You can find more details of Lonza Group and our Affiliates here www.lonza.com/investor-relations
- Use of our websites, including mobile websites and applications
- Visits to our stores/locations or attendance at one of our events
- Phone and email communications
- Social media interactions on our websites and other third party websites like Facebook, YouTube, Pinterest, Google+, Instagram and Twitter
- Viewing our online advertisements or emails through our authorized service providers
- Personal Information
As described below, Lonza Group may collect the following categories of personal information (“PI” or “Personal Information”). We may add to the categories of personal information we collect. In that case, we will update this policy.
- Identifiers. Examples include real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, or other similar identifiers.
- Other elements. Examples include name, signature, characteristics or description, address, telephone number, education, employment, employment history, bank account number, credit card number.
- Characteristics of protected classifications under applicable law. Examples include race, religion, and age.
- Commercial information. This includes services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Education information. This includes information that is not publicly available Personal Information as defined under applicable law.
- Internet or other electronic network activity. Examples include browsing history, search history, your interaction with an internet website, application, or advertisement.
- Geolocation data. This might include location information while using one of our apps.
- Audio, electronic, visual, thermal, olfactory, or similar information. Examples of this category including identifiable information obtained about you while speaking with our customer service representatives on the telephone.
- Professional or employment-related information.
- Consumer profile. This includes inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, and behaviors.
Of the categories of PI noted above we may share the following:
Categories of Personal Information Disclosed Categories of Third Parties to Whom Disclosed
Characteristics of protected classifications under California or federal law.
Internet or other electronic network activity.
Audio, electronic, visual, thermal, olfactory, or similar information.
Professional or employment-related information
- Third parties as directed by you. We will share your PI with those third parties to whom you direct. For example, if you decide to send one of our products as a gift, we may include your name.
- Our business partners. For example, we might share your PI with one of our business partners for purposes of collaborating on providing services to you, or to invite you to an event we are organizing. These business partners should also have their own privacy statements that set out the manner in which they will collect, use, and disclose PI. Where applicable, we encourage you to review each such business partner's privacy statement before signing on with them.
- Third parties who perform services on our behalf. For example, we share information with certain service providers, including marketing companies, professional service providers, debt collectors, information technology providers, and data storage companies. We might also authorize our service providers to collect PI on our behalf.
- Governmental entities, legal service providers. We may share your PI in order to comply with the law and in the course of providing our products and services. We may also disclose information if a government agency or investigatory body.
- Successors to all or portions of our business. If all or part of our business is sold, we may disclose PI in preparation for or as part of that transaction.
We do not sell your PI and do not have actual knowledge that we have sold personal information of minors under age 16.
- Collecting Personal Information
When a user creates a Lonza Group account, issues a request for information form or when the user orders products or accesses any of the Services, the user will be required to provide certain Personal Information.
Lonza Group collects Personal Information that users provide to us on our websites, which may include:
- Contact information – such as name, job title, company name, department, email address, physical mailing address and telephone number, as well as any other contact information provided in a contact form, registration or application process, during tradeshows or other events, or in connection with customer information Services;
- Professional information – such as your employment background, job description and related information, testimonials, references, as well as any other information provided during a registration or application process;
- Transaction information – such as your contact information, the products you are interested in, your purchasing requirements, your financial information including credit card or other payment information, purchase history, shopping cart information and information provided to customer service personnel or through customer service tools of Lonza Group;
- Responses to surveys – information you provide in responding to a survey on the website, via an app or email, on the telephone or otherwise, including responses provided through third party survey services used by Lonza Group;
While Lonza Group takes what we consider to be appropriate measures to provide accuracy in the handling of Personal Information, Lonza Group relies on its users to maintain correct Personal Information and to update this information as appropriate.
In addition, when a user accesses Lonza Group's website, the servers automatically record information provided by the user's browser. Generally, this information is automatically provided by a user whenever a user accesses any website. This information, recorded in a server log, may include a user's particular information (including, without limitation, IP address, browser software, language, date/time of access and other information and/or cookies that will uniquely identify a user's computer and the Internet browser the user is using). Lonza Group may also collect Personal Information about a user in connection with the user's use of the Services by using cookies on its website(s) as provided for in Lonza Group's Cookies Policy.
Additionally, whenever you send an email to Lonza Group, Lonza Group may retain that email so that Lonza Group can investigate and respond to your concerns. We may also use publicly accessible information to verify information we have been provided and to manage and expand our business.
