Case Summary
The complainant stated that despite raising concerns several times internally, he/she had either been ignored or made to feel belittled. The complainant stated that under the guise of key account management (KAM), he/she was asked to discuss both customer and account insights elicited during calls with health professionals. The complainant provided internal documents, where ‘insights’ from health professional calls had been shared internally and had raised this internally both from a General Data Protection Regulation (GDPR) issue (health professionals were not aware that this data was shared) and secondly because it was clearly generating marketing insights; there was a clear and distinct process for doing this which was not followed.
Further, the complainant provided details of an engaging key customers event (EKC), the original purpose of which was to train Sanofi field teams in the art of remote selling during the pandemic which was changed close to the event to become an insights gathering exercise which was acknowledged in the after-action review (AAR) meeting.
The detailed response from Sanofi is given below.
The Panel noted Sanofi’s submission that there was a formal and informal process for the gathering of marketing insights. The formal process was under the remit of market research and was characterised by product- or market-related information. The Panel did not consider that the complaint concerned formal market research.
The Panel noted Sanofi’s submission that account executives were required to share fortnightly any business-relevant information collected during their interactions by completing and uploading a certified template form in a shared folder with access limited to the sales team and which were discussed in bi-weekly meetings. Account executives were, however, instructed that any customer or patient identifiable information should not be included in any responses provided as per the briefing document.
The Panel noted Sanofi’s submission that the primary aim of collecting account insights was to gather information regarding the priorities of Sanofi’s customers in a business-to-business context, not to collect personal data relating to customers as individuals and Sanofi submitted that it had a robust set of policies and processes in place to ensure compliance with data privacy codes, laws and regulations, including the GDPR and employees were appropriately trained. The Panel noted Sanofi’s submission that its Privacy Policy stated that it might collect personal data relating to customers from direct interactions with them in order to carry out Sanofi’s business operations and improve and develop its products and services and made it clear that Sanofi might share this information internally within Sanofi.
The Panel noted Sanofi’s submission that its investigations had not identified any GDPR breaches associated with the account insight gathering activities. The Panel noted that there did not appear to have been any formal finding by any judicial authority or appropriate body charged with formally determining matters in relation to GDPR. The Panel considered that in the absence of such a formal finding the complainant who bore the burden of proof had not established that Sanofi’s activities with regard to insight gathering had breached GDPR. Accordingly, no breach of the 2019 Code was ruled.
The Panel noted that according to Sanofi’s submission it appeared that within Sanofi there was a difference between market insights gathering for which the policy on market research was followed and the insight gathering of account executives during calls with health professionals as described by the complainant. In relation to process for the fortnightly business intelligence gathering, the Panel noted Sanofi’s submission that this was an example of a formal harmonised process, however, the collection of account insights was generally an informal procedure. The Panel noted that the spreadsheet provided by the complainant appeared to be part of such informal activity given its heading referred to weekly insights and details of health professionals’ names etc. It was clear that the activity was both formal and informal, the latter was not necessarily unacceptable provided it complied with the Code. The Panel noted Sanofi’s detailed submission about its privacy policies etc. The Panel did not consider that the complainant had established that what he/she described as the clear and distinct process for generating ‘marketing insights’ was not followed as alleged. In the Panel’s view, there was no evidence that high standards had not been adhered to and the Panel ruled no breach of the Code.
The Panel noted the complainant’s further concern that the original purpose of an engaging key customers event (EKC) held in the summer of 2020 was changed from an exercise to train Sanofi field teams in the art of remote selling during the pandemic to gathering marketing insights. The Panel further noted Sanofi’s submission that although the scope of the meeting was always intended to be a training event, the topic and style of conversation had been revisited because at that time in June 2020, the Covid pandemic was raging and any proactive reference to specific products was removed from the interactions and instead, the focus of the interactions was directed towards understanding the customer needs in relation to the sudden and rapid change in the dynamic of the interactions and the undue pressure they were under due to the Covid situation. The Panel noted Sanofi’s submission that the change in topic was discussed with the leadership team and communicated to the area business managers on 5 June 2020. The Panel further noted Sanofi’s submission that all involved personnel interviewed as part of the investigation were reportedly clear on the intent and scope of the meeting, particularly with reference to the change in scope and all attending account executives were only briefed once in line with the finalised certified scope via Zoom using the briefing slide deck. The Panel noted that this briefing slide deck stated that one of the objectives for the health professionals was appropriate discussion regarding brand which might have caused some confusion. Nonetheless, the weight of the briefing was in relation to account insight gathering.
