Global Privacy Policy

Protection of Personal Data and BTG’s Commitment to Privacy and Security

BTG’s Global Privacy Policy applies to all its operating companies and affiliates, branches and offices worldwide and all associated staff. At a minimum, BTG’s Privacy Policy meets the requirements of applicable laws. As a reflection of our patient focus and reflecting how we value the rights of individuals, in many instances, BTG’s global requirements exceed the strictest of various country specific laws.

BTG’s policy sets out the principles that BTG is to adhere to in order to protect the privacy of personal information. The requirements relate to any identified or identifiable living person on whom BTG collects, stores and processes data. The purpose of BTG’s Policy is to ensure the data are treated in an appropriate and lawful manner.

Personal Data Collected by or on Behalf of BTG

Personal data includes any information or representation that can identify an individual. Such information may be in paper or digital form. Individuals whose personal identifiable data BTG may collect and use for appropriate business purposes include the following:

  • Patients, including research subjects

  • Customers

  • Employees

  • Suppliers and service providers

  • Physicians, pharmacists and other healthcare professionals ("HCPs")

  • Investigators or other researchers

BTG further classifies personal data as sensitive personal data to the extent that it relates to any of the following information about an individual:

  1. Racial or ethnic origin

  2. Political opinions

  3. Religious or philosophical beliefs

  4. Sexual orientation

  5. Trade union membership

  6. Genetics, biometrics and/or health.

BTG takes measures in an effort to ensure sensitive personal data is subject to certain additional legal data protection safeguards.

BTG’s Privacy Principles

The following principles and requirements inform BTG’s collection, storage, and use of personal data. All BTG policies and procedures that address privacy practices are developed in accordance with these Privacy Principles and are prepared with the guidance of the BTG Privacy and Legal teams.

Principle 1: BTG Will be Accountable for Protecting Personal Data

In addition to completing company assigned training and adhering to policies and procedures, BTG management communicates and assigns accountability to BTG Staff, based on each employee’s role and responsibilities.

It is not the responsibility of management alone to lead in the critical area of data protection. All BTG Staff are accountable for protecting the personal data they handle on behalf of BTG.

Principle 2: Provide Notice Before Collecting Personal Data

BTG provides advance notice to individuals about its intended collection of personal data. Examples include obtaining patient consent for clinical trial participation and providing opt-in notices prior to collecting and utilizing HCP contact information for commercial purposes.

At a minimum, individuals are told BTG is responsible for their personal data, the purpose for which it is to be processed, and the identities of anyone to whom the data may be disclosed or transferred. Additional relevant information is to be communicated at the same time, including retention periods, the legal basis for processing, and the rights of individuals to object to certain processing (such as direct marketing). BTG collects and processes personal data only for the purposes identified to and consented by the individual or purposes subsequently authorized by them.

Principle 3: Use of Personal Data Appropriately and as Intended

BTG may only process personal data lawfully where one or more of the following circumstances occur:

  • The individual’s consent is obtained

  • The data is needed for contractual reasons (e.g. in connection with a customer relationship or to perform a contract with a supplier)

  • An applicable law specifically says BTG can process the personal data

  • It is necessary for BTG’s legitimate business interests, provided that the rights of the individual are not unduly prejudiced

However, BTG is not to do any of the following:

  • Sell or otherwise provide copies of mailing lists or other contact details to third parties (unless certain legal conditions are met)

  • Use data to promote unrelated products and/or services

  • Disregard the express wishes of individuals

  • Process personal data in a way which the company knows the individual will find objectionable

BTG Staff are to collect or process sensitive personal data in limited circumstances and for limited purposes. In most cases, the individual's explicit consent to the processing of such data, for the particular purpose for which it is collected, will be required. Sensitive personal data, including health data, should not be collected or processed for the purpose of marketing or development activities or general demographic profiling without the individual's explicit consent.

An exception to this rule is if the personal data has been “anonymized." The concept of anonymisation for data protection purposes, however, is narrowly defined. Excluding Company sponsored clinical trials (operated under SOPs addressing trial subject confidentiality and privacy), employees are to consult and gain the documented approval of the BTG Data Security Team (DST) before applying this exception. Other exceptions may apply for the purposes of adverse event reporting of issues that have been identified, which could affect the safety, quality and efficacy of health products.

Principle 4: Unless permissible by law, BTG will seek Permission prior to using personal information to send marketing communications to individuals.

