Privacy Notice

General Privacy Notice :

This privacy notice (“Notice”) is provided by Dr. Reddy’s Laboratories, Ltd. ("Dr. Reddy’s") and its affiliates. Dr. Reddy’s is referred to in this Notice as “we”, “us” and “our”.

Scope of this Notice

This Notice describes how we use your personal information, and your data protection rights, including a right to object to some of the processing which we carry out. Our privacy notice tells you what personal information we collect and how we collect it. It explains what we use your personal information for and how we protect your personal information and keep it safe. This privacy notice explains our general practices. However, where local laws or regulations require that we process information differently, or refrain from such processing, we will always comply with the applicable local law.

This Notice is intended for:

visitors to our main website www.drreddys.com and certain other websites directly linking into this Website or APPs (“Site”);

members of the general public who interact with us;

employees and other persons acting on behalf of the businesses and organizations Dr. Reddy’s interacts with (such as vendors, health care professionals and customers); and

any individual receiving this Notice who has not received a more specific notice as described below.

Please read this Notice carefully to understand our policies and practices regarding your personal information, and how we will treat it. If you do not agree with our policies and practices, please contact us to request that we no longer process your personal information, and we will take appropriate action in this regard. However, if we no longer process your personal information, we may not be able to provide you with the information, goods, or services as may be requested.

Our Sites may include links to other websites over which we have no control. Dr. Reddy’s is not responsible for the privacy policies or practices of other websites. We may also link to other websites operated by Dr. Reddy’s or Dr. Reddy’s affiliated companies which may operate under separate privacy policies. If you access these websites via our Sites, you should review the privacy policies of those sites so you can understand how they collect, use, and share your information. We suggest that when linking to another website or accessing a third-party service, you always read that website’s privacy notice before volunteering any personally identifiable information.

Data We Collect About You:

We may collect, use, store and transfer different categories of personal data about you which we have grouped together as follows:

Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender;

Contact Data includes billing address, delivery address, email address and telephone numbers;

Financial Data includes bank account, payment card details, and payroll data;

Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us;

Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website or intranet;

Profile Data includes your username and password on our website, our intranet, purchases or orders made by you, your preferences, and feedback and survey responses; Usage Data includes information about how you use our website, intranet, products and services;

Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences; and

Special Categories of Personal Data: includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.

Healthcare Professionals: Dr. Reddy’s collects information about healthcare professionals when you interact with us or our representatives. Dr. Reddy’s also collects personal data from a number of third-party data sources, in particular from publicly available sources such as public registers of healthcare professionals, published journals and event materials and from websites of healthcare professionals or their employers. Dr. Reddy’s collects and process such publicly available data only to the extent where the purposes for such collection and processing are compatible with and correspond to the initial purposes for which the respective data are made publicly available. Dr. Reddy’s also specially makes use of third party data providers to enhance its own knowledge of the healthcare sector. This data may include information about your role(s), your qualifications, your specialty, your employer, your experience, your publications and other information related to your profession.

How We Use Your Information

We process the personal information we collect for the following purposes/legal bases:

Contract

We process your personal data when it is necessary for the performance of a contract with you, or where you have requested us to take steps prior to us entering into a contract together, in particular:

to fulfil any of our obligations owed to you under such contract such as to manage your orders, arrange the provision or receipt of goods and services, and to make payments to you for services provided, the reimbursement of expenses or rebates;

where applicable, to manage information related to your attendance at an event, for example, your dietary requirements; and

managing orders, questions, and complaints regarding products where you have placed orders, posed questions in relation to orders, or submitted complaints.

Legal obligation

We process your personal data to meet legal (including tax and accounting), regulatory, pharmacovigilance, quality, medical inquiry, and compliance requirements, including:

to respond to requests for information from government authorities;

to comply with all legal and self-regulatory obligations including transparency and disclosure obligations or anti-gift obligations (this may either be in our legitimate interests or a legal obligation);

to manage and respond to requests concerning quality or medical information (this may either be in our legitimate interests or a legal obligation);

prior to entering into a personal services contract with you, to check that your professional expertise and experience match our identified need for that service.