The Panel further noted that additional guidance on how to frame the insight conversation was also provided to the account executives attending the training. The Panel noted Sanofi’s submission that account executives were instructed to gather, what in the briefing slides and in the certified preparatory slide was referred to as ‘account insights’. This specifically referred to gathering general information on the customer preferences for future interactions, particularly when conducted virtually, and on the overall impact of the pandemic on their practice and requirements.
The Panel did not consider that the complainant had established that the account executives had not been briefed on the scope of the meeting that took place and no breaches of the Code were ruled.
The Panel noted Sanofi’s submission that no one interviewed during the company investigation recalled any significant issue raised in relation to insights gathering as alleged by the complainant and all demonstrated good awareness and willingness to use, if required, all the channels that Sanofi offered to raise concerns, details of which were provided. The Panel did not consider that the complainant had established that his/her concerns had been ignored as alleged and no breach of the Code was ruled in that regard.
Case AUTH/3558/9/21 NO BREACH OF THE CODE
EMPLOYEE v SANOFI
Concerns about insight gathering
A Sanofi employee complained about insight gathering by Sanofi.
The complainant stated that despite raising concerns several times internally, he/she had either been ignored or made to feel belittled. The complainant stated that under the guise of key account management (KAM), he/she was asked to discuss both customer and account insights elicited during calls with health professionals. The complainant provided internal documents, where ‘insights’ from health professional calls had been shared internally and had raised this internally both from a General Data Protection Regulation (GDPR) issue (health professionals were not aware that this data was shared) and secondly because it was clearly generating marketing insights; there was a clear and distinct process for doing this which was not followed.
Further, the complainant provided details of an engaging key customers event (EKC), the original purpose of which was to train Sanofi field teams in the art of remote selling during the pandemic which was changed close to the event to become an insights gathering exercise which was acknowledged in the after-action review (AAR) meeting.
The detailed response from Sanofi is given below.
The Panel noted Sanofi’s submission that there was a formal and informal process for the gathering of marketing insights. The formal process was under the remit of market research and was characterised by product- or market-related information. The Panel did not consider that the complaint concerned formal market research.
The Panel noted Sanofi’s submission that account executives were required to share fortnightly any business-relevant information collected during their interactions by completing and uploading a certified template form in a shared folder with access limited to the sales team and which were discussed in bi-weekly meetings. Account executives were, however, instructed that any customer or patient identifiable information should not be included in any responses provided as per the briefing document.
The Panel noted Sanofi’s submission that the primary aim of collecting account insights was to gather information regarding the priorities of Sanofi’s customers in a business-to-business context, not to collect personal data relating to customers as individuals and Sanofi submitted that it had a robust set of policies and processes in place to ensure compliance with data privacy codes, laws and regulations, including the GDPR and employees were appropriately trained. The Panel noted Sanofi’s submission that its Privacy Policy stated that it might collect personal data relating to customers from direct interactions with them in order to carry out Sanofi’s business operations and improve and develop its products and services and made it clear that Sanofi might share this information internally within Sanofi.
The Panel noted Sanofi’s submission that its investigations had not identified any GDPR breaches associated with the account insight gathering activities. The Panel noted that there did not appear to have been any formal finding by any judicial authority or appropriate body charged with formally determining matters in relation to GDPR. The Panel considered that in the absence of such a formal finding the complainant who bore the burden of proof had not established that Sanofi’s activities with regard to insight gathering had breached GDPR. Accordingly, no breach of the 2019 Code was ruled.
