Global Data Protection and Privacy Policy

This notice is effective 17 July 2017 and last updated 17 July 2017

Almac Group Limited and its affiliates (collectively “Almac”) is committed to preserving the privacy of all individuals that share their information with Almac as an employer and a global service provider of contract pharmaceutical support services. Almac is committed to ensuring that if we handle information about any individual, we do so with full regard to the individual’s privacy and in full compliance with applicable laws on data privacy and confidentiality.

Our Global Data Protection and Privacy Policy (“Policy”) will define the main types of personal information that we may have access to and process within our organisation; how we use any personal information; and the steps which are taken to protect the information that you provide to us. The Policy also sets out how Almac complies with data privacy laws and regulations, including the European Data Protection Directive (95/46/EC), and where applicable the principles of the EU-US Privacy Shield and Swiss-US Privacy Shield, and other national laws implementing data privacy and confidentiality requirements.

Almac has put in place internal policies to ensure that our employees are fully aware of the legal requirements relating to data privacy and confidentiality.

By registering on any Almac site, you consent to the collection, use and transfer of your information under the terms of this policy.

TYPES OF INFORMATION THAT WE COLLECT FROM YOU AND HOW IT WILL BE USED

PERSONAL DATA

“Personal Data” means any information or set of information that identifies or can reasonably be used to identify an individual. Personal Data does not include information that is encrypted or anonymous.

SENSITIVE PERSONAL DATA

“Sensitive Personal Data” means personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health (including “protected health information”) or sex life. References to Sensitive Personal Data in the Policy shall also include for the purposes of the Swiss-US Privacy Framework ideological views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings. Almac will process information as Sensitive Personal Information as appropriate. Additionally, information will be treated as Sensitive Personal Data where it is received from a third party that treats and identifies it as sensitive.

          1. ALMAC AS A DATA CONTROLLER

Almac, as a data controller, will collect, process, and store Personal Data and Sensitive Personal Data of Almac employees, at all times in accordance with requirements of applicable laws. As a data controller, Almac determines the purpose and means of such processing. Almac collects and processes all employee information of staff for human resource purposes, including payroll, tax and performance reviews and assessments. This may include Personal Data and Sensitive Personal Data. Almac also collects Personal Data and information from applicants (who may be employees or external individuals) who apply to recruitment offers and positions. This information may include contact details, professional qualifications, previous professional experiences and references. External advisors and consultants’ information will be collected and processed in the same manner and in accordance with Almac’s standard operating procedures.

When you visit or register on any Almac website, you may be asked to voluntarily provide certain information about yourself, including your name and contact details. We may also collect information about you from e-mails or letters you send to us. We may use your information to contact you for your views on our services and to notify you occasionally about important changes or developments to the site or our services. Further, where you have consented, we might also use your information to let you know about other products and services which we offer which may be of interest to you and we may contact you by post, telephone or fax, as well as by e-mail. If you change your mind about being contacted in the future, please let us know.

          2. ALMAC AS A DATA PROCESSOR

Almac may at times process Personal Data (and, if applicable, Sensitive Personal Data) during the provision of its service offering as a data processor, acting on behalf of its clients or other third party sponsors. At all times, Almac shall process the Personal Data and Sensitive Personal Data in accordance with the instructions of the clients/sponsors, who are the controllers of such data. Almac does not control the purpose for which the Personal Data or Sensitive Personal Data is collected, processed or stored. The following are non-exhaustive examples of where Almac acts as a data processor for clients or other third party sponsors:

          a) CONTRACT PHARMACEUTICAL SUPPORT SERVICES

Almac provides contract pharmaceutical support services on a global scale, which include, but are not limited to, formulation and development, manufacture, packaging, labelling and distribution services.

          b) IXRS SYSTEM

Almac develops and maintains interactive voice and web response systems (“IXRS”) on behalf of clients/sponsors. Almac may receive and process Personal Data and Sensitive Personal Data as data processor (on behalf of clients/sponsors) in relation to patients enrolled in Almac-supported clinical trials. This Personal Data and Sensitive Personal Data may include (but is not limited to) patient initials, date/year of birth, sex, health-related information, telephone numbers and e-mail addresses.

