Global Privacy Program
In all that we do, we strive to be good data stewards, balancing our data needs with our responsibilities to the people and communities we serve.
Data about people—whether they’re employees, patients, physicians, veterinarians or other health professionals, customers, business partners, or other stakeholders—is essential to fulfilling our corporate mission and to operating our global research-intensive biopharmaceutical and animal-health businesses.
Over the past 17 years, we have developed and continually improved a comprehensive global privacy program that promotes organizational accountability for privacy, data governance, and data protection across our business, and with our collaborative partners and suppliers.
We were the first company in the world to obtain regulatory approval in the European Union (EU) for Binding Corporate Rules (BCRs) based in part on our existing Asia Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPRs) certified program.
This achievement demonstrates that organizations can rely on common internal standards and processes to govern international data transfers across both the EU and APEC regions, making it simpler to address the growing regulatory challenges in this area.
We also self-certify to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. These frameworks were designed by the U.S. Department of Commerce together with the European Commission and with the Swiss Administration, respectively, following the invalidation of the EU-U.S. and Swiss-U.S. Safe Harbor programs.
Our holistic approach to privacy has its origins in biomedical research ethics and the protection of participants in the research studies that we sponsor and conduct. We have adapted human subject research ethics standards for risk-benefit analysis, transparency, anonymization, coding and prior review to other activities and processes involving data about people.
We also have established a set of privacy values to guide all of our privacy, data stewardship, and data protection decisions. These core tenets serve as the foundational ethical framework for our comprehensive global privacy program and our compliance with the continually evolving legal and regulatory standards for privacy and data protection.
|GLOBAL PRIVACY PROGRAM||2013||2014||2015||2016||2017|
|Number of countries in which we conduct privacy compliance verification and risk assessment||137||137||137||137||137|
|Number of concerns regarding privacy practices, breaches of privacy and losses of personal data that were substantiated [1, 3]||212||151||143||227||123|
|Percentage of reported concerns regarding privacy practices, breaches of privacy and losses of personal data that were substantiated [2]||26%||18%||96%||98%||98%|
|Number of privacy breaches requiring notification by Merck & Co., Inc., Kenilworth, N.J., USA, to individuals or government authorities|
|Number of privacy breaches requiring notification by third parties working for Merck & Co., Inc., Kenilworth, N.J., USA, to individuals or government authorities||1||1||3|
1. Privacy concerns include all concerns about our privacy practices escalated to our company’s Privacy Office. Substantiated concerns are those that are determined to be consistent with our own privacy standards or that involve loss of, theft of, or unauthorized access to personal data.
2. In 2015, because of the scope of lost or stolen devices known to be encrypted, we ceased inclusion of lost or stolen MSD devices in our incident metrics.
3. Reporting in 2017 was impacted by a cyber-incident.