We may also process your personal data in connection with dispute resolution, legal claims, compliance, regulatory and such investigative purposes as we deem to be necessary (including disclosure of such information in connection with legal process or litigation). We maintain records of any consents, preferences or other settings to enable us to comply with data protection laws.

Legitimate interests
We also process your personal data when it is necessary for the purposes of our legitimate interests as a controller (or those of a third party):

to educate and train staff and promote their professional and personal development;

to promote goods and services including in relation to promotional and educational events for healthcare professionals;

to respond to your queries or other correspondence you have submitted through our Sites;

to analyze engagement with our Sites, communications, events and services in order to improve content, optimize performance and enhance their relevance to various audiences;

to optimize and tailor the use of our Sites and our communication to you;

to detect, investigate, prevent or report activities that may violate our policies or be illegal;

to carry out conflict of interest checks and assessments where you have been identified by a Dr. Reddy’s employee as having a potential conflict of interest with us and keep records of the same to enable us to take appropriate action to remediate such conflicts;

to develop and maintain our relationship with you and to better understand the healthcare sector;

to contact you or otherwise provide you with information regarding Our products or events (when your consent to receive direct marketing communications is not required);

to tailor our communications to you based on your expertise and professional interests;

to assess and analyze your interests and experience based on information our representatives collect during calls or visits;

to carry out and follow-up training, including by providing you with further information, inviting you to symposia, congresses, seminars, debates and other events;

to carry out or engage in market research, scientific cooperation or other research activities to better understand our markets and/or increase our expertise;

to check that your professional expertise and experience matches our identified need for a particular service prior to entering into any personal services contract with you (to the extent that this is not a legal obligation as set out below);

to manage our business relationship with you;

to plan for, conduct and monitor our business in relation to our supplier/vendor or customer contracts;

to handle any questions or complaints you may have about us or our staff

to investigate allegations of misconduct; and

for due diligence prior to setting up a trading account or in the circumstances of mergers and acquisitions, dispute resolution or audit. Consent

Generally, we do not rely on consent as a legal basis for processing your personal data, except for certain circumstances such as sending direct marketing communications to you via email or as required by applicable law. If we require your consent to process your personal data in any other circumstance, we will contact you separately to request such consent.

In some cases, we may ask you for your consent to collect and process your personal data. If you choose to provide us with your consent, you may later withdraw your consent (or opt-out) by contacting us as described in the “how do you contact us” section below. Please note that if you withdraw your consent, it will not affect any processing of your personal data that has already occurred. Where we process your personal data based on consent, we will provide more detailed information to you at the time when we obtain your consent.

Where we collect personal data to perform our contract with you or to comply with our legal obligations, this is mandatory, and we will not be able to perform the contract, or we may be prevented from complying with our legal obligations to you or third parties (such as mandatory reporting, tax and accounting) without this information. In all other cases, provision of the requested personal data is optional, but this may affect your ability to receive certain services or take part in certain activities where the information is needed for those purposes.

Sharing Your Personal Data

Dr. Reddy’s discloses your personal data to the following categories of recipients (in all cases, only when necessary to fulfil their functions):

our staff (including employees and external consultants), professional advisors and agents;

other functions and companies in the Dr. Reddy’s group of companies worldwide who provide IT support, IT hosting and other group services such as HR, Finance and other support;

third party service providers which process your personal data on behalf of Dr. Reddy’s and who are bound by contractual obligations to keep your personal data confidential and appropriately secure, such as:

IT support, website hosting, CRM hosting, event management and analytics providers;

in the case of supplier and supplier personnel personal data, administrative, consultancy and logistical support service providers, investment houses for the purposes of benefits management, and training providers;

Inquiry and other database hosting and support;

various HR, travel and administration services.

government authorities (including tax authorities), regulatory agencies and law enforcement officials, if required for the purposes specified above, if mandated by law, or if required for the legal protection of our legitimate interests in compliance with applicable laws.

