Gan & Lee Pharmaceuticals USA Corp.
The purpose of this Policy is to provide guidance to Employees and Data Subjects (defined below) of Gan & Lee Pharmaceuticals USA Corp. (“Company”, “Gan & Lee USA”, “we”, “us”, or “our”), within the European Union (“EU”), the United Kingdom (“UK”), and Switzerland (collectively, “you” or “users”) about the nature of the Personal Data Company is collecting and processing. Company’s policy is designed to comply with applicable laws and regulations, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the FTC Privacy Shield (“Privacy Shield”), to ensure the privacy and security of Personal Data of its Employees and Data Subjects.
For purposes of this Policy, the Data Controller (as defined in the GDPR) is the Company affiliate or entity responsible for the manner in which the Personal Data of an Employee or Data Subject is Processed (as defined in Article 4(2) of the GDPR).
To provide adequate protection for certain Personal Data received in the U.S. from the EEA, the UK, and Switzerland, the Company has also elected to self-certify to the E.U.-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework administered by the U.S. Department of Commerce. Company complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Company has elected to self-certify to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. For more information about the Privacy Shield, or to review the Company’s representation on the Privacy Shield list when approved, see the U.S. Department of Commerce’s Privacy Shield website located at: http://www.privacyshield.gov.
The Company has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles as further set forth herein.
This Policy applies to all Personal Data that Company collects, receives, transmits, and maintains about its Employees, Job Applicants, and Data Subjects who are residents of the European Economic Area, the U.K., and Switzerland. The European Economic Area (“EEA”) consists of EU Member States and Iceland, Liechtenstein, and Norway. Personal Data may be collected, transmitted, or maintained in electronic, paper, or oral formats.
The Company adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability. For purposes of enforcing compliance with the Privacy Shield, the Company is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission (“FTC”). The Company further recognizes potential liability in cases of onward transfers to affiliates and third parties.
If there is any conflict between the terms in this Policy and the Privacy Shield, the Privacy Shield shall govern.
A. “Data Controller” means the person or entity who, either alone or jointly or in common with other persons or entities, determines the purposes for which and the manner in which any Personal Data are, or are to be, Processed.
B. “Data Subject(s)” means an identified or identifiable natural person residing in the EEA.
C. “Employees” means employees of Company residing in the European Economic Area, including employees of any subsidiary, affiliate, or other entity controlled by, or under common control of Company, and all persons engaged (directly or indirectly) to perform work for Company, including temporary agency personnel, contractors, and contingent workers, interns, former employees, and retirees.
D. “Job Applicant” means any individual seeking employment at Company who submits Personal Data about himself or herself to Company or to one of its recruitment partners for purposes of being considered for an employment position with Company.
E. “Personal Data” means any information relating to an identified or identifiable Employee, Job Applicant, or Data Subject. An identifiable Employee, Job Applicant, or Data Subject is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that Employee, Job Applicant, or Data Subject. Personal Data includes information that enables anyone to link information to a specific Employee, Job Applicant, or Data Subject, even if the person or entity holding that information cannot make that link. Additionally, Personal Data includes any information relating to identified or identifiable dependents, family members, or personal references of an Employee, Job Applicant, or Data Subject. For the avoidance of doubt, the meaning of Personal Data shall be consistent with the term as it is defined in Article 4(1) of the GDPR.
F. “Processing,” “Process,” or “Processed” are broadly defined to mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as its collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. For the avoidance of doubt, the meaning of Processing shall be consistent with the term as it is defined in Article 4(2) of the GDPR.
G. “Sensitive Personal Data” is a subset of Personal Data and means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data for the purpose of uniquely identifying an Employee, Job Applicant, or Data Subject; data concerning health; and data concerning an Employee, Job Applicant, or Data Subject’s sex life or sexual orientation.
H. “Supervisory Authority” means the public authority designated by an EEA Member State to monitor compliance with the GDPR.
I. “Usage Data” Means additional information regarding users’ activities on Company websites, applications, and/or other services or products, such as automatically collected information that includes, but is not limited to, analytics data, cookie information, and HTTP header information.
1. Company collects and Processes Personal Data in compliance with applicable laws and regulations. In particular, Company complies with the requirements of the GDPR and the local data protection laws of EEA Member States.
2. Company collects and Processes Personal Data only for legitimate business purposes. The categories of Personal Data that are collected and the nature of the Processing are proportionate to the status and role of the Employee (for example, Job Applicant, temporary Employee, full-time Employee, or retiree) and the purpose of the collection and Processing.
3. Company will only perform Processing activities that can achieve an intended purpose while having the least impact on Employees’, Job Applicants’ and Data Subjects’ privacy interests. Further, Company will only Process relevant information that is limited to the minimum necessary for purpose of the Processing activity.