- Processing and Use of Personal Information
- To process applications of candidates for open positions at Lonza Group;
- To provide the information, services or support you request and related after-sales services;
- To identify you, and to contact you from time to time with product or service updates;
- To send other messages that are useful to the service we provide;
- To manage our relationship with you and to carry out any related administration;
- To promote our services, events, conferences, or the services, events, conferences of our partners, including by email, telephone and via social media platforms;
- To compare information for accuracy, and verify it with third parties;
- To carry out research, including market research, statistical research on website traffic, sales and other commercial information to assist us in improving the services we provide to you and tailor the website(s).
You may have accessed our website(s) through a hyperlink from the website of one of our trading partners. If so, you consent to your personal details and purchase information, including behavioral patterns, being shared with that trading partner in accordance with our contractual relationship with them.
Lonza Group may, from time-to-time, share with third parties information that contains non-Personal Information. If you have asked us to share data with third party websites (such as social media sites), their servers may not be secure. Note also that, despite the measures taken by us and the third parties we engage, the internet is not secure. As a result, others may unlawfully intercept or access private transmissions or data.
Please remember that when you share information publicly on a Lonza Group website, for example a comment on a blog post, it may be indexable by search engines, including Google, which may mean that the information is made public.
- Security and Data Retention
Lonza Group takes what we consider to be reasonable technical and organizational measures to guard against unauthorized or unlawful processing of your Personal Information and against accidental loss or destruction of, or damage to your Personal Information. While no system is completely secure, we believe the measures implemented by the website reduce Lonza Group's vulnerability to security problems to a level appropriate to the type of data involved. We have security measures in place which are designed to protect our user database and access to this database is restricted internally. In an effort to ensure the security and confidentiality of Personal Information that Lonza Group collects online, we use data networks protected by firewalls and passwords. In the course of handling your Personal Information, Lonza Group takes measures reasonably designed to protect that information from loss, misuse, unauthorized access, disclosure, alteration or destruction.
However, it remains your responsibility:
- Where you have a user account for the Lonza Group website:
- To log off or exit from the website when not using it;
- To ensure no-one else uses the website while your device is logged on to the website (including by logging on to your device through a mobile, Wi-Fi or shared access connection you are using);
- To keep your password or other access information secret. Your password and log in details are personal to you and should not be given to anyone else or used to provide shared access for example over a network. You should use a password which is unique to your use of the website – do not use the same password as you use for another website or email account; and,
- To maintain good internet security. For example if your email account or Facebook account is compromised, this could allow access to your account with us if you have given us those details and/or permitted access through those accounts. If your email account is compromised, it could be used to ask us to reset a password and gain access to your account with us. You should keep all of your account details secure. If you think that any of your accounts have been compromised you should change your account credentials with us, and in particular make sure any compromised account does not allow access to your account with us. You should also tell us as soon as you can so that we can try to help you keep your account secure and if necessary warn anyone else who could be affected.
For the purpose of sending e-mailings to you provided that you have subscribed to Lonza Group's news updates on the website, Lonza Group may give your name and email address to agencies appointed by Lonza Group. These agencies are not authorized to store and/or use your Personal Information for any other purposes than for the sending of e-mailings on behalf of Lonza Group.
We will retain your Personal Information for as long as we think it necessary for processing purposes for which they were collected, processed and/or used and any other associated purposes (for example certain transaction details and correspondence may be retained until the time limit for claims in respect of the transaction has expired or in order to comply with regulatory requirements regarding the retention of such data). Therefore, if information is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period once that period expires. We restrict access to your Personal Information to those persons who need to use it for the relevant purpose(s). Our retention periods are based on business needs and your Personal Information that is no longer needed is either irreversibly anonymized (and the anonymized information may be retained) or securely destroyed.
- Personal Information of Children
Without a parent's or guardian's consent, no Personal Information should be submitted to our website by children. Lonza Group will not knowingly collect or use Personal Information from children under the age of sixteen (16) years.
- Your Rights
If you have given permission, we may contact you by mail, telephone, SMS, text/picture/video message, fax, or email about products, services, promotions, special offers, events, webcasts, conferences and charitable causes that may be of interest to you. If you prefer not to receive any direct marketing communications from us, you can opt out at any time.
In addition, to the extent permitted by the laws of your country, you may have the right to object to the processing of your Personal Information for direct marketing purposes. If your objection is not to direct marketing in general, but to direct marketing by a particular channel e.g. email or telephone, please specify the channel you are objecting to.
Further, to the extent permitted by the laws of your country, you may also have the right to access, correct, delete, restrict, be forgotten, or object to processing of, or request data portability of the Personal Information collected about you subject to some conditions and exceptions.
You can find out more about these rights in the EU by reading the General Data Protection Regulation. You can find out more about these rights in the UK (and about UK GDPR) by visiting the Information Commissioner’s website.
If you wish to inquire about any of this please send an email to email@example.com.
