AstraZeneca SUPPLEMENTAL WEBSITE PRIVACY NOTICE for California, Colorado, Connecticut, Utah, and Virginia Consumers
Effective date: January 2023
This Supplemental Website Privacy Notice (“Supplemental Notice”) applies only to information collected about California, Colorado, Virginia, Utah, and Connecticut consumers. It provides information required under the California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (collectively, the “CPRA”), the Colorado Privacy Act of 2021 (the “CPA”), the Virginia Consumer Data Protection Act of 2021 (the “VCDPA”), the Utah Consumer Privacy Act of 2022 (the “UCPA”), and the Connecticut Data Privacy Act of 2022 (“CDPA”). We also provide a brief paragraph regarding information collected about Nevada consumers under the heading “Privacy Notice for Nevada Residents” at the end of this Supplemental Notice. The other portions of this Supplemental Notice do not apply to Nevada consumers.
This Supplemental Privacy Notice (“Supplemental Notice”) describes AstraZeneca’s (“AZ”) and AstraZeneca group of companies (“we” “us” “our”) practices regarding the collection, use, and disclosure or Personal Information and provides instructions for submitting data subject requests. The Notice also describes AstraZeneca’s processing of Personal Information in the United States.
In this Supplemental Notice, you’ll learn about the following:
Definitions
Sources of Personal Information
Categories of Personal Information We Process and Disclose
Purposes for Processing Personal Information
Categories of Entities with Whom We May Disclose your Personal Information
Your Rights and Choices
How to Contact Us
Updates to this Supplemental Notice
DEFINITIONS
For purposes of this supplemental notice, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information includes “personal data” as that term is defined in the CPA, VCDPA, UCPA, and CDPA. Personal Information also includes “Sensitive Personal Information,” as defined below, except where otherwise noted.
“Sensitive Personal Information” means Personal Information that reveals a consumer’s social security, driver’s license, state identification card, or passport number; account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious beliefs, or union membership; contents of email or text messages; and genetic data. Sensitive Personal Information also includes processing of biometric information for the purpose of uniquely identifying a consumer and Personal Information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation. Sensitive Personal Information also includes “sensitive data” as that term is defined in the CPA, VCDPA, UCPA, and CDPA.
“Third Party” has the meanings afforded to it in the CPRA, CPA, VCDPA, UCPA, and CDPA.
“Vendor” means a service provider, contractor, or processor as those terms are defined in the CPRA, CPA, VCDPA, UCPA, and CDPA.
To the extent other terms used in this Supplemental Notice are defined terms under the CPRA, CPA, VCDPA, UCPA, or CDPA they shall have the meanings afforded to them in those statutes, whether or not capitalized herein. As there are some variations between such definitions in each of the four statutes, the definitions applicable to you are those provided in the statute for the state in which you are a consumer. For example, if you are a Virginia consumer, terms used in this Supplemental Notice that are defined terms in the VCDPA shall have the meanings afforded to them in the VCDPA as this Supplemental Notice applies to you.
SOURCES OF PERSONAL INFORMATION
We and our vendors collect Personal Information in a variety of ways, including:
Directly from you
From joint marketing partners
Public databases
Providers of demographic data
Publications
Professional organizations
Social media platforms
Caregivers
Vendors and Third Parties when they share the information with us
Healthcare Providers & Insurance Companies
Automatically, such as through cookies or other technologies that provide us with information about your use of our online services.
CATEGORIES OF PERSONAL INFORMATION WE PROCESS AND DISCLOSE
Depending on the nature of our interactions with you in the prior 12 months, we or our Vendors may have collected and processed the following categories of Personal Information, about you. We may disclose this Personal Information to Vendors and Third Parties.
Identifiers, such as name, alias, online identifiers, account name, address, company-generated identification number, insurance policy number
Contact information, such as email or mailing address, phone number
Mental and physical health information or conditions
Audio or visual information, such as video recordings
Financial information, such as to determine eligibility for patient assistance programs
Demographic information, such as age, date of birth, race and gender
Internet or other electronic network activity information, such as IP address, geographic location, browser type, device type, operating system, dates and times you access our services, browsing history, and other information about your interactions with our online services, or advertisements.
Inferences, such as notes drawn from any of the personal data listed above to create a profile or summary about, for example, an individual’s preferences and characteristics
Retention of Personal Information. We retain your Personal Information to meet Company and legal requirements on processing Personal Information as listed in the section below. We maintain a Company retention and disposal schedule describing the retention and disposal of company information assets. Visit www.astrazenecapersonaldataretention.com for more information.
PURPOSES FOR PROCESSING PERSONAL INFORMATION
We process Personal Information, including Sensitive Personal Information, for the following business and commercial purposes and may use any of the types of Personal Information described above:
- Operate, manage, promote, and maintain our business
- Provide, develop, improve, repair, and maintain our products and services
- Personalize, advertise, and market our products and services;
- Communicate with you
- Provide patient assistance programs
- Conduct research, analytics, and data analysis
- Maintaining our facilities and infrastructure
- Undertake quality and safety assurance measures
- Conduct risk and security controls and monitoring
- Detect and prevent fraud
- Perform identity verification
- Perform accounting, audit, and other internal functions, such as internal investigations
- Detect and prevent fraud
- Comply with law, legal process, and internal policies
- Maintain records
- Exercise and defend legal claims
- Otherwise accomplish our business purposes and objectives
CATEGORIES OF ENTITIES WITH WHOM WE MAY DISCLOSE YOUR PERSONAL INFORMATION
We grant access to Personal Information only to the extent needed to perform business functions, and require entities that receive Personal Information to protect the confidentiality and security of such information.