4. Company will not store Personal Data for a longer period of time than is necessary to accomplish the intended purpose of the Processing activity.
5. Company will take reasonable steps to ensure the integrity and accuracy of the Personal Data it Processes.
6. Company will inform Employees, Job Applicants, and Data Subjects of the purposes and methods of its Processing activities. Additionally, Company will permit Employees, Job Applicants, and Data Subjects to exercise their rights with respect to Personal Data under the GDPR and applicable local laws, including the rights to correction, erasure, inspection, portability, and restriction of Processing.
7. Company will use commercially reasonable security measures to protect the Personal Data it collects and Processes against unauthorized uses and disclosures.
B. TYPES OF PERSONAL DATA COLLECTED
Unless restricted by applicable local law, Company will Process the following types of Personal Data about its Employees or Data Subjects:
1. Personally Identifiable Information. In the case of Employees and Data Subjects, personally identifiable information includes, but is not limited to, name, business name, marital name, gender (not permitted in some countries), age, date and country of birth, race (not permitted in some countries), nationality (not permitted in some countries), personal and business address, personal and business telephone number, email address, name and telephone number of a contact in case of emergency, passport number (if applicable), driver’s license number (if applicable), work permit number, Social Security or National Identification number (if applicable), bank account details (for direct deposit), employee or other identification number, disability rate (if applicable), photographs, and other information as required for Company to comply with its legal duties.
2. Family Status. In the case of Employees and Data Subjects, information related to family status includes, but is not limited to, marital status, dependent information, insurance information, and pension information.
3. Employment Terms & Conditions. In the case of Employees, information related to employment terms and conditions includes, but is not limited to, employment contract, hire date, termination date, division, department, reporting structure, job title, pay grade, job description, work telephone number and email address, track of salary and other compensation elements, stock options plan, purchase option plan, related payments, hours worked, pension fund contribution, tax and source tax deductions, absence management (in particular sick leave, special leave of absence, maternity leave, parental leave), paid holidays (if applicable) and time off given in compensation for extra time worked); and Employees’ representative status (such as works council or labor representatives in certain countries).
4. Education and Professional Development. In the case of Employees, information related to education and professional development includes, but is not limited to, degrees, diplomas, professional qualifications and training certificates held, practice of foreign languages, curriculum vitae detailing work experience and, if applicable, military situation (but not the reasons for deferment or rejection from the military service, if any), continuous training, mobility situation, management of career development actions, and records of annual performance evaluations.
5. Assignment of Equipment and Access Rights. In the case of Employees, information related to the assignment of equipment and access rights includes, but is not limited to, the allocation of Company systems and devices to Employees (such as work computers, offices, telephones, and access to databases, servers, and electronic information) and Employees’ usage of such systems and devices.
6. Compliance and Performance Information. In the case of Employees, information related to compliance and performance includes, but is not limited to, records of promotions, bonuses, annual and interim performance reviews, goal setting, disciplinary actions, and compliance evaluations.
7. Health or Medical Information. In the case of Employees, health or medical information includes, but is not limited to, requests for reasonable accommodations for their disabilities, health insurance applications, information needed to administer insurance benefits, absence records associated with illness or accidents, records related to maternity leave, information related to exposures and work-related injuries or claims, and other information required for Company to comply with its legal obligations or to manage the safety of its workplace.
In the case of Data Subjects subject to clinical trials, health or medical information includes, but is not limited to, information on the individual’s medical history, laboratory testing results (including blood work and urinalysis), recording of vital signs, BMI (body mass index) and weight, medication and dosing information and any other information listed in the Informed Consent form or otherwise required for Company to comply with its legal obligations or for other lawful purposes.
8. Job Applicant Information. In the case of Job Applicants, Job Applicant information includes, but is not limited to, information supplied to Company when applying for a position with Company or information which Company has obtained from other sources in connection with a job application (in compliance with applicable local law), such as resumes, application letters, assessment reports from external recruiting companies, references, and information provided by managers about previous work performance.
9. Server Logging Information. In the case of Employees and Data Subjects, server logging information includes, but is not limited to, automatically collected information through online services which includes, but is not limited to, analytics data, cookie information, and HTTP header information.
Company will take reasonable steps to ensure the integrity and accuracy of the Personal Data it Processes.
