Privacy Notice
This Privacy Notice describes how SpyBiotech (“SpyBiotech,” “we,” “us”, “our”) may collect and use personal information about you in connection with our business activities, communications and websites, as a data controller. Our company’s address and the details of our data protection officer are here.
We are committed to safeguarding your personal information (or personal data) in line with all applicable laws, including the UK Data Protection Act 2018 and UK General Data Protection Regulation (the “GDPR”). SpyBiotech is the ‘controller’ of your personal data i.e., it is responsible for deciding how it holds and why it uses your personal information.
This Privacy Notice explains:
- The types of data subject and personal information we collect
- How we use your personal information and the lawful basis/condition relied upon
- Our use of cookies and other similar technologies
- With whom we may share your personal information and where we may transfer it
- Other ways we collect your personal information
- How long we retain your personal information for
- How we protect your personal information
- Your data subject rights regarding your personal information
- What to do if you do not wish for us to collect or hold your personal information
- Contacting us and the Information Commissioner’s Office
In some cases, additional or supplemental privacy notices may be created to apply to certain personal information that we collect and process in particular circumstances. For example, more specific information is provided to employees and clinical trial participants.
We may amend this Privacy Notice from time to time; we therefore encourage you to refer to it periodically. If you have any questions, please contact us at [email protected]. If the alterations are material or affect your GDPR rights, we will let you know before the updated version becomes effective so that you may object.
The types of data subjects and personal information we collect
We collect (or may in the future collect) personal information about individuals who visit our website (“Visitors”), people who submit comments or questions to us (including via our website) (“Enquirers”), potential or current investors (“Investors”), applicants for job roles (including speculative enquiries) (“Applicants”), key opinion leaders (“KOLs”) and/or investigators, including those with whom we have a contract for services (“Consultants”), and representatives of our business partners and suppliers (“Representatives”) (collectively, “Everyone”).
We collect and process the following types of personal information which we categorise into the following buckets:
- Contact Information: including email and physical home and work addresses, mobile and landline phone numbers;
- Identifiers: including name, title, age, date of birth, Government-issued identifier such as driver’s licence, passport or National Insurance number;
- Qualifications: including educational and professional history and qualifications, membership of professional bodies and societies;
- Sensitive Information: (information which is sensitive in its nature, but is not legally classified as “special category”) including bank details, passwords, complaint data;
- Special Category Data: including health data (e.g. disabilities, dietary requirements), racial or ethnic origin, religious or philosophical beliefs; and
- Status: including gender, sex, marital status, nationality, citizenship or location of birth, relationship to others e.g. parent, spouse etc.
We take appropriate steps to keep your personal information accurate, complete and up to date. If you believe your personal information is out of date or incomplete, contact our Senior Responsible Officer.
How we use your personal information and the lawful basis/condition relied upon
Table 1

| Data subjects | Categories of personal information | Lawful basis/condition |
| --- | --- | --- |
| Enquirers; Visitors | Contact Information; Identifiers | Consent; Legitimate Interests in running and improving our business and website |
| Applicants; Consultants; Investors; KOLs; Representatives | Contact Information; Identifiers; Qualifications; Sensitive Information; Special Category Data; Status | Consent; Legal Obligation; Performance of a Contract; Publicly Available |
| Investors; KOLs; Representatives | Contact Information | Legitimate Interests in keeping stakeholders up to date on our strategy, achievements and progress |
| Everyone | All categories | Comply with a Legal Obligation; Legitimate Interests in responding to compelling voluntary requests for information |
| Consultants; Investors; KOLs; Representatives | Contact Information; Identifiers; Qualifications; Special Category Data; Status | Consent; Legal Obligation; Performance of a Contract; Publicly Available; Vital Interests |
| Everyone | All categories | Comply with a Legal Obligation; Legal Claims; Legitimate Interests in ensuring compliance with internal policies and procedures and applicable laws/regulations |
Lawful processing grounds
Comply with a Legal Obligation means processing your personal information where it is necessary for us to comply with a legal obligation.
Consent as the applicable law requires/permits means either: (a) an explicit, specific, informed, freely given unambiguous indication of your agreement to our processing of your personal information; or (b) an indication of your acceptance, following the provision of transparency information and a refusal to exercise your opt-out right (sometimes referred to as “implied consent”).
Legitimate Interests means our interest in conducting and managing our business as shown in Table 1. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests by undertaking an assessment. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your Consent or are otherwise required to in order to Comply with a Legal Obligation). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting our Senior Responsible Officer here.
Performance of a Contract means processing your personal information where it is necessary for the performance of a contract to which you, or your employer, are a party or to take steps at your or their request before entering such a contract.
Additional lawful processing conditions: Special Category Data
Legal Claims means processing your special category data because it is necessary for us to establish, exercise or defend legal claims.
Publicly Available means processing the special category data which you have volunteered for public consumption e.g. via open public media posts.
