policy. In addition, where required by law or regulations, Pfizer will implement such other measures as are appropriate to ensure that the Agent will apply necessary privacy protections to the Personal Information. Where Pfizer has knowledge that an Agent is using, disclosing or otherwise Processing Personal Information in a manner contrary to this Policy, Pfizer will take reasonable steps to prevent or stop such use, disclosure or other Processing.
Pfizer will implement and require its Agents to implement appropriate technical, physical and organizational security measures to
(i) protect Personal Information from loss, theft, misuse and any unauthorized access, disclosure, copying, use, alteration or destruction and
(ii) ensure that only individuals who require access to Personal Information to perform a legitimate business function have such access.
The degree of protection will correspond to applicable local laws and regulations, and Sensitive Personal Information warrants enhanced protection.
1.7 INTERNATIONAL TRANSFERS
Pfizer will ensure that it complies with any applicable requirements and restrictions that apply to the international Transfer of Personal Information (whether to its Agents or between Pfizer business units, subsidiaries, affiliates or branches). Pfizer will only Transfer Personal Information in furtherance of its own legitimate business interests.