C. LAWFULNESS OF PROCESSING PERSONAL DATA
1. Legal Basis for Processing. Company will not Process the Personal Data of Employees, Job Applicants, or Data Subjects unless there is at least one of the following legal bases for the Processing activity under the GDPR:
a. Company has obtained a Data Subject’s consent for a specific purpose;
b. The Processing activity is necessary for the performance or preparation of a contract to which the Employee, Job Applicant, or Data Subject is a party, such as a contract for employment with Company, clinical trial participation agreement, purchase agreement, master services agreement, license agreement, or otherwise;
c. The Processing activity is necessary for Company’s compliance with a legal obligation to which Company is subject;
d. The Processing activity is necessary to protect the vital interests of an Employee, Job Applicant, Data Subject, or other individual; or
e. The Processing activity is necessary for the “Legitimate Interests” pursued by Company, unless such interests are overridden by the interests of Employees, Job Applicants, or Data Subjects or fundamental rights and freedoms which require the protection of their Personal Data (collectively, “Employees’ and Data Subjects’ Interests”). The Legitimate Interests that Company may pursue are outlined in Section IV(C)(3) of this policy.
2. Employee & Job Applicant Consent. Company will not base any Processing activity on consent from an Employee or Job Applicant unless there are exceptional circumstances that warrant using consent as a legal basis for the Processing, and Company’s leadership and legal counsel determine that the consent will meet the GDPR’s criteria for sufficient consent.
3. Legitimate Interests. Company is permitted to engage in the following Processing activities that fall within the following categories of Legitimate Interests, as long as such interests are not outweighed by Employee’s and Data Subjects’ interests:
a. Sponsoring, administering, and supporting clinical trials;
b. Improving or gauging the productivity and performance of its Employees;
c. Detecting and preventing the loss or theft of Company’s business equipment and property;
d. Detecting and preventing the loss or theft of Company’s intellectual property, including, but not limited to, trade secrets, proprietary information, and customer information;
e. Detecting and preventing the loss or theft of Personal Data about Employees, Job Applicants, or Data Subjects;
f. Detecting and preventing any fraudulent or illegal activities;
g. Ensuring the security of Company’s networks and information systems and containing, eradicating, and mitigating the effects of any incidents that may affect the security of Company’s confidential information, intellectual property, or Personal Data;
h. Promoting health and safety in the workplace;
i. Allowing Employees to exercise and enjoy their rights and benefits related to employment;
j. Processing Job Applicant information in connection with the recruitment and hiring of Employees;
k. Terminating the employment relationship; and
l. Performing general management, human resources administration, and other administrative activities.
4. Processing Sensitive Personal Data. Company is permitted to Process Sensitive Personal Data only when it is authorized to do so by European Union law, Member State law, a collective bargaining agreement, or other agreement. Should Company inadvertently receive Sensitive Personal Data when it is not authorized to receive such data, Company will take reasonable steps to delete the data as soon as practicable.
5. Analysis & Documentation of Processing Activities. Company will periodically, and at least annually, review and analyze each of its Processing activities and document the results of each analysis. Further, Company will use the results of each analysis to guide its decision as to whether to continue, cease, or modify the respective Processing activity. Company will also evaluate and document the results of the analysis of new or material changes to Processing activities.
D. PERSONAL DATA PROCESSING ACTIVITIES
1. We may engage in the following Processing activities with respect to Personal Data (and, where noted, Sensitive Personal Data). To perform the following tasks, we may transfer your data to countries outside the European Economic Area, the U.K., and/or Switzerland using appropriate safeguards when necessary. When necessary, we will obtain your consent before using your data for these purposes.
a. Clinical Trials. Company may collect Personal Data from Data Subjects when sponsoring clinical trials, including the transfer of and receipt of information from third party clinical trial administrators.
b. Recruiting. Company may collect Personal Data from Job Applicants when they submit resumes, application forms and letters, and related materials to Company for consideration. Company may also collect Personal Data about Job Applicants from third-party sources, such as the applicant’s references or a vendor providing background check services.
c. Pre-Employment Screening and Hiring Process. Company may collect Personal Data from Job Applicants during the hiring process that it uses to employ the applicants in Company. Company may participate in pre-employment screenings that involve the collection of Sensitive Personal Data, such as criminal histories or health-related information, only in accordance with Section IV(C)(4) above (where authorized by local law).
d. Time & Attendance. Company may use the Personal Data of hourly paid Employees for administrative purposes related to tracking their time and attendance.
e. Payroll and Benefits. Company may use Personal Data to administer the salaries and benefits due to Employees, including any annual merit increases, other salary adjustments, annual bonus payments, pension management, income tax and other tax withholdings, and life, health, disability insurance benefits, wellness exam information (where authorized by local law).
f. Legal Obligations. Company may also use Personal Data, including Sensitive Personal Data, to comply with legal obligations, such as income tax and other tax withholdings, maternity leave, or cooperation with courts (including civil actions) and law enforcement agencies in legal investigations regarding suspected criminal activities or other suspected illegal activities, to protect its legal rights or support any claim, defense, or declaration in a case or before any jurisdictional and/or administrative authority, arbitration, or mediation panel, and in the context of disciplinary actions/investigations or of internal or external audits and inquiries. Company will collect and process trade union information only if the Employee has given his or her express written consent and to the extent that this information is required by the local applicable law. Additionally, Company may Process Employees’ health information (such as absence records associated with illness or accidents, maternity leave, disabilities, exposures, or work-related injuries or claims) to the extent Company is required to do so in order to comply with its legal obligations or to manage the safety of its workplace.
