Privacy Notice

THE KITE STUDY – Privacy Notice

Introduction

The Molecure S.A. informs, that the Privacy Note is dedicated for the natural persons located in and outside the European Economic Area (EEA) and based on the legal act named GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)) which is available under the link: https://eur-lex.europa.eu/eli/reg/2016/679/oj

On the basis of what legal provisions are or may be processed your personal data?

The rules on the protection of personal data (hereinafter referred to as the GDPR ) are set out, inter alia, in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), the Act of 10 May 2018 on the Protection of Personal Data and in country related special acts (lex specialist).

  1. “Personal data” – means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname, identification number, location data, internet identifier or one or more specific physical, physiological, genetic, mental factors, economic, cultural or social identity of a natural person,
  2. “Processing” – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,
  3. “Controller” – means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data,
  4. Supervisory authority” – means an independent public authority which is established by a Member State,
  5. “Recipient” – means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing,
  6. “Processor” – means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller,
  7. “Third party” – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data,
  8. “Third country” – an entity outside the EEA (European Economic Area) to which personal data is disclosed,
  9. “GDPR” – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation): https://eur-lex.europa.eu/eli/reg/2016/679/oj,
  10. “Regulations” – means other country regulated regulations of privacy and personal data, for example UK, US regulations,
  11. “Clinical Trial” – according to Art. 2 (2) 2) of Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC Text with EEA relevance. The clinical trial named KITE Study, Phase 2, randomized, double- blind, placebo-controlled, multicenter study to evaluate the efficacy and safety of OATD-01 in the treatment of subjects with active pulmonary sarcoidosis, provided by the Sponsor Molecure S.A. (the Controller).

Who does this Privacy Note apply to?

This Privacy Note applies to the processing of personal data of natural persons, potential participants in the phase II of the clinical trial named KITE Study conducted by Molecure S.A. as the Controller and the clinical trial Sponsor. Please note, that Absolutely Advertising acting as the operator and on behalf of and according to the instruction given by the Controller.

Who is the Controller

Please be advised that Controller is Molecure S.A. with headquarters in Warsaw, address: Żwirki I Wigury 101 Street, 02-089 Warsaw, Poland, Register No.: 0000657123.

Contact details to the Controller

Please send inquiries regarding the protection of personal data to the Controller by traditional mail to the above-mentioned address or by e-mail to the address CT.data.privacy@molecure.com

Joint controllership

Facebook (Meta) and Instagram
Please be informed that Controller may run a fanpage on social media (Facebook and Instagram) and according to art. 26 of GDPR the joint controllership can take place. We would like to inform you that the contollers have made joint arrangement regarding their obligations under the GDPR. The essence of the joint controllers’ arrangement is available here: https://www.facebook.com/legal/controller_addendum. The information about the joint controllership is provided at the request of the data subject.

Data Protection Officer

Please be advised that the Controller has not appointed a Data Protection Officer. Inquiries regarding the protection of personal data should be directed to the Controller by traditional mail to the Controller’s address or by e-mail to the following address: CT.data.privacy@molecure.com

For what purpose is or can your personal data be processed?

Personal data is or may be processed for the following purposes:

Purpose of processing The scope of data Lawfulness of processing
For the pre-screener questionnaire dedicated for potential clinical trial participants verification and contact after applying for clinical trial participation (off the clinical trial protocol): General personal data: name, email address and phone number, year of birth, IP address – to identify which country you are in and to present the correct language to you on the pre-screener questionnaire, For general categories of personal data: art. 6 (1) a) of GDPR – consent given by the person,

Special categories of personal data: health information including date of diagnosis, current treatments, any coexisting medical conditions – the data is collected for the KITE Study potential participation. This is a Phase 2, randomized, double-blind, placebo-controlled, multicentre study to evaluate the efficacy and safety of OATD-01 in the treatment of subjects with active pulmonary sarcoidosis.

 For special categories of personal data: art. 9 (2) a) of GDPR – consent given by the person,

 

How long will personal data be processed in accordance with the storage limitation principle (personal data retention)?

