The purpose of this Policy is to describe Toxeos GmbH (Toxeos) privacy policy within the setting of the EU-U.S. Privacy Shield, Swiss-U.S. Privacy Shield framework and General Data Protection Regulation regarding the processing, transfer and hosting of personally identifiable information. This Privacy Policy describes our commitment to respect relevant privacy and security considerations with respect to personal data processed or stored by Toxeos.

Scope

This Policy applies to information, including personal data (i.e. information that relates to an identified or identifiable individual). Specifically, this policy relates to data which is collected, processed and stored by Toxeos and its affiliated partners. As an international company serving the global Life Sciences industry, our employee, partner, customer and user data may be used and stored outside of the country of residence of the data subjects. We will take necessary steps to ensure that the use of personal data is in compliance with this Privacy Policy and the General Data Protection Regulation (GDPR). 

Our Beliefs

Toxeos respects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. This includes data from customers, sponsors, employees, healthcare professionals, researchers, data managers, regulatory affairs officers, clinical investigators, investors, business partners, and others. Toxeos collects, processes and uses personal information in a manner that is consistent with the laws of countries in which the organization does business. Furthermore, data is only collected for specific and legitimate purposes on behalf of customers. Data is not further processed in a manner that is incompatible with those purposes.

In support of our beliefs, a data protection officer has been appointed. The data protection officer monitors compliance with the regulations, provides advice in regards to data protection, and acts as contact point for supervisory authorities.

Toxeos respects and is guided by the privacy principles as set forth by GDPR, the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield Framework including the transfer of personal information in electronic, paper, or verbal formats from the member states of the European Union, Switzerland and the United States.

 Toxeos works within the principles outlined in the GDPR:

Personal data shall be:

• • Processed lawfully, fairly and in a transparent manner.
  • Collected and processed for a specific, limited and legitimate purpose.
  • Minimised to what is necessary in relation to the purposes for which they are gathered. Validated to ensure that personal information is appropriate to its use.
  • Accurate and, where necessary, updated periodically.
  • Stored in a form which permits identification of data subjects for no longer than is necessary (subject to purpose).
  • Maintained and shared using documented and robust security protocols to support an environment that ensures integrity and confidentiality.
  • Processed with ‘data protection by design and default’ in mind and supportive of demonstrably accountable practices

For further information on how Toxeos supports these principles, please read below.

Notice

Where Toxeos, as a data controller, intends to collect and process personal information with respect to a data subject, Toxeos informs said subjects about the purposes for which it collects and uses the personal information. The notice is provided in clear language in a conspicuous manner. The use of the data is limited to the purpose first identified and no more information is collected than is required to satisfy the business purpose. Any personal information that is related to the use of the Toxeos software products or personal data collected and/or processed for a specific customer project is the responsibility of the customer, as the controller.

Data types

Toxeos may collect the following types of personal information:

• • Information about future employees collected during the hiring process such as first name, last name, contact email, phone number, address, education, and work history.
  • Personal information from customers (such as an e-mail address, system information, telephone numbers, and problems descriptions) in order to communicate with customer and to provide online technical support and troubleshooting. If any customers choose to correspond with us through electronic communication (e.g. email, online chat, or instant messaging), we may retain a copy of the electronic communication together with the customer’s email address and our responses. We provide the same protections for these electronic communications that we employ in the maintenance of information received by mail and telephone.
  • Information about users of our software deliverables that helps us conduct business, such as the types of releases, versions, recipients.
  • Transaction Information about how the user interacts with Toxeos, including purchases, inquiries, customer account information, and information about the use of the Toxeos website and applications. We collect this information when users visit our website, use our software releases or contact us, such as for customer service purposes.
  • When visiting Toxeos’s website, we use cookies to collect information about individuals using our website and applications. We treat this information as personal information when it is associated with personally identifiable information. 

Data Retention

personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes with respect to maintenance of existing contracts and legitimate interests.

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Where Toxeos has a direct relationship with a data subject, it offers individuals the option of choice as to whether their personal information is disclosed to a third party. 

Data transfers

Personal data is only shared by Toxeos with third parties who require it for specific business purposes. In this context, data is only transferred within the scope of purpose it was initially intended. These third parties must agree to abide by the same level of privacy protection as Toxeos does with its customers. Where Toxeos has knowledge that an agent is using or disclosing personal information in a manner contrary to this, Toxeos will take reasonable steps to prevent or stop the use of disclosure. 

Toxeos provides services internationally and receives information from multiple international sources. Whenever Toxeos is required to transfer personal information, regardless of where data is sourced, Toxeos protects confidentiality, integrity and availability of personal information by physical and logical security measures. 

Data Security

Toxeos utilizes reasonable and appropriate physical, technical, and administrative procedures to safeguard the information it collects and processes and to prevent unauthorized disclosure of said data. This protection includes the use of firewalls, access control, pseudonymization, anonymization, masking and encryption technology. Toxeos has written procedures in place regulating the protection of confidential data from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data Integrity

Toxeos takes steps through Toxeos’s validation process to ensure that personal information is appropriate to its use, that the data is accurate and up to date. 

Subject Access Requests

Upon request, individuals will be granted reasonable access to personal information that Toxeos holds about them. In addition, upon request, Toxeos will take reasonable steps to allow individuals to correct, amend, or delete information that is found to be inaccurate or incomplete.

Data subjects can request their data in a structured, commonly used and machine readable format and may also choose to not have their data shared if the purpose is incompatible with the original purpose of data collection. Toxeos provides individuals with a reasonable mechanism to exercise their choices, including the ability to request to be forgotten (as long as it does not contradict legal requirements), and the ability to withdraw consent and opt out.

Data subjects are provided readily available mechanisms to exercise choice whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected.

Individuals may email gdpr@Toxeos.com to exercise this option.

Dispute resolution

In compliance with the principles, Toxeos commits to resolve complaints about our collection or use of personal information.

All individuals are encouraged to forward any complaints, issues, concerns, or questions regarding the collection, the use or disclosure of personal information to dataprotection@Toxeos.com or mail 

Policy change notification

If major content changes are made to Toxeos Privacy Policy the changes will be outlined and published along with the new version of the Privacy Policy and the date of its release on the corresponding Toxeos website.

Public Authority Requests

Toxeos is required to disclose personal information in response to lawful requests by public authorities, including those necessary to meet national security or legal requirements.

Data Retention

Toxeos will retain personal information for as long as it is legitimately needed to provide products or services; as outlined in previously stated agreements at the time of collection; and as necessary to comply with Toxeos’ legal obligations, resolve disputes, and enforce agreements; or to the extent permitted by law.

At the end of the retention period, Toxeos will delete this personal information in a manner designed to ensure that it cannot be reconstructed or read.