g. Equipment & Usage Assignment. Company may use Personal Data to assign workspaces, offices, computers, mobile devices, telephones, printers, copiers, and other equipment to Employees and to keep track of the Employees to whom these items are assigned. Company may also use Personal Data to assign, track, and audit Employees’ user rights in its databases and information systems. For example, Company may monitor Employees’ access to its systems to verify that they are only accessing information that they need to perform their job responsibilities.
h. Performance Management. Company may use Personal Data to facilitate the performance management and career development of Employees, such as through annual performance appraisals, annual salary reviews, and, as necessary, disciplinary sanctions in accordance with local applicable law.
i. Employee Monitoring. Company may monitor Employees’ activities as necessary to achieve a Legitimate Interest or comply with its legal obligations. Company will limit the scope and frequency of any monitoring to that which is necessary to furthering its objectives. Further, Company will ensure that its monitoring activities comply with any limitations or prohibitions imposed by local applicable law.
i. Social Media Account Screening. Company will not monitor Employees’ personal social media accounts on a generalized basis, except if it has a Legitimate Interest in conducting the screening, is authorized to do so by applicable local law, sufficiently informs the Employee subject to the screening about Company’s review of his or her social media accounts, and confirms there are no alternative means to achieve the intended purpose of the screening that has a lesser impact on the Employee’s privacy.
ii. Monitoring of Contents of Electronic Communications. Company will not continuously monitor its Employees’ electronic communications (e.g., personal or business email accounts, VoIP, instant messaging, and online calendar appointments), but may monitor the contents of Employees’ electronic communications under limited circumstances and through random checks or when reasonably suspicious activities warrant such monitoring, where performed for a Legitimate Interest and in compliance with local applicable law.
iii. Monitoring Email Traffic. Company may have Legitimate Interests in monitoring Employees’ email traffic, such as gauging the Employees’ productivity. If Company monitors email traffic, then its monitoring should be limited to traffic data and the times of communications and should not extend to the contents of the communications. Company must ensure that any such monitoring of Employees’ email is performed for a Legitimate Interest and complies with any limitations or prohibitions imposed by local applicable law.
To the extent that Company uses a data loss prevention tool to automatically monitor Employees’ outgoing emails for potential data leakage, Company will take measures to mitigate the risk that such tool creates a “false positive” alert for a legitimate email. For example, Company may configure the tool such that the Employee receives a warning message after attempting to send an email with a large attachment that gives the Employee the option to cancel the transmission of the email.
iv. Monitoring Internet Activities. Company may have a Legitimate Interest in monitoring Employees’ internet traffic for suspicious or malicious activity, such as protecting the security of its network or restricting access to websites with inappropriate content. Rather than deciding to permanently log all of its Employees’ internet activities, Company should first consider other, less intrusive options, such as blocking suspicious incoming or outgoing traffic. However, if Company determines that general logging of all internet traffic is necessary, then it should configure the logging mechanism to store the minimum amount of log data that is necessary. Company must ensure that any such monitoring of Employees’ internet activities is performed for a Legitimate Interest and complies with any limitations or prohibitions imposed by local applicable law.
v. Video Surveillance of Premises. In some cases, Company may implement a video surveillance system after business hours to promote the security of the facility. If the after-hours security surveillance footage captures images of any Employees, such footage will only be used to the extent that it supports Company’s Legitimate Interest in protecting the security of the facility. Company will ensure that any usage of security surveillance footage featuring Employees complies with any limitations or prohibitions imposed by local applicable law. Company will also destroy such footage within a reasonable period of time after its use. Moreover, Company will not use video surveillance to monitor its Employees’ productivity, work performance, or workplace behaviors that are unrelated to Company’s Legitimate Interest in the security of its facility.
vi. Employees Working Remotely. Company will not monitor the online activities of Employees who access its systems and work remotely by logging their keystrokes and mouse movements, capturing their screens, logging the applications they used and the duration for which they are used, or enabling webcams and collecting video footage of Employees.
vii. Auditing Employees’ Access of Information Systems. Company may use Personal Data when auditing Employees’ access of its databases and systems. For example, Company may monitor Employees’ access to its systems to verify that they are only accessing information that they need to perform their job responsibilities.
viii. Monitoring Employees’ Facility Access. Company may have a Legitimate Interest in monitoring Employees’ access to its facilities or rooms within its facilities that are equipped with access control systems that record the entrance and exit of Employees who have permission to enter the room. For instance, such monitoring may be used to identify the source of the loss or theft of equipment in a secure room. Company will ensure that monitoring Employees’ facility access complies with any limitations or prohibitions imposed by local applicable law. Further, Company will not use the results of monitoring Employees’ facility access for other purposes, such as tracking time and attendance for employee performance evaluations.
j. General Management & Administration. Company may use Personal Data for Company’s planning and budgeting, headcount, financial reporting, corporate reorganizations, outsourcing, restructuring, acquisitions, divestments, and compliance with regulatory reporting requirements. Company may also use Personal Data for human resources administration, such as obtaining feedback from employees through surveys or to identify areas for improvement.