You may also have the right to lodge a complaint with a data protection regulator.
- Export of Personal Data from the EEA, UK or Switzerland
Personal information collected in the territory of the European Economic Area (EEA), UK or Switzerland may be accessed in, transferred to, and/or stored at, a destination outside the European Economic Area (EEA), UK or Switzerland in which data protection laws may be of a lower standard. Certain countries outside the EEA have been approved by the European Commission and/or the UK as providing essentially equivalent protections to EEA/UK data protection laws and therefore no additional safeguards are required to export Personal Information to these jurisdictions. In countries which have not had these approvals, (see the full list for the EU here and the list for the UK here). We will transfer Personal Information out of the EEA only subject to European Commission approved contractual terms that impose equivalent data protection obligations directly on the recipient unless we are permitted under applicable data protection law to make such transfers without such formalities. Similarly for transfer outside of the UK we will transfer Personal Information out of the UK only subject to approved contractual terms that impose equivalent data protection obligations directly on the recipient unless we are permitted under applicable data protection law to make such transfers without such formalities.
- Google Analytics – Statement
Upon receipt of an inquiry or complaint, Lonza Group will contact the user regarding the inquiry or complaint and take what we consider to be appropriate measures to address the user's concerns.
- For California Residents
The CA Policy describes Lonza Group’s policies and practices regarding the personal information we collect, use, and disclose about you, including personal information you submit or we obtain when you access the Site and other sources. This CA Policy is adopted in part to comply with the California Consumer Privacy Act (“CCPA”).
- Publicly available information from government records.
- De-identified or aggregated consumer information.
- Information excluded from the CCPA's scope, such as personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.
Consumer Rights. Pursuant to the CCPA, and as detailed below, consumers have various rights with respect to their PI.
- Request to Delete. You have the right to request that we delete your PI from our records and direct any service providers to delete your PI from their records, subject to certain exceptions. Upon receipt of a confirmed verifiable consumer request (see below), and as required by the CCPA, we will delete and direct any service providers to delete your personal information from our records.
Lonza Group is not required to comply with your request to delete your PI if it is necessary for us (or its service provider) to maintain your PI in order to:
- Complete the transaction for which the PI was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between Lonza Group and you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when Lonza Group’s deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you have provided informed consent.
- To enable solely internal uses that are reasonably aligned with your expectations based on your relationship with Lonza Group.
- Comply with a legal obligation.
- Otherwise use your PI, internally, in a lawful manner that is compatible with the context in which you provided the information.
Upon receipt of a confirmed verifiable consumer request (see below), and as required by the CCPA, we will provide a response to such requests.
- Request to Know. You have the right to request that we disclose the following to you as it relates to the 12-month period preceding its receipt of your verifiable consumer request:
- The categories of PI we have collected about you.
- The categories of sources from which the PI was collected.
- The business or commercial purpose for collecting PI.
- The categories of PI we disclosed for a business purpose.
- The categories of third parties with whom we share PI.
- The specific pieces of PI we collected about you.
Upon receipt of a verifiable consumer request (see below), and as required by the CCPA, we will provide a response to such requests.
- Non-discrimination. We will not discriminate against you in violation of the CCPA for exercising any of your CCPA rights. For example, we generally will not provide you a different level or quality of goods or services if you exercise your rights under the CCPA.
- Submitting Consumer Rights Requests. To submit any of the Consumer Rights requests as outlined above, please contact us at firstname.lastname@example.org . We reserve the right to only respond to verifiable consumer requests. A verifiable consumer request is one made by any individual who is:
- the consumer who is the subject of the request,
- a consumer on behalf of the consumer’s minor child, or
- by a natural person or person registered with the Secretary of State authorized to act on behalf of a consumer.
If we request, you must provide us with sufficient information to verify your identity and/or authority to act on behalf of the consumer. In general, we may ask you to provide identifying information that we already maintain about you or we may use a third-party verification service. In either event, we will try to avoid asking you for sensitive PI to verify your identity. We may not be able to respond to your request or provide you with PI if we cannot verify your identity or authority to make the request and confirm the PI relates to you. However, making a verifiable consumer request does not require you to create an account with us. Additionally, you will need to describe your request with sufficient detail to allow us to review, understand, assess, and respond. PI collected from an individual to determine whether a request is a verifiable consumer request may not be used or disclosed for any other purpose except as required by law. We will endeavor to respond to a verifiable consumer request within forty-five (45) calendar days of receipt, but we may require an extension of up to forty-five (45) additional calendar days to respond and we will notify you of the need for the extension.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the receipt of your verifiable consumer request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. To the extent permitted by the CCPA, we will respond to no more than two requests during any 12-month period.
