1. Introduction

Xenikos B.V. (“Xenikos”, “we”, “us”, “our”) sponsors ethically approved clinical trials (“Trial” or “Trials”). When you visit our website or participate or work in one of the Trials we sponsor, you trust us with your personally identifiable information (“Personal Data”). We are committed to keeping that trust. That starts with helping you understand our privacy practices.

This privacy notice (“Notice”) explains:

2. Identity and Contact Information

If you are an individual patient and you have any questions about this Notice or our processing of your Personal Data, or you would like to exercise your data protection rights, please first speak with your study doctor. Xenikos generally only has access to key-coded data, and we will be unable to identify you if we receive a request from you directly.
If you are not an individual patient, please contact us using one of the contact methods below.
Please allow up to one month for us to reply.

Clinical Trial Sponsor

Legal entity name: Xenikos B.V.
Address: Wilhelminasingel 14, 6524AL Nijmegen, The Netherlands
Email address: info@xenikos.com

Sponsor’s Data Protection Officer

For the attention of: Zia Maharaj, Senior Privacy Counsel
Legal entity name: VeraSafe, LLC
Address: 100 M Street S.E., Suite 600, Washington, D.C. 20003 USA
Phone: +1-617-398-7067
Email address: experts@verasafe.com

Sponsor’s Data Protection Representative in the UK

VeraSafe United Kingdom Ltd.
Address: 
37 Albert Embankment, London SE1 7TL, United Kingdom
Phone: +44 (20) 4532 2003
Contact form: www.verasafe.com/privacy-services/contact-article-27-representative

3. Scope of this Notice

What Is Covered by this Privacy Notice?

This Notice specifically applies to:

  • individual patientsand potential Trial participants in connection with our Trials and use of our experimental pharmaceutical products and/or future commercialized pharmaceutical products (if any);
  • health care providersand other study site personnel, in connection with our Trials; and
  • the website visitorsof xenikos.com, including those who contact info@xenikos.com or privacy@xenikos.com.

What Is Not Covered by this Privacy Notice?

  • Human Resources Personal Data
    This Notice does notapply to Personal Data collected by any other means or in different contexts, such as the Personal Data of our employees, job applicants, contractors, business owners, officers, directors, or staff of Xenikos.
  • Information Which Does Not Constitute Personal Data
    If we maintain information in a manner that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, with a particular individual or household, such information is not considered Personal Data and this Notice will not apply to our processing of that information.

4. Controllership

Within the scope of this Notice, Xenikos acts as a data controller for the Personal Data processed in the context of the Trials we sponsor and for the processing of your Personal Data that takes place when you visit our website. This means that we decide how and why Personal Data is collected and processed, or, in other words, we determine the purpose and means of the processing of your Personal Data.

In some jurisdictions, we may be considered a “joint controller” with another organization, such as the study site where the Trial is being conducted. This means that we jointly, together with the other organization, determine the purpose and means of the processing of your Personal Data. If you would like to know more about any other data controllers who might be joint controllers together with Xenikos, you may ask your study doctor or the study site for further details, specifically relating to the Trial that you are participating in.

5. Categories of Personal Data

Personal Data of Individual Trial Participants

Personal Data is collected by the clinic or other healthcare facilities where the Trial is being conducted or other third parties, such as your general medical practitioner. The personal data that is collected may include:

  • basic identifying information, such as your name, phone number, physical address, email address, sex, ethnicity, race, month and year of birth and unique Trial ID; and
  • health information, such as your medical history, current health status and reaction to the Trial drug or treatment.

However, even though Xenikos is a data controller for the Personal Data processed in the context of our Trials, Xenikos itself does not collect identifiable Personal Data, meaning that we are unable to identify you personally from the information we are collecting.

When any information relating to you is shared with us, it will first be key-coded (also known as “pseudonymized”) so that it is only linked to a study patient number and not to any direct personal identifier (such as your name). The key necessary to decode your information is stored securely at the Trial location and is not shared with Xenikos.

To comply with legislation governing the Trial, Xenikos may appoint a site monitor or inspector to review your identifiable information at the site or remotely via a secure online portal. The site monitor and/or inspector will not collect nor remove your information from the site and will not disclose your identity to Xenikos.

