GDPR POLICY

1         About GDPR

The European Union (EU) General Data Protection Regulation, or GDPR, is a comprehensive data privacy law designed to safeguard personal data and privacy for citizens and legal residents of the EU and European Economic Area (EEA). The United Kingdom (UK) and Switzerland (Swiss) have parallel laws. Throughout this document, the use of EU encompasses EU, UK, and Swiss GDPR. EU GDPR was approved in 2016 with full compliance enforced starting 25 May 2018 and addresses targeting or collecting personal data within and outside the EU and EEA. GDPR gives individuals control over their data and how it is collected and used. Failure to comply with GDPR can result in harsh fines and penalties. While GDPR is an EU law, it is administered by individual member states (see https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.

2         About this GDPR policy

This policy outlines how Immunologix Laboratories adheres to GDPR and can be found here: https://www.immunologixlabs.com/gdpr-policy. Immunologix complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) set forth by the U.S. Department of Commerce. The EU-U.S. DPF is considered an adequate GDPR data protection method for U.S. companies that make a public commitment to adhere to DPF principles. For additional details regarding the types of personal information that Immunologix Laboratories collects and processes and how this information is used and disclosed, see the Immunologix Laboratories Privacy Policy (https://www.immunologixlabs.com/privacy-policy).

3         GDPR Definitions

Personal Data – Personal data is any information that relates to an individual who can be directly or indirectly identified. Examples include names and email addresses. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data.

Data Processing – Any action performed on data, whether automated or manual, including collecting, recording, organizing, structuring, storing, using, and erasing.

Data Subject – The identified or identifiable person whose data is collected and processed.

Data Controller – The legal person, public authority, agency, or any other body that decides why and how personal data will be processed.

Data Importer – The data controller or processor located in a non-EU country that receives data from a Data Exporter.

Data Exporter – A data controller or processor within the EU that transfers personal data to a Data Importer in a third country. The data exporter is responsible for ensuring that the transfer complies with GDPR requirements, including implementing appropriate safeguards to protect the transferred data.

Data Processor – A legal person, public authority, agency, or other body that processes personal data on behalf of a data controller.

Data Protection Officer (DPO) – Senior member responsible for overseeing an organization’s data protection strategy and ensuring compliance with GDPR requirements. The DPO must report to the highest levels of management in the organization and is bound by confidentiality. Additional details can be found below.

4         GDPR Data Protection Principles

Processing of data must be lawful, fair, and transparent to the data subject. Data must be processed for legitimate purposes, as detailed in the Immunologix Laboratories Privacy Policy and other guiding documents. Immunologix collects the minimum personal data necessary for the specified purpose. Whenever possible, personal data should be kept accurate and up to date. Data should only be stored for the specified purpose. Processing of personal data must be done in a way that ensures security, integrity, and confidentiality. Data Subjects have the right to withdraw consent to use their data and may ask that any personal data stored at Immunologix be erased.

5         GDPR Accountability

Immunologix is a data controller that collects personal data from website visitors, industry professionals, customers, and job applicants in the EU. When receiving pseudonymized clinical and medical information for clinical protocols, Immunologix is a data importer/processor. Data controllers/exporters for clinical and medical personal data (the study sponsor) must demonstrate their GDPR compliance. As a data processor, Immunologix must maintain detailed documentation on the data being collected, how it is used, where it is stored, and which employees are responsible for it. The DPO must ensure that staff handling confidential data are trained in handling data subject to GDPR. Immunologix generally does not share confidential private information outside of the company. However, should sharing data with a third-party organization be necessary, a data processing agreement must be established to govern how the third party handles personally identifiable data.

6         Standard Contractual Clauses

Standard Contractual Clauses (SCCs) are legal tools provided under GDPR to ensure that personal data transferred from the EU to countries outside the EU is adequately protected. SCCs are designed to provide appropriate data protection safeguards for international data transfers. These clauses are pre-approved by the European Commission, meaning they meet the GDPR’s requirements for data protection. Organizations can incorporate SCCs into their contracts to comply with GDPR when transferring personal data to third countries. For studies with samples drawn from EU patients, SCCs must be appended to the Immunologix Scope of Work (SOW), Master Services Agreement (MSA), or Data Processing Agreement (DPA).

7         GDPR Breaches and Potential Penalties

Breaches to GDPR should be reported to the data controller without delay. For the EU, fines up to €10 million, or 2% of worldwide annual revenue (whichever is higher), are possible for breaches due to the conduct of controllers and processors. Fines of up to €20 million, or 4% of worldwide annual revenue (whichever is higher), may be levied for violating basic principles of processing, conditions of consent, the data subjects’ rights, or transfer to a third-party without a data processing agreement and disclosure to the data subject. Fines for or other Supervisory Authorities are unique to each locale. In the event of a breach, the DPO will serve as the point of contact for data protection supervision authorities.

8         GDPR Responsibilities for the Data Protection Officer (DPO)

The role is assigned to ensure proper handling of the personal data of citizens and residents of the EU. The Immunologix Laboratories Organization Chart identifies the DPO under the Critical Roles section.

The DPO must be involved and informed of any issues relating to protecting personal data. The DPO has six main tasks:

  1. Receive comments and questions from data subjects regarding the processing of their data
  2. Inform employees of their obligations under GDPR
  3. Monitor compliance with GDPR, train staff, and perform annual compliance reviews
  4. Perform data impact assessments (if necessary)
  5. Cooperate with data protection supervision authorities when appropriate
  6. f) Be the point of contact in the event of a breach

9         Independent Resolution Mechanism

Immunologix has committed to refer unresolved EU privacy-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. For additional information regarding this service, see the Immunologix Laboratories Privacy Policy (https://www.immunologixlabs.com/privacy-policy).

10     Review and Changes to this Policy

Data integrity practices at Immunologix are reviewed regularly. The Immunologix Laboratories GDPR Policy will be reviewed annually to ensure compliance with EU regulations. Updates will be published and available here: https://www.immunologixlabs.com/gdpr-policy.

11     Legal Status of the Immunologix Laboratories GDPR Policy

GDPR is designed to protect the privacy of Data Subjects who are citizens and legal residents of the EU. Immunologix may occasionally collect and handle data from EU citizens and residents, therefore making necessary efforts to comply with GDPR. Additionally, many of the concepts contained within the GDPR apply to the California Consumer Privacy Act (CCPA) of 2018, a US state-level regulation regarding data protection for residents of California. The Immunologix Laboratories GDPR Policy is not a contract and does not create any legal rights or obligations. Immunologix reserves the right to modify or amend this policy at any time.

General inquiries regarding the processing of personal data should be submitted in writing to privacy@immunologixlabs.com. To withdraw consent for Immunologix Laboratories to use personal data and have any personal data stored at Immunologix Laboratories deleted, contact GDPR@immunologixlabs.com. A reply will be sent with a summary outlining the data stored and the final data disposition.