The Panel noted that according to Sanofi’s submission it appeared that within Sanofi there was a difference between market insights gathering for which the policy on market research was followed and the insight gathering of account executives during calls with health professionals as described by the complainant. In relation to process for the fortnightly business intelligence gathering, the Panel noted Sanofi’s submission that this was an example of a formal harmonised process, however, the collection of account insights was generally an informal procedure. The Panel noted that the spreadsheet provided by the complainant appeared to be part of such informal activity given its heading referred to weekly insights and details of health professionals’ names etc. It was clear that the activity was both formal and informal, the latter was not necessarily unacceptable provided it complied with the Code. The Panel noted Sanofi’s detailed submission about its privacy policies etc. The Panel did not consider that the complainant had established that what he/she described as the clear and distinct process for generating ‘marketing insights’ was not followed as alleged. In the Panel’s view, there was no evidence that high standards had not been adhered to and the Panel ruled no breach of the Code.
The Panel noted the complainant’s further concern that the original purpose of an engaging key customers event (EKC) held in the summer of 2020 was changed from an exercise to train Sanofi field teams in the art of remote selling during the pandemic to gathering marketing insights. The Panel further noted Sanofi’s submission that although the scope of the meeting was always intended to be a training event, the topic and style of conversation had been revisited because at that time in June 2020, the Covid pandemic was raging and any proactive reference to specific products was removed from the interactions and instead, the focus of the interactions was directed towards understanding the customer needs in relation to the sudden and rapid change in the dynamic of the interactions and the undue pressure they were under due to the Covid situation. The Panel noted Sanofi’s submission that the change in topic was discussed with the leadership team and communicated to the area business managers on 5 June 2020. The Panel further noted Sanofi’s submission that all involved personnel interviewed as part of the investigation were reportedly clear on the intent and scope of the meeting, particularly with reference to the change in scope and all attending account executives were only briefed once in line with the finalised certified scope via Zoom using the briefing slide deck. The Panel noted that this briefing slide deck stated that one of the objectives for the health professionals was appropriate discussion regarding brand which might have caused some confusion. Nonetheless, the weight of the briefing was in relation to account insight gathering.
The Panel further noted that additional guidance on how to frame the insight conversation was also provided to the account executives attending the training. The Panel noted Sanofi’s submission that account executives were instructed to gather, what in the briefing slides and in the certified preparatory slide was referred to as ‘account insights’. This specifically referred to gathering general information on the customer preferences for future interactions, particularly when conducted virtually, and on the overall impact of the pandemic on their practice and requirements.
The Panel did not consider that the complainant had established that the account executives had not been briefed on the scope of the meeting that took place and no breaches of the Code were ruled.
The Panel noted Sanofi’s submission that no one interviewed during the company investigation recalled any significant issue raised in relation to insights gathering as alleged by the complainant and all demonstrated good awareness and willingness to use, if required, all the channels that Sanofi offered to raise concerns, details of which were provided. The Panel did not consider that the complainant had established that his/her concerns had been ignored as alleged and no breach of the Code was ruled in that regard.
A Sanofi employee, who could not be contacted using the contact details provided, was concerned about insight gathering by Sanofi.
COMPLAINT
The complainant stated that despite raising the concerns set out below several times internally, he/she had either been ignored or made to feel belittled. The complainant stated that Sanofi General Medicines had, for the past few years, been driving towards key account management (KAM) style working, which was now common-place across the industry. Furthermore, there was now a named KAM lead who drove such matters internally. The complainant stated that under the guise of KAM, he/she was always asked to discuss both customer and account insights, which he/she elicited during calls with health professionals. These insights were then used to develop both local plans and national strategy. The complainant provided various internal documents, where ‘insights’ from health professional calls had been shared internally. As mentioned above, the complainant stated that he/she had raised this internally both from a General Data Protection Regulation (GDPR) issue (health professionals were not aware that this data was shared) and secondly, this was clearly generating marketing insights, and there was a clear and distinct process for doing this, which this did not follow. Furthermore, the complainant provided details of an engaging key customers event (EKC), which was held in the summer of 2020. The original purpose of this event was to train Sanofi field teams in the art of remote selling during the pandemic. However, the purpose of this event was changed close to the event for it to become an insights gathering exercise – garnering marketing insights covertly through the field teams. This was acknowledged in the after-action review (AAR) (copy provided), where the lead for this event stated; ‘As the intent and objective changed, the certified briefing doc didn’t match, forced to try and make something fit that really didn’t, logistically stuff changed that had an impact on the overall intention of what were [sic] trying to do at the event’. The complainant stated that he/she had provided several pieces of evidence to substantiate the above and hoped the PMCPA could investigate the matter.