We may disclose your Personal Information as follows:
Vendors and business partners may receive the information we collect directly from you, other people and organizations, public sources, and automatically. We may disclose your personal data to vendors who work on our behalf to provide certain services, for example, entities that provide us with research services, data storage, data analysis and processing, distribution, patient support, IT and data security, and legal services. We also may disclose your data to our business partners, for example, researchers with whom we collaborate, companies with whom we co-develop a therapy, companies with whom we co-promote a product or third-party companies managing our in-countries operations.
Our affiliates and subsidiaries may receive the information we collect directly from you, other people and organizations, public sources, and automatically. For business purposes, we may disclose your personal data to for example, current and future companies within the AstraZeneca family of companies so we can improve our offerings.
We may disclose all of the information we collect in connection with a business transfer or sale, for example, as part of a sale, assignment, or transfer of an AZ business or asset, or acquisition of or merger with another entity.
We also may disclose any of the information we collect in response to requests from government or law enforcement agencies or where required or permitted by applicable laws, court orders, or government regulations, for example, in response to a subpoena or regulatory inquiry.
We may disclose all of the information we collect to protect rights and interests, for example, when needed for corporate audits, to investigate or respond to a complaint or threat, or to exercise our legal rights.
We may disclose any of the information we collect with your consent, for example, when you agree that we can share your personal data with an HCP.
AZ does not sell Personal Information. In the twelve months since this Privacy Policy took effect, for commercial purposes, we have processed or shared for targeted advertising the following categories of personal data: “Identifiers” and “Internet or other electronic network activity information”. We have shared such Personal Information for these purposes with advertisers and marketing partners, data analytics providers, and social media networks. You have the right to opt out of such “sharing” as described under Your Rights and Choices below.
We do not knowingly sell the Personal Information of consumers under 16 years of age or share such information for purposes of targeted advertising.
Disclosure About Direct Marketing for California Residents. California Civil Code § 1798.83 permits California residents to annually request certain information regarding our disclosure of Personal Information to other entities for their direct marketing purposes in the preceding calendar year. We do not distribute your Personal Information to other entities for their own direct marketing purposes.
YOUR RIGHTS AND CHOICES
California, Colorado, Connecticut, Utah, and Virginia consumers have certain rights with respect to their Personal Information. Those rights vary by state. If you are a resident of the above-mentioned states, you may exercise the rights applicable to you by submitting a request to AstraZeneca at www.astrazenecapersonaldataretention.com or by calling 1-800-236-9933. Please note that the rights described below may be subject to limitations under applicable laws and regulations.
Verification of Request: To make your request, you must provide us with your first and last name, email address, city and state of residence, and which of the right(s) described below you are intending to exercise. We will verify your request by comparing the information that you provide as part of your request with the information (if any) that we have about you in identifiable form.
Data Subject Rights: You may be entitled, in accordance with applicable law, to request:
Access to the specific pieces of Personal Information we have about you or more information about our data processing practices.
Deletion of your Personal Information.
Correction of any inaccurate Personal Information we maintain about you.
Opt-Out of Processing Personal Information for Purposes of Targeted Advertising by clicking the link called “Privacy Preferences” on an AZ US website. Please note that your use of our website may still be tracked by AZ and/or our Vendors.
Right to Opt-Out for the Purposes of Profiling: you may have the right to opt-out of processing of Personal Information for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects. Appeals: To appeal our decision on your data subject requests, you may contact us at privacyrequests@astrazeneca.com. Please enclose a copy of, or otherwise specifically reference, the decision you want to appeal. We will respond to your appeal in accordance with applicable law.
Non-Discrimination: We will not discriminate against you for exercising your data subject rights, although some of the functionality and features available on the Service may change or no longer be available to you. Any difference in the Services are related to the value provided..
Use of an Authorized Agent: You may designate an authorized agent to make a request on your behalf by drafting, signing, and authenticating a letter that makes clear (i) the identity of your agent and (ii) the purposes for which you are appointing the agent. If you are an authorized agent, you must provide us with the information described above about the consumer on whose behalf you are acting as an agent, as well as your own first and last name and email address, and a letter that has been signed and notarized by the consumer appointing you as an agent. We may require that you verify your identity to us or confirm with us that you provided your agent with permission to submit the request. In some instances, we may decline to honor your request if an exception applies under applicable law. We will respond to your request consistent with applicable law.
HOW TO CONTACT US
If you have any questions, comments, requests, or concerns related to this Supplemental Notice, AstraZeneca’s US privacy practices, or how to access this policy in another format, please contact AstraZeneca at:
Global Data Protection Officer
AstraZeneca 1 Francis Crick Avenue,
Cambridge Biomedical Campus, Cambridge, CB2 0AA,
United Kingdom
privacy@astrazeneca.com
UPDATES TO THIS SUPPLEMENTAL PRIVACY NOTICE
We reserve the right to amend this Supplemental Notice at our discretion and at any time. When we make material changes to this Supplemental Notice, we will notify you by posting an updated Supplemental Notice on our website and listing the effective date of such updates.