Johnson & Johnson Family of Companies
Global Employee Privacy Notice
Version: [2024V1]
Last Updated: [October, 2024]
Johnson & Johnson and its affiliated entities (collectively, “J&J” or the “Johnson & Johnson Family of Companies”) are committed to protecting the personal information of our employees. This information helps J&J conduct Human Resources and operational processes as well as contingency planning and internal talent searches. J&J operates in many different countries. Some of these countries have laws related to the processing of the personal information of individuals. The purpose of this Global Employee Privacy Notice (the “Notice”) is to give you information about what personal information we collect, use, transfer and disclose, and why.
We may update this Notice because of changes in our privacy practices and policies, a change in laws and regulations, or for other reasons. We will inform you of any material changes or updates to this Notice. The updated Notice will be available to you via the SUMMIT Learning Management System, Global Services HR portal or your local HR portal and you will receive an e-mail notifying you of the update and providing a link to access the appropriate portal. If you have any questions or concerns about how we process your personal information, please contact us via the Global Services HR portal or your local HR portal.
1. Why We Collect Information About You
In the course of your employment with a J&J company (the “Company”), J&J may have collected or will collect information about you and your working relationship with J&J, that may include limited information about your spouse, domestic/civil partner or dependents (“Dependents”). We refer to such information as “Personal Information”. J&J acts as a data controller with respect to such Personal Information. For more specific information regarding what information we collect and the purposes for which we collect it, please see Section 8.
We may receive Personal Information from you, as well as from other sources, such as colleagues, managers as part of regular evaluations, as well as references collected during the hiring process, prior employers or schools, clients, and background check providers.
We collect and process Personal Information about you:
(i) because we are legally obliged to do so by applicable laws,
(ii) because such information is necessary to fulfill your working contract,
(iii) because such information is of particular importance to our business operations and we have a specific legitimate interest to process it, for example, where necessary to ensure network or information security, communication across J&J, for administrative and compliance purposes, and as generally required to conduct our business. Additional information about those purposes is detailed under Section 8 of this Notice.
(iv) where a public interest requires it,
(v) where the Personal Information is necessary for the establishment, exercise or defense of legal claims,
(vi) where necessary to protect the vital interests of any person.
Please refer to Section 8 of this Notice to understand how each of these legal bases for processing your Personal Information applies to each category of Personal Information we collect about you.
Where none of the reasons above apply, your decision to provide Personal Information to J&J is voluntary and requires your consent. However, if you do not provide certain information, J&J may not be able to accomplish some of the purposes outlined in this Notice. If we process Personal Information based on your consent, you may withdraw your consent at any time. Such a withdrawal will not affect the legitimate processing prior to the consent withdrawal. To the extent you've provided your consent and wish to withdraw it, you can contact us as stated in Section 6 below.
Upon termination of your employment with J&J, it may be necessary for your Personal Information to be processed for a range of different purposes, such as to comply with our legal obligations, for administrative HR tasks, to manage pension and benefits, to respond to requests from tax or other regulatory authorities, to prevent and detect fraud, in order to assess your eligibility to be rehired by J&J, for statistical purposes or looking at trends in our workforce, to conduct investigations, for the purpose of distribution of shares, options or company share plans; to handle or defend current or prospective legal claims or disputes that may be brought by you or for which you may be connected, among others in line with the purposes set in this paragraph. We will process your data based on the legal basis described above (i. to vi.).
2. Sharing of Personal Information
J&J is the entity responsible for the management of your Personal Information.
Due to the global nature of J&J’s operations, J&J may disclose Personal Information to personnel throughout the Johnson & Johnson Family of Companies and authorized third parties to fulfill the purposes described in Section 8 of this Notice. This means that your Personal Information may be transferred to countries outside of the country or jurisdiction in which you reside and/or work, which may have data protection laws and rules that are different from those of your country or jurisdiction. We have put in place adequate security measures as may be required by applicable law or otherwise and will transfer your Personal Information consistent with applicable law. Where, in accordance with this Notice, we send or outsource your Personal Information to a country or jurisdiction other than the country or jurisdiction in which you are employed or reside, for processing or otherwise, that Personal Information may be shared with the applicable foreign government or its agencies consistent with the laws and/or lawful order in that foreign country or jurisdiction.
For a list of the Johnson & Johnson Family of Companies that may jointly process and use your Personal Information, please see Exhibit 21 to the Company’s last filed Form 10-K which is available at www.investor.jnj.com/financials/sec-filings/ searching for “Annual Filings”.). Johnson & Johnson Services, Inc. is the entity responsible for the global management of shared Personal Information. Also, please see Section 8 of this Notice for a list of the types of third parties with which we may share Personal Information.