Please be advised that personal data are or may be processed for the period of:

Purpose of processing The scope of data Period of processing
For the pre-screener questionnaire dedicated for potential clinical trial participants verification and contact after applying for clinical trial participation:

General personal data: name, email address and phone number, year of birth, IP address – to identify which country you are in and to present the correct language to you on the pre-screener questionnaire,Special categories of personal data: health information including date of diagnosis, current treatments, any coexisting medical conditions – the data is collected for the KITE Study. This is a Phase 2, randomized, double-blind, placebo-controlled, adaptive, multicentre study to evaluate the efficacy, safety, tolerability, PD, and PK of OATD-01 in the treatment of subjects with active pulmonary sarcoidosis,
  1. Until to withdraw the consent,
  2. If you fail the pre-screened questionnaire your data will not be collected.
  3. If you are successful within the pre-screened questionnaire your data is held according to the Study Protocol (under the CT Protocol). The information about the personal data processing is delivered as a separated and dedicated clause.

Absolutely Advertising will retain your personal data for three months to ensure its availability to the investigators involved with the completion of the study. The investigators will use the information both for the purposes of the study and in order to contact you regarding on boarding and the provision of additional information specific to your participation in the study. Absolutely Advertising will not retain your personal data for any longer than three months, however the investigators and controller will do so for an additional of twenty – five years, as per Article 58 of Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on Clinical Trials on Medicinal Products for Human Use.

How long will personal data be processed in accordance with the storage limitation principle (personal data retention)?

Please be advised that personal data are or may be processed for the period of:

Purpose of processing The scope of data Lawfulness of processing Processing
For the pre-screener questionnaire dedicated for potential clinical trial participants verification and contact after applying for clinical trial participation: data: name, email address and phone number, year of birth, IP address – to identify which country you are in and to present the correct language to you on the pre-screener questionnaire, For general categories of personal data: art. 6 (1) a) of GDPR – consent given by the person, The processing is voluntary, failure to provide personal data will result in the inability to verify participation in the clinical trial,
Special categories of personal data: health information including date of diagnosis, current treatments, any coexisting medical conditions – the data is collected for the KITE Study. This is a Phase 2, randomized, double-blind, placebo-controlled, multicentre study to evaluate the efficacy and safety of OATD-01 in the treatment of subjects with active pulmonary sarcoidosis, For special categories of personal data: art. 9 (2) a) of GDPR – consent given by the person, The processing is voluntary, failure to provide personal data will result in the inability to verify participation in the clinical trial,

Under what circumstances is the provision of personal data a statutory or contractual requirement or a requirement necessary to enter into a contract?

Please be advised that providing data is:

Purpose of processing The scope of data Lawfulness of processing The consent of processing
For the pre-screener questionnaire dedicated for potential clinical trial participants verification and contact after applying for clinical trial participation: General personal data: name, email address and phone number, year of birth, IP address – to identify which country you are in and to present the correct language to you on the pre-screener questionnaire, For general categories of personal data: art. 6 (1) a) of GDPR – consent given by the person, The data subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal of the consent granted should be reported to the e-mail address: CT.data.privacy@molecure.com
Special categories of personal data: health information including date of diagnosis, current treatments, any coexisting medical conditions – the data is collected for the KITE Study. This is a Phase 2, randomized, double-blind, placebo-controlled, multicentre study to evaluate the efficacy and safety of OATD-01 in the treatment of subjects with active pulmonary sarcoidosis. For special categories of personal data: art. 9 (2) a) of GDPR – consent given by the person,

Processing of personal data based on the consent of the data subject

Please be advised that in the case of processing personal data based on the consent of the data subject (Article 6 (1) (a) of the GDPR):

Disclosure of personal data by the Controller

We hereby inform that personal data is or may be disclosed by the Controller:

  1. disclosed to data recipients providing services to the Controller pursuant to art. 28 GDPR – personal data entrustment. Depending on the purpose of personal data processing, the categories of data recipients may be: Clinical Research Organization, Clinics/Sites, Clinical Trial Investigator, IT infrastructure (software and hardware), website hosting. The list of the processors to whom the Controller entrusts the processing of personal data is available at the request of the data subject,
  2. disclosure of data to recipients cooperating with the Controller. Depending on the purpose of personal data processing, the categories of recipients to whom personal data may be disclosed are entities operating in the field of audits, postal services, courier services, law offices. We would like to inform you that after disclosing personal data, the data recipient becomes the Controller. The list of recipients to whom the Controller discloses personal data is available at the request of the data subject,
  3. disclosure of data to recipients who are public / state authorities. Depending on the purpose of personal data processing, the categories of data recipients may be such bodies as the the supervisory authority or other entities to which the Controller discloses personal data under applicable law. Please be advised that after disclosing personal data, their recipient becomes the Controller of the data. The list of recipients to whom the Controller discloses personal data is available at the request of the data subject,
  4. disclosure of personal data to third parties. The list of third parties to whom the Controller discloses personal data is available at the request of the data subject.

