This notice is effective 18 May 2020 and last updated 18 November 2022.
Almac Group Limited and its affiliates (collectively “Almac”) is committed to preserving the privacy of all individuals that share their information with Almac as an employer and a global service provider of contract pharmaceutical support services. Almac is committed to ensuring that if we handle information about any individual, we do so with full regard to the individual’s privacy and in full compliance with applicable laws on data privacy and confidentiality.
Almac has put in place internal policies to ensure that our employees are fully aware of the legal requirements relating to data privacy and confidentiality.
By registering on any Almac site, you consent to the collection, use and transfer of your information under the terms of this policy.
TYPES OF INFORMATION THAT WE COLLECT FROM YOU AND HOW IT WILL BE USED
“Personal Data” means any information or set of information that identifies or can reasonably be used to identify an individual and includes in the context of GDPR all information defined as “Personal Data” within GDPR, comprising any information relating to an identified or identifiable natural person, where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data does not include information that is anonymous.
SENSITIVE PERSONAL DATA
References to “Sensitive Personal Data” in this Policy includes (in the context of GDPR) “Special Categories of Personal Data” (as such term is defined in GDPR) comprising personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, as well as information about criminal convictions and offences. References to Sensitive Personal Data in the Policy shall also include for the purposes of the Swiss-US Privacy Framework ideological views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings. Almac will process information as Sensitive Personal Information as appropriate and comply with applicable laws in respect of such processing (see Section 3 below for further details). Additionally, information will be treated as Sensitive Personal Data where it is received from a third party that treats and identifies it as sensitive.
1. ALMAC AS A DATA CONTROLLER
Almac as a data controller, will collect, process, and store certain Personal Data and Sensitive Personal Data including, but not limited to, the examples listed below.
- (a) Employee Data
Almac will collect Personal Data and Sensitive Personal Data of Almac employees, workers, contractors and applicants seeking employment with Almac as well as students or other individuals engaging in Almac programmes (such as STEM outreach initiatives). As a data controller, Almac determines the purpose and means of such processing. Almac collects and processes all employee information of staff for human resource purposes, including payroll, tax and performance reviews and assessments. Almac also collects Personal Data and information from applicants (who may be existing employees or external individuals) who apply to recruitment offers and positions (either directly or through an employment agency). This information may include contact details, professional qualifications, previous professional experience, references and relevant background checks. External advisors and consultants’ information will be collected and processed in the same manner and in accordance with Almac’s standard operating procedures.
- (b) Marketing and Website Visitors
Almac will collect and process Personal Data, including names and contact details, of customers, prospective customers and other business contacts in the course of our marketing activities and other legitimate business related purposes.
When you visit or register on any Almac website, you may be asked to voluntarily provide certain information about yourself, including your name and contact details. We may also collect information about you from e-mails, letters or business cards you provide to us. We may use your information to contact you for your views on our services and to notify you occasionally about important changes or developments to the site or our services. Further, where you have consented, we might also use your information to let you know about other products and services which we offer which may be of interest to you and we may contact you by post, telephone or fax, as well as by e-mail. If you change your mind about being contacted in the future, please let us know, either by availing of the “unsubscribe” option in our marketing-related correspondence or by contacting us (see Section 8).
- (c) Suppliers, Site Visitors and Virtual Audits
Almac may be required from time to time to process information relating to consultants, contractors, suppliers and other third parties engaged by Almac to provide services to it or who otherwise visit our premises (including for example, for the protection of health and wellbeing of personnel on site, site security records and CCTV for the purposes of maintaining site security, and which are in accordance with our standard operating procedures). Almac may also be required to process information of individuals on site (including employees) as part of filming for, or otherwise performing, virtual audits. There are prominent notices at the relevant locations throughout our sites where filming for virtual audits occurs and where CCTV is in operation.
- (d) Regulatory and Pharmacovigilance Activities
Almac may collect and process medical information queries, complaints and adverse event reports in connection with pharmacovigilance activities that we are required to perform as a legal obligation (e.g., reporting these to relevant regulatory bodies) or that we are otherwise contracted to perform on behalf of our customers or commercial partners.
2. ALMAC AS A DATA PROCESSOR
Almac may at times process Personal Data (and, if applicable, Sensitive Personal Data) during the provision of its service offering as a data processor, acting on behalf of its clients or other third party sponsors. At all times, Almac shall process the Personal Data and Sensitive Personal Data in accordance with the client/sponsor’s instructions, who are the controllers of such data. Almac does not control the purpose for which the Personal Data or Sensitive Personal Data, is collected, processed or stored. The following are non-exhaustive examples of where Almac acts as a data processor for clients or other third party sponsors:
a) CONTRACT PHARMACEUTICAL SUPPORT SERVICES
Almac provides contract pharmaceutical support services on a global scale, which includes but are not limited to, formulation and development, analytical testing, manufacture, packaging, labelling and distribution services (and such distribution services may also include direct-to-patient shipments from clinical sites directly to patient’s homes, where Almac act as data processor on behalf of our clients/sponsors who are the data controller).
