Astellas Pharma Inc. and its affiliates globally including Astellas Pharma Vietnam LLC (“Astellas”, “we”, “our”) respect your right to privacy and treat compliance concerning privacy obligations seriously; this is why we have developed this Privacy Notice (“Notice”), which informs you of our processing of, and explains why and how we collect, share and use, personal data, including “Sensitive Personal Data” as defined by applicable laws on personal data protection, including Decree No. 13/2023/ND-CP of the Government of Vietnam and other applicable Vietnamese laws and regulations on personal data protection (“Data Protection Regulations”) about you when you are working for Astellas (“Personal Data”), and how you can exercise your privacy rights, as a current or past employee, contractor, external service provider or temporary worker, intern, trainee or applicant for employment (“Employee”) or if you are a dependent of the above.
This Notice applies alongside our Global Data Privacy Policy, which describes the principles that Astellas applies to protect Personal Data in general and is available in Astellas’ global repository of policies & procedures.
Astellas Pharma Inc. (2-5-1, Nihonbashi-Honcho, Chuo-Ku, Tokyo 103-8411, Japan), together with the Astellas affiliate which has an employment relationship with you such as Astellas Pharma Vietnam LLC, are the data controllers of your Personal Data. You can find more information on the relevant Astellas affiliate in the following link: at https://www.astellas.com/en/worldwide.
Please take the time to read this Notice carefully. If you have any questions or comments, please use the contact details provided under the “How to contact us” heading below.
What Personal Data does Astellas process?
We collect Personal Data about you from a variety of sources, including directly from you such as from documents or forms that you provide to Astellas in order to participate in a recruitment process, in the course of your employment, or in other contexts. We also collect Personal Data about you indirectly, including information that you provide to vendors that work on our behalf, such as event or travel organization companies, recruiting agencies or background screening agencies. Such indirectly collected information include (among others): documents, records, logs and materials that are created in the course of our business processes and events; information from publicly available sources including social media platforms such as LinkedIn, Facebook, etc. and online search engines; and online and other databases and websites operated by certain of our vendors and third parties. We may also receive Personal Data about you from our customers and internal and external stakeholders, for example, if our customers provide feedback about the services you provide to them.
Your Personal Data processed by Astellas, which may include Sensitive Personal Data, such as your criminal record, financial information and heath-related information below, broadly falls into the following categories:
| Types of Personal Data | Examples |
| Personal identifiers and biographical information | Name; gender; nationality; place and date of birth; personal photos or images in videos for business purposes (where applicable); IP address; driving licence. |
| Contact information | Postal address (home & office); telephone numbers (home & office); e-mail addresses (business & private, where necessary). |
| Employment related information | Job titles and grades including pay grades; job descriptions and position in organizational charts; roles & responsibilities within Astellas; user identification numbers; data about employment contracts; type of employment; notes from interviews and other coaching or mentoring opportunities; data about grievances or internal investigations and disciplinary matters or employees complaints or questions; audits; compliance reviews and investigations including conflict of interest checks; participation in employee surveys; data about promotions and mobility to other positions and/or countries; data about redundancies, reorganizations and dismissals. |
| Past employment history | Prior employers and role & responsibilities in their organization; prior compensation; past employer references. |
| Education and training information | Academic degrees; training certificates; professional qualifications & skills acquired; membership in professional organizations; CVs and resumes; test results; training records. |
| Identifiers for payroll administration | Social security/insurance numbers; national identification numbers; bank account details; data about working time tracking and management. |
| Family data | Family status; children/dependent data; spouse/partner data; emergency contacts. |
| Health-related information | Medical data (e.g. Covid-19 related health data, if required under local rules); leave of absence data; health & safety assessments; data about accidents within the working environment. |
| Financial information | Data about salaries, benefits and bonuses; taxes; business expenses; pension administration records; salary review. |
| Security background check information | Information on criminal records and other background screening (where applicable). |
| Data required to ensure access to and use of Astellas systems and devices | User credentials, activity logs and other records about user interaction with Astellas systems or devices. |
| Performance evaluation information | Data about professional performance and rating; evaluation of personal skills; succession planning and assessments on current and future roles; results from internal and external assessments |
| Business travel and arrangements | Travel/accommodation/subsistence information related to business travel and events. |
| Work and process related data | Records including employee input, feedback, decisions or other steps or actions taken during a business process or activity (e.g. during the review and approval of promotional material) and records including employee data created during a business process, event or activity (e.g. the record of presence in official meeting minutes, photos or videos taken during company organized events). |
Where necessary and permitted by law, your Personal Data that we process may contain other Sensitive Personal Data relating to race or ethnic origin, political opinions or religious beliefs, physical or mental health or condition, sexual orientation, trade union membership, commission or alleged commission of criminal offences and any related legal actions.
