Top of this page
Skip navigation, go straight to the content

Home Data protection notice suppliers

UCB Data protection notice for suppliers



UCB” or “we” means UCB S.A., a Belgian company with registered office at 60, Allée de la recherche, 1070 Anderlecht and its affiliates. For more information on the contact details of the UCB affiliate in your jurisdiction, please visit the ‘UCB Worldwide’ overview and select your country.

As controller, i.e. the legal entity that decides on the why and how information relating to you (“personal data”) is collected and processed by us in the context of your or your company/employer’s commercial relationship with UCB, we respect your right to privacy. We will only process your personal data as described in this UCB Data Protection Notice for Suppliers (the “Notice”) and in accordance with the relevant data protection legislation, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”).

At UCB we have a data protection officer (DPO), who can be contacted by any of the following means for any privacy-related questions, including regarding how we collect, store and use your personal data:

  • Regular mail:  To the attention of the (global) Data Protection Officer, Allée de la recherche 60, 1070 Anderlecht or to the attention of the local UCB Data Protection Officer at the postal address of the UCB affiliate in your jurisdiction. For more information, please visit 'UCB Worldwide' and select your country.


The Notice governs the collection, use and retention by UCB of personal data relating to (i) employees, workers, agents, delegates, and representatives of any third party vendors or suppliers (legal entities) delivering services to UCB, and (ii) UCB suppliers and service providers that are natural persons, including self-employed individuals.

The Notice consists of five main components and informs you about:

  1. Who we are and how you can contact us;
  2. The reason behind this Notice;
  3. The purposes for which we process your personal data and the related legal basis under the General Data Protection Regulation (GDPR);
  4. What your rights are in relation to the personal data we hold about you and how you can exercise them; and
  5. Further details on how we process (including share and retain) your personal data.

This Policy may be updated periodically to reflect changes in our personal data processing practices. In that case we will inform you of any significant changes through the same channel we normally communicate with you.


UCB collects and processes your personal data for the purposes mentioned below. This information will either be obtained directly from you or provided by the company you work for. Above each set of purposes, you will also find the legal basis for processing required under GDPR.



A.    Your rights


B.    How to exercise your rights

If you wish to exercise any of the rights mentioned above, please contact UCB as set out under section 1 (“Who we are and how you contact us”). Please clearly identify the right(s) you wish to exercise and include your contact details (including a valid e-mail or postal address) so that we can respond to your request. Please note that you may be asked to provide proof of your identity for verification purposes.

When you contact us to exercise any of the rights mentioned above, we will respond to your request within one month following receipt of the request. This period may be extended by two additional months where necessary, but in that case we will inform you of any such extension within one month of receipt of your initial request together with the reasons for the delay.

Right to lodge a complaint with supervisory authority

In accordance with article 77 GDPR you have the right to lodge a complaint with a supervisory authority, in particular in the European Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that UCB’s processing of your personal data infringes the GDPR. Please visit the website of the relevant supervisory authority for more information on how to submit such a complaint.



A.    Categories of personal data we collect about you and retention periods

Processing activityPersonal data collectedConsequences of failure to provide dataRetention period (**)
Management of a professional relationship with suppliers
  1. Your contact details: your full name (*); company e-mail address (*); company postal address; your business landline/GSM number;
  2. Your professional background: organization/company name, your job title/position
Failure to provide the personal data with an (*), prevents UCB from maintaining a commercial relationship with you/ your employer.For the duration of the professional relationship between UCB and you/your employer, plus for [2] years thereafter.
Execution/performance of a contract with you/ your employer
  1. Your contact details: your full name, company e-mail address; company postal address; your business landline/GSM number
  2. Your identification information: your gender, date of birth, nationality, your national ID number or passport number, your license plate number (insofar required for the delivery of the services to UCB, including onsite access to UCB premises, and in accordance with applicable laws)
  3. Your professional background information: your job title, position, CV (insofar required for performance of contract), company name;
  4. Your financial information (for suppliers who are natural persons): bank account details;
  5. Your electronic identification information (insofar required for the delivery of services to UCB): login details including passwords, your access level and rights, badge number, IP address, online identifiers, cookies, logs, metadata (including access and connection times), photographs (e.g. on company badge), CCTV or image recordings
Failure to provide this personal data prevents UCB from entering into and maintaining a contractual relationship (including receiving the services, allowing you access to UCB premises, handling billing and invoicing, etc.) with you/ your employer.For the duration of the contractual relationship between UCB and you/ your employer, plus for [2] years thereafter.

B.    Who we share your personal data with

We will disclose your personal data only as described in this Policy (including any updates to this Policy).

Subsidiaries/affiliated companies and third party processors

UCB transfers or discloses your personal data to its subsidiaries/affiliated companies and to third party service providers processing personal data on UCB’s behalf for the purposes set out above. Third party service providers include cloud service providers, IT services/ consulting/ outsourcing companies, database providers, event agencies, travel agencies, and banks and insurance companies that deliver service to us.  These service providers provide their services from locations within and outside of the European Economic Area (EEA).
Finally, other third parties include regulatory and government agencies (see further below in this Policy), our advisors and external legal counsel, our auditors and potentially, third parties with whom UCB may merge or which may be acquired by UCB (see further below in this Policy).  

Compliance with laws and legal proceedings

UCB will disclose your personal data where:

  •  UCB is required to do so by applicable law, by a governmental body or by a law enforcement agency;
  •  To establish or exercise our legal rights or defend against legal claims;
  •  To investigate, prevent or take actions against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our policies or as otherwise required by law.

If a third party acquires all (or substantially all) of our business and/or assets, we will disclose your personal data to that third party in connection with the acquisition. However, such disclosure will occur subject to and in accordance with applicable data protection laws.

C.    International transfers

UCB will transfer your personal data to its affiliates, including our affiliates outside of the EEA. In that case  UCB relies on UCB’s Binding Corporate Rules, which can be accessed through the following link.

The transfer of your personal data to third party service providers (as set out above under section 5B) in countries outside of the EEA that do not ensure an adequate level of (data) protection occurs on the basis of Standard Contractual Clauses that have been executed between UCB and the relevant third party service provider. You may - by exercising your rights set out below above under section 4.B (How to exercise your rights) - obtain  a copy of the relevant safeguard UCB has put in place or ask UCB to redirect you to the place where they have been made available.

In the absence of the aforementioned appropriate safeguards, UCB may – to the extent permitted under and in accordance with applicable data protection laws (including the GDPR) - rely on a derogation applicable to the specific situation at hand (e.g. the data subjects’ explicit consent, the necessity for the performance of an agreement, the necessity for the establishment, exercise or defense of legal claims).