if you are a healthcare professional, relevant regulators as required, such as EMA and pharmaceutical self-regulatory bodies such as EFPIA in Europe;

our third party sources of personal data where we need to confirm and have agreed to assist them with the accuracy of information (for example, if you are a healthcare professional, we may share personal data with our third party sources where we become aware that you have moved to a new role);

in relation to the performance of our relations, the protection of our legitimate interests or the compliance with our legal obligations, we may disclose your personal data to service providers such as banks, postal service providers, lawyers, auditors, etc. When dealing with such providers, we require them to strictly comply with all applicable data protection rules and laws, as well as the specific rules applicable to their activities and the protection of the information they process in the course of such activity;

if you are a pharmacy customer, your nominated wholesaler;

in the event that the business is sold or integrated with another business, potentially our advisers, any prospective purchaser’s advisers and any new owners of the business and third parties (and their advisors) with whom we merge with or acquire in future.

How We Store/Protect Your Information

If we have a contract with you, your personal data will be retained for the duration of your contract and for an appropriate duration, in accordance with applicable laws after its termination.

Otherwise, your personal information will be retained for two years, or as reasonably necessary for the purposes set out above, in accordance with applicable laws. For more information on your circumstance, please contact us using the contact information listed below.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information to those employees, service providers, business partners, vendors and other third parties who have a legitimate need to know. They will only process your personal information on our instructions or as otherwise agreed and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

YOUR RIGHTS – FOR EUROPE

By law you may be entitled under circumstances to the following:

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.

Request the transfer of your personal data to another party.

If you want to review, verify, correct, or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us using the contact details in this Privacy Notice.

International Transfers

Dr. Reddy’s operates internationally and will transfer your information to the recipients set out in the ‘Sharing Your Personal Data’ section in countries outside your own country and outside the European Economic Area, including to India. For the purposes of EEA, UK and Swiss data protection laws, when transferring your information to India or any other country, Dr. Reddy’s generally relies on EU Commission approved standard contractual clauses.  Information on the relevant mechanism can be provided upon request.

Contact Information

Please contact us at: dataprivacy@drreddys.com

Additional notice to California residents – your California privacy rights

This section supplements the description of our information collection and sharing practices elsewhere in this Privacy Notice to provide certain disclosures to California residents whose personal information Dr. Reddy’s processes pursuant to the California Consumer Privacy Act (“CCPA”).  Please note that these disclosures do not apply to information that is not processed under the CCPA.

During the preceding 12 months, Dr. Reddy’s may have collected, used, and shared the categories of personal information described above in this Privacy Notice. For example, depending on the services you use, this may include identifiers (e.g., email addresses, IP addresses, and mobile device identifiers), health information, demographic information, geolocation information, and internet or other electronic network activity information. This may also include inferences we draw from the other information we collect.  See the “The Data We Collect”.

Under the CCPA, California residents may have the right to request that a business that collects consumers’ personal information give consumers additional transparency and access to the specific pieces of personal information that the business has collected about the consumer. California residents also have the right to submit a request for deletion of information under certain circumstances.  Please note that these rights are not absolute.  For example, we may not delete information we are required to retain for regulatory reasons, certain internal business purposes, or where otherwise provided for by law.  In addition, we will not respond to a request if we cannot verify you as the requestor.

Once we receive your request, we may verify it by requesting information sufficient to confirm your identity, including by asking you for additional information. If you would like to use an agent registered with the California Secretary of State to exercise your rights, we may request evidence that you have provided such agent with power of attorney or that the agent otherwise has valid written authority to submit requests to exercise rights on your behalf.

Consistent with California law, if you choose to exercise your rights, we will not charge you different prices or provide different quality of services unless those differences are related to your information or otherwise permitted by law. Please submit your request by sending an email to dataprivacy@drreddys.com

Changes to this Notice

This Notice may change from time to time. Dr. Reddy’s will place an updated version of the Notice on this page and may otherwise communicate changes as appropriate. December 2021