b) IXRS SYSTEM
Almac develops and maintains interactive voice and web response systems (“IXRS”) on behalf of clients/sponsors. Almac may receive and process Personal Data and Sensitive Personal Data as data processor (on behalf of client/sponsor’s) in relation to patients enrolled in Almac-supported clinical trials. This Personal Data and Sensitive Personal Data may include (but is not limited to) patient initials, date/year of birth, sex, health-related information, telephone numbers and e-mail addresses.
c) DIAGNOSTIC SERVICES
Almac provides a wide range of services to biopharma companies including pre-clinical biomarker discovery and companion diagnostic development. Almac as a data processor may receive Personal Data and Sensitive Personal Data from client/sponsor’s patients enrolled in clinical trials which may include (but is not limited to) patient initials, date/year of birth, sex, race and ethnicity. Almac shall process the Personal Data and Sensitive Personal Data on behalf of the client/sponsor for the purposes of carrying out biomarker analysis by Almac, at all times in accordance with the client/sponsor’s instructions.
d) WEBEZ SYSTEM
Almac develops and maintains a randomization and drug ordering system (“WebEZ”) on behalf of clients/sponsors. Almac may receive and process Personal Data and Sensitive Personal Data as data processor (on behalf of client/sponsor) in relation to this WebEZ system.
e) CLIENT/SPONSOR CONTACT DETAILS
Almac may process Personal Data (comprising name and contact details) of client/sponsor’s employees or other individuals acting on behalf of client/sponsor, as an incidental part of providing services to client/sponsor.
3. LEGAL BASIS FOR PROCESSING (WHERE ALMAC ACTS AS A DATA CONTROLLER)
Unless we specify at the point of collection that we are relying on a data subject’s consent to process their Personal Data (in which case we will comply fully with all applicable legal requirements in relation to consent, including under GDPR) Almac relies on one or more of the other legal bases available for processing Personal Data, including (from a GDPR perspective):
- (i) the processing is necessary for the purposes of the legitimate interests pursued by Almac or by a relevant third party;
- (ii) the processing is necessary for compliance with a legal obligation;
- (iii) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
- (iv) the processing is necessary to protect the vital interests of the data subject or another individual.
Where Sensitive Personal Data is processed, GDPR requires us to have (as well as one of the legal grounds described above), an additional legal ground to justify using this sensitive information. The appropriate additional legal ground will depend on the circumstances and includes (a) processing that is necessary for carrying out obligations and exercising specific rights in the field of employment or social security, (b) processing in connection with the establishment, exercise or defence of legal claims, (c) processing that is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices, and (d) explicit consent of the data subject – where we choose to rely on consent to process Sensitive Personal Data we always obtain the explicit consent of the individual data subjects concerned.
Almac will also conduct Data Protection Impact Assessments (“DPIA”) as and when required, and in accordance with applicable law, taking into account, inter alia the nature, scope, context and purposes of the processing. Such DPIAs include a description of the processing operations and purposes of processing, the necessity and proportionality of the processing operations in relation to the purposes, the risks to the rights of data subjects and controls to mitigate the risks
4. DISCLOSURE OF INFORMATION
The information you provide to us may be held on our computer systems in the UK (or in respect of information provided to our affiliates outside the UK, in the jurisdictions where those affiliates are established). This information may be accessed by or given to our staff or other third parties (including third party service providers) working either within or outside the UK, for the purposes set out in this policy or for other purposes approved by you. At times, personal information will be shared by Almac with companies working as agents of Almac and third parties strictly on a “need to know” basis and to satisfy business requirements. Almac does not trade or sell any personal information. Under certain circumstances, Almac may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Finally, if our business enters into a joint venture with or is sold to or merged with another business entity, your information may be disclosed to our new business partners or owners.
5. SECURITY AND DATA RETENTION
Almac has implemented both organizational and technological measures to protect Personal Data and Sensitive Personal Data against accidental or unlawful destruction, loss, alteration, disclosure or access including, but not limited to, documented policies, procedures, and instructions, documented training, physical and logical secure access, role based access to minimum level required for job functionality, and data encryption. Your information will only be retained for as long as necessary for the purposes of the processing.
6. TRANSFERS OUTSIDE OF THE EUROPEAN UNION AND COMPLIANCE WITH THE EU-U.S. PRIVACY SHIELD FRAMEWORK AND SWISS-U.S. PRIVACY SHIELD FRAMEWORK
Almac is a global service provider with sites and operations worldwide. Almac has put in place measures to ensure that adequate protection is provided to such data where legally mandated. Countries outside the European Union do not always have strong data protection laws. However, we will always take steps as a data controller to ensure that your information is used by third parties in accordance with this policy, and applicable laws (including GDPR). For example, Almac has entered into EU approved Model/Standard Contractual Clauses for the purpose of transferring personal information from the European Union.
Almac Clinical Technologies complies with the EU-U.S. Privacy Shield Framework (as well as the SWISS-U.S. Privacy Shield Framework) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of non-HR personal information transferred from the European Union to the United States (and from Switzerland to the United States, in respect of the SWISS-U.S. Privacy Shield Framework), together the “Privacy Shield Principles”.
