Sanofi puts in place measures to protect the personal data it processes or has processed on its behalf. Our publicly available Code of Conduct identifies privacy as one of the 16 fundamental principles, specifically addressed in the “Safeguarding Data Privacy and Protecting Information” chapter. This Code requires us to implement measures to maximize opportunities and minimize risks associated with processing personal data of all relevant stakeholders, particularly patients and users of Sanofi’s healthcare solutions. Key commitments include the implementation of a Global Privacy Framework and privacy-by-design principles for projects involving personal data.
Sanofi has established its “8 Golden Privacy Principles” for managing personal data, which are integrated into both internal and external policies, forming a comprehensive data privacy framework.
Global Privacy Framework
To implement these principles, Sanofi has adopted a global framework of policies detailing the manner in which these may be applied, taking into account the nature of personal data processed, the data subjects affected, or the type of processing implemented. The framework encompasses:
- Sanofi’s Global Privacy Standard: detailing the 8 Golden Privacy Principles and their implementation.
- Binding Corporate Rules (BCRs): binding commitments by all Sanofi Group companies to comply with privacy principles, approved by European Data Protection Authorities.
- Sanofi’s Data Subject Rights Procedure: managing requests from data subjects to exercise their rights under applicable law.
- Sanofi’s Personal Data Breach Procedure: ensuring efficient management and protection of personal data in the event of a security breach.
Patient Data Privacy
Sanofi has specific measures for managing personal data in medical and clinical contexts:
- Quality Standard for Personal Data Management in the Context of Medical and Clinical Activities: applicable to all activities conducted by Sanofi, its employees and third parties operating on its behalf in all medical and clinical activities (clinical trials, medical activities, pharmacovigilance, etc.).
- Transparency and Information Policy for Patients and Consumers: available on Sanofi's website, providing clear information on personal data processing.
- Privacy Section of the Informed Consent Form: informing clinical trial participants how their data will be used.
- Procedure and Governance for Reusing Clinical Trial Health Data: evaluating the potential reuse of clinical trial data, overseen by the Data Reuse Oversight Council (DROC).
Our Actions
Sanofi’s Privacy Program, established in early 2023, is organized into four pillars: Empowering the Privacy Organization, Improving Operational Efficiency, Tailoring a Privacy Framework, and Fostering Business Innovation.
We ensure privacy compliance through continuous measures governing projects involving personal data, especially patient- or health-related data. Mandatory employee training and awareness programs ensure everyone understands core privacy concepts and the 8 Golden Privacy Principles.
All projects involving the processing of personal data must undergo a Personal Data Protection Assessment to evaluate risks. In clinical trials, the Study Compliance Form assesses compliance with French Data Protection Authority (CNIL) methodologies, complemented by a Data Protection Impact Assessment.
Finally, Sanofi evaluates third-party vendors for privacy compliance, especially in clinical trials, ensuring they meet specific criteria. Selected vendors sign agreements based on the European Commission’s Standard Contractual Clauses to uphold privacy standards.