Effective on: 26 Sep 2019
Ayala Pharmaceuticals, Inc. (“Ayala”, “we”, “us”, “our”) takes the protection of your personal information (“Personal Data”) very seriously. Personal Data is any information about you that can be used to identify you as a person. This Privacy Notice (this “Notice”) describes how we use your Personal Data when we conduct clinical trials (a “Trial” or the “Trials”) of drug substances.
This Notice does not apply to Personal Data we collect by other means, like Personal Data that we receive directly through our public website. This Notice does not apply to Personal Data of our employees or medical staff on our Trials.
Within the scope of this Notice, Ayala acts as a data controller for the Personal Data we process. This means that we determine the purposes and the means of the processing of your Personal Data.
Before, during, and after each Trial, we will process your Personal Data for various purposes. In each case, we will rely on a legal basis of processing under the General Data Protection Regulation of the European Union (“GDPR”). We will only process your sensitive Personal Data (like health and genetic data) when allowed by law.
We process your Personal Data for safety and reliability purposes because we need to do so in order to comply with our legal obligations.
We process your Personal Data for scientific research purposes based on our legitimate interest in conducting clinical trials and performing valuable scientific and medical research.
If we process your Personal Data for other purposes after the end of a Trial, we will do so based on your consent or our legitimate interest in conducting further research.
Ayala will need to process data about your health in order for you to participate in a Trial. Health data is a “special category” of Personal Data under the GDPR. Special rules apply to working with it. When we process special categories of your Personal Data, we only do so when the processing is necessary for reasons of public interest in the area of public health. Those reasons include making sure our drugs are safe and effective and conducting our Trials safely. We also process your sensitive Personal Data based on your explicit consent.
We receive your Personal Data when:
Ayala itself will have access to the following types of your Personal Data:
Ayala’s service providers will have access to and process the following types of your Personal Data:
We will process your Personal Data for the purposes of:
We also process your Personal Data for the specific purposes described in the Trial information provided to you by Trial personnel.
Ayala will keep your Personal Data until we fulfill the purposes listed above, or for as long as required by applicable law.
Our Trials are long-term. We use them to track the effects of test medications using information collected from Trial participants like you. This means we will need to keep your Personal Data for a long time. However, in order to protect your privacy, the information of every Trial participant is “key-coded” before we enter it into the studies and reports. This means that we replace identifying information like your name and contact information with a code number.
Once your data has been key-coded and recorded in official Trial documents, we cannot remove it without affecting the accuracy of the studies and test results. European law requires us to keep Personal Data that is part of the master trial file for at least twenty-five years after the conclusion of the applicable Trial. This includes your identity and health information and any adverse effects of the drug you took during the Trial.
We will share your Personal Data with service providers who process Personal Data on our behalf and who agree to use your Personal Data only to assist us in conducting our Trials or as required by law.
Our service providers provide:
We will also share your Personal Data with other third parties involved in the Trials. Some of these third parties are data controllers in their own right. These third parties include clinical sites like hospitals and medical offices, as well as public government agencies inside and outside of the European Union (EU) or the European Economic Area (EEA).
In some cases, countries outside of the EU or the EEA may not provide a level of protection equivalent to EU law. We will only transfer your Personal Data to these countries when there are appropriate safeguards in place. These safeguards include the European Commission-approved standard contractual data protection clauses.
We may disclose your Personal Data:
If we have to disclose your Personal Data to a government or law enforcement, we may not be able to ensure that those officials will protect your Personal Data.
We have put in place technical, administrative, and physical measures that are designed to help protect your Personal Data from being accessed, disclosed, altered, or destroyed by unauthorized people. These measures include techniques like key-coding and encryption, where appropriate.
If we process your or your child’s Personal Data, you will have the right to request access to (or to update or correct) that Personal Data. You may also have the right to ask that we limit our processing of your Personal Data, as well as the right to object to our processing of your Personal Data. You may also have the right to data portability, which means that you may have the right to ask us to provide you with a copy of your Personal Data that another company like Ayala can process.
To submit these requests or raise any other questions, please contact us by using the information in the “Contact Us” section below.
You also have the right to lodge a complaint with a data protection regulator in one or more EEA countries.
If we change this Notice, we will provide you with a copy of the revised Notice or update the web page you read it on. We will also update the “Effective” date.
If you have any questions about this Notice or our processing of your Personal Data, please contact our Data Protection Officer (DPO) at the contact information provided below. Please allow up to four weeks for us to reply.
We have appointed VeraSafe as our DPO. Please contact VeraSafe on matters related to our use of your Personal Data. VeraSafe’s contact details are:
22 Essex Way #8203 Essex, VT 05451 USA
European Union Representative
We have also appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, please contact VeraSafe on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form:
https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +420 228 881 031.
VeraSafe can also be contacted at:
VeraSafe Netherlands BV
Keizersgracht 391 A
1016 EJ Amsterdam The Netherlands