Almac’s accountability for Personal Data/Sensitive Personal Data that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Almac remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Privacy Shield Principles, unless Almac proves that it is not responsible for the event giving rise to the damage. As further explained in Section 9 below, we encourage you to contact us in the first instance should you have a Privacy Shield-related (or general privacy-related) complaint.
7. ACCESSING AND UPDATING YOUR INFORMATION
Your information will only be used for the purpose for which it was originally collected and which you have consented to. You have the right to know what Personal Data/Sensitive Personal Data is held by Almac as data controller and to ensure that such data is accurate and relevant for the purposes for which Almac collected it. Upon reasonable request and as required by applicable law (including GDPR and the Privacy Shield Principles as defined in Section 6), Almac allows you to access your Personal Data/Sensitive Personal Data held by Almac as data controller, in order to request the correction, amendment or deletion of such data that you demonstrate to be incorrect or incomplete at any time, or where such data is being processed in violation of applicable law (including GDPR and the Privacy Shield Principles), or where such data is no longer necessary in relation to the purposes for which it was collected, or to request a limiting of the use and disclosure of your personal data. Such requests can be made by contacting Almac by email or otherwise in writing (using the contact details set out in Section 8). Requests from Almac employees may also be made to Almac’s HR Department. Almac will respond in a timely manner to all reasonable requests to access, amend or delete any such Personal Data/Sensitive Personal Data, and in accordance with applicable law (including, where relevant, the Privacy Shield Principles), and reserves the right to charge up to the maximum fee payable (as permitted by applicable law) for such requests in order to cover administration costs.
Where Almac is a data processor, Almac will direct you to the relevant client/sponsor who is the data controller of the Personal Data/Sensitive Personal Data.
Additional Privacy Statement for Residents of the State of California, USA
California consumers have a right to knowledge, access, and deletion of their personal information under the California Consumer Privacy Act. California consumers also have a right to opt out of the sale of their personal information by a business and a right not to be discriminated against for exercising one of their California privacy rights. Almac does not sell or trade any personal information and does not discriminate in response to privacy rights requests.
Please contact us at the address below if you have any comments, queries, requests or complaints relating to our use of your information.
Almac Data Protection Officer
20 Seagoe Industrial Estate
Email address: [email protected]
9. DISPUTE RESOLUTION
Almac has put in place mechanisms to verify our ongoing adherence to these privacy principles. We encourage individuals covered by this policy to raise any concerns that they have about the way that we process their Personal Data/Sensitive Personal Data by contacting us at the contact address above in the first instance, and we will endeavour to resolve them promptly. Please contact the Almac Data Protection Officer with any concerns about the use of your Personal Data/Sensitive Personal Data. Almac will respond in a timely manner to such complaints, and in accordance with applicable law (including, where relevant, the Privacy Shield Principles, which requires the data controller to respond to a complaint from a data subject within 45 days of receiving the complaint).
For any Privacy Shield-related complaints that cannot be resolved with Almac directly, Almac commits to cooperate with the panel established by the EU data protection authorities (DPAs) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable, and comply with the advice given by the panel and/or Swiss Commissioner, as applicable, with regard to data transferred to the U.S. from the EU and/or Switzerland. Please contact us to be directed to the relevant DPA and/or Swiss Commissioner contacts.
You also have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding EU/U.S. Privacy Shield and/or Swiss/U.S. Privacy Shield compliance not resolved by any of the other mechanisms set out in the Privacy Shield Principles – see the following link for additional information: https://www.privacyshield.gov/article?id=ANNEX-I-introduction
Any changes to our Policy in the future will be posted to our website at www.almacgroup.com.
Almac may from time to time collect information from you by using “cookies”. At Almac, we are strongly committed to protecting your privacy and as such we want to ensure that you are always aware of how we are using cookies on our websites and how this may affect you.
WHAT ARE COOKIES?
A cookie is a text file that is placed on your computer, mobile phone or tablet by the websites. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you.
- Measuring how many people are using the different areas of the websites so that popular sections can be improved.
- Analysing anonymous data to help us understand how visitors interact with the websites so we can improve the services offered.
- Enabling a service to recognise your computer so you don’t have to give the same information several times during one task.
Cookies may be used on our customer facing applications, and although we are not actively storing any information pertaining to the user in a form of a cookie, some of the application servers which Almac uses may write temporary files to enable them to perform as part of their normal usage. This data is not recorded by Almac.
Cookies do not usually contain personally identifiable information, and if at times Almac requires you to register your information, the cookie which is associated with your registration information is used in a limited manner to allow Almac to offer increased functionality of our websites. We do not share any of our data with any third parties. The personal or system information is not stored in the cookie.
Almac also uses industry standard web analytics to track web visits, Google Analytics. The information generated by the cookie about your use of our websites (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our websites, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may opt out of web analytics by installing these tools on your computer: https://tools.google.com/dlpage/gaoptout