Contact UsCareers
Top bar

Clinical trials privacy notice (EN)

Ayala Pharmaceuticals, Inc. Clinical Trial Privacy Notice

Effective on: 26 Sep 2019


Ayala Pharmaceuticals, Inc. (“Ayala”, “we”, “us”, “our”) takes the protection of your personal information (“Personal Data”) very seriously. Personal Data is any information about you that can be used to identify you as a person. This Privacy Notice (this “Notice”) describes how we use your Personal Data when we conduct clinical trials (a “Trial” or the “Trials”) of drug substances.


This Notice does not apply to Personal Data we collect by other means, like Personal Data that we receive directly through our public website. This Notice does not apply to Personal Data or our employees or medical staff on our Trials.


For more information about how we process Personal Data about other types of people, please see our general privacy policy on our website located at


Within the scope of this Notice, Ayala acts as a data controller for the Personal Data we process. This means that we determine the purposes and the means of the processing of your Personal Data.

Basis of Processing

Before, during, and after each Trial, we will process your Personal Data for various purposes. In each case, we will rely on a legal basis of processing under the General Data Protection Regulation of the European Union (“GDPR”). We will only process your sensitive Personal Data (like health and genetic data) when allowed by law.


We process your Personal Data for safety and reliability purposes because we need to in order to comply with our legal obligations.


We process your Personal Data for scientific research purposes based on our legitimate interest in conducting clinical trials and performing valuable scientific and medical research.


If we process your Personal Data for other purposes after the end of a Trial, we will do so based on your consent or our legitimate interest in conducting further research.


Ayala will need to process data about your health in order for you to participate in a Trial. Health data is a “special category” of Personal Data under the GDPR. Special rules apply to working with it. When we process special categories of your Personal Data, we only do so when the processing is necessary for reasons of public interest in the area of public health. Those reasons include making sure our drugs are safe and effective and conducting our Trials safely. We also process your sensitive Personal Data based on your explicit consent.

How We Receive Personal Data

We receive your Personal Data when:

  • you provide it to us when you participate in a Trial; or
  • your doctors or healthcare providers provide it to us.

Categories Of Personal Data

Ayala itself will have access to the following types of your Personal Data:

  • health care information, such as the identity and contact information of your doctors and health care providers;
  • health information, such as your medical background, history, and reaction to the Trial drug; and
  • your genetic information.

Ayala’s service providers will have access to and process the following types of your Personal Data:

  • basic identifying information, such as your first and last name;
  • contact information; and
  • location information, such as the location of your testing site and Trial location.

Purposes Of Processing

We will process your Personal Data for the purposes of:

  • conducting the Trials;
  • ensuring that each Trial drug is safe and reliable; and
  • conducting related scientific and medical research.

We also process your Personal Data for the specific purposes described in the Trial information provided to you by Trial personnel.

Data Retention

Ayala will keep your Personal Data until we fulfill the purposes listed above, or for as long as required by applicable law.


Our Trials are long-term. We use them to track the effects of test medications using information collected from Trial participants like you. This means we will need to keep your Personal Data for a long time. However, in order to protect your privacy, the information of every Trial participant is “key-coded” before we enter it into the studies and reports. This means that we replace identifying information like your name and contact information with a code number.


Once your data has been key-coded and recorded in official Trial documents, we cannot remove it without affecting the accuracy of the studies and test results. European law requires us to keep Personal Data that is part of the master trial file for at least twenty-five years after the conclusion of the applicable Trial. This includes your identity and health information and any adverse effects of the drug you took during the Trial.

Sharing Personal Data With Third Parties

We will share your Personal Data with service providers who process Personal Data on our behalf and who agree to use your Personal Data only to assist us in conducting our Trials or as required by law.


Our service providers provide:

  • Clinical research (CRO) services;
  • Payment processing services;
  • Lab services;
  • Drug safety services;
  • Medical writing services;
  • Project management services; and
  • General consulting services.


We will also share your Personal Data with other third parties involved in the Trials. Some of these third parties are data controllers in their own right. These third parties include clinical sites like hospitals and medical offices, as well as public government agencies inside and outside of the European Union (EU) or the European Economic Area (EEA).


In some cases, countries outside of the EU or the EEA may not provide a level of protection equivalent to EU law. We will only transfer your Personal Data to these countries when there are appropriate safeguards in place. These safeguards include the European Commission-approved standard contractual data protection clauses.

Other Disclosure Of Your Personal Data

We may disclose your Personal Data:

  • if we’re required to by law;
  • if we need to in order to comply with official requests or legal proceedings;
  • if we sell or transfer part or all of our company; or
  • if necessary, to our group companies for business purposes, as described above.

If we have to disclose your Personal Data to a government or law enforcement, we may not be able to ensure that those officials will protect your Personal Data.

Data Integrity & Security

We have put in place technical, administrative, and physical measures that are designed to help protect your Personal Data from being accessed, disclosed, altered, or destroyed by unauthorized people. These measures include the use of measures like key-coding and encryption, where appropriate.

Your Rights

If we process your or your child’s Personal Data, you will have the right to request access to (or to update or correct) that Personal Data. You may also have the right to ask that we limit our processing of your Personal Data, as well as the right to object to our processing of your Personal Data. You may also have the right to data portability, which means that you may have the right to ask us to provide you with a copy of your Personal Data that another company like Ayala can process.


To submit these requests or raise any other questions, please contact us by using the information in the “Contact Us” section below.


You also have the right to lodge a complaint with a data protection regulator in one or more EEA countries.

Changes To This Notice

If we change this Notice, we will provide you with a copy of the revised Notice or update the web page you read it on. We will also update the “Effective” date.

Contact Us

If you have any questions about this Notice or our processing of your Personal Data, please contact our Data Protection Officer (DPO) at the contact information provided below. Please allow up to four weeks for us to reply.

Data Protection Officer

We have appointed VeraSafe as our DPO. Please contact VeraSafe on matters related to our use of your Personal Data. VeraSafe’s contact details are:


22 Essex Way #8203 Essex, VT 05451 USA


European Union Representative
We have also appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, please VeraSafe on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: or via telephone at: +420 228 881 031.


VeraSafe can also be contacted at:

VeraSafe Netherlands BV

Keizersgracht 391 A

1016 EJ Amsterdam The Netherlands