Although we aim to minimize the amount of Sensitive Personal Data that we process, we may process Sensitive Personal Data in certain circumstances, for example, when required to do so by the Data Protection Regulations or it is necessary to provide you with a service (such as a health or other benefit) or we are performing a criminal background check, subject to your valid consent. If we are not already permitted by the Data Protection Regulations to process your Sensitive Personal Data for the purpose it is required, then we will obtain your consent to our use of your Sensitive Personal Data. Where we ask for your consent, you have the right to decline to provide your consent and (if provided) to withdraw your consent at any time.
Please note that if you choose not to provide us your Personal Data or withhold or withdraw consent to processing your personal data, Astellas may not be able to proceed with your application or perform your employment contract (or aspects of your employment contract).
Why does Astellas process Employee Personal Data?
We process your Personal Data, for legitimate interests and contractual purposes, to operate effectively in our role as your employer or when using approved service providers, which includes undertaking the following processing activities:
| Nr | Processing Activities |
| 1 | Manage workforce and budget-planning, incl. reporting on headcount for each line of business, geography and function, budget progress and HR compliance matters. |
| 2 | Manage the entire recruitment process and in particular new hires onboarding to Astellas, incl. management of candidate profile, screening and background check, candidate interview process, and new hire data. |
| 3 | Monitor and manage Employee performance, incl. regular monitoring vs KPI or status reporting, objective-setting, performance feedback and appraisals, career development and/or performance improvement plans. |
| 4 | Provide Employee training, incl. coaching, mentoring and general or tailor-made development programs. |
| 5 | Manage and develop talents internally, including succession planning, based on business priorities, and talent profile maintenance. |
| 6 | Develop and conduct Employee surveys and other similar initiatives to monitor organizational effectiveness of Astellas or seek other types of feedback from the Employees. |
| 7 | Design and deliver organizational changes for key business and HR projects. |
| 8 | Develop and implement plans that manage diversity and inclusion within Astellas. |
| 9 | Manage collective agreements and relationships with labour unions and/or work councils and other labor representation bodies. |
| 10 | Manage and resolve Employee queries, complaints and/or grievance cases or other similar cases or appeals, incl. whistleblowing/Speak Up hotlines and other similar reporting tools and resources; to conduct compliance and/or legal investigations on reported events or incidents and to manage Employee disciplinary matters. |
| 11 | Conduct internally or externally initiated audits, incl. handling and administering relevant corrective and preventive action plans. |
| 12 | Manage Employee payroll, incl. salaries/compensation, social security contributions, taxes and benefits, as well as incentives, recognition plans and related initiatives, incl. bonuses, long term incentive plans, one-off payments, pension and shares plans and any other benefits. |
| 13 | Establish, define and manage job positions and job descriptions within Astellas. |
| 14 | Manage changes in Employee files, incl. personal data maintenance and integrity, management of employment data changes, promotions and other job moves within Astellas. |
| 15 | Manage voluntary and involuntary exit of Employees from Astellas including resignations, termination of employment, redundancies and retirement. |
| 16 | Manage occupational health, annual leave, short term and long-term sickness leave or other leave of absence, incl. managing return to work and flexible working. |
| 17 | Manage Employee relocation and global mobility, incl. complying with tax, visa and immigration requirements globally. |
| 18 | Conduct administrative and managerial tasks, incl. the management of events and meetings or other project management, and the management of relationships with vendors, incl. due diligence and vendor payment administration. |
| 19 | Manage Employee traveling, expense tracking and reimbursement, as well as Employee time-tracking and working time-management as well as to effectively manage the use of company car fleet and devices. |
| 20 | Ensure Employee compliance with Astellas policies and applicable legal and other requirements. |
| 21 | Record, store, manage and follow up on adverse events that may be reported by Astellas Employees for Astellas medicinal products. |
| 22 | Enable internal contacts and communication, incl. to provide IT support to Employees, manage and maintain the functioning and security of IT systems and network and give access to Employees to Astellas tools and systems that may be relevant to their tasks and job descriptions, e.g. create Employee accounts in Astellas Global Account Management System to provide access to Astellas systems such as Astellas mailboxes. |
| 23 | Promote, internally and externally Astellas’ events, initiatives and projects incl. material published using internal communication channels such as intranet and SharePoint sites and emails, as well as external channels such as corporate websites and Company’s social media channels. |
| 24 | Facilitate communications with external stakeholders (e.g.. publishing employee business contact details and/or photos in dedicated Company websites, portals, assets or relevant material). |
| 25 | Create and maintain business records, general administrative information and transitory information required by business processes. |
| 26 | Design, develop, implement and manage Astellas strategy in various HR business areas such as rewards & benefits, recruitment, talent management, performance management, organizational structure & effectiveness, HR technology, labor and work council relations (where applicable), and policies and procedures. |