The Informed Consent Form will detail which information is collected from you, how it will be processed and analysed, and for how long it will be stored. You can ask your study doctor if you are unsure whether any specific information that you are being asked to provide is required as part of your participation in the Trial.

Personal Data of Healthcare Providers Participating in a Trial

We may collect the following types of Personal Data about healthcare providers in the context of our Trials:

  • basic identifying information, such as your first and last name;
  • contact information, such as your phone number, physical address and email address;
  • professional and employment-related information, such as your qualifications and job titles; and/or
  • location information, such as the location of your testing site and Trial location (i.e., study site).

Personal Data of Website Visitors

We may process the following types of Personal Data about you when you contact info@xenikos.com or privacy@xenikos.com:

  • basic identifying information, such as your first and last name;
  • contact information, such as your email address;
  • andwhatever information you share with us in your message.

When you visit our website we may process by means of functional session cookies a very limited amount of automatically generated data, such as your IP address and browser information.

6. How We Receive Personal Data

We may receive your Personal Data when:

  • you provide it directly to us (including when you provide your Personal Data to one of our service providers acting on our behalf);
  • a study doctor (also known as an “investigator”) or other healthcare personnel at the study site provides it to us, or your healthcare provider provides it to us;
  • we receive it from the clinical research organization that conducts the Trial on our behalf, and/or
  • you visit our website (via functional cookies only) or Trial-specific online portals

7. Purposes of Processing

Personal Data of Individual Trial Participants

Your personal data will be used to:

  • for your participation in the Trial,
  • to comply with legislation governing Trials,
  • monitoring and reporting on any adverse events,
  • answering the research questions for the Trial,
  • aggregating data to generate statistics relating to the Trial,
  • publishing anonymized results and
  • disclosing your data to the appropriate regulatory authorities, auditors, and ethics committees, if required by law.

Your personal information may also be used to:

  • introduce and keep the medicinal drug that was used in the Trial on the market;
  • enable a better understanding of diseases and associated health problems;
  • plan new studies, improving study methods and developing new medicinal drugs or health treatments; and/or
  • processing your requests to exercise your data protection rights;

We also process your Personal Data for the specific purposes described in the informed consent form provided to you by Trial personnel.

Personal Data of Healthcare Providers Participating in a Trial

We process the Personal Data of healthcare providers in the context of our Trials for the purposes of:

  • to confirm your qualifications and experience in order to comply with the suitability requirements for individuals conducting Trials in terms of clinical trials legislation;
  • managing and facilitating the Trial;
  • communicating with you on matters regarding the Trial;
  • to comply with legislation governing the Trial; and
  • processing your requests to exercise your data protection rights.

Personal Data of Website Visitors

We may process the Personal Data of website visitors for the purposes of:

8. Bases of Processing

We may process your Personal Data on the basis of:

  • Consent: We may ask for your consent to collect and process your Personal Data, including special categories of Personal Data, such as your health status and medical history.
  • Contract: We may process your Personal Data to fulfill a contract we have with you.
  • LegitimateInterests: We may process your Personal Data based on our legitimate interests related to Xenikos business or in facilitating and managing our Trials.
  • Compliance with Legal Obligations: We may need to process your Personal Data for us to comply with applicable laws or regulations, such as the laws regulating the safety and reliability of our Trials.
  • Public Interest

Where we process your Personal Data based on your consent, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.

Where we receive your Personal Data as part of a contract we may have with you, we require such Personal Data to be able to carry out the contract. Without that necessary Personal Data, we will not be able to fulfil our contractual obligation towards you.

When we rely on legitimate interests as a lawful basis of processing, you have the right to ask us more about how we decided to choose this legal basis. To do so, please use the contact details provided here.

Since we process special categories of Personal Data, such as your health status and medical history, the EU General Data Protection Regulation (“GDPR”) and the United Kingdom General Data Protection Regulation (“UK GDPR”) requires that we must have an additional legal ground to process this type of information. Xenikos may process your special categories of Personal Data on the basis of your explicit consent, or where the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

The specific grounds on which we process your Personal Data, including your health data, may vary somewhat from the above in order to comply with the requirements of local laws in jurisdictions where we sponsor Trials. If you are a participant in a Trial, please refer to the informed consent form you signed when you joined the Trial for more information about the legal grounds on which we process your Personal Data.