Access to, processing and use of Personal Information within J&J will be limited to those who have a need to know the information and may include your managers and their designees, personnel in HR, IT, Compliance, Legal, Finance, Accounting and Internal Audit. All personnel within the Johnson & Johnson Family of Companies will generally have access to business contact information such as name, position, workplace telephone numbers, addresses and email addresses. Your photograph will also be shared if you have elected to upload it to J&J systems.
3. Information Security
J&J will take the appropriate contractual, administrative, physical, and technical measures to protect Personal Information consistent with applicable privacy and data security laws and regulations. When J&J retains a third-party service provider to store or process Personal Information, a contract with such provider will be signed and that provider will be assessed on a regular basis for their ability to meet industry standard security measures to ensure the confidentiality and integrity of the Personal Information.
J&J’s information security policies (Worldwide Policies on Information Asset Protection - IAPPs), including with respect to monitoring of use of Company information systems, are available on the Company’s internal IT website.
4. Data Integrity and Storage
J&J takes reasonable steps to ensure that Personal Information we process is reliable for its intended use, accurate, and complete as necessary to carry out the purposes described in this Notice. Personal Information is typically stored in one of our data centers or in the data centers of our approved vendors. If you wish to correct any part of your Personal Information processed by J&J, you may do so as described in Section 6 of this Notice.
5. Data Retention
J&J will retain Personal Information for the period necessary to fulfill the purposes outlined in this Notice, in accordance with applicable data protection laws.
The criteria used to determine our retention periods may include one or more of the following: as long as we have an ongoing relationship with you; as required by a legal obligation to which we are subject; as necessary to pursue our legitimate interests, where allowed, and as advisable in light of our legal position (such as in regard of applicable statutes of limitations, litigation, audits or regulatory investigations). The Johnson & Johnson Enterprise Retention Schedule (ERS), available in J&J’s Worldwide Records and Information Management (WWRIM) site, is intended to ensure compliance with laws and regulations across the globe, while meeting local and country specific requirements.
For more information about retention requirements applicable to your Personal Information, you may contact the records manager responsible for your Company. The J&J Records Manager Directory is available in J&J’s Worldwide Records and Information Management (WWRIM) site,
6. Access, Correction, Erasure, Portability, Questions and Complaints
You may access, modify or correct most Personal Information about you through the self-service options in the HR systems, through the Global Services HR portal, or through your local HR portal.
If you have any questions or concerns about how we process your Personal Information or if you wish to request access, correction, cessation or restriction of use, anonymization, suppression, deletion of Personal Information or object to the processing of it; or if you would like to request a copy or portability of your Personal Information (to the extent these rights are provided to you by applicable law and is not inconsistent with other obligations), please contact us via the HR portal. Please note, however, that certain Personal Information may be exempt from such requests; for example, we could not provide access to Personal Information where that would adversely impact the rights and freedoms of another individual and we could not delete Personal Information that we are legally required to retain. We will respond to your request as soon as reasonably practicable in accordance with applicable law. If circumstances cause any delay in our response, you will be promptly notified and provided a date for our response.
For processing of your Personal Information that was voluntary and required your consent, you also have the right to withdraw such consent at any moment. However, if you do not provide certain information, J&J may not be able to accomplish some of the purposes outlined in this Notice. Such a withdrawal will not affect the legitimate processing effectuated prior to the consent withdrawal.
7. Employee’s Obligations
Please keep Personal Information up to date and inform us of any significant changes to Personal Information. You agree to inform your Dependents whose Personal Information you provide to J&J about the content of this Notice, and, where relevant, to obtain their prior consent for the use (including transfer and disclosure) of that Personal Information by J&J as set out in this Notice.
You also agree to follow applicable law and J&J’s policies, standards and procedures that are brought to your attention when handling any Personal Information to which you have access in the course of your relationship with J&J. In particular, you shall not access or use any such personal information for any purpose other than in connection with and to the extent necessary for the performance of your functions. You understand that the obligation to keep personal information confidential continues to exist after termination of your employment with the J&J.