2. Company may engage in the following Processing activities with respect to its Data Subjects’ Personal Data. To perform the following tasks, we may transfer your data to countries outside the European Economic Area, the U.K., and/or Switzerland using appropriate safeguards when necessary. When necessary, we will obtain your consent before using your data for these purposes.
a. Marketing. Company may use Personal Data for general marketing purposes, including electronic communications, social media postings, and the like.
b. Provision of and/or Support of Services. Company may use Personal Data for the purpose of providing and supporting the Company’s services.
c. Legal Obligations. Company may use Personal Data, including Sensitive Personal Data, to comply with legal obligations, such as income tax and other tax withholdings or cooperation with courts (including civil actions) and law enforcement agencies in legal investigations regarding suspected criminal activities or other suspected illegal activities. Subject to local law requirements, Company may use Personal Data to protect its legal rights or support any claim, defense, or declaration in a case or before any jurisdictional and/or administrative authority, arbitration, or mediation panel in the context of disciplinary actions/investigations or of internal or external audits and inquiries.
d. Monitoring Internet Activities. Company may have a Legitimate Interest in monitoring Data Subjects’ access to Company internet services traffic for suspicious or malicious activity, such as protecting the security of its network.
e. General Management and Finance Administration. Company may use Personal Data for Company’s planning and budgeting, financial reporting, corporate reorganizations, outsourcing, restructuring, acquisitions, divestments, and compliance with regulatory reporting requirements.
E. HOW TO WITHDRAW CONSENT
Before the Company uses Personal Data for a purpose that is materially different than the purpose in which it was collected, the Company will provide Data Subjects with the opportunity to opt out. The Company maintains reasonable procedures to help ensure that Personal Data is reliable for its intended use, accurate, complete, and current.
At any time, a Data Subject may withdraw consent for using, disclosing, or otherwise processing Personal Data by emailing the Company at the information provided below.
Any withdrawal of consent to process certain Personal Data about a Data Subject (1) may limit the Company’s ability to deliver services to such Data Subject, and (2) does not affect the lawfulness of the Company’s processing activities based on the Data Subject’s consent before its withdrawal.
F. SECURITY OF PERSONAL DATA
Company will apply commercially reasonable technical and organizational security measures to ensure that Processing activities occur in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful Processing, and against accidental loss, destruction, or damage, and protects the confidentiality, availability, and integrity of Personal Data.
The Company maintains reasonable and appropriate security measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the Privacy Shield.
G. PERSONAL DATA RETENTION PERIOD
Company will retain Personal Data consistent with applicable local law and industry standards. Company will not store Personal Data for longer than is necessary to achieve the intended purposes of a Processing activity (such as when it is no longer necessary to perform a Processing). In any case, Company will delete Personal Data upon expiration of the maximum storage term of the type of Personal Data as set forth by the applicable local law or Company’s Record Retention Policy, unless the Personal Data is required to be maintained for a longer period, such as in the case of an administrative claim, lawsuit, or investigation.
H. TRANSFERS OF PERSONAL DATA TO OTHER COUNTRIES
Company may transfer Personal Data to another country for Processing only if the European Commission has determined that the country ensures an adequate level of protection of Personal Data, the Company implements appropriate safeguards, or an appropriate derogation applies. Before transferring Personal Data to another country, Company will ensure that it has in place an appropriate mechanism for the onward transfer of the Personal Data. For example, Company may rely on Standard Contractual Clauses, Binding Corporate Rules, or participation in the EU-U.S. Privacy Shield program to transfer Personal Data from the European Union to its facility or vendors in the United States for Processing.
I. DATA TRANSFERS TO THIRD PARTIES
1. Third-Party Agents or Service Providers
The Company may transfer Personal Data to its third-party agents or service providers who perform functions on the Company’s behalf. Where required by the Privacy Shield, the Company enters into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the Privacy Shield requires and limiting their use of the data to the specified services provided on the Company’s behalf. The Company takes reasonable and appropriate steps to ensure that third-party agents and service providers process Personal Data in accordance with the Company’s Privacy Shield obligations and to stop and remediate any unauthorized processing. Under certain circumstances, the Company may remain liable for the acts of its third-party agents or service providers who perform these services.