9. Data Retention

We will retain your Personal Data for as long as is necessary to fulfil the purpose for which we collected your Personal Data (listed above) and any other permitted linked purpose, and in compliance with our data retention policies as applicable from time to time. For example, we will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

Once your information has been entered into the Trial records, we cannot remove it without affecting the accuracy of the Trial and the test results. Some laws require us to keep Trial records for at least 25 years after the conclusion of the Trial. We will ensure that your Personal Data is safeguarded at all times.

10. Sharing Personal Data With Third Parties

Your Personal Data may be shared with third parties and recipients such as other companies within Xenikos’ group, service providers and other partners of Xenikos, contractors, government agencies, and with research institutions who will use study data only for the purposes described in Section 7 , or as required by law. These third parties and recipients may include:

  1. Parties that facilitate the Trial, such as laboratories conducting tests, couriers to safely ship the biological materials, parties that provide data management and biostatistics services to analyze the data and prepare for publication and parties that provide safety and pharmacovigilance services to monitor and report Trial data;
  2. Software and hosting providers to capture and help analyze the data;
  3. Auditors/inspectors appointed by or on behalf of Xenikos to check that all these services are performed properly and that the Trial is conducted in a compliant way;
  4. Regulators or competent authorities, such as the European Medicines Agency (EMA), the Food and Drug Administration (FDA) in the United States of America, the relevant Ethics Committees and Competent Authorities, to the extent necessary to comply with applicable laws, regulations and rules, for example in case of adverse events or in order to get marketing authorization;
  5. Study monitors appointed by or on behalf of Xenikos to check how the Trial is being run at the clinical site and to make sure all the appropriate data is collected, and
  6. the National Marrow Donor Program (“NMDP”), a Colorado non-profit corporation located in Minneapolis, and the data coordinating center of the Medical College of Wisconsin (“MCW”). NMDP is a member of the Blood and Marrow Transplant Clinical Trials Network (“BMT CTN”). The MCW oversees clinical trial operations for BMT CTN. NMDP, MCW and Xenikos collaborate in this Trial as independent controllers. If you have any questions about the processing of your personal data by NMDP or MCW, or you would like to exercise your data protection rights, please contact one of the contacts mentioned below under Section 15 ‘Your data protection rights.

Please note that only non-identifiable key-coded Personal Data will be shared with the third parties listed above, except for the third parties mentioned under c, d and e.

The Personal Data we may collect when you visit our website or when you contact info@xenikos.com or privacy@xenikos.com, will only be shared with our service providers who process Personal Data on our behalf, and who agree to use the Personal Data to assist us in fulfilling the purposes of processing as described in Section 7 above, or as required by law.

11. Transfers of Personal Data from the EU/EEA

The GDPR only allows us to transfer Personal Data outside of the European Union (“EU”) or the European Economic Area (“EEA”) if the country that the data is being transferred to offers an adequate level of protection for the Personal Data which is equivalent to EU law.

Some of our third-party service providers described above may be located in countries outside of the EU/EEA such as the United States of America (“USA”) and the United Kingdom (“UK”).

In some cases, the European Commission may have determined that the laws of certain countries provide an adequate level of protection to Personal Data, such as the UK. You can see here the full list of countries that the European Commission has recognized as providing an adequate level of protection to Personal Data.

For transfers of Personal Data to third countries which are not recognized as providing an adequate level of protection, such as the US, we will only transfer EU Personal Data to third parties in those countries when there are appropriate safeguards in place. These safeguards may include the Standard Contractual Clauses as approved by the European Commission under Article 46.2 of the GDPR. In cases where it is not reasonably possible to ensure such appropriate safeguards, data transfers will only be made if you have given your express consent to this.

12. Transfer of Personal Data from the UK

The UK GDPR only allows us to transfer Personal Data outside of the United Kingdom (“UK”) if the country that the data is being transferred to offers an adequate level of protection for the Personal Data which is equivalent to UK law. Xenikos is located in The Netherlands, which has been deemed as a country offering adequate protection for Personal Data subject to the UK GDPR.

Some of our third-party service providers described above may also be located in countries outside of the UK, such as the US. In some cases, the UK Information Commissioner’s Office (the “ICO”) may have determined that the laws of certain countries provide an adequate level of protection to Personal Data.