8. Types of Personal Information, Purposes of Collection and Types of Third Parties
We collect, use, transfer and disclose the following types of Personal Information. The Company will process some or all of the below depending upon the type of activity and the applicable local laws; J&J only collects and processes the personal information that is relevant for purposes related to your employment:
• Personal Details: Your name, maiden name and surname, e-mail and telephone details, work and home contact details (email, phone numbers, physical address), location information when accessing or situated at one of our facilities, date and place of birth, national identification number, national insurance number, employee identification number, Social Security number, car registration number, gender, marital/civil partnership status, domestic partners, Dependents, disability status, language(s) spoken, emergency contact information and photograph;
• Documentation Required Under Immigration Laws: Citizenship, passport data, details of residency or work permit, or work visa;
• Payroll Data: Banking details, working time records (including vacation and other absence records, leave status, hours worked and department standard hours), termination date and pay data;
• Your Position: Description of current position, title, corporate status, management category, job code, job function(s) and subfunction(s), company name and code (legal employer entity), salary plan, grade, unit/department, location, supervisor(s) and subordinate(s), employment status and type, full-time/part-time, terms of employment, employment contract, work history, (re-)hire and termination date(s) and reason, length of service, retirement eligibility, promotions, and disciplinary records, date of transfers, and reporting manager(s) information;
• Talent Management Information: Details contained in letters of application and resume/CV, previous employment background, education history, professional qualifications, language and other relevant skills, certification, certification expiration dates, details on performance management ratings, development plan, development programs attended, e-learning programs, performance and development reviews, willingness to relocate; license information, and information used to populate employee biographies where employee has chosen to upload it, reference information, affiliation to nonprofit organizations;
• Compensation: Base salary, bonus, benefits, pay enhancements for Dependents, overtime and shift work, compensation type, pay grade, salary step within assigned grade, details on stock options, stock grants and other awards, currency, pay frequency, effective date of current compensation, salary reviews and performance appraisals;
• Management Records: Details of any shares of common stock or directorships, work product;
• System and Application Access Data: Information required to access and use company systems and applications such as System ID, LAN ID, email account, instant messaging account, mainframe ID, previous employee ID, previous manager employee ID, system passwords, employee status reason, branch state, country code, previous company details, previous branch details, and previous department details, and electronic content produced by you using J&J systems;
• Sensitive Information: We may also collect certain types of sensitive information only when permitted by local law, such as health/medical information, trade union membership information, religion, and race or ethnicity. We collect this information for specific purposes, such as health/medical information in order to accommodate a disability or illness and to provide benefits; religion or church affiliation in countries such as Germany where required for statutory tax deductions; membership in union or work council and diversity-related Personal Information (such as gender, race or ethnicity) in order to comply with legal obligations and internal policies relating to diversity and anti-discrimination and information necessary to perform a background check or credit check as appropriate. Please be assured that, as explained in the following section, we will only use such sensitive information for the following purposes and as provided by law.
The purposes for which we collect, use, transfer and disclose Personal Information:
We process Personal Information for the operational business and employment purposes listed in the chart below, which explains how we use Personal Information and the legal basis for such use (if applicable).
Purpose & Description Personal Information Legal Basis Where Required by Law
Managing Workforce: Managing work activities and personnel generally, including, appraisals, performance management, promotions and succession planning, rehiring, administering salary and payment administration, reviews, wages, other awards such as stock options, stock grants and bonuses, health care, pensions and savings plans, training, leave, managing sickness leave, social distancing, contact tracing, promotions, transfers, secondments, honoring other contractual benefits, providing employment references, recreational activities, loans, performing workforce analysis and planning, performing background checks, performing employee surveys, providing and managing access to facilities, managing disciplinary matters, grievances and terminations, reviewing employment decisions, making business travel arrangements, managing business expenses and reimbursements, planning and monitoring of training requirements and career development activities and skills, creating and maintaining internal employee directories, allowing internal communications, supporting digital business card functionality and participation in social responsibility programs. Personal details, Documentation Required Under Immigration Laws, Your Position, Payroll data, Talent Management Data, Compensation; System and Application Access Data; Communication Tools Information
In addition, sensitive information is processed for limited purposes such as background checks and travel arrangements & events, where allowable by law.
Manage our contractual relationship with you; Necessary to protect the vital interests of personnel; Necessary for the compliance with a legal obligation to which J&J is subject; Based on legitimate interest, such as allocating resources appropriately and evenly and ensuring business continuity, arranging events and travel related to employment. Consent when required by law.