When writing to Sanofi, the Authority asked it to consider the requirements of Clauses 1.11, 9.1 and 15.9 of the 2019 Code.
RESPONSE
Sanofi submitted that it took its obligations under the Code very seriously and was concerned to have received such a complaint originating from a member of staff. Sanofi had conducted a thorough investigation, which included interviews with relevant members of staff, while taking particular care to protect the anonymity of the complainant.
Sanofi submitted that in order to gather evidence and formulate the response, it had interviewed all available staff from the division involved in the activities listed above and in the organisation of the EKC meeting; this included interviews with all area business managers within the division and a randomly selected representation of account executives (ie sales representatives). As the complainant had waited over 12 months since the event included in the complaint, it was not possible to interview all due to staff changes.
In responding, Sanofi focussed on three elements of the complaint individually.
Alleged UK GDPR issues and disguised method for capturing marketing insights
Sanofi noted that the complainant alleged that, under the guise of key account management, he/she was asked to collect, discuss and share internally customer and account insights, and that this was a ‘GDPR issue (HCPs are not aware that we share this data)’ and not in line with the process for capturing marketing insights.
The collection of what was termed ‘account insights’ was a pivotal part of the role of account executives (AEs) enabling them to understand the key priorities of the account they operated in and helped shape their activities, in order to develop a way of working which optimised promotional activities whilst addressing the customer needs more effectively. An overview of the rationale and criteria for gathering account insights was outlined in the Key Account Excellence document (copy provided).
Different methods contributed to the generation of account insights which included the formal acquisition of NHS data, internal business intelligence data which aimed at depicting the performance of the account and shape the strategy, and the collection of relevant account information from routine interactions between account executives and customers, which appeared to be the focus of the complainant’s concerns. This information was gathered spontaneously during promotional calls and was generally an informal process.
With respect to the complainant’s concerns regarding compliance with the UK GDPR, the primary aim of collecting account insights was to gather information regarding the priorities of Sanofi’s customers in a business-to-business context, not to collect personal data relating to customers as individuals (see example described below). However, Sanofi had a robust set of policies and processes in place to ensure compliance with data privacy codes, laws and regulations, including the GDPR, and appropriate level of training to all employees, in the event that personal data was collected relating to customers. Copies of the Sanofi Global Internal Privacy Standard as well as screenshots of the ‘Data Privacy’ homepage on the Sanofi intranet where all employees could find relevant guidance and resources to understand Sanofi’s governance framework in this area and ensure compliance were provided. The collection of account insights was common practice across the industry and Sanofi contended that customers would expect companies to retain a record of their interactions. In any event, Sanofi’s Privacy Policy, which was available at https://www.sanofi.co.uk/en/privacy-policy, also made clear that it might collect personal data relating to customers (such as identity and professional data as well as information about their use of Sanofi products and services and communication preferences) from direct interactions with them in order to carry out Sanofi’s business operations and improve and develop its products and services (including customer relationships and experiences). It also made clear that Sanofi might share this information internally within Sanofi.
As part of Sanofi’s investigation, it had looked for examples of processes through which information gathered by account executives during routine interactions with customers was captured and discussed within the account team. This process might also be referred to by some as ‘insights gathering’ and might feed into overall account insights whilst constituting a legitimate component of business activities enabling the team to have an overview of the trends and needs in the relevant geographical area. From the interviews conducted, it was confirmed that the Account executives were required to share fortnightly any business-relevant information collected during their interactions, by completing and uploading the certified template form (copy provided) in a shared folder with access limited to the sales team and discussed in bi-weekly meetings. Account Executives were, however, instructed that any customer or patient identifiable information should not be included in any responses provided as per the briefing document (copy provided). While this was an example of a formal harmonised process, the collection of account insights was generally an informal procedure which was part of account management, as mentioned above. The information was discussed within the team to assess trends and did not include information specifically identifying or referring directly to customers.
