GSK's Binding Corporate Rules
GSK’s human resources (HR) and research and development (R&D) activities involve the processing of “personal information”, including the transfer of that personal information internationally. We are committed to exercising high standards of integrity in dealing with personal information and have adopted Binding Corporate Rules (BCRs) to enable us to make international transfers of personal information within our group of companies in compliance with data protection laws of the European Union, in particular the General Data Protection Regulation (Regulation 2016/679) (GDPR).
If you require further detail, a copy of our BCRs can be obtained by contacting our EU Data Protection Officer here: EU.DPO@GSK.com.
The scope of our BCRs
As a result of the United Kingdom ceasing to be a member state of the EU, we have two sets of BCRs, our EU BCRs and our UK BCRs. All references in this statement to the GDPR shall, in respect of our UK BCRs, mean the equivalent UK data protection laws.
The EU BCRs apply to your personal information collected in the context of our HR and R&D activities (as further described below), where it is transferred internationally:
- by a GSK company that is subject to EU data protection laws, in the EU countries identified below;
- to a country outside the European Economic Area (EEA), where the laws do not provide adequate protection for personal information.
EU Countries where approval has been obtained: GSK has received approval for our BCRs in: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania (R&D only), Slovakia, Slovenia, Spain, Sweden and Switzerland.
The UK BCRs apply to your personal information collected in the context of our HR and R&D activities (as further described below), where it is transferred internationally:
- by a GSK company that is subject to UK data protection laws;
- to a country outside the UK, where the laws do not provide adequate protection for personal information.
Our HR activities: These include (i) managing the recruitment process which includes all screening, background and criminal record checks; (ii) managing our workforce which includes salary and benefits administration; managing health care, pensions, employee assistance, leave, insurance and savings plans; managing sickness, health and wellbeing, inclusion and diversity; managing employee relations, disciplinary matters and terminations; providing work related accomodations or health and insurance benefits; responding to queries or requests; and managing post-employment records and activities; (iii) maintaining business operations which includes allocating asset and resources, conducting strategic planning and project management, creating budgets and financial statements, keeping audit trails and maintaining records; (iv) analysing our workforce so that we can better use and allocate company assets and human resources; (v) managing the sale of assets, mergers, acquisitions and re-organizations; (vi) communicating with personnel, including in an emergency, and creating content, such as recordings, videos or pictures for internal communication and educational purposes; (vi) managing training, development, performance and talent management; (vii) managing GSK IT products, systems, networks and communication channels including to enable these to be used by personnel, including managing access rights and acceptable use, creating back-ups and gathering statistical data on their use; (viii) legal and compliance activities which include complying with legal, regulatory and other requirements such as employment, social security and occupational health laws and regulations, income tax and national insurance deductions; complying with record-keeping and reporting obligations; completing equal opportunity monitoring and reporting; conducting audits and risk management; complying with government inspections; responding to legal process, pursuing legal rights and remedies defending litigation and managing any internal complaints or claims; complying with internal polices and procedures; and monitoring activities as permitted or required by local law; (ix) monitoring GSK IT resource usage and corporate investigations; (x) health, safety and security activities; and (xi) operating the Speak Up process to allow concerns to be raised or reported internally.
Our R&D activities: These include, interventional and non-interventional clinical studies that are solely or jointly initiated, managed or financed by us, and associated regulatory compliance such as, safety monitoring and adverse event reporting. The personal information processed comprises information relating to “External Researchers” and “Research Subjects” (see Glossary).
Out of scope: Our BCRs do not govern the processing and transfer of personal information by our commercial divisions (e.g. personal information relating to consumers, or individuals connected with suppliers to our commercial divisions). That information is protected according to different lawful mechanisms. Our EU BCRs do not cover transfers of personal information by GSK companies located outside the EEA, where they are not subject to EU data protection laws. Our UK BCRs do not cover transfers of personal information by GSK companies located outside the UK, where they are not subject to UK data protection laws.