2. Third-Party Data Controllers
In some cases, the Company may transfer Personal Data to unaffiliated third-party data controllers. These third parties do not act as agents or service providers and are not performing functions on the Company’s behalf. The Company may transfer Personal Data to third-party data controllers for the purposes identified in herein. The Company will only provide Personal Data to third-party data controllers where the Data Subject has not opted-out of such disclosures, or in the case of sensitive Personal Data, where the Data Subject has opted-in if the Privacy Shield requires consent. The Company enters into written contracts with any unaffiliated third-party data controllers requiring them to provide the same level of protection for Personal Data the Privacy Shield requires. The Company also limits their use of your Personal Data so that it is consistent with any consent the Data Subject has provided and with the notices such Data Subjects have received. If the Company transfers Personal Data to one of its affiliated entities within the Company’s corporate group, the Company will take steps to ensure that Personal Data is protected with the same level of protection the Privacy Shield requires.
3. Disclosures for National Security or Law Enforcement
Under certain circumstances, The Company may be required to disclose Personal Data in response to valid requests by public authorities, including meeting national security or law enforcement requirements. The Company will share information with law enforcement, government officials, regulatory agencies, or other parties when we are required to do so by applicable law. The Company will also disclose information to comply with a judicial proceeding, court order, subpoena, or legal process.
J. Employees’ & DATA SUBJECTS’ RIGHTS WITH RESPECT TO PERSONAL DATA
Company will afford Employees, Job Applicants, and Data Subjects the following rights with respect to Personal Data about them. In order to exercise these rights, an Employee may submit requests to Justin Klein, Partner, Ice Miller LLP at Justin.Klein@icemiller.com. To the extent feasible, Company will notify any recipient of Personal Data about the rectification or erasure of such data that occurred pursuant to an Employee’s, Job Applicant’s, or Data Subject’s request.
1. Right to Access Personal Data. An Employee, Job Applicant, or Data Subject may request that Company provide confirmation as to whether certain Personal Data about him or her is being Processed and may also request to access copies of, or inspect, the Personal Data about him or her that is undergoing Processing. You may also have the right to access the Personal Data that we hold about you and to request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Privacy Shield. Company may use reasonable methods to verify the identity of the individual request access to the data before fulfilling the request. Company may charge a reasonable fee based on administrative costs for copies of additional Personal Data maintained about him or her. The Employee’s, Job Applicant’s, or Data Subject’s access right should not adversely affect the rights or freedoms of others, including intellectual property rights, but any potential adverse effect should not result in a refusal to provide the Employee, Job Applicant, or Data Subject with access to any Personal Data about him or her. Additionally, Company will provide an Employee, Job Applicant, or Data Subject with the following information:
a. The purposes of the Processing and categories of Personal Data being Processed;
b. The recipients or categories of recipients to whom the Personal Data has or will be disclosed, including third parties and entities in other countries;
c. The time period during which the Personal Data will be stored or the criteria that Company will use to determine that time period;
d. The existence of the right to request rectification or erasure of Personal Data;
e. The existence of the right to request a restriction on the Processing of Personal Data or to object to the Processing;
f. The right to file a complaint with a Supervisory Authority;
g. Information about the source(s) of the Personal Data, if the Personal Data was not collected directly from the Employee, Job Applicant, or Data Subject; and
h. A description of any automated decision-making using the Personal Data, including profiling the Employee, Job Applicant, or Data Subject.
These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of someone other than the individual requesting access. If you would like to request access to, correction, amendment, or deletion of your Personal Data, you can submit a written request to the contact information provided below. We may request specific information from you to confirm your identity. In some circumstances we may charge a reasonable fee for access to your information.
2. Right to Rectification of Personal Data. An Employee, Job Applicant, or Data Subject may request Company to rectify inaccurate Personal Data about him or her. Company will fulfill such a request without undue delay. An Employee, Job Applicant, or Data Subject also has the right to request Company to complete any incomplete Personal Data about him or her, such as by allowing the Employee, Job Applicant, or Data Subject to submit a written statement to supplement the incomplete Personal Data. To the extent practicable, Company will permit Employees, Job Applicants, and Data Subjects to log into applications storing electronic Personal Data about him or her and directly amend such data.
