
Data protection and IT security

Report on Non-Financial Matters

As a healthcare service provider, Galenica treats both data protection and information security as top priorities. We ensure that the personal rights and privacy of customers, patients, employees and other persons are protected at all times. We take appropriate security measures to protect both this sensitive data and internal company information from unauthorised access, manipulation or loss.


GRI 3-3
Art. 964b para. 1 CO
Art. 964b para. 2 no. 4 CO

With the ongoing digitalisation of the Swiss healthcare system, the importance of data protection and information security as well as the legal requirements for handling data are growing. The aim of data protection is to protect the privacy of those people whose data is processed. Information security ensures the protection of sensitive information through effective measures.

We determine our security measures based on the risks that may arise from unauthorised access, unauthorised modification, loss or unavailability of information and attacks on our infrastructure – both for data subjects and for the Galenica Group.

We build trust among all stakeholders by ensuring that the principles of data protection, in particular with regard to transparency and security, are adhered to.

Impacts, risks & opportunities

Impact / risk / opportunity | Characterisation | Value chain
Data protection and data security incidents can compromise the privacy of customers, patients and employees, have financial, legal or contractual consequences and damage trust in Galenica in the long term, both among business partners and the general public. | Negative; potential | In-house operations
Establishing strong data protection and security standards builds trust among customers, patients and business partners and strengthens Galenica's reputation as a responsible healthcare provider. | Positive; differentiation and trust advantage in the market |
Cyber attacks on Galenica’s IT systems can affect the availability and integrity of business-critical processes, particularly in logistics and pharmacies, and require additional measures to stabilise and secure operations. | Risk; potential | In-house operations
Proactive information security strategies and investments in resilience increase operational security and enable a stable digital transformation process that supports new services and efficiency gains. | Opportunity; potential | In-house operations, downstream value chain

GRI 3-3
Art. 964b para. 2 no. 5 CO

Our objectives

We not only pursue the goal of protecting sensitive data and information through technical security standards, but also take organisational measures, such as raising awareness among our employees. We carry out information campaigns and provide training on how to handle data in compliance with data protection regulations as well as on identifying possible cyber attacks, for example, and supporting information security.

Goal | Status | Target year | Measurement parameter | 2025 | 2024
We raise awareness of data protection among our employees at least six times a year, tailored to the respective target group. | = | Every year | Number of measures | 12 | 9
We make our employees aware of IT security and cybercrime at least six times a year, tailored to the respective target group. | = | Every year | Number of measures | 14 | 11

Status legend: ↗ Realistic; → Partially delayed / critical; ↘ Critical; = Achieved; × Not achieved

GRI 3-3
Art. 964b para. 2 no. 2-3 CO

Our management approach

The topics of data protection and information security are highly relevant at Galenica and are distinctly embedded in organisational terms.

The Chief Information Security Officer (CISO) is responsible for information security. The underlying responsibilities and governance structures are regularly reviewed and, if necessary, adapted to current regulatory and organisational requirements. The CISO chairs the IT Security Board, which acts as an advisory body. The Board supports the strategic focus of the information security measures, ensures the reconciliation of interests between IT and the business units and coordinates security-relevant topics as well as measures implemented by the Board members in their respective areas. In addition, the Board decides on measures to be taken in the event of critical vulnerabilities or risks. The aim is reliable and efficient information security across the Group. The Board meets quarterly and has been active since 2023.

To ensure data protection, Galenica has a professionally qualified, independent and impartial internal data protection officer. In addition, the interdisciplinary Data & AI Governance Board was established in 2024 to create clear framework conditions for the responsible use of data and AI applications and ensure the coordination of governance requirements with Galenica’s data strategy and values. The Board is chaired by the internal Data Protection Officer, supported by experts from Information Security, Enterprise Architecture, Data Strategy, AI and a member of the Executive Committee.

Clear guidelines and processes govern operations

The objectives of information security are set out in several target group-specific policies and regulations. The Information Security Policy defines the objectives of the information security programme, the relevant competencies and responsibilities as well as the information security principles of the Galenica Group. The Policy applies to all companies of the Galenica Group and forms the basis for all information security directives. General rules for using ICT devices and applications are set out for all internal and external employees or consultants in the Acceptable Use Policy.

Galenica records and manages governance and risk management issues as part of an information security management system (ISMS). Part of this is a central risk register in which identified vulnerabilities are recorded, evaluated and assigned to the responsible product teams for attention.

Galenica has an established incident response process designed to deal with security incidents in a structured manner. The process governs the roles, responsibilities and procedures in the event of an incident and ensures coordinated collaboration with internal units and external partners, including the Security Operations Center.

The Data Protection Policy forms the overarching framework for ensuring compliance with data protection principles and requirements in connection with processing data which is subject to confidentiality protection, and is supplemented by regulations and directives on specific topics. All employees and other auxiliary persons are obliged to comply with the Data Protection Policy. Data security incidents are handled and data protection risks addressed in close coordination with Information Security and Risk Management.

Raising awareness and employee training

People are one of the greatest risk factors in connection with cyber attacks, as many cyber attacks target employees, for example by means of fraudulent e-mails (phishing). The cooperation of all employees is therefore required to ensure information, data and IT security. New employees are made aware of the key elements of the ICT user regulations on their induction day.

Regular e-learning courses are the key tool for promoting security awareness. We provide specific modules on topics such as data security, phishing and dealing with cyber threats. These e-learning courses are complemented by phishing simulations, which further raise awareness and help to measure and understand the effectiveness of the various awareness-raising topics.

Fourteen awareness-raising measures were carried out on the subject of information security. This year’s highlights included the hosting of three live security events – two webinars and a series of short films on security published on the intranet – as well as the launch of an InfoSec page on the intranet to raise awareness of information security issues among all employees.

The responsible handling of data and awareness of specific data protection issues are also ensured through training courses and a transparently structured information platform. The data governance managers, who were appointed in 2023, are the first point of contact in the corporate divisions and Group companies. They are regularly informed about developments, trained and supported proactively.

In 2025, a total of twelve awareness-raising measures were carried out on the subject of data protection. The focus was on strengthening the responsible data culture through personal interaction with employees, visiting the data governance teams at eleven Group companies and holding an all-day workshop for all data governance managers, as well as further increasing accessibility and transferring knowledge by offering the transparently structured information platform in four languages and developing new training courses.

GRI 418-1

Regular review

To ensure compliance with legal provisions and high standards in the handling of data and information, Galenica continuously monitors ongoing developments in legislation and practices relating to data protection, information security and regulations applicable to the use of digital technologies.

Regular internal and external reviews ensure that information security and data protection risks can be identified at an early stage, assessed through standardised means and addressed.

In the reporting year, there were no substantiated complaints relating to data protection breaches, and there were no official investigations into cases of data theft or loss.