Communications and Emergencies: Facilitating communication with you; ensuring business continuity; protecting the health and safety of our employees and others (including preventing the spreading of infectious diseases), safeguarding IT infrastructure, company property, office equipment and other property; facilitating communication with you and your nominated contacts in an emergency; providing references; sending cards, gifts, work-related materials, and activities to your home address. Personal Details, Your position, System and Application Access Data; Manage our contractual relationship with you; Necessary to protect the vital interests of personnel, including non-employees; Based on a legitimate interest, such as safeguarding IT systems, facilities, and other property, as well as ensuring business continuity; Necessary for the compliance with a legal obligation to which J&J is subject. Consent when required by law.
Business Operations: Operating and managing the IT and communications systems; marketing the Company’s or our business partners' products and services to our associates; managing product and service development; improving our products and services; managing company assets, allocating company assets and human resources, fleet management, strategic planning, project management; business continuity, risk management (e.g., prevention and investigation of fraud and other financial crime), compilation of audit trails and other reporting tools, maintenance of records relating to manufacturing and other business activities, budgeting, financial management and reporting, and communications within and outside J&J Family of Companies; managing acquisitions, mergers and re-organizations, sales or disposals and integration with purchaser. Personal Details; Position; System and Application Access Data; Communication Tools Information.
Based on a legitimate interest, such as administer and conduct business within the Company and across the organization and operating IT systems, communications, and facilities; Necessary for the compliance with a legal obligation to which J&J is subject; Necessary to protect the vital interests of personnel, including non-employees; Based on a legitimate interest, such as operating IT systems, communications, and facilities and ensuring that our information and networks are secure; Consent when required by law..
Compliance: Complying with legal and other requirements applicable to our businesses in all countries in which the Johnson & Johnson Family of Companies operates, such as income tax and national insurance deductions, record-keeping and reporting obligations, conducting audits, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation, and managing any internal complaints or claims (including those received through the Credo Integrity Line), conducting investigations including employee reporting of, or system detected, allegations of wrongdoing, policy violations, fraud, or financial reporting concerns, and complying with internal policies and procedures. Personal Details; Documentation required under Immigration Laws; Payroll data, Your position; System and Application Access Data; Compensation; Management Records
In addition, sensitive information is processed for limited purposes such as government identifiers, data related to investigations, etc.
Manage our contractual relationship with you; Based on legitimate interest, such as providing appropriate compliance training and other informational materials and courses. Necessary for the compliance with a legal obligation to which J&J is subject; Consent when required by law.
Monitoring: Monitoring compliance with internal policies, including the policies with regard to use of Company network, telephone, email, Internet and other Company resources, the Code of Business Conduct, and other monitoring activities as permitted by local law, including those related to data protection activities. Personal Details; Your position; System and Application Access Data; Management Records Necessary for the compliance with a legal obligation to which J&J is subject; Based on a legitimate interest, such as preventing fraud; Consent when required by law.
J&J shares Personal Information with the following types of Third Parties to the extent necessary to fulfill the purposes set out in this Privacy Notice:
• Professional Advisors. Accountants, auditors, lawyers, insurers, bankers, and other outside professional advisors in all of the countries in which J&J operates.
• Service Providers. Companies that provide products and services to J&J such as payroll, pension scheme, insurance or benefits providers; healthcare management and services providers; human resources services, performance management, training, expense management, IT systems suppliers and support; third parties assisting with equity compensation programs, credit card companies, medical or health practitioners, trade bodies and associations, and other service providers.
• Public and Governmental Authorities. Entities that regulate or have jurisdiction over J&J such as regulatory authorities, law enforcement, public bodies, and judicial bodies.
• Corporate Transaction. A third party in connection with any proposed or actual reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of J&J’s business, assets or stock (including in connection with any bankruptcy or similar proceedings).
• Business partners. Third-party partners, customers, and prospective customers with whom we maintain a professional relationship, such as hospitals, medical facilities, optical shops, and medical associations.
Any transfer of your Personal Information to a Third Party will be subject to a contract that will include all terms and conditions required by applicable law, and J&J will implement reasonable controls, including due diligence processes and periodic audits, to ensure that the Third Party implements appropriate technical and organizational measures to protect your Personal Information.
9. Additional Provisions for Specific Jurisdictions
9.1. Additional Provisions for Middle East & Africa
9.1.1. Kenya
“Sensitive Information” is considered to include Personal Information revealing your race, health, status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of your children, parents, spouse or spouses, sex or your sexual orientation.
9.1.2 Kingdom of Saudi Arabia
If you have any questions or comments about our collection, use or disclosure of Personal Information, or if you believe that we have not complied with this Notice or the laws of the Kingdom of Saudi Arabia, you may contact our Data Protection Officer at: meadpo@its.jnj.com. You may lodge a complaint with the Saudi Data & AI Authority through the National Data Governance Platform about the collection or processing of the Personal Information.