3. Right to Erasure of Personal Data. An Employee, Job Applicant, or Data Subject may request that Company delete Personal Data about him or her.
a. Company will fulfill such a request without undue delay and irrespective of the relevant document retention period outlined in Company’s Record Retention Policy, as long as one of the following applies:
· The Personal Data is no longer necessary in relation to the purposes of the Processing activity for which the data was collected;
· There is no longer any legal basis under the GDPR for the Processing activity;
· The Employee, Job Applicant, or Data Subject objects to the Processing activity, and there are no overriding legitimate grounds for continuing the Processing activity;
· The Personal Data has been Processed unlawfully; or
· The Personal Data needs to be deleted in order to comply with European Union law or applicable Member State law.
b. However, Company is not required to fulfill an Employee’s, Job Applicant’s, or Data Subject’s request for the deletion of Personal Data about him or her if one of the following applies:
· The Processing is necessary for exercising the right of freedom of expression and information;
· The Processing is necessary for Company to comply with a European Union law or Member State law that requires Processing for the performance of a task carried out in the public interest;
· The Processing is necessary for the public interest in the area of public health;
· The Processing is necessary for archiving purposes in the public interest or scientific or historical research purposes; or
· The Processing is necessary for Company’s establishment, exercise, or defense of legal claims.
4. Right to Restrict Processing. An Employee, Job Applicant, or Data Subject may request Company to place a restriction on the Processing of his or her Personal Data.
a. Company will fulfill such a request if one of the following applies:
· The Employee, Job Applicant, or Data Subject is contesting the accuracy of the Personal Data, and the restriction will be placed on the Processing activity to allow Company sufficient time to verify the accuracy of the Personal Data;
· The Processing is unlawful, and the Employee, Job Applicant, or Data Subject opposes the deletion of the Personal Data and instead requests a restriction on the Processing activity;
· Company no longer needs the Personal Data for the purpose of Processing, but the Personal Data is required by the Employee, Job Applicant, or Data Subject for his or her establishment, exercise, or defense of legal claims; or
· The Employee, Job Applicant, or Data Subject has objected to the Processing activity pending the verification of whether Company’s Legitimate Interest in the activity overrides Employees’ and Data Subjects’ Interests.
b. However, Personal Data that is subject to a Processing restriction may continue to be Processed:
· For Company’s establishment, exercise, or defense of legal claims;
· For the protection of the rights of another natural or legal person; or
· For reasons of important public interest.
5. Right to Data Portability. An Employee, Job Applicant, or Data Subject may request that Company provide Personal Data about him or her in a commonly used and machine-readable format so that the Employee, Job Applicant, or Data Subject can transmit the Personal Data to another Data Controller, such as a different employer. An Employee, Job Applicant, or Data Subject may also request that Company transmit the Personal Data directly to another Data Controller. An Employee’s, Job Applicant’s, and Data Subject’s right to data portability applies only with respect to Personal Data that Company is Processing in connection with the performance of a contract, such as an employment contract, to which the Employee, Job Applicant, or Data Subject is a party. The right to data portability does not apply to Personal Data that is Processed for a Legitimate Interest, compliance with a legal obligation, the exercise or defense of legal claims, or the performance of tasks carried out in the public interest (such as public health activities). Company will fulfill such a request if one of the following applies:
a. The Processing activity is being performed pursuant to a contract to which the Employee, Job Applicant, or Data Subject is a party, such as an employment contract; or
b. The Processing activity is carried out by automated means.
Please be aware that under certain circumstances, the GDPR may limit your exercise of these rights.
V. JOINT CONTROLLER POLICY
1. This Section V shall apply to Gan & Lee (defined below) and its Affiliates (defined below) in regards to the Processing of Personal Data shared between Gan & Lee and its Affiliates.
1. “Affiliate” means an entity that owns or controls, is owned or controlled by or is under common control or ownership with Gan & Lee Pharmaceuticals, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
2. “Gan & Lee” as used in this Section V shall mean Gan & Lee Pharmaceuticals, and any parent entity to an Affiliate in which this policy applies;
3. “Gan & Lee USA” as used in this Section V shall mean Gan & Lee Pharmaceuticals USA Corp., an Affiliate of Gan & Lee;
4. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed, as well as any breach of this Addendum, or of the data protection or security provisions of the Principal Agreement; and
5. “Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.
C. JOINT CONTROLLER TERMS
1. Each of Gan & Lee and its Affiliates is solely responsible for the Processing of Personal Data in the context of operating its business, including, without limitation, managing its employees, providing services to its customers, and otherwise.
2. Gan & Lee and its Affiliates are jointly responsible for the Processing of Personal Data for the purpose of collaborating in furtherance of scientific research initiatives, and for the respective financial health and growth opportunities for each Affiliate’s business which may involve Affiliate employees, customers, service providers, and other individuals to whom an Affiliate interacts through its operation of its business.
3. Compliance. Each of Gan & Lee and its Affiliates shall comply with its respective obligations under applicable data protection laws.
4. Security. Each of Gan & Lee and its Affiliates shall implement appropriate technical, physical and organizational security measures consistent with industry standards having regard to the state of the art and the costs of implementation to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other forms of unlawful Processing.