During Sanofi’s investigation, it took particular care to protect the anonymity of the complainant. In that context, Sanofi had not been able to identify the source or any evidence clarifying the use of the spreadsheet provided by the complainant. Without such evidence, it had not been possible to determine the specific circumstances surrounding the collection of this information. However, on the face of it, the content of the spreadsheet was limited to a record of business interactions between account executives and customers, with personal data largely limited to customers names. As noted above, Sanofi had robust policies and processes in place to ensure compliance with data privacy codes, laws and regulations, including the GDPR. Sanofi’s Privacy Policy also made clear that it would collect this type of information from interactions with its customers and share it internally within Sanofi. Sanofi’s investigations had not identified any GDPR breaches associated with the account insight gathering activities highlighted by the complainant and it therefore refuted this allegation.
Sanofi submitted that, in addition, the complainant claimed that, in the guise of KAM, the gathering of customer and account insights by means of the activities described above, and giving the spreadsheet as an example, was ‘generating marketing insights’. For the purposes of this response, Sanofi had assumed that the complainant was referring to the gathering of market insights through market research, which was governed by a formal process within Sanofi and was usually characterised by product- or market-related information. Sanofi refuted this allegation as the example provided and none of the activities contributing to the generation of account insights that it had described above came within the definition of market research. Sanofi wished to emphasise that gathering of marketing insights, which was usually a formal process dictated by the process for market research, was an entirely different activity from collection of insights related to the workplace business environment. The activity of the account executives highlighted by the complainant was an informal gathering of information related to the day-to-day work and contributed to the understanding of the external environment. This information was crucial to ensure that the needs of the health professionals and patients were met. This also ensured that Sanofi’s AEs were most highly effective in the work environment.
Also, with respect to the enclosure named ‘It customer insights’, Sanofi believed that from a GDPR perspective, any insights recorded in the slides were not attributed to individual customers and were not formal marketing insights as per the definitions above.
EKC meeting – alleged change in scope
Sanofi noted that the complainant alleged that a change in scope of an EKC event held in June 2020 resulted in inadequate briefing of participating staff as well as the event becoming a marketing insights gathering exercise in the guise of a training event.
The EKC meeting took place between 15 and 19 June 2020 and was intended, as part of the Sanofi Academy training programme, to be a platform for enabling account executives across the General Medicines Business Unit to train on effectively working remotely with customers whilst practising virtual interactions using the different digital platforms. In addition to account executives, the meeting was attended by area business managers and members of the head office marketing and sales team witnessing the interactions to provide feedback at the end of each session. Various health professionals were contracted to attend the interaction and provide feedback on the session both in terms of overall ease and quality of the virtual interaction and preferences for potential future engagements (eg preferred virtual platform). A copy of the certified briefing sent to contracted health professionals was provided. Health professionals were also briefed via Zoom ahead of the event by using the certified presentation.
Although the scope of the meeting was always intended to be a training event, the topic and style of conversation had been revisited because at that time in June 2020, the Covid pandemic was raging and the country was in lockdown. In particular, any proactive reference to specific products was removed from the interactions and instead, the focus of the interactions was directed towards understanding the customer needs in relation to the sudden and rapid change in the dynamic of the interactions and the undue pressure they were under due to the Covid situation. In doing so, Sanofi was particularly respectful of an extremely sensitive and challenging period affecting the health professionals. Sanofi felt that during these challenging times, account executives should understand the needs of the health professionals and only act in response to those needs rather than engaging in overtly promotional calls without taking into account other commitments of the health professionals due to the Covid situation, especially as some of the health professionals were delegated to Covid wards. The change in topic was discussed with the leadership team and communicated to the area business managers on 5 June 2020. All attending account executives were only briefed once in line with the finalised certified scope via Zoom by using the briefing slide deck (copy provided). Additional guidance on how to frame the conversation was also provided to the account executives attending the training.
All involved personnel interviewed as part of the investigation were reportedly clear on the intent and scope of the meeting, particularly in reference to the change in scope.