9.1.3. Nigeria
If you have any questions, comments or complaints about our collection, use or disclosure of Personal Information, or if you believe that we have not complied with this Notice or relevant Nigerian laws, you may contact our Data Protection Officer at: meadpo@its.jnj.com. You may lodge a complaint with the Nigeria Data Protection Commission about the collection or processing of the Personal Information.
9.1.5. South Africa
If you have any questions, comments or complaints about our collection, use or disclosure of Personal Information, or if you believe that we have not complied with this Notice or relevant South African laws, you may contact our Information Officer at emeaprivacy@its.jnj.com. You can lodge a complaint with the South African Information Regulator, which can be contacted at POPIAComplaints@inforegulator.org.za.
9.1.4 United Arab Emirates
We will ask for your consent to collect and process Personal Information for purpose (iii) listed in Section 1 (i.e., such information is of particular importance to our business operations), unless one of the other purposes listed in paragraph 1 applies.
If you have any questions or comments about our collection, use or disclosure of Personal Information, you may contact our Data Protection Officer at: meadpo@its.jnj.com
9.2. Additional Provisions for Americas
9.2.1. Brazil
If you have any questions, comments or complaints about our collection, use or disclosure of Personal Information, or if you believe that we have not complied with this Notice or relevant Brazilian laws, you may contact the Data Protection Officer at Privacidade_Brasil@its.jnj.com. You may lodge a complaint with the National Data Protection Authority (Autoridade Nacional de Proteção de Dados). Further information will be available at www.gov.br/anpd/pt-br.
9.2.2. Canada
In addition to the purposes listed in Section 1, we may also collect and process Personal Information without your consent where this is permitted or required by applicable Canadian law.
Except as above, where “legitimate interests” are specified in this section as the reason for processing your Personal Information, informed consent shall apply instead, except where such purposes are essential and will not be subject to consent options.
For further clarity, your information may be used as required for managing the employer-employee relationship.
The information on sharing your photograph if you have uploaded it onto J&J systems also applies if you do not upload your photograph yourself but have someone upload it on your behalf.
If you have questions or complaints about our processing of Personal Information, please contact the “Data Privacy Officer, Canada.” by email at RA-CanadaPrivacy@its.jnj.com.
9.2.3. Colombia
If you would like to request to correct, update or delete your Personal Information, or if you believe that we have not complied with this Notice or relevant Colombia laws, you may file a claim with J&J.
9.2.4 Costa Rica
If you would like to request to correct, update or delete your Personal Information, or if you believe that we have not complied with this Notice or relevant Costa Rican laws, you may file a claim with J&J. You may lodge a complaint with the National Data Protection Authority (Agencia de Protección de Datos de los Habitantes -Prodhab-). Further information will be available at www.prodhab.go.cr.
9.2.5. Mexico
If you would like to request to correct, update or delete your Personal Information, or if you believe that we have not complied with this Notice or relevant Mexican laws, you may file a claim with J&J. You may lodge a complaint with the National Data Protection Authority (Instituto Nacional para la Transparencia, Acceso a la Información y Protección de Datos). Further information will be available at home.inai.org.mx.
9.2.6. Panama
If you would like to request to correct, update or delete your Personal Information, or if you believe that we have not complied with this Notice or relevant Panamanian laws, you may file a claim with J&J. You may lodge a complaint with the National Data Protection Authority (Autoridad Nacional de Transparencia y Acceso a la Información – ANTAI). Further information will be available at www.antai.gob.pa.
9.2.7 Peru
If you would like to request to correct, update or delete your Personal Information, or if you believe that we have not complied with this Notice or relevant Peruvian laws, you may file a claim with J&J. You may lodge a complaint with the National Data Protection Authority (Autoridad de Protección de Datos Personales). Further information will be available at www.gob.pe/anpd.
9.2.8. United States – California
This California section applies to California residents and supplements the information provided in J&J Employee Privacy Notice. The following chart details which categories of Personal Information we collect and process, as well as which categories of Personal Information we disclose to third parties for our operational business and employment purposes, including within the 12 months preceding the date this Privacy Notice was last updated.