5. Access. Each of Gan & Lee and its Affiliates will have in place procedures so that any third party it authorizes to have access to Personal Data will respect and maintain the confidentiality and security of Personal Data. Any person acting under the authority or on behalf of Gan & Lee or an Affiliate may only Process Personal Data on instructions from such party. This provision does not apply to persons authorized or required by law or regulation to Process Personal Data.
6. Inspection. Each of Gan & Lee and its Affiliates shall submit their relevant Processing systems, facilities and supporting documentation to an inspection or audit relating to the Processing by a Supervisory Authority if this is necessary to comply with a legal obligation. In the event of any inspection or audit, Gan & Lee and its Affiliates (including Gan & Lee USA) shall provide all reasonable assistance to each other in responding to that inspection or audit.
7. Noncompliance. Each of Gan & Lee and Gan & Lee USA shall immediately notify the other in the event that it cannot comply with its obligations hereto or becomes aware of any circumstance or change in applicable data protection laws that prevents it from complying with such obligations.
8. Notice of Disclosure. Each of Gan & Lee and Gan & Lee USA shall provide timely notice to the other if: (a) it receives an inquiry, a subpoena or a request for inspection or audit from a Supervisory Authority relating to the Processing that impacts the other; or (b) it intends to disclose Personal Data or the subject of Processing that impacts the other to a Supervisory Authority, to the extent legally possible.
9. Personal Data Breach.
a. Gan & Lee shall notify Gan & Lee USA without undue delay, and in any case within twenty-four (24) hours, upon becoming aware of or reasonably suspecting a Personal Data Breach involving Personal Data shared between Gan & Lee and and Gan & Lee USA, with sufficient information which allows for the satisfaction of any obligations to report a Personal Data Breach under applicable law. Such notification shall at a minimum:
i. describe the nature of the Personal Data Breach, the categories and number of Data Subjects concerned, and the categories and number of Personal Data records concerned;
ii. communicate the name and contact details of any third party involved in the Personal Data Breach, including, without limitation, service providers;
iii. describe the likely consequences of the Personal Data Breach; and
iv. describe the measures taken or proposed to be taken to address the Personal Data Breach.
b. In the event of a Personal Data Breach, Gan & Lee or an Affiliate thereof shall not inform any third party without first obtaining Gan & Lee USA’s prior written consent, unless notification is required by EEA law to which Gan & Lee or the Affiliate is subject, in which case Gan & Lee or the Affiliate shall, to the extent permitted by such law, inform Gan & Lee USA of that legal requirement, provide a copy of the proposed notification and consider any comments made by Gan & Lee USA before notifying the relevant Supervisory Authority of the Personal Data Breach.
10. Data Subject Rights Requests. In the event that either Gan & Lee or an Affiliate receives a request from a Data Subject to exercise his or her rights under the GDPR, Gan & Lee and the Affiliate shall work together to respond timely and accurately to such request. In the event that the request goes to Gan & Lee or an Affiliate thereof, Gan & Lee or the Affiliate shall promptly route the request to Gan & Lee USA, who will work with Gan & Lee or the Affiliate to respond timely and accurately to such request.
VI. QUESTIONS OR COMPLAINTS
A. GDPR OR PRIVACY SHIELD QUESTIONS OR COMPLAINTS
A Data Subject may direct any questions or complaints about the use or disclosure of his or her Personal Data to the Company via the information in the section below. The Company will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of Personal Data within 45 days of receiving a complaint.
The Company has further committed to refer unresolved Privacy Shield complaints to ICDR/AAA, an alternative dispute resolution provider located in the United States. Any Data Subject who does not receive timely acknowledgment of his or her complaint from the Company, or if the Company has not addressed the complaint to his or her satisfaction may contact or visit www.adr.org for more information or to file a complaint.
For any unresolved complaints, the Company has also agreed to cooperate with EU data protection authorities (DPAs); the UK Information Commissioner; or the Swiss Federal Data Protection and Information Commissioner.
A list of DPAs from the European Commission may be found here: http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=50061.
The UK Information Commissioner’s Office may be contacted here: http://ico.org.uk/make-a-complaint/.
Information for the Swiss Federal Data Protection and Information Commissioner may be found here: http://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html.
The Company is also subject to the investigatory and enforcement powers of the Federal Trade Commission with respect to the Privacy Shield Framework. In addition, under certain conditions, more fully described on the Privacy Shield website, a Data Subject may invoke binding arbitration for non-monetary issues when other dispute resolution procedures have been exhausted.
For more information on binding arbitration, see the U.S. Department of Commerce’s Privacy Shield Framework: Annex I (Binding Arbitration).
VII. UPDATES TO THIS POLICY