You may authorize a natural person or a business registered with the California Secretary of State to act on your behalf with respect to the right under this CA Policy. When you submit a Request to Know or a Request to Delete, unless you have provided the authorized agent with a qualifying power of attorney, you must provide your authorized agent written permission (signed by you) to act on your behalf and verify the authorized agent’s identity with us. We reserve the right to deny requests from persons or businesses claiming to be authorized agents that do not submit sufficient proof of their authorization.
- For PRC Residents
The PRC Policy describes Lonza Group’s policies and practices regarding the personal information we collect, use, and disclose about you, including personal information you submit or we obtain when you access the Site and other sources. This PRC Policy is adopted in part to comply with the Personal Information Protection Law of PRC (“PIPL”).
Consumer Rights. Unless otherwise regulated in other laws and regulations, pursuant to Chapter 4 of the PIPL, consumers have below rights with respect to their PI.
- Right to Know and decision
- Request to Review, Copy his/her PI, except as described in Art. 18 and 35 of the PIPL
- Request to Rectify. You have the right to request we rectify your PI where you found it is not accurate.
- Request to Know. You have the right to request us to explain our data processing rules.
- Request to Delete. You have the right to request that we delete your PI from our records and direct any service providers to delete your PI from their records, subject to certain exceptions. Upon receipt of a confirmed verifiable consumer request (see below), and as required by the PIPL, we will delete and direct any service providers to delete your personal information from our records.
Lonza Group may not be able to comply with your request to delete your PI under the circumstances as described below, under which Lonza Group shall stop all data processing except data storage and necessary data protection actions:
- Within the archive term required by relevant laws or administrative regulations.
- Technically impossible to delete such PI.
Upon receipt of a confirmed verifiable consumer request (see below), and as required by the PIPL, we will provide a response to such requests.
Submitting Consumer Rights Requests. To submit any of the Consumer Rights requests as outlined above, please contact us at email@example.com. We reserve the right to only respond to verifiable consumer requests. A verifiable consumer request is one made by any individual who is:
- the consumer who is the subject of the request,
- a consumer on behalf of the consumer’s minor child, or
- by a natural person authorized to act on behalf of a consumer.
If we request, you must provide us with sufficient information to verify your identity and/or authority to act on behalf of the consumer. In general, we may ask you to provide identifying information that we already maintain about you or we may use a third-party verification service. In either event, we will try to avoid asking you for sensitive PI to verify your identity. We may not be able to respond to your request or provide you with PI if we not verify your identity or authority to make the request and confirm the PI relates to you. However, making a verifiable consumer request does not require you to create an account with us. Additionally, you will need to describe your request with sufficient detail to allow us to review, understand, assess, and respond. PI collected from an individual to determine whether a request is a verifiable consumer request may not be used or disclosed for any other purpose except as required by law. We will endeavour to respond to a verifiable consumer request within forty-five (45) calendar days of receipt, but we may require an extension of up to forty-five (45) additional calendar days to respond and we will notify you of the need for the extension.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the receipt of your verifiable consumer request. The response we provide will also explain the reasons we not comply with a request, if applicable. To the extent permitted by the PIPL, we will respond to no more than two requests during any 12-month period.
You may authorize a natural person to act on your behalf with respect to the right under this Policy. When you submit a Request to Know, Request to Rectify or a Request to Delete, unless you have provided the authorized agent with a qualifying power of attorney, you must provide your authorized agent written permission (signed by you) to act on your behalf and verify the authorized agent’s identity with us. We reserve the right to deny requests from persons or businesses claiming to be authorized agents that do not submit sufficient proof of their authorization.
Exemption of individual consent. According to Section13 of the PIPL, individual consent is not required under below circumstances:
- where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or for the implementation of human resources management in accordance with the labor rules and regulations formulated in accordance with the law and the collective contract concluded in accordance with the law;
- where it is necessary for the performance of statutory duties or statutory obligations;
- where it is necessary for the response to a public health emergency or for the protection of the life, health and property safety of a natural person;
- where such acts as news reporting and supervision by public opinions are carried out for the public interest, and the processing of personal information is within a reasonable scope;
- where it is necessary to process the personal information disclosed by the individual concerned or other personal information that has been legally disclosed within a reasonable scope in accordance with the provisions of this Law; and
- other circumstances prescribed by laws and administrative regulations
Export of Personal Data from PRC. Personal information collected in the territory of the PRC may be accessed in, transferred to, and/or stored at, a destination outside the PRC in which data protection laws may be of a higher or lower standard. We shall, in the territory of PRC, perform the standard no lower than such required by laws of PRC.
Last update: January 13, 2022