Categories of Personal Information Disclosed to Which Categories of Third Parties for Operational Business Purposes
Identifiers, such as name, alias, postal address, unique personal identifiers, IP address that can reasonably be linked or associated with a particular California resident or household, email address, account name, online identifiers, photo badges, beneficiary designations and government-issued identifiers (e.g., Social Security number, driver’s license number, passport number)
Affiliates, Professional Advisors, Service Providers, Public and Governmental Authorities, Corporate Transactions, Business Partners
Personal information as defined in the California customer records law, such as name, contact information, signature, Social Security number, passport number; medical, insurance, financial, education and employment information, physical characteristics or description
Affiliates, Professional Advisors, Service Providers, Public and Governmental Authorities, Corporate Transactions, Business Partners
Protected Class Information, such as characteristics of protected classifications under California or federal law, such as sex, age, gender, race, disability, medical conditions, citizenship, military/veteran status, primary language, immigration status, marital status, and requests for leave Affiliates, Professional Advisors, Service Providers, Public and Governmental Authorities, Corporate Transactions
Commercial Information, such as transaction information and purchase history, such as travel expenses, including information about corporate credit card purchases, frequent flyer rewards, and other travel-related programs and expenses Affiliates, Professional Advisors, Service Providers, Public and Governmental Authorities, Corporate Transactions
Internet or network activity information, such as access and usage information regarding websites, applications and systems, information about online communications, including browsing and search history, timestamp information, and access and activity logs Affiliates, Professional Advisors, Service Providers, Public and Governmental Authorities, Corporate Transactions
Geolocation Data, such as [device location, and approximate location derived from IP address, or GPS, Wi Fi or BLE (Bluetooth Low Energy) tracking]. Affiliates, Professional Advisors, Service Providers, Public and Governmental Authorities, Corporate Transactions
Audio/Video Data. Audio, electronic, visual and similar information, such as call and video recordings, including voicemail and security camera footage, information about the use of electronic devices and systems, key card usage, and photos on websites or in employee directories. Affiliates, Professional Advisors, Service Providers, Public and Governmental Authorities, Corporate Transactions
Employment Information. Professional or employment-related information, such as work history and prior employer, information from reference checks, background screening information, employment application, membership in professional organizations, personnel files, personal qualifications and training, eligibility for promotions and other career-related information, work preferences, business expenses, wage and payroll information, benefit information, information on leaves of absence or PTO, performance reviews, information on internal investigations or disciplinary actions. Affiliates, Professional Advisors, Service Providers, Public and Governmental Authorities, Corporate Transactions
Inferences drawn from any of the Personal Information listed above to create a profile about, for example, an individual’s preferences, characteristics, predispositions, and abilities. Affiliates, Professional Advisors, Service Providers, Public and Governmental Authorities, Corporate Transactions
Sensitive Personal Information.
• Personal Information that reveals an individual’s Social Security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, citizenship, immigration status, or union membership; the contents of mail, email, and text messages unless Company is the intended recipient of the communication;
• Personal Information collected and analyzed concerning an individual’s health.
• Personal information collected and analyzed concerning an individual’s sex life or sexual orientation. Affiliates, Professional Advisors, Service Providers, Public and Governmental Authorities, Corporate Transactions
Selling/Sharing of Personal Information. We do not “sell” or “share” your Personal Information, including your Sensitive Personal Information, as defined under the California Consumer Privacy Act. We have not engaged in such activities in the 12 months preceding the date this Privacy Notice was last updated. Without limiting the foregoing, we do not “sell” or “share” the Personal Information, including the Sensitive Personal Information, of minors under 16 years of age.
Use and Disclosure of Sensitive Personal Information. We use and disclose Sensitive Personal Information only as permitted by applicable law, such as for purposes of performing services for our business, providing services as requested by you, and ensuring the security and integrity of our business, infrastructure, and the individuals we interact with. For California purposes, this includes, without limitation, establishing and maintaining your employment relationship with us, ensuring the diversity of our workforce, complying with legal obligations, managing payroll and corporate credit card use, administering and providing benefits, and securing the access to, and use of, our facilities, equipment, systems, networks, applications, and infrastructure.
Individual Rights and Requests. As part of the right to access mentioned in Section 6, California residents may request that we disclose to you the following information: (i) the categories of Personal Information we collected about you and the categories of sources from which we collected such Personal Information; (ii) the specific pieces of your Personal Information; (iii) the business or commercial purpose for collecting Personal Information about you; and (iv) the categories of Personal Information about you that we disclosed, and the categories of third parties to whom we disclosed such Personal Information.
California residents have the right not to be unlawfully retaliated against for making a request under the CCPA. To make a privacy request, please contact us via the Global Services HR portal or your local HR portal. We will verify and respond to your request consistent with applicable law, considering the type and sensitivity of the Personal Information subject to the request. We may need to request additional Personal Information from you, such as by requesting you provide your employee ID or asking you to authenticate to your account on our systems, to verify your identity and protect against fraudulent requests. If you make a request to delete, we may ask you to confirm your request before we delete your Personal Information.