As well as being a training exercise, account executives were instructed to gather, what in the briefing slides and in the certified preparatory slide was referred to as, ‘account insights’. This specifically referred to gathering general information on the customer preferences for future interactions, particularly when conducted virtually, and on the overall impact of the pandemic on their practice and requirements. In this context, Sanofi refuted the complainant’s allegation that this would represent a covert method for gathering marketing insights. As stated in the section above, marketing insights gathering would be characterised by product- or market-related information and conducted via alternative processes within the remit of the market research. In this instance, any pro-active conversation around any product was discouraged and account executives during the meeting did not interact with any of the customers that they would normally promote to. The document provided by the complainant was a summary of the key outcomes of the meeting and in which any ‘insights’ were recorded anonymously. Consequently, Sanofi did not believe that this information fell within the scope of the GDPR.
An AAR meeting took place after the EKC meeting within the core Head Office team involved in the organisation of the event with the aim of undertaking a retrospective analysis to enable the assessment and improvement of the activities that the company organised. While the change of scope was addressed as part of this AAR, subsequent interviews as part of the investigation of this complaint confirmed that all attending account executives were only briefed once in line with the finalised certified brief.
Complainant allegedly ‘ignored or made to feel belittled’ when raising the concerns internally.
Sanofi submitted that as part of the investigation members of the Leadership Team, Sales and Account management, all Area Business Managers and a representation of the account executives were interviewed and no evidence of concerns in relation to reporting, addressing or appropriately escalating eventual issues or concerns from any member of staff were highlighted. Furthermore, no one recalled any significant issue raised in relation to insights gathering as alleged by the complaint.
All members of staff who were interviewed demonstrated good awareness and willingness to use, if required, all the channels that Sanofi offered to raise concerns. In addition to reporting issues to line management or higher management lineage, Sanofi offered alternative channels for reporting any concern that would be addressed confidentially and independently of line management.
Sanofi supported a culture of openness and encouraged employees to report any concerns in relation to business conduct or other matters in the Sanofi Code of Ethics.
The Code of Ethics set out the ethical standards by which the company operated and applied to every Sanofi employee and anyone conducting business on behalf of the company. The Code of Ethics required employees and those conducting business on behalf of Sanofi to raise concerns, through various channels if they believed its principles were being compromised.
The UK Ethics & Business Integrity Intranet page advised employees:
‘If you have a concern or if you believe in good faith that a law, a rule or one of the principles in the Code of Ethics has been or is about to be violated, you can report the matter to the relevant Head of Ethics & Business Integrity (Compliance Officer) or to the secured compliance helplines.
A secured communication system is available, composed of a dedicated webpage and a toll-free number available in 28 languages, 24 hours a day, 7 days a week.
Employees will not be disciplined or discriminated against even provided that they act in good faith and with no malicious intent, even if the facts reported proved to be inaccurate or no further action is taken.’
The Compliance Helpline was operated by an external third party. Once a report was received, the Global Ethics and Business Integrity (EBI) Team at Sanofi received a notification of the report and the local Head of EBI was notified to support in initiating an investigation.
All employees were required to undergo training on the Code of Ethics, including an induction session provided by the UK Head of Ethics and Business Integrity to all new joiners, mandatory training courses covering the Code of Ethics, Fighting Corruption, Conflicts of Interests and Essentials of Ethics in the Workplace, and regular updates. Details of the Compliance Helpline were provided in many of these trainings.
Summary
The provisions of Clause 1.11 of the 2019 Code required that pharmaceutical companies must comply with all applicable codes, laws and regulations to which they were subject. In respect of the allegation of a breach of Clause 1.11, Sanofi noted that the PMCPA supervised the ABPI Code of Practice, which focussed on the promotion of medicinal products and related activities. It was not the competent authority for the purposes of codes, laws and regulations applicable to data privacy, and it respectfully suggested that the PMCPA might not properly make adverse findings in relation to these matters. Notwithstanding this, Sanofi had investigated the matters raised by the complainant and had not identified any breaches of the GDPR.
