Privacy Notice For Healthcare Professionals
(Updated and Effective: October 2021)
What is the scope of this Privacy Notice?
This Privacy Notice describes CNX Therapeutics Ltd.’s practices with respect to the collection, use, storage, and disclosure (“processing”) of Personal Data of healthcare professionals and other relevant decision makers defined by the EFPIA Code of Practice and covered by the European Union’s General Data Protection Regulation and the UK’s Data Protection Act for the purpose(s) outlined below. This Notice applies to CNX Therapeutics Ltd. and its subsidiaries (collectively, “CNX”). All healthcare professionals and other relevant decision makers (referred to below as “you” or “your”) should carefully read the provisions of this Privacy Notice.
For the purposes of EU and UK data protection laws, CNX is a controller of your Personal Data.
“Personal Data,” as used in this Privacy Notice, means any information that can be used to identify you, whether directly or indirectly, including by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.
How do you contact us if you have any questions or concerns?
Please contact us to:
- Ask questions;
- File a concern or complaint;
- Opt-out of a program or service; and/or
- To exercise any of your rights listed above, including access, correction, portability, objection, restriction, and erasure.
CNX Therapeutics Ltd. 3 Bunhill Row, London, EC1Y 8YZ
What Personal Data do we collect about you?
We process the Personal Data we collect from you directly, such as during our communications with you about CNX, through your engagement with CNX online platforms, or in the course of any services you provide to CNX. The Personal Data we may collect from you directly includes, for example:
- Your name and contact information.
- Where applicable, your professional identification number.
- Your contact and communication preferences.
- Your training and qualifications.
- Your professional interests (such as healthcare topics in which you have expressed an interest).
- Your interest in CNX products and services.
- If you provide us with consulting or other services, your bank account number, tax identification number, and other information necessary to pay you.
In some cases, we will require that you provide certain information in order for CNX to provide you with a service or take an action that you request. We will indicate when such information is required. Failure to provide required or mandatory information may result in termination of our relationship or our inability to take an action you request.
In addition, we collect the following kinds of information about you from third parties:
- Additional information about your training and qualifications, such as your organisational or institutional affiliations, place of employment, educational history, publications, professional identification number, and professional experience.
- Information about debarment and any professional discipline measures from government sources or professional organisations.
- Information about prescriptions written, medical claims filed, and/or diagnostic tests ordered (“Prescribing Behavior”).
What is our legal basis for processing your Personal Data?
We process your Personal Data to:
- Respond to your requests for information about our products and services.
- Communicate other information that we think may be of interest to you through our web sites, via e-mail, call centers, postal mail and other channels, including promotional communications about our products and services.
- Keep track of our interactions with you, both online and offline.
- Conduct business and marketing research.
- Process and report adverse event information and product complaints.
- Identify and engage scientific experts.
- Identify speakers and invitees to conferences and other scientific and educational programs we host or sponsor.
- Track and report payments and other transfers of value to healthcare professionals in accordance with financial disclosure transparency requirements.
- Audit our programs and services for compliance purposes.
- Meet our compliance and legal obligations.
- Meet our contractual obligations to you, if you provide us with services.
We may process your Prescribing Behavior to enable us to tailor our messaging and communications to you, including messaging and communications for promotional purposes, based upon your Prescribing Behavior.
- Better understand the market for our existing products and services, and potential new products and services, and to adjust our research, development, and marketing strategies accordingly.
We may also use your Personal Data to determine your potential involvement in future activities with CNX and to contact you in relation to these activities.
We combine the Personal Data that we collect in order to provide these functions.
We have the following legal bases for processing the Personal Data you provide to us, that we collect in the course of interactions with you, or that we collect from third parties about you:
- We have a legitimate interest in communicating with you about our products and services; in communicating with you about scientific research opportunities; in analysing the market for our products and services; and in meeting our legal and compliance obligations. We process all the Personal Data we collect from or about you to meet these purposes. You can obtain additional information about the legitimate interests we have in processing your Personal Data by contacting the DPO.
- Where we engage in direct marketing communications, we will obtain your consent to do so in accordance with applicable laws (and subject to any reliance on an existing customer exemption).
- We may be required to process your Personal Data if you have or are seeking to enter into a contract with us, such as a contract to provide consulting services. You can obtain additional information regarding processing we do to enter into contracts with you by contacting the DPO.
- In the case of Sensitive Personal Data (which includes (i) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (ii) genetic and biometric data, and (iii) data concerning health, sex life, or sexual orientation), we process such information either (i) because we have your consent to do so or (ii) because we are required to process the information to comply with applicable laws. You can obtain more information about these laws by contacting the DPO. When we process your Sensitive Personal Data on the basis of your consent, you may withdraw that consent at any time by contacting the DPO. If you withdraw your consent, we may still be required to process your Sensitive Personal Data to comply with applicable law, but we will explain to you at the time your consent is withdrawn what processing activities will continue for legal compliance purposes.
With whom do we share your Personal Data?
Your Personal Data will be received and processed by CNX employees and personnel, including third parties who provide services to us in connection with the purposes of processing described above. These third parties may include, for example, our website providers, vendors that assist us in communicating with you, database providers, survey and marketing research organisations, and event organisers. We share your Personal Data with our service providers only when they have agreed to process your Personal Data only to provide services to us and have agreed to protect your Personal Data from unauthorised use, access, or disclosure. You may contact the DPO to learn more about the categories of service providers to whom your data is disclosed.
We may disclose your Personal Data, including your financial relationship with CNX and any amounts you have been paid by CNX, to government authorities and the public in response to authorised information requests, or as otherwise required by laws, regulations, regulatory guidance or standards, judicial or administrative proceedings, or industry codes.
We may disclose your Personal Data where necessary to protect our rights and safety or the rights and safety of one or more third parties.
We may also disclose your Personal Data for the purposes described above to our development and business partners. Finally, in the event CNX decides to reorganise or divest our business through sale, merger, or acquisition, CNX may share Personal Data about you with actual or prospective purchasers.
We keep Personal Data about healthcare professionals for (i) as long as we have an ongoing relationship with you; (ii) as required by a legal obligation to which we are subject; and (iii) as otherwise necessary for legal purposes (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations). If you have any questions, you may contact the DPO.
You have the right to information regarding CNX’s processing of your Personal Data, including:
- The purposes of the processing.
- The categories of Personal Data concerned.
- The recipients or categories of recipients to whom the Personal Data have been or will be disclosed.
- Where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period.
This Notice is intended to provide this information. Any questions about these details may be directed to the DPO.
You also have the following additional rights with respect to your Personal Data:
- The right to request access to the Personal Data that CNX has about you, as well as the right to request rectification of any data that is inaccurate or incomplete.
- The right to request a copy of your Personal Data in electronic format so that you can transmit the data to third parties, or to request that CNX directly transfer your Personal Data to one or more third parties.
- The right to object to the processing of your Personal Data for marketing and other purposes.
- The right to erasure of your Personal Data when it is no longer needed for the purposes for which you provided it, as well as the right to restriction of processing of your Personal Data to certain limited purposes where erasure is not possible.
- The right to lodge a complaint with the data supervisory authority in the country where you live or work or where you believe that your rights have been violated.