GSK companies covered by the BCR: Our BCRs are binding on all our group companies that have signed the intra-group agreement mentioned above. GlaxoSmithKline (Ireland) Limited, an Irish company, has overall responsibility for ensuring that other group companies around the world comply with the EU BCRs, including remedying breaches of the EU BCRs. GlaxoSmithKline plc, a UK company, has overall responsibility for ensuring that other group companies around the world comply with the UK BCRs, including remedying breaches of the UK BCRs.Back to top
1. We process personal information fairly and lawfully
We will comply with applicable laws relating to processing personal information. In the event of a conflict between these BCRs and applicable laws, which is likely to have a substantial adverse effect, including any legally binding requests for the disclosure of personal information by a law enforcement authority or state security body, this shall be reported to the competent supervisory authority. Where applicable law prohibits the relevant group company from making such a notification to the competent supervisory authority then we will use our best efforts to obtain a waiver of this prohibition.
In the event that these efforts are unsuccessful, the group company will provide to the competent supervisory authority, for each 12 month period, general information in respect of the requests it has received from such authorities, including the number of applications for disclosure, the type of data requested and, if possible, the identity of the body requesting it.
At no time will any group company provide personal information to government entities in any country indiscriminately, disproportionately or on a large scale in a manner that goes beyond what is necessary in a democratic society.
Reason for processing: We only process personal information where we have a legitimate business purpose for doing so and the processing is necessary for that purpose. All processing aligns with an appropriate legal basis under the GDPR.
Legal basis for processing: We rely on the following legal bases to process personal information. Processing must be necessary:
(i) for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract;
(ii) to comply with our legal obligations;
(iii) for performance by us of a task carried out in the public interest;
(iv) to protect your vital interests; or
(v) for legitimate interests pursued by us or a third party, provided these interests are not overriden by your own interests, rights and freedoms.
Special category information: Given the nature of “special category information” (see Glossary), extra safeguards apply. We only process special category information where:
(i) it is necessary for us to comply with our legal obligations and exercise our legal rights under employment laws;
(ii) it is necessary to protect your vital interests, where you are physically or legally incapable of giving consent;
(iii) processing involves personal information which are manifestly made public by you;
(iv) it is necessary for the establishment, exercise or defence of legal claims;
(v) it is necesssary for reasons of substantial public interest; or
(vi) for the purpose of preventive or occupational medicine, the assessment of the working capacity of one of our employees, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems and services, either under applicable laws or under a contract with a healthcare professional. Under these circumstances, the processing will be undertaken by a healthcare professional bound by an obligation of professional secrecy or by another person subject to an appropriate obligation of secrecy.
Where it is required by law or where we are unable to rely on one of the above grounds to process your personal information, we will seek your unambiguous consent. Where processing special category information we will only do so where such consent is explicitly provided. If you provide your consent, you are free to withdraw it at any time. If you would like to do so, please let us know by getting in touch with us as set out in our Privacy Notices which are available here.
- We collect and retain the minimum amount of personal information necessary to pursue specific, explicit and legitimate business purposes
We collect the minimum amount of personal information necessary to pursue each specified, explicit and legitimate business purpose. We ensure personal information is adequate, relevant and limited to the purposes for which we collect and/or further process it. Where we become aware that any personal information is inaccurate, we take every reasonable step to erase or rectify it without delay. Whenever possible, we rely on “anonymised information” (see Glossary) rather than using personal information to achieve our aims. We ensure personal information is accurate and, where necessary, kept up-to-date.
We retain personal information only for as long as necessary for a legitimate business purpose. We then delete, destroy or anonymise the personal information.
- We explain how personal information will be used and your rights
Transparency: We are transparent about our personal information processing activities. We provide the information required by applicable laws, at the time of collecting the personal information. At a minimum, we provide the minimum information required under articles 13 and 14 of the GDPR. Where we obtain personal information from third parties rather than directly from you, we may (subject to applicable law) not provide this information to you if doing so would be impossible or involve a disproportionate effort.