The provisions of Clause 15.9 of the 2019 ABPI Code of Practice required that companies must prepare detailed briefing material for medical representatives on the technical aspects of each medicine which they would promote. Briefing material must not advocate, either directly or indirectly, any course of action which would be likely to lead to a breach of the Code. On the basis of the investigation conducted and of the materials provided by Sanofi, AEs received detailed and clear instructions on the activities that they were asked to participate in as discussed in this complaint, and the evidence provided by the complainant did not prove otherwise. Therefore, Sanofi refuted a breach of Clause 15.9.
The provisions of Clause 9.1 of the 2019 ABPI Code of Practice required that pharmaceutical companies must maintain high standards at all times. Sanofi had demonstrated empathy and sensitivity because due to the sudden and critical changes to the environment caused by Covid in June 2020, the scope of the meeting was changed to respect the situation of health professionals who were under undue pressure. At the same time, steps were taken to understand and consistently address the changes in customer needs. Furthermore, Sanofi had demonstrated that it supported an open culture and encouraged open reporting of any issue through appropriate channels. Based on this, Sanofi refuted a breach of Clause 9.1.
PANEL RULING
The Panel noted that the complainant was anonymous and could not be contacted for further information. The Constitution and Procedure stated that anonymous complaints would be accepted but that like all other complaints, the complainant had the burden of proving his/her complaint on the balance of probabilities. All complaints were judged on the evidence provided by the parties.
The Panel noted the complainant’s concern that under the guise of key account management, he/she was asked to discuss customer and account insights elicited during calls with health professionals which were shared internally which raised a General Data Protection Regulation (GDPR) issue as health professionals were not aware that this data was shared. The complainant was further concerned that this was clearly generating marketing insights, and there was a clear and distinct process for doing this, which was not followed.
The Panel noted that in principle gathering business intelligence was a legitimate activity and insofar as it fell within the scope of the Code had to comply with it. The Panel noted Sanofi’s submission that there was a formal and informal process for the gathering of marketing insights. The formal process was under the remit of market research and was characterised by product- or market-related information. The collection of relevant account information from routine interactions between account executives and customers, which Sanofi considered to be the focus of the complainant’s concerns, was generally an informal process. The Panel did not consider that the complaint concerned formal market research.
The Panel noted Sanofi’s submission that from the interviews conducted, it was confirmed that the account executives were required to share fortnightly any business-relevant information collected during their interactions, by completing and uploading a certified template form in a shared folder with access limited to the sales team and which were discussed in bi-weekly meetings. Account executives were, however, instructed that any customer or patient identifiable information should not be included in any responses provided as per the briefing document. The Panel noted Sanofi’s submission that whilst this was an example of a formal harmonised process, the collection of account insights was generally an informal procedure which was part of account management; the information was gathered spontaneously during promotional calls.
The Panel noted Sanofi’s submission that the primary aim of collecting account insights was to gather information regarding the priorities of Sanofi’s customers in a business-to-business context, not to collect personal data relating to customers as individuals and Sanofi submitted that it had a robust set of policies and processes in place to ensure compliance with data privacy codes, laws and regulations, including the GDPR and employees were appropriately trained. The Panel noted Sanofi’s submission that its Privacy Policy stated that it might collect personal data relating to customers (such as identity and professional data as well as information about their use of Sanofi products and services and communication preferences) from direct interactions with them in order to carry out Sanofi’s business operations and improve and develop its products and services (including customer relationships and experiences) and made it clear that Sanofi might share this information internally within Sanofi.
Sanofi submitted it had not been able to identify the source or any evidence clarifying the use of the spreadsheet provided by the complainant which it stated was limited to a record of business interactions between account executives and customers, with personal data largely limited to customers names. Also, with respect to the enclosure named ‘It customer insights’, the Panel noted Sanofi’s submission that from a GDPR perspective, any insights recorded in the slides were not attributed to individual customers and were not formal marketing insights. As noted above the Panel was unable to contact the complainant for further information about the spreadsheet which contained intelligence information associated with named individuals such as permissions granted and contact channels.
