Privacy Notice Center - Bristol Myers Squibb

General Privacy Notice
If you are a healthcare professional, you can access our other notice here:
HCP Privacy Notice.
BMS-acquired companies:
  • For Mirati, click here
  • For Karuna, click here
United States Privacy laws
If you reside in California, Colorado, Connecticut, Virginia, or Utah, please find additional information here: State Privacy Rights section.

BMS US Consumer Health Data Privacy Policy

Our Commitment

At Bristol Myers Squibb (BMS), your privacy matters to us. For us, data privacy goes beyond mere compliance with the law. BMS aims to collect, use, and share information that we obtain about you in a manner consistent with our company values, including high ethical standards, integrity, inclusion, fairness, and transparency. We have a dedicated internal team that reviews how BMS accesses, collects, uses, shares, stores, transfers, deletes and protects information about you. To safeguard your data, BMS employs reasonable and appropriate security measures. When upholding your rights as a data subject, you can contact us to respond to any questions you might have that are not answered in this Notice at eudpo@bms.com or as described below.

Healthcare Professionals Privacy Notice

If you are not a healthcare professional, or if you want to read additional information about our general processing activities, you can access our General Privacy Notice.

If you reside in California, please find additional information in our section for California residents.

Our Commitment

At Bristol Myers Squibb (BMS), your privacy matters to us. For us, data privacy goes beyond mere compliance with the law. BMS aims to collect, use, and share information that we obtain about you in a manner consistent with our company values, including high ethical standards, integrity, inclusion, fairness, and transparency. We have a dedicated internal team that reviews how BMS accesses, collects, uses, shares, stores, transfers, deletes and protects information about you. To safeguard your data, BMS employs reasonable and appropriate security measures. When upholding your rights as a data subject, you can contact us to respond to any questions you might have that are not answered in this Notice at dpo@bms.com or as described below.

BMS Global Employee Privacy Notice

If you are an applicant, you can read more details here: https://www.bms.com/privacy-policy.html#job.

For questions about this notice or data protection as a worker, please refer to the contact us section. 

What You Will Learn in This Notice

This notice is specific to the use of your personal data by Bristol Myers Squibb (“BMS”, “we”, “us”, “our”) if you are or were part of our workforce. It explains what personal data processing activities are conducted at BMS worldwide covering BMS direct employees, consultants, contractors, interns and third parties as defined in this Notice – collectively called ‘workers’ or ‘employees’ (or “you”, “your”, “yours”) in this notice (“Employee Notice” or “Notice”). We use the term “processing activities” or “use” to refer to accessing, collecting, storing, transferring or any other use of your personal data.

In this Notice, we provide you with an overview of how and why we collect your personal data - also known as personal information. We also inform you about your privacy rights related to our use of your data.

You should read this Employee Notice in combination with the BMS General Privacy Notice which explains the collective privacy standards and commitments that apply to all processing of personal data at BMS. It is available on the footer of our corporate www.bms.com websites for markets where we have a presence or operate.


A controller decides why and how to process your personal data. However, central teams at BMS located in another country (for example, teams in the US and support services provided by our authorized business partners) may also access and process your personal data as described in this notice. For each activity, Bristol-Myers Squibb Company and its affiliates will act as controller together or jointly for using your data.

Note: If you have an employment contract, the BMS legal entity who is your employer, or who has the contract with your employer, is the controller of your personal data. If you are a consultant, contractor, intern or independent worker, then the entity listed in your employer’s contract with BMS is the controller.



This section describes the type of personal data we collect for our processing activities, which may vary depending on your role at BMS.

We describe this personal data as “Work-Related Data” or “Sensitive Work-Related Data” that BMS needs for the creation of your work contracts and to run our day-to-day work activities. Remember, depending on where you live, the relevant data protection law in your jurisdiction may define personal data differently from the descriptions used in this notice.

We use the categories of personal data in the following context:

Onboarding & HR day-to-day

Compensation, benefits & performance

Security, IT, devices, training

Surveys, events, images, videos

Sensitive data

Environmental, health & safety

Data for legal & compliance

Family & your relatives’ data

Roles & positions, relocation, leaving

Note: Most data we use about you is necessary for our day-to-day operations. In certain cases, you might decide to participate in activities that are not mandatory, such as attending events, accessing benefits, applying to internal jobs, responding to surveys or sharing your image or video recordings with BMS. In this case, we will let you know what your options are before processing your data.

You can learn more about our purposes and why we use your data in section 4.


This section describes the main types of activities where BMS processes your personal data and the context in which BMS uses it. Our main processing activities consist of:

  • handling your data for day-to-day operations, such as for onboarding you as a new hire or worker, handling your payroll, requests, enabling access to our systems and intranet and BMS social media platforms to interact with other colleagues, for internal interactions, and, if applicable, performance reviews;
  • offering benefits such as learning, career development programs, fitness, rebates on goods, wellbeing programs, BMS or external events or initiatives that you can access or participate in depending on your role;
  • implementing appropriate security measures and infrastructures that prevent data losses, ensure compliance with applicable laws, maintain whistleblowing hotlines and channels to report misconduct, conflicts of interest or unlawful behavior which may require preserving information as evidence to comply with applicable employment legislation; and,
  • processing in the context of our working culture and environment as a multinational company, such as participating in diversity and inclusion groups, activities or discussions or responding to surveys about the working environment.


As a BMS Worker, there are many times when we need to process or share your data using digital means. In most cases, your online connection to BMS systems is securely managed through the BMS single sign-on (SSO) process or through our VPN (virtual private network). You may access other systems, such as Outlook or Workday, using two-factor authentication.