          c) DIAGNOSTIC SERVICES

Almac provides a wide range of services to biopharma companies including pre-clinical biomarker discovery and companion diagnostic development. Almac as a data processor may receive Personal Data and Sensitive Personal Data from client/sponsor’s patients enrolled in clinical trials which may include (but is not limited to) patient initials, date/year of birth, sex, race and ethnicity. Almac shall process the Personal Data and Sensitive Personal Data on behalf of the client/sponsor for the purposes of carrying out biomarker analysis by Almac, at all times in accordance with the client/sponsor’s instructions.

          d) WEBEZ SYSTEM

Almac develops and maintains a randomization and drug ordering system (“WebEZ”) on behalf of clients/sponsors. Almac may receive and process Personal Data and Sensitive Personal Data as data processor (on behalf of clients/sponsors) in relation to this WebEZ system.

          3. DISCLOSURE OF INFORMATION

The information you provide to us may be held on our computer systems in the UK (or in respect of information provided to our affiliates outside the UK, in the jurisdictions where those affiliates are established). This information may be accessed by, or given to our staff or other third parties (including third party service providers) working either within or outside the UK, for the purposes set out in this policy or for other purposes approved by you. At times, personal information will be shared by Almac with companies working as agents of Almac and third parties strictly on a “need to know” basis and to satisfy business requirements. Almac does not trade or sell any personal information. Under certain circumstances, Almac may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Finally, if our business enters into a joint venture with or is sold to or merged with another business entity, your information may be disclosed to our new business partners or owners.

          4. SECURITY AND DATA RETENTION

Almac has implemented both organizational and technological measures to protect Personal Data and Sensitive Personal Data against accidental or unlawful destruction, loss, alteration, disclosure or access including, but not limited to, documented policies, procedures, and instructions, documented training, physical and logical secure access, role based access to minimum level required for job functionality, and data encryption. Your information will only be retained for as long as necessary for the purposes of the processing.

          5. TRANSFERS OUTSIDE OF THE EUROPEAN UNION AND COMPLIANCE WITH THE EU-U.S. PRIVACY SHIELD FRAMEWORK AND SWISS-U.S. PRIVACY SHIELD FRAMEWORK

Almac is a global service provider with sites and operations worldwide.  Almac has put in place measures to ensure that adequate protection is provided to such data where legally mandated. Countries outside the European Union do not always have strong data protection laws. However, we will always take steps as a data controller to ensure that your information is used by third parties in accordance with this policy. For example, Almac has at times entered into EU approved Model/Standard Contractual Clauses for the purpose of transferring personal information from the European Union.

Almac Clinical Technologies complies with the EU-U.S. Privacy Shield Framework (as well as the SWISS-U.S. Privacy Shield Framework) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States (and from Switzerland to the United States, in respect of the SWISS-U.S. Privacy Shield Framework), together the “Privacy Shield Principles”.

Almac Clinical Technologies has certified to the Department of Commerce that it adheres to the Privacy Shield Principles (including to the SWISS-U.S. Privacy Shield Framework). If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. Almac is committed to subject to the Privacy Shield Principles all personal data transferred to the US from the EU (and Switzerland, as applicable) in reliance on the Privacy Shield. The Federal Trade Commission has jurisdiction over Almac Clinical Technologies’ compliance with the Privacy Shield Principles. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

Almac’s accountability for Personal Data/Sensitive Personal Data that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Almac remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Privacy Shield Principles, unless Almac proves that it is not responsible for the event giving rise to the damage. As further explained in Section 8 below, we encourage you to contact us in the first instance should you have a Privacy Shield-related (or general privacy-related) complaint.

          6. ACCESSING AND UPDATING YOUR INFORMATION

Your information will only be used for the purpose for which it was originally collected and which you have consented to. You have the right to know what Personal Data/Sensitive Personal Data is held by Almac as data controller and to ensure that such data is accurate and relevant for the purposes for which Almac collected it. Upon reasonable request and as required by applicable law (including the Privacy Shield Principles as defined in Section 5), Almac allows you to access your Personal Data/Sensitive Personal Data held by Almac as data controller, in order to request the correction, amendment or deletion of such data that you demonstrate to be incorrect or incomplete at any time, or where such data is being processed in violation of applicable law (including the Privacy Shield Principles). Such requests can be made by contacting Almac by email or otherwise in writing (using the contact details set out in Section 7). Requests from Almac employees may also be made to Almac’s HR Department. Almac will respond in a timely manner to all reasonable requests to access, amend or delete any such Personal Data/Sensitive Personal Data, and in accordance with applicable law (including, where relevant, the Privacy Shield Principles), and reserves the right to charge up to the maximum fee payable (as permitted by applicable law) for such requests in order to cover administration costs.