The Panel noted Sanofi’s submission that its investigations had not identified any GDPR breaches associated with the account insight gathering activities highlighted by the complainant and it therefore refuted this allegation. The Panel noted that there did not appear to have been any formal finding by any judicial authority or appropriate body charged with formally determining matters in relation to GDPR. The Panel considered that in the absence of such a formal finding the complainant who bore the burden of proof had not established that Sanofi’s activities with regard to insight gathering had breached GDPR. Accordingly, no breach of Clause 1.11 of the 2019 Code was ruled.
The Panel noted that according to Sanofi’s submission it appeared that within Sanofi there was a difference between market insights gathering for which the policy on market research was followed and the insight gathering of account executives during calls with health professionals as described by the complainant. In relation to process for the fortnightly business intelligence gathering, the Panel noted Sanofi’s submission that this was an example of a formal harmonised process however the collection of account insights was generally an informal procedure. The Panel noted that the spreadsheet provided by the complainant appeared to be part of such informal activity given its heading referred to weekly insights and details of health professionals’ names etc. It was clear that the activity was both formal and informal, the latter was not necessarily unacceptable provided it complied with the Code. The Panel noted Sanofi’s detailed submission about its privacy policies etc. The Panel did not consider that the complainant had established that what he/she described as the clear and distinct process for generating ‘marketing insights’ was not followed as alleged. In the Panel’s view, there was no evidence that high standards had not been adhered to and the Panel ruled no breach of Clause 9.1.
The Panel noted the complainant’s further concern that the original purpose of an engaging key customers event (EKC) held in the summer of 2020 was changed from an exercise to train Sanofi field teams in the art of remote selling during the pandemic to gathering marketing insights covertly through the field teams. The after-action review (AAR) highlighted that as the intent and objective changed, the certified briefing document did not match. The Panel noted Sanofi’s detailed submission with regards to the circumstances surrounding the comments made at the after-action review meeting as highlighted by the complainant. The Panel further noted Sanofi’s submission that although the scope of the meeting was always intended to be a training event, the topic and style of conversation had been revisited because at that time in June 2020, the Covid pandemic was raging and any proactive reference to specific products was removed from the interactions and instead, the focus of the interactions was directed towards understanding the customer needs in relation to the sudden and rapid change in the dynamic of the interactions and the undue pressure they were under due to the Covid situation. The Panel noted Sanofi’s submission that the change in topic was discussed with the leadership team and communicated to the area business managers on 5 June 2020. The Panel further noted Sanofi’s submission that all involved personnel interviewed as part of the investigation were reportedly clear on the intent and scope of the meeting, particularly with reference to the change in scope and all attending account executives were only briefed once in line with the finalised certified scope via Zoom using the briefing slide deck. The Panel noted that this briefing slide deck stated that one of the objectives for the health professionals was appropriate discussion regarding brand which might have caused some confusion. Nonetheless, the weight of the briefing was in relation to account insight gathering.
The Panel further noted that additional guidance on how to frame the insight conversation was also provided to the account executives attending the training. The Panel noted Sanofi’s submission that account executives were instructed to gather, what in the briefing slides and in the certified preparatory slide was referred to as ‘account insights’. This specifically referred to gathering general information on the customer preferences for future interactions, particularly when conducted virtually, and on the overall impact of the pandemic on their practice and requirements.
The Panel noted that according to the briefing for health professionals, the internal Sanofi training event which took place virtually during the week beginning 15 June aimed to support the skills and capabilities around communicating Sanofi product information and promotional messages of Account Executives from the UK & Ireland. The Panel queried if the change in scope of the meeting had been communicated to the health professionals taking part.
Nonetheless, the Panel noted the complainant’s allegation and did not consider that the complainant had established that the account executives had not been briefed on the scope of the meeting that took place and no breach of Clauses 15.9 and 9.1 was ruled.
The Panel noted Sanofi’s submission that no one interviewed during the company investigation recalled any significant issue raised in relation to insights gathering as alleged by the complaint and all demonstrated good awareness and willingness to use, if required, all the channels that Sanofi offered to raise concerns, details of which were provided. The Panel noted Sanofi’s detailed submission in this regard. The Panel did not consider that the complainant had established that his/her concerns had been ignored as alleged and no breach of Clause 9.1 was ruled in that regard.
Complaint received 5 September 2021
Case completed 23 June 2022