For transfers of Personal Data to third countries which are not recognized as providing an adequate level of protection, such as the US, we will only transfer UK Personal Data to third parties in those countries when there are appropriate safeguards in place. These safeguards may include the Standard Contractual Clauses as approved by the ICO. In cases where it is not reasonably possible to ensure such appropriate safeguards, data transfers will only be made if you have given your express consent to this.

13. Other Disclosure of Your Personal Data

We may disclose your Personal Data:

  • with regulators or competent authorities, to the extent necessary to comply with applicable laws, regulations and rules (including, without limitation, federal, state or local laws);
  • to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties);
  • if, in the future, we sell or transfer, or consider selling or transferring, part or all of our company, business, shares or assets to a third party, and we disclose your Personal Data to such third party in connection with the sale or transfer; and/or
  • in the event that we are acquired by, or merged with, a third-party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign your Personal Data in connection with the foregoing events.

If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.

14. Data Integrity and Security

We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing. This includes unauthorized access, disclosure, alteration, or destruction.

15. Your Data Protection Rights

You have specific rights regarding your Personal Data that we collect and process.

For individual patients: to exercise the rights we explain below, please first speak with your study doctor instead of contacting us directly. Xenikos has access to key-coded data only and will be unable to identify you if you would approach Xenikos directly. Where appropriate, your doctor will pass on your request to Xenikos.

To exercise your data protection rights, please email us at . Please note we may ask you to provide additional information to help us identify you and swiftly treat your request.

Right to Know What Happens to Your Personal Data

This is called the “right to be informed”. It means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things.

We are informing you of how we process your Personal Data with this Notice.

Right to Know What Personal Data Xenikos Has About You

This is called the “right of access”. This right allows you to ask for full details of the Personal Data we hold about you.

Once we receive and confirm that the request came from you or your authorized agent, we will disclose these details to you, including the categories of your Personal Data that we process, our purposes for processing your Personal Data;

  • the categories of third parties with whom we share your Personal Data and.
  • the specific pieces of Personal Data we process about you in an easily sharable format.

Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.

Right to Change Your Personal Data

This is called the “right to rectification”. It gives you the right to ask us to correct anything that you think is wrong with the Personal Data we have on file about you, and to complete any incomplete Personal Data.

Right to Delete Your Personal Data

This is called the “right to erasure”, “right to deletion”, or the “right to be forgotten”. This right means you can ask for your Personal Data to be deleted.

Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.

Right to Ask Us to Limit How We Process Your Personal Data

This is called the “right to restrict processing”. It is the right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.

Right to Ask Us to Stop Using Your Personal Data

This is called the “right to object”. This is your right to tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours (or of a third party).

We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.

Right to Port or Move Your Personal Data

This is called the “right to data portability”. It is the right to ask for and receive a portable copy of your Personal Data that you have given us.

We will provide your Personal Data in a structured, commonly used, and machine-readable format. When you request this information electronically, we will give you a copy in electronic format.

Right Related to Automated Decision Making

If you participate in a Trial we sponsor, you will be assigned a unique patient identification number. For a given Trial, this number may be as part of an automatic process that randomly determines if you will receive the experimental drug product or treatment that is being evaluated, or if you will receive a placebo or different treatment. This type of automated decision-making is required in order to ensure that the applicable Trial is conducted in an ethical way, and in accordance with the pharmaceutical industry’s standards.

For decisions that may seriously impact you, you have the “right not to be subject to automatic decision-making”. But in those cases, we will always explain to you when we might do this, why it is happening, and the potential effect on you. If you are a participant in a Trial, please refer to the informed consent form you signed when you joined the Trial for more information.

Right to Withdraw Your Consent

Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. If you withdraw your consent, our use of your Personal Data before you withdraw is still lawful.

As discussed above, if we requested your consent to process your Personal Data, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.

Right to Lodge a Complaint with a Supervisory Authority

If the GDPR applies to our processing of your Personal Data, you have the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your Personal Data.

Specifically, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work, or the alleged violation of the GDPR.

17. Changes to this Notice

If we change this Notice, we will publish the revised Notice on our website. We will also update the “Effective” date.