Vital Interests means processing your special category data where it is necessary to protect your (or another individual’s) life or death interests and you are incapable of giving Consent.
Our use of cookies and other similar technologies
At this moment, we do not use any cookies or equivalent technology on our website.
With whom we may share your personal information and where we may transfer it
Subject to legally permissible exemptions, the personal data of Everyone will not be disclosed for a purpose other than that for which they were collected but may be communicated to: (a) our Consultants and Representatives; (b) as legally permissible, further independent data controllers (including professional advisers and accountants) and government and regulatory entities e.g. HMRC. A current list of our third-party service providers, as well as other parties to whom personal data may be communicated, is available upon request by contacting us. Further, we may disclose your personal data to third parties to whom we may sell (or buy), transfer or merge part(s) of our business or our assets.
Restricted transfers
Except for the processing related to our website, which takes place in the USA, personal data is primarily stored within our company and on servers located within the European Union and/or the UK or other countries deemed adequate under the GDPR (“Adequate Countries”). However, subject to the provision of suitable safeguards, we have the right to move your personal data and our servers (including those provided by our third-party service providers and their sub-processors) to outside the Adequate Countries. In the absence of a decision on adequacy by the UK’s Secretary of State, the suitable safeguards include guarantees of a contractual or negotiated nature, including Binding Corporate Rules and international data transfer agreements. In the absence of a decision on adequacy or other suitable safeguards as described above, the transfer to and/or processing of your personal data by third parties outside the Adequate Countries will be carried out only with your Consent.
Other ways we collect your personal information
- We collect your personal information in a variety of ways, including but not limited to when you interact with us virtually (e.g., via the website) or in-person, by other online means, including by phone, at meetings or conferences, or any other direct means (“Direct Collection”); or
- Through government agencies, publicly available records and public sources and/or from industry associations, patient groups, your peers or colleagues (“Indirectly”).
Where we collect personal information about you Indirectly in a manner or for a purpose not explained in this Privacy Notice, we will let you know by contacting you with a supplemental privacy notice.
How long we retain your personal information for
We retain your personal information in accordance with our retention policy which sets out retention periods as may be required by law, or where there is a reason to keep it because of business need, legal action (actual or in reasonable contemplation), or for internal or external investigations. Once a retention period has lapsed, we take appropriate steps to dispose of your personal information.
How we protect your personal information
We adopt a variety of security measures and technologies (“Protections”) to help protect your personal information from unauthorised access, use, disclosure, alteration or destruction in line with the GDPR. We oblige our third-party service providers to provide at least the same level of Protection as stipulated in our contracts with them.
Your data subject rights regarding your personal information
The GDPR provides individuals with a number of rights over their personal information. Depending upon the lawful processing ground/condition relied upon to justify our processing of your personal information (see Table 1) you may be entitled to request:
- Access to your personal information (commonly known as a “data subject access request”) such as to receive a copy of the personal information we hold about you and the provision of supplemental accompanying information;
- Correction of the personal information that we hold about you, if the information is incomplete or inaccurate;
- Erasure of your personal information where there is no good reason for us continuing to process it or where you have exercised your right of objection;
- Objection to processing of your personal information where we are relying on our Legitimate Interests (or those of a third party);
- Restriction or suspension of processing of your personal information where we are relying on our Legitimate Interests;
- Transfer (portability) of your personal information to another party where we are relying on your Consent or Performance of a Contract; and
- Withdrawal of your Consent to the processing of your personal information, where we previously obtained it.
If you would like to exercise your rights, please contact us. We may ask you to verify your identity before fulfilling the request. Verification ensures that your personal data are kept secure. If you would like to make a complaint, please refer to the Contacting us and the Information Commissioner’s Office section for further information.
Depending on the nature of the request, you may not have to pay a fee. However, we may charge a reasonable fee if your request is unfounded or excessive. Alternatively, we may refuse to comply with the request in the terms made in such circumstances.
What to do if you do not wish for us to collect or hold your personal information
Where we are Directly Collecting, you have the option not to share your personal information with us. If you object to the processing of your personal information, or if you have provided your Consent to processing and you later choose to withdraw it, we will respect that choice in accordance with our legal obligations and any legal exemptions which may apply. This could mean that we may not be able to perform the actions necessary to achieve the purpose(s) as set out in this notice or that you may be unable to engage with us.
Contacting us and the Information Commissioner’s Office
If you have any questions specifically about this Privacy Notice or wish to make a data subject request, please email [email protected] or write to us at 7600 Quorum, Oxford Business Park North, Oxford OX4 2JZ. If you are unsatisfied with how we have handled your personal information or request, please contact us in the first instance and we will aim to resolve the matter. If you are still unhappy, you also have the right to submit a complaint to the data protection supervisory authority that SpyBiotech is registered with in the United Kingdom, being the Information Commissioner’s Office (ICO).
Last revised date August 2024