Privacy Notice – Novo Nordisk Employees

We obtain your personal data through/from the following sources:

From you directly
From your manager
From other Novo Nordisk affiliates or entities
From publicly available publications and websites
From vendors or public authorities

Novo Nordisk keeps your personal data for as long as it is needed to carry out the business purpose for which the data was collected and/or for as long as required under applicable law. Retention periods for Novo Nordisk records, including records containing employee personal data, are set out in the ATLAS document catalogue.

Retention periods for GxP data

As a pharmaceutical company, many Novo Nordisk records (including employee records containing personal data) are covered by specific GxP requirements that mandate certain, typically quite long, retention periods. The following table lists retention periods for categories of employee personal data that are covered by GxP requirements:

Data category	Retention time
Signature sheet	50 years
Full name, initials, department, period of employment in department	End of employment +30 years
Documentation of completed training and education in GxP regulated processes	50 years
IT user activity for GxP regulated IT systems	Depending on the specific purpose for which data is stored in the IT system, the retention period ranges from 7 to 75 years
Access logs for GxP regulated facilities	10 years
QA surveillance (video) of GMP^[1] regulated areas	5 years

[1] Good Manufacture Practices may require some areas are controlled and monitored by cameras (always marked with sign postings) and stored by a certain period in order to comply with QA surveillance.

Please find a detailed description of which Personal Data is processed by Novo Nordisk in Appendix A below.

Please inform local P&O if there are any changes to the personal data you have shared with Novo Nordisk.

We may share your personal data with:

Public authorities
Other Novo Nordisk entities (e.g. Novo Nordisk affiliates in other countries)
Suppliers or vendors that assist our company (e.g. consultants, IT service providers, financial institutions, law firms)

Novo Nordisk may process the following Personal Data from you:

Name and personal contact details (e.g. private email, private phone, physical address)
Business contact information (e.g. Novo Nordisk initials, phone number, e-mail)
Position, department, and photograph (e.g., for the employee phone book or ID card)
Nationality and language
Signature

Information regarding current and former positions in Novo Nordisk
Job application and Curriculum Vitae (CV)
Ability and personality tests, if used for recruitment or development activities
Criminal background check for recruitment process

Terms of employment, incl. salary, allowances, incentive schemes, and bonus payments
Social security number and bank details
Marital status and dependents, including emergency contact information
Tax, insurance, and pension scheme information
Union membership, if provided by the employee

Information related to employee accidents and illnesses
Absence data, including sickness, holidays and leave
Disciplinary warnings
Resignation or dismissal (including reason)

Performance objectives and evaluations
Documentation of accomplished training and education
Participation in talent, career development, and leadership programmes
Personal information relating to international transfers and expat assignments
Promotion and succession plans (certain positions only)

IT user activity on Novo Nordisk's IT infrastructure, systems, and equipment
Facility access logs and security surveillance recordings in certain facilities (always marked with sign postings)

Travel details (e.g., passport number, itineraries):
Company credit card details and documentation of expenses
Company car, including information about use of petrol and any fines
Details related to dietary requirements, health alerts, or mobility assistance, if voluntarily provided by the employee