| 27 | When required or allowed to do so by law or as necessary to enable Astellas to protect its interests, establish legal rights, pursue legal actions or litigation (for instance, when necessary to prevent or detect fraud or crime or respond to a regulatory investigation). |
| 28 | Respond to requests for references from mortgage providers, estate agents or landlords. |
| 29 | Respond to requests for employment references, to which Astellas will offer factual information only. If you require a character reference from a colleague/manager, these must be in a personal capacity only. Such references will not be regarded as official Astellas references and must not be issued on behalf of Astellas or written on company headed paper. Please note that requests must be made in writing to the HR department and will only be answered once your written consent has been obtained. We will not provide employment references by telephone. |
| 30 | Promote Astellas activities and events in social media platforms and in Astellas sponsored sites. |
| 31 | Ensure safety and security of employees, visitors and Astellas’ property. |
| 32 | Carry out any other obligation and exercise specific rights of the Astellas or of Employees in the field of employment and social security and social protection law. |
Legal basis for processing Personal Data
We collect and process your Personal Data in order to:
- Make your Personal Data publicly available under the applicable law or to serve the competent authority’s operation as required under specialized law.
- Perform the obligations under our contractual agreement with you or to take relevant steps at your request prior to entering into a contractual relationship with you
- Perform the activities where we have your valid consent to do so (in such cases, you can withdraw your consent at any time)
- Protect your and others’ lives or health in case of an emergency
In cases where our processing of your Personal Data hereunder is not already covered by any of the above legal bases, we will either provide you with a separate privacy notice stating relevant legal basis for the processing of your Personal Data without consent or obtain your prior, explicit and specific consent to do so (e.g., to manage diversity and inclusion in our organisation), unless we are permitted to process your Personal Data without your consent under the Data Protection Regulations.
If you have questions about or need further information concerning the legal basis on which we collect and use your Personal Data, please contact us using the contact details provided under the “How to contact us” heading below.
How does Astellas process Employee Personal Data?
We will process your Personal Data in accordance with this Notice and apply all principles for data processing as required under the Data Protection Regulations, including the following key principles:
- Fairness: We will process your Personal Data fairly. This means that we are transparent about how we process Personal Data and that we will process it in accordance with applicable law.
- Purpose limitation: We will process Personal Data for the above-specified, lawful purpose, and will not process it in a manner that is incompatible with this purpose.
- Proportionality: We will process Personal Data in a way that is proportionate to the purpose which the processing is intended to achieve.
- Data accuracy: We take appropriate measures to ensure that the Personal Data that we hold is accurate, complete and, where necessary, kept up to date. However, it is also your responsibility to ensure that your Personal Data is kept as accurate, complete and current as possible by informing Astellas of any changes or errors. You should notify HR via myHR (where available) or via your local HR department of any changes to the Personal Data that we hold about you and your family (e.g. a change of address).
How does Astellas keep Employee Personal Data secure?
We implement appropriate physical, technical and organizational security measures to protect your Personal Data against unauthorized or unlawful processing or disclosure. The measures we use are designed to provide a level of security appropriate to the risk of processing of your Personal Data. For further information on the steps that we take to keep Personal Data secure and your responsibilities in this regard, please refer to the Global Information Technology Security Policy and Global Information Technology Security Standard.
Who does Astellas share Employee Personal Data with?
We may engage third parties to process Personal Data for and on behalf of Astellas. We require such data processors to process Personal Data and act strictly on our instructions and to take steps to ensure that Personal Data remains protected. We may disclose your Personal Data to the following categories of recipients:
| Our affiliates and group companies | Disclosure for purposes consistent with this Notice. A list of our current group companies is available at https://www.astellas.com/en/worldwide |
| Third-party service providers and partners |
Third parties who provide data processing services to us or who otherwise process Personal Data for the purpose described in this Notice or notified to you when we collect your Personal Data. Such third parties may be processing your Personal Data in the context of the following categories of activities:
|
| Consultants | Provision of advisory services by agencies, consultants, auditors, accountants, advisors, legal counsels and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under contractual prohibition of using the Personal Data for any other purpose. |
| Competent Authorities | Any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, (iii) to respond to regulatory requests or investigations or investigate whistleblowing issues, or (iv) to protect your life or health or those of any other person. |
| Potential buyers (and their agents and advisers) | In connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your Personal Data only for the purpose disclosed in this Notice. |
| Any other person | Such disclosure will only be based on your consent. |
Astellas does not, and especially will not without a legal ground, sell your Personal Data to third parties.
