Novo Nordisk Care^® Patient Support Program – Privacy Notice

Effective Date: April 1, 2024

1. Introduction

This Patient Support Program Privacy Notice (the “Privacy Notice”) applies to you when you participate in the Novo Nordisk Care^® (previously known as SaxendaCare^®, OzempicCare^®, WegovyCare^®) or any other applicable patient support program (the “Program”), offered by Novo Nordisk Canada Inc. (“Novo Nordisk”, “we”, “our” and “us”), in relation to your use of the Program or any other applicable Program medication (the “Medication”) and when you are using our Program website(s) located at novonordiskcare.ca or nnpatientconnect.ca (the “Site”).

This Privacy Notice does not apply to situations where we have notified you that an alternative privacy notice or statement applies, nor does it apply to other Novo Nordisk websites not listed above. You should review the privacy notice or statement posted on other Novo Nordisk websites when you visit them.

This Privacy Notice explains how we collect, retain, use, share, destroy or otherwise process (“process” or “processing”) your personal information, which means any information about an identified individual, whether the information allows that individual to be directly or indirectly identified, during your participation in the Program and/or your use of the Site.

2. Collection and use of your personal information

We collect personal information provided by you during the Program, including data generated by your use of the Site for the purposes described below and may also collect and use your personal information as otherwise required or permitted by applicable law.

Personal Information we collect:

We may collect the following personal information directly from you:

• Identification information: such as your name, e-mail address, mailing address, phone number, gender, and date of birth;
• Account information: such as your registration date, the status and details of your consents, and your preferred language;
• Medical information: such as the name and contact information of your prescribing physician, medical history, previous treatment experience, dose level, questionnaire responses (for example, regarding your motivations, progress and expectations), data that is derived from what you have provided (for example, approximated treatment week, product efficacy, adherence to treatment) and, in the event we become aware that you are experiencing a medical event or side effect while using the Medication, additional information in order to report the issue to our Product Safety Department, who are in turn required to file a report with Health Canada;
• Insurance information: your insurance information, including where applicable your spouse’s insurance information;
• Recordings: a complete recording of the voice or video call(s) with our Program educators;
• Technical information: such as information about how you use the Site.

If you participate in our discount or sample coupon service, our vendor(s) may collect claim information. Claim information is provided during our discount and sample coupon service by pharmacies to our vendor(s), in accordance with the standard rules of electronic claims transmission defined by the Canadian Pharmacists Association. This is the same information provided to other Canadian insurers and benefits carriers. Claim information is used to determine eligibility for coverage, and to verify, assess, pay and audit claims. Our vendor anonymizes this personal information before they save it. This means that information ceases to be personal information because it cannot be used to identify you directly or indirectly.

Your consent:

Certain types of the above information we collect is considered as sensitive personal information, as it relates to your health condition. We will only collect and use such sensitive personal information with your express consent.

In certain cases, you may give your consent verbally to us when you contact us by phone at the number displayed on the Site to enroll in the Program that is relevant to you and for us to verify your eligibility to the Program.

Finally, some of the above information that we collect is optional. We will inform you when the information is optional and not necessary.

You can withdraw your consent at any time by reaching out to us using the contact information below in the Contact Us section. You can also withdraw your consent to our marketing communications and surveys at any time through the unsubscribe instructions in the e-mail.

If you do not consent to the processing of your personal information, or later withdraw that consent, we will still do our best to service you, although you may not be able to participate in certain Program features. Complete information also helps us provide you with the best care possible.

Use of your personal information:

We may use your information for the following purposes:

• To deliver the Program: our live program educators are contracted regulated health professionals, they will only use the information you give us to provide patient support and education under the Program (if applicable to you, a very limited number of our employees within the Patient Support Department may also have access to your information for auditing and training purposes, to ensure that patient care and data entry are in compliance with the Program’s standards), and to look up your information in the context of follow-up calls that you initiate or that you explicitly agree to receive;
• To manage your account registration and account in order for you to beneficiate of the Program;
• To enable Program features and content to you;
• To improve our products and services – in such case, we will never include personal information that can identify you, directly, as a person, such as your name or contact information, in the IT environments where we use the data for product and service improvement, but will assign a random user ID number to your information;
• To keep you informed by e-mail of new developments in relation to the Program and send you articles that might be relevant for you, and the services we and our partners offer;
• To offer you the possibility to take part in surveys;
• To conduct scientific research and to develop statistics purposes, about our services, programs, and the healthcare sector, and to issue research publications in accordance with applicable law – when we disclose or sell those research and statistics to third parties, the information will be anonymized so that it cannot directly or indirectly identify any individual;
• For safety reporting purposes;
• To enforce our rights or the rights of others, to prevent abuse by users or to assert, exercise, or defend legal claims;
• To comply with our legal and regulatory obligations, with court or official decisions and instructions, criminal investigation, or in the public interest;

Novo Nordisk will never use your personal information to market its products to you and will not share your personal information with any third parties for their own marketing purposes.

3. Sharing of your personal information

We may share your personal information in the following circumstances in accordance with applicable laws and as otherwise permitted or required by applicable law:

• With your prescribing physician with your authorization: in such case, your live Program educator will ask for your consent to send a letter to your prescribing physician regarding your completion of training on the Medication, if you discontinue the Medication without the advice of your prescribing physician, or if there is a medical concern;
• With third-party service providers that are engaged by Novo Nordisk and may access your personal information on behalf of us and only for use as described in this Privacy Notice. We use the following categories of service providers: contracted customer service representatives, regulated health professionals delivering the live support, consultants delivering reimbursement navigation Program offering services (i.e., STI Technologies Limited), IT service providers and consultants (i.e. Lumedi Inc.);
• With persons involved in your treatment whom you authorize to receive information about your participation in the Program (e.g., your physician, nurses, pharmacists), to keep them updated on your status in the Program, if you discontinue your Medication or to sign reimbursement navigation forms, and only with your express consent;
• With public bodies, such as health authorities or other government authorities, in accordance with our legal and regulatory obligations;
• With your insurance provider if you participate in reimbursement navigation services;
• With other third parties, such as competent courts or legal advisors, government authorities, in case of a product recall or claim or to assert, exercise, or defend legal claims;
• With other third parties that you instruct us to share the data with;
• With government authorities or law enforcement agencies as permitted or required by law, for example in the context of a legal investigation or if Novo Nordisk receives a court order compelling disclosure.