If an agent would like to make a request on your behalf as permitted by applicable law, the agent may use the submission methods noted above. As part of our verification process, we may request that the agent provide, as applicable, proof concerning their status as an authorized agent. In addition, we may require that you verify your identity as described in the paragraph above or confirm that you provided the agent permission to submit the request.
9.2.9. Uruguay
If you would like to request to correct, update or delete your Personal Information, or if you believe that we have not complied with this Notice or relevant Uruguayan laws, you may file a claim with J&J. You may lodge a complaint with the National Data Protection Authority (Unidad Reguladora y de Control de Datos Personales). Further information will be available at www.gub.uy/unidad-reguladora-control-datos-personales/.
9.3. Additional Provisions for Asia Pacific
9.3.1. Australia & New Zealand
If you have any questions, comments or complaints about J&J’s collection, use or disclosure of Personal Information, or if you believe that J&J has not complied with this Notice or relevant Australian or New Zealand laws, you may contact the Privacy Officer of J&J at RA-JNJAU-PrivacyOffi@ITS.JNJ.com.
9.3.2. China
Notwithstanding anything contained above to the contrary, we collect and process Personal Information about you in accordance with the legal bases provided under Chinese law. We collect and process your Personal Information where it is necessary for human resources management and administration.
As noted in Section 2, foreign transfers of Personal Information will be made in accordance with applicable law.
Sensitive Information is Personal Information that the breach or illegal use of information may easily lead to the infringement of your personal dignity or harm to personal or property safety. Personal Information about your Dependents under the age of fourteen is Sensitive Information, which is only collected and shared with your consent (where applicable).
In principle, Personal Information generated or collected within the territory of Mainland China will be processed and stored within Mainland China. To fulfill the purposes described in Section 8 of this Notice, your Personal Information may be disclosed to members of the Johnson & Johnson Family of Companies and authorized third parties located in countries or regions outside Mainland China, including but not limited to the United States, countries within the European Economic Area (EEA), Singapore, Australia, and New Zealand. We will strictly abide by relevant laws and regulations as well as J&J’s information security policies to ensure the security of your Personal Information during the transfer, and will require data recipients to provide adequate protection for your Personal Information through contractual clauses or other means. Requests for the exercise of access and other rights in respect to Personal Information disclosed to an overseas recipients can be directed to us via the HR portal.
If we process Personal Information based on your consent, you may withdraw your consent at any time by contacting us via the HR portal.
If you have any questions, comments or complaints about our collection, use or disclosure of Personal Information, or if you believe that we have not complied with this Notice or relevant laws, you may contact the Personal Information Protection Officer at chinaprivacy@its.jnj.com. Alternatively, you can lodge a complaint with the HR portal.
To the extent inconsistent with the provisions of this Notice, including but not limited to definitions (e.g., sensitive Personal Information), China’s Cybersecurity Law, Personal Information Protection Law, Data Security Law, their implementing measures and other Chinese laws and regulations in relation to cybersecurity and data protection will prevail.
9.3.3. India
You may lodge a complaint with our Grievance Officer via JJ_INDIA_PRIVACY@its.jnj.com.
9.3.4. Japan
We will only use “Individual Number” as defined under Article 2, Paragraph 7 of the Act on the Use of Numbers to Identify a Specific individual in the Administrative Procedure (Act No. 27, of May 2013) consistent with applicable law.
9.3.5. South Korea
When we destroy Personal Information, we will do so in a manner that makes it unreadable or non- reconstructable.
You may contact our Privacy Officer of J&J at RA-JACKR-PrivacyComp@ITS.JNJ.com.
9.3.6. Thailand
If you have any questions, comments or complaints about our collection, use or disclosure of Personal Information, or if you believe that we have not complied with this Notice or relevant laws, you may contact the Data Protection Officer at ThailandPrivacy@its.jnj.com. Alternatively, you can lodge a complaint with the Personal Data Committee of Thailand.
9.3.7. Vietnam
With respect to section 1: Notwithstanding anything contained above to the contrary, we collect and process Personal Information about you in accordance with the legal bases provided under Vietnamese law. References to processing based on our “legitimate interest” in the relevant sections of the Notice are subject to your prior consent. You may agree to the above processing purposes in full or in part by checking the related boxes in the consent form.
