PRIVACY POLICY


1   INTRODUCTION


The Johnson & Johnson Global Privacy Compliance Framework and privacy laws and regulations throughout the world require that we provide appropriate information prior to the collection of Personal Information of current employees and non-employee workers, among other data subjects. This document provides guidance on proper drafting of a privacy policy for internally facing Digital Assets, which is defined as websites and mobile applications for internal use by employees and, if applicable, non-employee workers.


In general, a privacy policy should be provided to an employee / non-employee worker when Personal Information is collected directly from the individual  through the following mechanisms for the first time:


1. Electronically (via Intranet sites and other mobile applications collecting or processing personal data)

2. Manually (via paper forms)


Whenever you ask for Personal Information, a Collection Statement should be used at the point of collection to explain the most important privacy elements to the individual and to provide a link to the Privacy Policy. The Privacy Policy is to be made available to the individual on an easy to find dedicated page (online) or as a document (offline)[1]. Please refer to the chapters on “General Considerations” and “Collection Statements” in the Johnson & Johnson Internet Privacy Manual for more guidance.


Please refer to the Johnson & Johnson Policy for Designating Personal Data by Type for a comprehensive discussion of what constitutes “Personal Information.”


IMPORTANT NOTE:


- This guidance is not meant to replace the Johnson & Johnson Internet Privacy Manual, which applies to externally-facing Digital Assets of the company, including recruiting sites. However, you may consult the Internet Privacy Manual, Chapter 2 – “Collection Statements” for guidance on how to construct a collection statement, in addition to the chapter on “General Considerations”.

- This guidance should not be used when collecting Personal Data Type 3 / Highly Restricted. Such applications may require specific, explicit consent from the individual. In those cases, you should work with your Privacy Designee or your local legal support for specific guidance.


2   SOLUTION IMPLEMENTATION


Below are the steps that the business owner and/or his/her delegate should implement to ensure that the appropriate information has been posted on the website or mobile application, or distributed in paper form.


STEP –  1:    Consult “Appendix  A: Privacy Policy Template” at the end of this document, which contains a generic privacy policy template that will be appropriate in most cases and must be customized to provide more specific notice.

STEP – 2:     Customize the template to incorporate language specific to the system or process.  It is critical to describe all the intended uses or purposes for the collection of Personal Information so that it will not be necessary to go back to the employees or non-employee workers to obtain additional consent in the event another use for the Personal Information is identified.

STEP –3:     Create or update the Collection Statements for both electronic and manual Personal Information collection, as necessary.


3  RESOURCES


The Global Privacy Compliance Framework and supporting corporate policies, standards, glossary of terms, guides, and tools related to privacy can be found at http://privacy.jnj.com , including:


    - J&J Employee Notice – Global Template
    - Global Non-Employee Worker Privacy Notice
    - Johnson & Johnson Policy for Designating Personal Data by Type
    - The Internet Privacy Manual,
        o  which contains general privacy guidance for externally facing websites and mobile apps, including on privacy collection statements.

Questions regarding these materials should be directed to the Global Privacy Team. Contact information is available on http://privacy.jnj.com.


4  CHANGE HISTORY


Version

Date

Changes

v1.0

 

Creation

v2.0

30 April 2010

Major update

v3.0

6 September 2018

GDPR update

 

5  APPENDIX : PRIVACY POLICY TEMPLATE


Privacy Policy


Johnson & Johnson and its affiliated entities (collectively, “J&J”) are committed to protecting your personal information. J&J operates in many different countries. Some of these countries have laws related to the collection, use, transfer and disclosure of the personal information of individuals. The purpose of this Privacy Policy is to give you information about what personal information we collect through the Product360 Medical Devices  and Product360 Pharma websites (hereinafter the “Service”), how we use, transfer and disclose it, and why.