Any wider reporting within or outside of Novo Nordisk on the use of the Program will involve anonymized and aggregated personal information that is scrubbed of all identifiers such that it cannot identify you directly or indirectly and will only be used for research, statistical purposes and service improvement, in accordance with applicable laws.

4. Protection of your personal information

Your personal information will be treated as confidential information by those who are allowed to access it and will only be used for the purposes set out in this Privacy Notice.

Novo Nordisk’s live program educators are governed by strict provincial laws and regulations for health professionals. They are committed to respecting patient confidentiality and are also trained on privacy best practices by Novo Nordisk.

Novo Nordisk uses an IT service provider to assist us in securely housing the patient information we collect under the Program. Production data is only accessed by our service provider to assist with any back-end technical issues. We only use service providers that are capable of offering suitable technical, physical and organizational security measures in accordance with applicable privacy laws.

We acknowledge that a data security breach could result in potential harm to individuals whose personal information is entrusted to us. Thus, we have implemented critical physical, organizational and technical measures to guard against unauthorized or unlawful access to the personal information we manage and store. We have also taken steps to avoid accidental loss or destruction of, or damage to, your personal information. While no system is completely secure, the measures implemented by Novo Nordisk significantly reduce the likelihood of a data security breach.

Here are some examples of the security controls, policies and practices we have in place to safeguard your personal information:

• secure office premises;
• locked filing cabinets and a secure shredding practice for paper records;
• the use of encryption, firewalls, anti-virus programs and robust authentication processes, including complex passwords, for access to electronic records;
• internal policies and procedures that limit access to personal information by contractors and limited employees who need the information to perform their work-related duties;
• the use of sophisticated data centres with effective physical and logical data security controls;
• initiatives to raise awareness amongst staff of their data protection responsibilities;
• a privacy framework governing the protection of personal information through its lifecycle. This framework defines the roles and responsibilities of our personnel, provides a process for dealing with complaints regarding the protection of the information, and addresses the retention and destruction of personal information;
• a designated Privacy Officer to monitor our compliance with applicable privacy laws; and
• regular reviews of privacy compliance and best practice initiatives.

In addition, we recommend that you do your part in protecting yourself from unauthorized access to your personal information. For example, never share your passwords with anyone. We are not liable for any unauthorized access to your personal information that is beyond our reasonable control.

5. External Links

We may offer links from our Site to the websites of third parties (including affiliated organizations), that may be of interest to you. Since these websites are not owned or controlled by us, we make no representations as to such third parties’ privacy practices and we recommend that you review their privacy policies before providing your personal information to any such third parties.

6. Storage and deletion of your personal information

We retain your personal information for as long as necessary for us to fulfil the purpose of the processing. Where we process your personal information with your consent, we will keep and process the data until you withdraw your consent or until the purpose for which your information was collected is achieved, if there is no legal or regulatory requirement under applicable law to keep your personal information for a longer period of time.

Once your information is no longer required for the Program and to meet legal or regulatory requirements, your personal information will be securely destroyed, deleted or anonymized.

7. Your privacy rights

As a data subject, you may have a number of rights which are described below. To make use of any of these rights, please reach out to us using the contact information provided below in the Contact Us section and let us know which right it concerns.

Depending on your jurisdiction, and subject to legal and/or contractual obligation and reasonable prior written notice, you may have the following privacy rights:

• The right to access. You may have the right to request access to the personal information we store and process about you.

• The right to rectification. You may have the right to request the rectification or correction of inaccurate or incomplete personal information that concerns you. We take steps to ensure that your personal information is as accurate, complete and up to date as is necessary for the purposes for which it is to be used, however, if you believe that the personal information we have about you isn’t accurate or complete, please contact us as provided below.

• The right to withdraw your consent. You may have the right to withdraw your consent to our processing of your personal information. Note that if you withdraw your consent to certain processing of your personal information, we may no longer be able to provide you with the Program. You may unsubscribe to receiving commercial marketing emails at any time by following the unsubscribe link in any email that we have sent to you or by sending us an email as indicated in the Contact Us section below.

8. Contact Us

We encourage you to reach out to us if you have questions about this Privacy Notice or how we handle your personal information, or if you want to exercise any of your data privacy rights as a user of our Program and/or of the Site by contacting our Privacy Officer as follows:

Privacy Officer
Novo Nordisk Canada Inc.
101 – 2476 Argentia Rd.
Mississauga, Ontario
Canada L5N 6M1

Tel: 1-833-NORDISK (667-3475)

Email: privacy@nnpatientconnect.ca

9. Changes to the Privacy Notice

We may change this Privacy Policy from time to time in order to better reflect our current personal information handling practices. Thus, we encourage you to review this document frequently. The “Last Updated” date at the top of this Privacy Policy indicates when changes to this policy were published and are thus in force. If we make any significant changes to the Privacy Policy, we will post a notice on our Site or contact you to inform you when required by law. Your continued use of the Program and the Site following the posting of any changes to this Privacy Policy means you accept such changes, subject to any additional requirements that may apply.