With respect to the purposes for which we process Personal Information: we will process your information with your consent for the purposes mentioned in Section 8.
We may communicate marketing and advertisement on our products and the products of our business partners, after obtaining your prior consent. Such communications may be in the form of emails, text messages, phone calls, chatbot, or other means. Our communications will remain reasonable, avoiding excessive or intrusive messaging.
We protect your Personal Information from the moment we collect it and until its deletion or destruction. In the case of a data incident (loss, disclosure, unauthorized access, etc.) affecting your Personal Information, you may experience consequences or damages such as exposure of your Personal Information (which may include Sensitive Information), identity theft, financial harm, reputational damage, and increased vulnerability to targeted scams or fraud attempts.
If you have any questions, comments or complaints about our collection, use or disclosure of Personal Information, or if you believe that we have not complied with this Notice or relevant laws, you may contact the Personal Information Protection Officer at aspacprivacy@its.jnj.com. Alternatively, you can lodge a complaint with the local authorities.
To the extent inconsistent with the provisions of this Notice, including but not limited to definitions (e.g., Sensitive Personal Information), Vietnam’s Cybersecurity Law, Personal Data Protection Decree, their implementing measures and other Vietnamese laws and regulations in relation to cybersecurity and data protection will prevail.
9.4. Additional Provisions for Europe
9.4.1. European Economic Area (EEA)
We may transfer your Personal Information to countries located outside of the EEA. Some of these countries are recognized by the European Commission as providing an adequate level of protection according to EEA standards (the full list of these countries is available http://europa.eu). With regard to transfers from the EEA to countries not considered adequate by the European Commission, we have put in place adequate safeguards, such as EU Standard Contractual Clauses, to protect your Personal Information. You may obtain a copy of these measures by contacting our Data Protection Officer at emeaprivacy@its.jnj.com. You may also contact our Data Protection Officer if you have questions about the interpretation or operation of this notice.
You may lodge a complaint with a supervisory authority for your country. You may find the list of supervisory authorities available in https://edpb.europa.eu/about-edpb/about-edpb/members_en.
The local Johnson & Johnson entity that employs you is the data controller for your Personal Information. Johnson & Johnson Services, Inc. is also a joint data controller where Personal Information is shared among the J&J entities.
9.4.2. Russia
You may access, modify or correct most Personal Information about you by making the corresponding request to your local HR Admin. If you have any questions or concerns about how we process your Personal Information or if you wish to request access, correction, cessation or restriction of use, anonymization, suppression, deletion or a copy or portability of your Personal Information (to the extent these rights are provided to you by applicable law and is not inconsistent with other obligations), please contact your local HR Admin.
The section on joint processing of Personal Information, included in paragraph 2 above, does not apply in Russia.
9.4.3. Switzerland
Your Personal Information may be stored and processed outside of Switzerland in any country worldwide where we have facilities or service providers. Currently, such countries include but are not limited to: EU-Member State, United Kingdom, United States of America, and Philippines. Such countries may provide for different data protection rules than in Switzerland.
Some countries outside of Switzerland, but not all, are recognized as providing an adequate level of data protection. For transfers to countries not recognized as providing an adequate level of data protection (such as, United States of America and Philippines), we have ensured that adequate measures are in place, including by ensuring that the recipient is bound by the revised European Commission’s Standard Contractual Clauses (including the necessary adjustments and additions made for use under Swiss data protection law) to appropriately protect your Personal Information.
9.4.4. Turkey
The local Johnson & Johnson entity that employs you is the data controller for your Personal Information.
Your Personal Information will be deleted or anonymized at the end of the applicable retention period. You may lodge a complaint with a supervisory authority in Turkey according to the Turkish Data Protection Law and applicable Turkish legislation.
9.4.5. United Kingdom (UK)
We may transfer your Personal Information outside of the UK. Some of these countries are recognized by the UK as providing an adequate level of protection according to UK standards. The UK will continue to permit the transfer of Personal Information to the EEA and any countries that are covered by a UK Government adequacy decision (the full list of these countries is available here https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/). About transfers from the UK to countries not considered adequate, we have put in place adequate safeguards, such as International Data Transfer Agreements or Standard Contractual Clauses, to protect your Personal Information. You may obtain a copy of these measures by contacting our Data Protection Officer at emeaprivacy@its.jnj.com. You may also contact our Data Protection Officer if you have questions about the interpretation or operation of this notice. You may lodge a complaint with the Information Commissioner’s Office (ICO) in the UK. More information on the ICO is available at https://ico.org.uk.