Individual rights management: We allow you to exercise rights under the GDPR, including the right:
(i) to access your personal information;
(ii) to rectify your personal information;
(iii) to erase your personal information;
(iv) to restrict or object to processing of your personal information;
(v) to provide a copy of your personal information to you or a third party;
(vi) not to make automated decisions about you (see below);
(vii) to withdraw your consent; and
(viii) to opt-out of receiving marketing communications.
We also comply with applicable laws in those countries that provide you with other rights in respect of your personal information. We may restrict your right to access your personal information in order to protect others (e.g. another individual’s right of privacy) or to meet our legal obligations.
Automated decision-making: We make limited use of automated decision making procedures when processing personal information. We will only use automated decision making if:
(i) it is necessary for entering into, or performance of, a contract between us and you;
(ii) it is authorised under a specific EU or Member State law (in relation to EU BCRs) or under UK law (in relation to UK BCRs), and the safeguards required to be implemented by that law have been implemented; or
(iii) you have given explicit consent.
If you would like to exercise any of your rights, please let us know by getting in touch with us as set out in our Privacy Notice. Where you opt to exercise any right, we will try to provide information on the action we have taken in response within one calendar month. Depending on the complexity of your request and the number of other requests we are dealing with, we may need a further two months to provide this information. We will let you know within one month of receiving your request if our response will be delayed.
- We do not use personal information for further purposes incompatible with the purpose for which it was originally collected
Purpose limitation: We will only process personal information in a way which is compatible with the specified, explicit and legitimate business purpose for which it was originally collected. We will notify you of any new purposes for processing your personal information.
- We use appropriate security safeguards
Safeguarding your Privacy: We implement appropriate technical and organisational security measures to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information. These measures are appropriate to the risks associated with using personal information and incorporate state of the art technologies.
Incident and breach management: We will notify supervisory authorities of personal data breaches, unless those breaches are unlikely to result in a risk to your rights and freedoms. We will notify you of personal data breaches if such breach is likely to result in a high risk to your rights and freedoms, and (at our discretion) in certain other circumstances. We maintain a record of personal data breaches which includes facts about the personal data breach, its effects (if any) and the remedial action taken to resolve the breach. We will make these records available to competent supervisory authorities on request.
- We carefully control disclosure of personal information to third parties
Third Party Privacy Management: We disclose personal information outside of our group of companies where required by law, in connection with legal proceedings, and in other limited and lawful circumstances. We may also transfer personal information outside of our group of companies to: (a) third-parties acting on our behalf, including suppliers; or (b) other independent third parties, such as research and commercial partners or regulatory agencies.
Where we rely upon any third parties to process personal information on our behalf, we put in place appropriate contractual, organisational and operational controls with them to ensure the confidentiality and security of your personal information. We require that those third parties agree to all provisions set out in article 28 of the GDPR. If we discover that a third party is processing personal information inconsistently with requirements imposed by us, or applicable laws, we will take all reasonable steps to ensure the deficiencies are addressed as quickly as possible.
Onward transfers to third parties: Where we transfer personal information internationally to third parties located in countries, where data protection laws do not offer an adequate level of protection for personal information, we implement approved standard contractual clauses (details of which are available here : https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en).
Regulatory Filings: Where required under applicable data protection laws in any Member State or the UK, we notify or obtain approval from the relevant supervisory authority with regards to processing of personal information (including international transfers of personal information), and ensure that the notifications or submissions for approval are kept up to date in the event of any changes.
- We operate a complaints procedure and respect your right to a remedy
Making a complaint to us: If you believe we may not have complied with the rules set out in our BCRs, you are free to raise concerns directly with us and to have your complaint assessed under our internal complaints resolution procedure. We encourage you to raise privacy complaints through our Speak Up line.