Where Almac is a data processor, Almac will direct you to the relevant client/sponsor who is the data controller of the Personal Data/Sensitive Personal Data.

          7. CONTACT

Please contact us at the address below if you have any comments, queries, requests or complaints relating to our use of your information.

Almac Data Protection Officer

Almac House

20 Seagoe Industrial Estate

Craigavon

BT63 5QD

Email address: dataprotectionofficer@almacgroup.com

          8. DISPUTE RESOLUTION

Almac has put in place mechanisms to verify our ongoing adherence to these privacy principles. We encourage individuals covered by this policy to raise any concerns that they have about the way that we process their Personal Data/Sensitive Personal Data by contacting us at the contact address above in the first instance, and we will endeavour to resolve them promptly. Please contact the Almac Data Protection Officer with any concerns about the use of your Personal Data/Sensitive Personal Data. Almac will respond in a timely manner to such complaints, and in accordance with applicable law (including, where relevant, the Privacy Shield Principles, which require the data controller to respond to a complaint from a data subject within 45 days of receiving the complaint).

For any Privacy Shield-related complaints that cannot be resolved with Almac directly, Almac commits to cooperate with the panel established by the EU data protection authorities (DPAs) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable, and comply with the advice given by the panel and/or Swiss Commissioner, as applicable, with regard to data transferred to the U.S. from the EU and/or Switzerland. Please contact us to be directed to the relevant DPA and/or Swiss Commissioner contacts.

You also have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding EU/U.S. Privacy Shield and/or Swiss/U.S. Privacy Shield compliance not resolved by any of the other mechanisms set out in the Privacy Shield Principles – see the following link for additional information: https://www.privacyshield.gov/article?id=ANNEX-I-introduction

          9. CHANGES TO OUR PRIVACY POLICY

Any changes to our Policy in the future will be posted to our website at www.almacgroup.com.

          10. ALMAC – COOKIE POLICY

Almac may from time to time collect information from you by using “cookies”. At Almac, we are strongly committed to protecting your privacy and as such we want to ensure that you are always aware of how we are using cookies on our websites and how this may affect you.

You can navigate around our websites without giving us any personal information. However, the cookie policy in this section sets out a brief explanation of our practices for the occasions where cookies are used.

WHAT ARE COOKIES?

A cookie is a text file that is placed on your computer, mobile phone or tablet by the websites. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you.

HOW WE USE COOKIES

Almac uses cookies to improve services for you by:

  • Measuring how many people are using the different areas of the websites so that popular sections can be improved.
  • Analysing anonymous data to help us understand how visitors interact with the websites so we can improve the services offered.
  • Enabling a service to recognise your computer so you don’t have to give the same information several times during one task.

Cookies may be used on our customer-facing applications, and although we are not actively storing any information pertaining to the user in the form of a cookie, some of the application servers which Almac uses may write temporary files to enable them to perform as part of their normal usage. This data is not recorded by Almac.

Cookies do not usually contain personally identifiable information, and if at times Almac requires you to register your information, the cookie which is associated with your registration information is used in a limited manner to allow Almac to offer increased functionality of our websites.  We do not share any of our data with any third parties. The personal or system information is not stored in the cookie.

To allow you to control your own use of cookies, you will need to reset your web browser to either allow you to accept cookies, reject cookies or notify you on each occasion that a cookie is sent to you. To find out more about cookies, and how to actively manage how they are used on your computer, please visit www.allaboutcookies.org.  Please check our website periodically to inform yourself of any updates.

Almac also uses an industry-standard web analytics service, Google Analytics, to track web visits. The information generated by the cookie about your use of our websites (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our websites, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. You may opt out of web analytics by installing these tools on your computer: https://tools.google.com/dlpage/gaoptout