If you are a J&J employee, your employer has delivered to you a general notice that gives you information about what personal information we collect, use, transfer and disclose, and why. Such notice may be the ‘Global Employee Notice’ or a localversion of such notice. If you are a non-employee worker assigned to J&J, your employing company has delivered to you a similar notice. Such notice may be the Global Non-Employee Worker Notice, or a local version of such noticel. You can consult the Global Employee Privacy Notice or Non-Employee Worker Privacy Notice in the Summit training system (https://jnj.csod.com/), if you have access, by searching for “Privacy Notice” to find the document that is applicable to you. If your employer or company of assignment uses a local version, please consult your local HR or sponsor at J&J.


  

Please consult such general notice  for further information on:


    - Why we collect information about you
    - How we may share your Personal Information
    - How we protect your Personal Information
    - How we ensure data integrity, and how we store your Personal Information
    - How long we retain your Personal Information
    - How to submit requests for access, correction, or erasure, questions and complaints
    - What your obligations are with respect to the Personal Information
    - Which types of Personal Information we collect,
    - The purposes for which we may collect, use, transfer and disclose Personal Information
    - The types of Third Parties with whom J&J may share Personal Information
    - Additional provisions for specific jursidictions.

ADDITIONAL INFORMATION APPLICABLE TO THIS SERVICE


Why We Collect Information About You


The personal data collected is intended for use by J&J employees and non-employee workers to send email notifications if email preferences are activated by the user.   


You will be informed what information is required and what information is optional.  We may combine the information you submit with other information we have collected from you, whether on‑ or offline.


If you submit any personal information relating to another individual to us, you represent that you have the legal authority to do so and to permit us to use the information in accordance with this Privacy Policy.


Cross Border:


Your personal information may be stored in the databases of Johnson & Johnson Medical Devices 2019 and its third-party service providers inside and outside of your country of residence. The personnel, agents and third-party service providers of Johnson & Johnson Medical Devices 2019 may have access to your personal information to manage data in compliance with this Privacy Policy.


Automatic Information Collection and Use


We and our service providers may collect certain information automatically as you navigate around the Service.  Please read the Cookie Policy for detailed information about the cookies and other tracking technologies used on the Service.  The Cookie Policy includes information on how you may disable these technologies.  If you do not disable them and continue to use our Service, we will infer your consent to their use.


We and our service providers may also automatically collect and use information in the following ways:


   Through your browser: Certain information is collected by most browsers, such as your Media Access Control (MAC) address, computer type (Windows or Mac), screen resolution, operating system name and version, and Internet browser type and version. We may collect similar information, such as your device type and identifier, if you access the Service through a mobile device. We use this information to ensure that the Service functions properly.

    IP address: Your IP address is a number that is automatically assigned to your computer by your Internet Service Provider. An IP address is identified and logged automatically in our server log files whenever a user visits the Service, along with the time of the visit and the pages visited. Collecting IP addresses is standard practice and is done automatically by many online services. We use IP addresses for purposes such as calculating Service usage levels, diagnosing server problems, and administering the Service. We may also derive your approximate location from your IP address.

    Device Information: We may collect information about your mobile device, such as a unique device identifier, to understand how you use the Service.


Data Retention


The Company will retain Personal Information for the period necessary to fulfill the purposes outlined in this Notice. The criteria used to determine our retention periods may include one or more of the following: as long as we have an ongoing relationship with you; as required by a legal obligation to which we are subject; and as advisable in light of our legal position (such as in regard of applicable statutes of limitations, litigation, audits or regulatory investigations). The Johnson & Johnson Enterprise Retention Schedule, available in the Company’s internal Records Management site, ensures compliance with laws and regulations across the globe, while meeting local and country specific requirements.


For more information about retention requirements applicable to your Personal Information, you may contact the records manager responsible for your Company.


CHANGES TO THIS PRIVACY POLICY


If this Privacy Policy changes, the revised statement will be posted on here.  This Privacy Policy was last updated on January 31, 2020. We encourage you to regularly review the Privacy Policy.


 

[1] Please note that if the Privacy Policy is provided in paper form, the version / effective date should be clearly identified, so if the Privacy Policy is subsequently revised, it is clear under what version the individual’s data was collected and processed.