We also take precautions to allow access to Personal Data only to those Employees who have a legitimate business need for access and with a contractual prohibition of using the Personal Data for any other purpose.
International data transfers
Your Personal Data may be transferred to, and processed in, countries other than the country in which you are resident, including China, India, Philippines, Singapore, and the United States. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective). Also, our group companies and third-party service providers and partners operate around the world. This means that when we collect your Personal Data we may process it in any of these countries.
We have taken appropriate safeguards to require that your Personal Data will remain protected in accordance with this Notice. These include, among others, implementing the European Commission’s Standard Contractual Clauses for transfers of personal data between our group companies, which require all group companies to protect personal data they process in accordance with the Data Protection Regulations. You may also exercise any of your rights described under the "Your data protection rights and obligations" heading below in relation to Personal Data that we transfer to group companies outside the country where you reside. We implement similar appropriate contractual safeguards with our third-party service providers and partners.
Further details can be provided upon request by contacting our Data Protection Officer using the contact details provided under the “How to contact us” heading below.
Data retention
Unless indicated otherwise or provided by the Data Protection Regulations, we will start processing your Personal Data from the date we receive your consent or upon having a legal basis for processing. We retain Personal Data we collect from you where we have an ongoing legitimate business need or legal obligation to do so. We will not keep your Personal Data for longer than is necessary for the purpose for which we process it or as required by law, contract, the Astellas Global Policy for Records and Information Management and the Astellas Records Retention Schedule which are available at Astellas global repository of policies & procedures.
Unexpected consequences and damage during the processing of your Personal Data
We commit to the protection of the Personal Data received from you or from other legal sources and have implemented reasonable technical and organizational measures to achieve this goal. However, you acknowledge that no data transmission over the internet is completely secure and may be exposed to cyberattacks causing leakage of or unauthorized access to the Personal Data we collect, and that you or other sources transmit such information to us at your/their own risk.
Your data protection rights and obligations We respond to requests we receive from individuals wishing to exercise their data protection rights in accordance with all applicable data protection laws. Where provided by applicable data protection laws in your country and/or state of residence:
- You have the right to consent or not consent to our processing of your Personal Data through your expression in the Consent Form enclosed herewith.
- If you wish to know, access, correct or update your Personal Data, you can do so at any time by contacting us using the contact details provided under the “How to contact us” heading below.
- You may be entitled to ask us to delete your Personal Data in certain circumstances, subject to the Data Protection Regulations. If you wish to exercise your right to deletion, please contact us using the contact details provided under the “How to contact us” heading below.
- In addition, you may be entitled under certain circumstances to object to processing of your Personal Data, ask us to restrict processing of your Personal Data or request provision /portability of your Personal Data. Again, you can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading below.
- Similarly, if we have collected and processed your Personal Data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on legal bases other than consent.
- You have the right to complain, denounce to a data protection authority or file a lawsuit against our collection and use of your Personal Data. For more information, please contact your local data protection authority.
- You are entitled to claim compensation for damage due to any infringement of the Data Protection Regulations in accordance with applicable laws.
- If we apply any automated decision-making, including profiling, we will provide to you promptly meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
- At any time, you have the right to self-defense or to request competent authorities or organizations to protect your civil rights in accordance with the laws in your jurisdiction.
Besides the rights above, you have some obligations prescribed by the Data Protection Regulations, such as the following:
- Protect your Personal Data; request other relevant organizations and individuals to protect your Personal Data.
- Respect and protect others’ Personal Data.
- Provide your Personal Data fully and accurately once you consent to the processing of your Personal Data.
- Participate in propagating and disseminating skills to protect Personal Data.
- Comply with, and prevent and combat violations of, the Data Protection Regulations.
Monitoring
Astellas retains the right to monitor all IT systems, physical areas of the business and/or work-related activities to protect Astellas and ensure the appropriate use of Astellas resources and information assets in compliance with applicable law and in accordance with the Astellas Acceptable Use Policy which is available at the Astellas global repository of policies & procedures.
Updates to this Notice
We may update this Notice from time to time in response to changing legal, technical or business developments. When we update our Notice, we will take appropriate measures to inform you, consistently with the significance of the changes we make. You can see when this Notice was last updated by checking the “last updated” date displayed at the bottom of this Notice.
How to contact us
If you want to exercise any of your data protection rights, please use this link.
If you have any questions or concerns about our use of your Personal Data, you can always contact Astellas Data Protection Officer using the following details: [email protected].
You can also contact the data controller via the HR department through myHR (where available) or via your local HR department.
Last updated: June 2023