For more information about how we collect personal data from visitors to our websites or users of our products and services, please review our General Privacy Notice.


BMS collects personal data directly from you for most of our processing activities, although sometimes we obtain personal data automatically via certain internal BMS sites or indirectly from alternative sources.

For example: we collect personal data indirectly from service providers (such as recruitment agents and background checking services), online platforms, government bodies (criminal records, wage garnishments) or authorities where required by law (such as tax authorities) to manage your work relationship with us.

We also collect information about you automatically, through physical or online security, systems monitoring (for example through video (CCTV) recording) or building access control logs when you enter the workplace or in other similar contexts. BMS will always strive to make you aware of this type of processing before collection of your personal information takes place. 


Only limited BMS teams and approved third parties or authorities who need to manage or obtain your information may access Work-Related Data. When your personal data is more sensitive, BMS will apply more restrictions and protections to protect it. For details on our cross-border transfer mechanisms, please see the relevant section in our General Privacy Notice available on all bms.com websites.


In this section, we describe our legal justifications (commonly referred to as “legal basis”) for the use of your data related to each purpose for using it. We will use the legal basis that is most appropriate for the purpose and circumstances related to such processing. Below, we have explained which legal bases we may choose or have to use when using your personal information.

Note: Depending on the country or State where you reside, the law of your country may not require that BMS justify how it uses your data (such as in the US or Hong Kong). This applies to ordinary use of your data, transfers outside of your residence, or when sharing or disclosing your Work-Related Data with a third party. If you are from a jurisdiction or a State that requires a legal basis for processing personal data (such as China, the EEA, UK, or Brazil), our legal basis will depend on the personal data concerned and the context in which we collect it. Where required by applicable law, BMS will obtain your prior consent for certain processing activities – for example, using cookies or trackers, when using your images or recording materials, disclosing your personal data outside of your country of residence or disclosing it with BMS-approved third parties.


BMS has developed internal policies and guidance on responsible use of AI. When using AI tools involving Work-Related Data, we will apply globally recognized data privacy & protection principles. When using third party technology, we ensure that we apply:

(i) BMS principles on responsible use of AI;
(ii) appropriate technical and security measures;
(iii) contractual arrangements to protect your personal data.

BMS will provide you with more detailed information in a privacy notice, and if required, obtain your prior consent before using such technologies. You can read more information about your rights, including your right to object or to request human intervention, in section 10.


This section describes the rights you may have and the potential actions you can take in relation to how BMS processes your personal data.

You have several privacy rights in relation to the processing of your personal data at BMS, but these will depend on the country where you reside and on the legal basis that we used to process your personal data. Exercising your rights is usually free of charge, except if your request is excessive or requires disproportionate efforts, in which case we may ask you for a reasonable fee. 

BMS assesses every request received based on who you are and the jurisdiction or State in which you are based. If we cannot comply with your request, we will let you know the reasons why. You can always contact BMS at dpo@bms.com to find out more about your rights and how you can exercise them.  

The rights described below are not absolute and will only apply in certain circumstances.  This means that we may be unable (for example, due to legal requirements) or not obligated to act on your request.  In some cases, we may need to collect additional personal data from you to verify your identity before we provide access or delete your information, for example a copy of your government-issued identification.


BMS uses appropriate technical and organizational measures to protect your personal data online and offline. We do this to prevent unauthorised processing, loss of data, disclosure, use, alteration, or destruction of your personal data. The measures that we deploy are dependent on the sensitivity of the personal data and the most recent advancements made in security technology. Where appropriate, we use encryption, pseudonymisation (such as key coding), de-identification and other technologies that can assist us in securing your data, including measures to restore access to your data. We also require our service providers to comply with reasonable and recognized data privacy and security requirements.


Data retention schedules

BMS will only retain your personal data for as long as necessary for the processing purposes listed in section 4. When retaining and storing data about you in our systems, we have put in place specific data retention schedules in accordance with our company policy and in compliance with applicable data protection and local employment laws.


After you end your employment with BMS, we will need to retain certain information about you, including your contact details, to fulfil certain business obligations, to administer or manage retirement plans, to handle payment for outplacement services, and to respond to queries from your new employer.


This section contains additional information for jurisdictions that give additional privacy rights in the context of work with BMS. Note that these rights will depend on the nature of your contract or relationship with BMS, your residency, jurisdiction, State from which you originate or the BMS entity that you work for. BMS will not discriminate against you for exercising your rights but may not be able to provide you with services or programs that you have requested if we are not able to use your personal data. Please refer to section 10 for general information about your privacy rights.


Data sharing in connection with a transfer of control

Circumstances may arise where we decide to reorganize or divest part (or all) of our business or a line of our business (or any portion of our assets). This can include our information databases and websites, through a sale, divestiture, merger, acquisition, in the event of a bankruptcy, or other means of transfer.

In such circumstances, your personal data may be shared with, sold, transferred, rented, licensed, or otherwise provided or made available by us or on our behalf to actual or potential parties to, and in connection with, the contemplated transaction (without your consent or any further notice to you). In such circumstances, we will seek written assurances that your personal data will be protected appropriately.


BMS may update its privacy notices from time to time. If there are any important revisions which might impact the way we process your personal data, BMS will notify you to inform you of these changes either directly or through our internal communication channels.


If you have questions about this notice, or you want to obtain more information about our use of your personal data as a BMS Worker, you can ask a question by raising a ticket on myBMS. Current and previous employees can also contact us by email at eudpo@bms.com for the EU/EEA, Switzerland and the UK. If you are located elsewhere, please email the team at dpo@bms.com or write to us by post using the contact details given in the contact section of the footer of our corporate website for your language.