Privacy Policy

SOP/Policy/Manual Number:
PRIO-DA-POL002

Version: 2.0

Author:
Benjamin Ouzia
Data Protection Officer

Approver:
Florent Gros
Chief Executive Officer

QA Approver:
Velina Georgieva

1.  PURPOSE

The Policy provides the principles, guidelines and the Priothera commitments to ensure that Personal Data are processed in accordance with applicable laws and the current Policy.

2.  SCOPE

This Policy applies to all personnel of Priothera Ltd and Priothera SAS including the management, employees, consultants and Priothera Board of Directors.

The Policy applies to all processing activities with regard to Personal Data as conducted by Service Providers under the responsibility of Priothera.

This Policy relates to the Personal Data processing (e.g. collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction).


3.  DEFINITIONS AND ABBREVIATIONS

CDA: Confidentiality Disclosure Agreement
Data Privacy: Data privacy generally means the ability of a person to determine for themselves when, how, and to what extent personal information about them is shared with or communicated to others.
Data Subject: As defined by GDPR, Data Subject refers to any living individual whose Personal Data is collected, held or processed by an organization.
DPA: Data Processing Agreement
EEA: European Economic Area
GDPR: General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area.
MSA: Master Services Agreement
OECD: Organization for Economic Cooperation and Development
Personal Data: As defined by GDPR, Personal Data means any information relating to an identified or identifiable natural person (the Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
SOP: Standard Operating Procedure
SP: Service Provider

4.  PRINCIPLES

Priothera outsources the conduct of its clinical studies to Service Providers (SPs); Data Subject data are therefore held by the SPs under their applicable SOPs.

All Personal Data processed by or on behalf of Priothera shall be relevant to the purposes for which they are to be used, and processed only to the extent necessary for those purposes.

The principles of this Policy are based upon the following:

  • General Data Protection Regulation (GDPR)
  • UK GDPR
  • Fair Information Principles from the Organization for Economic Cooperation and Development (OECD)

Priothera is committed to ensuring that Personal Data are processed in accordance with all applicable laws within EEA (European Economic Area) related to Data Processing Agreement (DPA) and GDPR, and in accordance with UK GDPR.

Priothera is committed to processing data relating to an identified or identifiable natural person called Personal Data for its business processes, lawfully and in a reliable and secure way.

Priothera is committed to ensuring that Priothera employees and consultants are regularly trained on the current Policy and its related principles.

Priothera is committed to protecting the Personal Data and information of its clients and the personal information of its personnel. All work is conducted under the terms of mutually agreed Confidentiality Disclosure Agreements (CDAs).

Data Subjects whose Personal Data are or may be processed by Priothera shall have the right:

  1. to obtain confirmation from Priothera and/or the SP as to whether Priothera processes Personal Data relating to such Data Subject;
  2. to receive complete information on their Personal Data, if any, within a reasonable time period, free of charge, in a reasonable manner, and in a form that is readily intelligible to the Data Subject;
  3. to be given reasons if a request made under (1) or (2) is denied, and to be able to challenge such denial; and to challenge data relating to the Data Subject and, if the challenge is successful, to have the Personal Data erased, rectified, completed or amended, unless Priothera is required to retain such Personal Data to fulfil its obligations under applicable laws (e.g., labor law, tax law, or clinical trial regulations);
  4. to receive assurance that Personal Data processed for any purpose or purposes will not be kept for longer than is necessary or required for that purpose or those purposes.

5.  RESPONSIBILITIES

The main responsibilities of the following roles and functions are summarized in the table below:

Any employee or consultant is responsible for:

  • Complying with the current Policy
  • Complying with the applicable laws
  • Enforcing the Policy within Priothera and with their Service Providers

The CEO is responsible for:

  • Ensuring that those processing Personal Data have policies and procedures in place describing the guidelines and specific measures for handling the Personal Data they process
  • Assigning a Data Protection Officer for conducting, implementing and checking Priothera operations sites
  • Ensuring that any external communication about matters relating to the protection of Personal Data is issued in compliance with the current Policy
  • Ensuring that an adequate mechanism is in place to inform employees, consultants and SPs about developments in applicable laws

The Data Protection Officer is responsible for:

  • Informing and advising Priothera and its employees on the applicable laws relating to the protection of Personal Data and Priothera's obligations under applicable laws
  • Monitoring compliance and the impact of new and existing processing activities involving Personal Data
  • Cooperating with authorities when applicable

6.  POLICY

6.1 Data Privacy

6.1.1 Data Subject data held by SPs on behalf of Priothera are governed by the Data Privacy and Confidentiality terms agreed in the Master Services Agreement (MSA) between Priothera and the SP.

6.1.2 Requests for access to personal information of Data Subjects, employees or consultants, whether internal or from an external source, should be referred to the Data Protection Officer and the Chief Executive Officer.

6.1.3 Personal Data shall not be disclosed, made available or otherwise used for purposes other than those specified, except:

  • with the consent of the Data Subject
  • where required to fulfil Priothera's obligations under applicable laws
  • where authorized by applicable laws

6.1.4 Personal Data shall not be transferred to a country or territory. Transfer of Personal Data between affiliated companies within Priothera shall be done in accordance with appropriate safeguards to ensure the protection of Personal Data in accordance with applicable laws.

6.1.5 Where processing is to be carried out on behalf of Priothera, Priothera shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of applicable laws and ensure the protection of the rights of the Data Subjects.

6.1.6 Personal Data shall be protected by adequate security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

6.1.7 The purposes for which Personal Data are processed shall be specified not later than at the time of data collection, and the subsequent processing shall be limited to the fulfilment of those purposes, or such others as are not incompatible with those purposes, and as are specified on each occasion of change of purpose.

6.2 Data Subject Confidentiality

6.2.1 Priothera employees and consultants would not usually have direct access to Data Subject data. If, however, Data Subject data are received erroneously, the following should be implemented:

The recipient of the Data Subject data immediately notifies the sender and informs them that the document will be securely destroyed. Secure destruction entails:

  • Paper documents – the recipient obscures the Data Subject data on the document with a permanent black marker before shredding the document
  • Electronic documents – the recipient deletes the document from all applicable IT systems

6.2.2 If the recipient requires the document to perform their duties, they either:

  • request a confidential version of the document from the sender before securely destroying the document containing the Data Subject data, or
  • redact the Data Subject data themselves, by:

  • obscuring the Data Subject data using a black permanent marker on a paper copy of the document;
  • photocopying the page until it is impossible to see the Data Subject data, even if the page is turned or held up to the light;
  • securely destroying any paper or electronic copies of the document containing the Data Subject data;
  • scanning the new confidential version of the document so that there is both a paper and an electronic version.

6.3 Access and Management of Former Employee Email Accounts

Employees should not engage in private communications (particularly those involving personal data) using the corporate email address. When an employee leaves the company, their manager and the IT SP can have access to their email account. Before leaving, the employee must remove all private information, particularly personal data, that they do not want to share.

7.  HISTORY OF CHANGES

Date: 23 JUN 2021
Version Number: 1.0
Log of changes and reason (include reviews where changes were not required): Initial version

8.  RELATED SOPS/POLICIES

None

9.  REFERENCES

General Data Protection Regulation 2016/679

UK GDPR

10.  LIST OF ATTACHMENTS

None