Transferring personal data to a third country (outside the EEA)

  1. Please be advised that personal data may be transferred to a third country, i.e. outside the EEA. In the event of transferring personal data outside the European Economic Area, such transfer may only take place on the terms set out in Chapter V of the GDPR:
      1. pursuant to art. 45 GDPR – transfer based on an adequacy decision,
      2. pursuant to art. 46 GDPR – transfer subject to appropriate safeguards, including the use of standard data protection clauses adopted by the European Commission,
  2. We hereby inform that the transfer of personal data outside the EEA may involve the risk of not ensuring sufficient security of personal data. In the event of a risk related to the transfer of personal data outside the EEA, the Controller provides such information in this Privacy Note,
  3. Please be advised that the list of entities outside the EEA to which the Controller discloses personal data is available at the request of the data subject.

What are the rights of the data subject?

  1. Information for the EEA and UK Residents

We would like to inform you about the right to request the Controller to exercise the following rights:

  1. the right to access personal data relating to the data subject,
  2. the right to rectify personal data,
  3. the right to delete personal data (erasure of personal data),
  4. the right to limit the processing of personal data (restriction of processing),
  5. the right to object to the processing,
  6. the right to transfer data (the right to data portability),
  7. the right to receive a copy of your personal data,
  8. the right to lodge a complaint with the country related supervisory authority.
  1. Information for the United States – Nevada Residents
    If you are a Nevada resident, you can opt-out of sales of certain covered information that a website operator has collected or will collect about you. To submit an opt-out request, please contact us through info@absolutelyadvertising.com and specify that you are a Nevada resident.
  2. Information for the United States – California Residents
    You have the following rights concerning your personal data and can exercise these by using the contact details at the top of this notice:
    a) Right to make a deletion request
    b) Right to opt out of sales of your personal information
    c) Right to non-discrimination

Who is the supervisory authority?

  1. Please be informed that the supervisory authority is the President of the Office for Personal Data Protection, Stawki 2 Street, 00-193 Warsaw, Poland (https://uodo.gov.pl/en). Please be informed about the right to lodge a complaint to the President of the Office for Personal Data Protection: https://uodo.gov.pl/en/p/for-citizens,
  2. Please note, that you can contract the supervisory authority according to your country related regulation. The list of supervisory authorities in the EEA is available under the link: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Profiling and automated processing

Your answers to the pre-screener questionnaire use automated decision making to identify if you are eligible for the next round of the study. We implemented the proper measures to ensure the safeguard of yours rights and freedoms and legitimate interests with regard to automated processing.

Absolutely Advertising performs automated decision making based on personal data when you complete our questionnaires it should be noted that the data subject have the right to object to automated decision making however, it could mean that we are unable to continue with the questionnaire. The automated processing involved is the automatic detection of answers provided by data subjects which may or would exclude them from participating in the study.

What is the source of the data?

Personal data come directly from the data subject.

What scope of personal data is processed?

The Controller processes personal data to the extent necessary to achieve the purposes of processing indicated in the Privacy Note. In accordance with the principle of minimization, we process only the scope of personal data necessary to achieve the purpose of processing.

How do we secure personal data?

Please be advised that in order to protect privacy and personal data, the Controller has implemented appropriate physical, technical, organizational and legal measures to ensure the security of personal data processing and to ensure the implementation of the rights and freedoms of natural persons.

Personal data breach notifications

We hereby inform that pursuant to Art. 34 GDPR, in the event of a breach of personal data protection that may result in a high risk of violation of the rights or freedoms of natural persons, the Controller shall notify the data subject of such a personal data breach without undue delay. Please be advised that pursuant to Art. 34 GDPR, personal data may be processed in connection with the personal data breach referred to above. Please be noted that the legal basis for the processing of personal data is art. 6 sec. 1 lit. c) GDPR. Please be advised that in the event of a personal data breach, the Controller will take all possible and available technical and organizational measures to meet the requirements set out in art. 33 and art. 34 GDPR.