Independent of the above principle, in every instance, BTG gives individuals the opportunity to opt-out from receiving specific or any marketing communications at any time.

Special country specific laws apply to sending e-marketing to individuals (e.g. generic email marketing campaigns to a number of contacts/customers/clients). For European citizens, for example, BTG will ensure consent (i.e., opt-in) has been obtained and comply with all opt-out requests.

In relation to email marketing, individuals must be able to 'unsubscribe' or 'opt-out' at any time by following the link at the bottom of the email. If an individual makes a particular request not to be included in BTG marketing campaigns or email circulars, BTG staff will respond appropriately and promptly to ensure the appropriate action is taken.

All marketing initiatives which involve widespread communication with our customers and potential customers must be discussed and agreed with the DPO first.

It is important to note that BTG will not share the details of customers (such as customer lists) with third parties for marketing purposes.

Principle 5: International Transfer and Disclosure to Third Parties

BTG applies the BTG Privacy Principles to wherever personal data is transferred, including across national borders, to affiliates, third parties who support BTG’s business, and partners with whom BTG does business.

When transferring personal data, where necessary (e.g., to affiliated companies, other branches, representative offices of BTG, suppliers, service providers, other third parties), BTG Staff will take steps to ensure that such personal data remains adequately protected. If transferring personal data outside of the country of collection), additional rules and requirements may apply. BTG Staff and third parties are to ensure that any such international transfers comply with the International Transfers and Third Party Processors SOP.

In most instances, sharing personal data with overseas affiliates, branches and representative offices is not in breach of DP Laws. This is because BTG has measures in place to ensure that there is an adequate level of protection over the personal data that meet the legal standards of protection. The types of controls that BTG has in place include, meeting the obligations under the BTG intra-group data transfer agreement, which is based on standard clauses endorsed by the EU data protection regulators.

Principle 6: Individuals have a Right to Access and Correction

Personal data will be processed in line with individuals' rights. BTG will address the following rights of individuals:

  • To request access to any data held about them

  • To prevent the processing of their data for direct marketing purposes

  • To ask to have inaccurate personal data amended

  • To prevent processing that is likely to cause damage or distress to themselves or others

Individuals are entitled to request and see copies of all personal data the Company holds about them, unless a specific exemption applies.

If you wish to receive access to or correct information within BTG’s possession, submit your request here.

Principle 7: Ensuring and Maintaining Data Integrity is Essential

BTG ensures that personal data is accurate, up-to-date, and relevant for the purpose for which it is to be used.

BTG takes reasonable steps to ensure that personal data is reliable, accurate, and complete. Any personal data that is no longer required for the purpose for which it was collected is securely removed or destroyed, subject to any applicable retention periods, as specified in the BTG Retention and Document Management Policy.

Principle 8: BTG Recognizes that Personal Data Requires Appropriate Levels of Security

BTG uses reasonable and appropriate safeguards to protect information against loss, misuse, and unauthorized access, disclosure, alteration, or destruction.

Through its information security policies and procedures, BTG implements physical, technical, and organisational controls to protect information, including personal data that is within BTG’s possession or control. Maintaining data security means protecting the confidentiality, integrity and availability of the personal data, and is defined as follows:

  • Confidentiality means that only people who are authorised to use the data can access it.

  • Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.

  • Availability means that authorised users should be able to access the data if they need it for authorised purposes.

Regular training on appropriate security controls is mandatory for all BTG Staff.

Principle 9: BTG is Responsible for Reporting Data Breaches and Monitoring of Key Controls

If BTG loses, suspects, or is made aware of a potential loss of any personal data including data contained in documents, a laptop, tablet, mobile phone, or any other device that contains or permits access to any individuals' confidential information, immediate action is taken by staff per Company procedure.

To prevent and/or reduce the risk of data breaches occurring, BTG monitors key processes informing the risk of a control failure and non-compliance with Company policies and procedures. This would include auditing or investigating potential control failures.

BTG has established procedures to monitor for compliance to Company requirements, to handle inquiries, and respond to privacy or security incidents and complaints. When an incident occurs or a failure to adhere to applicable policies or procedures is identified, BTG takes measures to remediate the situation and takes appropriate measures to prevent a future failure.

Data Protection Questions or Concerns

Anyone who has questions related to BTG’s Privacy and Data Protection Program, observes potential or actual breaches may contact BTG’s Privacy and Data Protection Officer at