HR activities: For employees and other individuals whose information is processed in connection with HR activities, a privacy complaint could be registered with your line manager (in the case of GSK employees), a country compliance officer, a local HR or legal representative, or the regional equivalent of any of these, all of whom will report the privacy complaint to the complaint channel, which will forward the complaint to the business unit’s compliance group and the Privacy Centre of Excellence. They will independently assess the appropriate course of action in response to your complaint.
R&D activities: For individuals whose personal information is processed in connection with R&D activities, if you are a “Research Subject” (see Glossary), you should contact the clinician or researcher who is conducting the study, who will forward the complaint to our Privacy Centre of Excellence. If you are an “External Researcher” (see Glossary), a privacy complaint could be registered with GSK’s country compliance officer, legal representative, or the regional equivalent, all of whom will report the privacy complaint to the complaint channel within GSK. They will independently assess the appropriate course of action in response to your complaint.
Escalation: Regardless of where we receive data privacy complaints, if they cannot be resolved they will be escalated: (i) to a GSK Country Privacy Advisor, whose contact details are published on our website here; or (ii) to GSK’s EU/UK Data Protection Officer at EU.DPO@GSK.com. The EU/UK Data Protection Officer represents the final avenue within GSK for complaint resolution relating to our BCRs. We endeavour to resolve complaints expeditiously and, unless exceptional circumstances apply, GSK will contact you in writing within one month. That communication will either: (a) indicate our position with regards to the complaint and any action we have taken, or will take, in response to the complaint; or (b) state when you will be informed of our position, which will be no later than two months thereafter. You can contact our EU/UK Data Protection Officer directly if you wish.
Making a complaint to a supervisory authority or courts: You may submit a complaint in relation to our EU BCRs to any of the following: (i) the competent supervisory authority in the country where you have your habitual residence, place of work, or where the alleged breach took place; (ii) the Irish Data Protection Commissioner or Irish courts (as the location of GlaxoSmithKline (Ireland) Limited); (iii) the courts of the EEA country from which your personal information was transferred by us; or (iv) the courts in the EEA country where you have your habitual residence. You may submit a complaint in relation to our UK BCRs to the UK Information Commissioners’ Office or the courts of England and Wales (as the location of GlaxoSmithKline plc). Following our internal complaints procedure in no way prejudices your right to use any of these options.
If you raise a complaint and can demonstrate that you have suffered material or non-material damage most likely because of a breach of either or both of our EU BCRs or UK BCRs, we will need to prove that there has been no breach of the relevant BCRs. If a supervisory authority or court makes an order against a GSK company outside of the EEA in relation to our EU BCRs, and the GSK company is unable or unwilling for whatever reason to pay the damages or comply with the order within any applicable grace period, then GlaxoSmithKline (Ireland) Limited will pay the damages awarded to you directly, or ensure that the relevant GSK company complies with the order. If the UK Information Commissioners’ Officer or the courts of England and Wales make an order against a GSK company outside of the UK in relation to our UK BCRs, and the GSK company is unable or unwilling for whatever reason to pay the damages or comply with the order within any applicable grace period, then GlaxoSmithKline plc will pay the damages awarded to you directly, or ensure that the relevant GSK company complies with the order.Back to top
“Anonymised information” refers to personal information rendered anonymous in such a manner that an individual is not or no longer identified or identifiable.
“Complementary Worker” is understood within GSK to mean any individual(s), excluding GSK employees, who provide services for or on behalf of GSK, including on or off-site contingent workers, professional consultants, temporary staff, vendors and service contractors.
“External Researcher” refers to external physicians or other healthcare professionals who participate or may participate in R&D.
“Personal information” refers to information that relates to an identified or identifiable individual.
“Research Subject” refers to candidates for, or individuals participating in research activities, or individuals taking our products or treatments whose personal information we process in the pharmacovigilance context. Research Subjects include participants that are both external and internal to GSK.
“Special category information” refers to a subset of personal information relating to an individual’s race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.Back to top