Contact UsCareers
Top bar

Clinical trials privacy notice (EN)

Ayala Pharmaceuticals, Inc. Clinical Trial Privacy Notice

Effective on: 20 Oct 2020


Ayala Pharmaceuticals, Inc. (“Ayala”, “we”, “us”, “our”) takes the protection of your personal information (“Personal Data”) very seriously. Personal Data is any information about you that can be used to identify you as a person. This Privacy Notice (this “Notice”) describes how we use your Personal Data when we conduct clinical trials (a “Trial” or the “Trials”) of drug substances.


This Notice does not apply to Personal Data we collect by other means, like Personal Data that we receive directly through our public website. This Notice does not apply to Personal Data of our employees or medical staff on our Trials.


For more information about how we process Personal Data about other types of people, please see our general privacy policy on our website located at

Within the scope of this Notice, Ayala acts as a data controller for the Personal Data we process. This means that we determine the purposes and the means of the processing of your Personal Data. Important note: Nothing in this Notice is intended to limit in any way your statutory right, including your rights to a remedy or means of enforcement.

Basis of Processing

Before, during, and after each Trial, we will process your Personal Data for various purposes. In each case, we will rely on a legal basis of processing under the General Data Protection Regulation of the European Union (“GDPR”). We will only process your sensitive Personal Data (like health and genetic data) when allowed by law.

We process your Personal Data for safety and reliability purposes because we need to in order to comply with our legal obligations.


We process your Personal Data for scientific research purposes based on our legitimate interest in conducting clinical trials and performing valuable scientific and medical research.


If we process your Personal Data for other purposes after the end of a Trial, we will do so based on your consent or our legitimate interest in conducting further research.  Ayala will need to process data about your health in order for you to participate in a Trial. Health data is a “special category” of Personal Data under the GDPR. Special rules apply to working with it. When we process special categories of your Personal Data, we only do so when the processing is necessary for reasons of public interest in the area of public health. Those reasons include making sure our drugs are safe and effective, and conducting our Trials safely. We also process your sensitive Personal Data based on your explicit consent.


The specific grounds on which we process your Personal Data, including your health data, may vary somewhat from the above in order to comply with the requirements of applicable local laws in jurisdictions where we sponsor Trials. If you are a patient in an Ayala Trial, please refer to the informed consent form you signed for more information about the legal grounds on which we process your Personal Data. If there is any conflict between this Notice and the informed consent form you signed in connection with your participation in a clinical study we sponsor, the informed consent form shall supersede this Notice in terms of the conflicting provision.

How We Receive Personal Data

We receive your Personal Data when:

  • you provide it to us when you participate in a Trial; or
  • your doctors or healthcare providers provide it to us.

Categories Of Personal Data

Ayala itself will have access to the following types of your Personal Data:

  • health care information, such as the identity and contact information of your doctors and health care providers;
  • health information, such as your medical background, history, and reaction to the Trial drug; and
  • your genetic information.


Ayala’s service providers will have access to and process the following types of your Personal Data:

  • basic identifying information, such as your first and last name;
  • contact information; and
  • location information, such as the location of your testing site and Trial location.

Purposes Of Processing

We will process your Personal Data for the purposes of:

  • conducting the Trials;
  • ensuring that each Trial drug is safe and reliable; and
  • conducting related scientific and medical research.


We also process your Personal Data for the specific purposes described in the Trial information provided to you by Trial personnel.

Data Retention

Ayala will keep your Personal Data until we fulfill the purposes listed above, or for as long as required by applicable law.


Our Trials are long-term. We use them to track the effects of test medications using information collected from Trial participants like you. This means we will need to keep your Personal Data for a long time. However, in order to protect your privacy, the information of every Trial participant is “key-coded” before we enter it into the studies and reports. This means that we replace identifying information like your name and contact information with a code number.


To the maximum extent permitted by law, once your data has been key-coded and recorded in official Trial documents, we cannot remove it without affecting the accuracy of the studies and test results. European law requires us to keep Personal Data that is part of the master trial file for at least twenty-five years after the conclusion of the applicable Trial. This includes your identity and health information and any adverse effects of the drug you took during the Trial.

Sharing Personal Data With Third Parties

We will share your Personal Data with service providers who process Personal Data on our behalf and who agree to use your Personal Data only to assist us in conducting our Trials or as required by law.


Our service providers provide:

  • Clinical research (CRO) services;
  • Payment processing services;
  • Lab services;
  • Drug safety services;
  • Medical writing services;
  • Project management services; and
  • General consulting services.


We will also share your Personal Data with other third parties involved in the Trials. Some of these third parties are data controllers in their own right. These third parties include clinical sites like hospitals and medical offices, as well as public government agencies inside and outside of the European Union (EU) or the European Economic Area (EEA).


In some cases, countries outside of the EU or the EEA may not provide a level of protection equivalent to EU law. We will only transfer your Personal Data to these countries when there are appropriate safeguards in place. These safeguards include the European Commission-approved standard contractual data protection clauses.

Other Disclosure Of Your Personal Data

We may disclose your Personal Data:

  • to the extent necessary, with regulators, courts or competent authorities, to comply with applicable laws, regulations and rules (including, without limitation, federal, state or local laws), and requests of law enforcement, regulatory and other governmental agencies or if required to do so by court order;
  • if, in the future, we sell or transfer, or we consider selling or transferring,  part or all of our company, business, shares or assets to a third party, we will disclose your Personal Data to such third party (whether actual or potential) in connection with the foregoing events; or
  • in the event that we are acquired by, or merged with, a third party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign your Personal Data in connection with the foregoing events; and/or
  • if necessary, to our group companies for business purposes, as described above.
  • If you want to receive the list of the current recipients of your Personal Data, please make your request by contacting us to


If we have to disclose your Personal Data to a government or law enforcement, we may not be able to ensure that those officials will protect your Personal Data.

Data Integrity & Security

We have put in place technical, administrative, and physical measures that are designed to help protect your Personal Data from being accessed, disclosed, altered, or destroyed by unauthorized people. These measures include the use of measures like key-coding and encryption, where appropriate.

Your Rights

If we process your or your child’s Personal Data, you will have the right to request access to (or to update or correct) that Personal Data. You may also have the right to ask that we limit our processing of your Personal Data, as well as the right to object to our processing of your Personal Data. You may also have the right to data portability, which means that you may have the right to ask us to provide you with a copy of your Personal Data that another company like Ayala can process.


To submit these requests or raise any other questions, please contact us by using the information in the “Contact Us” section below.


You also have the right to lodge a complaint with a data protection regulator in one or more EEA countries.

Changes To This Notice

If we change this Notice, we will provide you with a copy of the revised Notice or update the web page you read it on. We will also update the “Effective” date.

Contact Us

If you have any questions about this Notice or our processing of your Personal Data, please contact our Data Protection Officer (DPO) at the contact information provided below. Our DPO will respond to you as soon as possible, but no later than 4 weeks after you contact us.

Data Protection Officer

We have appointed VeraSafe as our DPO. Please contact VeraSafe on matters related to our use of your Personal Data. VeraSafe’s contact details are:



22 Essex Way #8203

Essex, VT 05451 USA



European Union Representative

We have also appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, please contact VeraSafe on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: or via telephone at: +420 228 881 031.


VeraSafe can also be contacted at:


VeraSafe Netherlands BV

Keizersgracht 391 A

1016 EJ Amsterdam

The Netherlands