Biosciences

ND BIOSCIENCES | GENERAL PRIVACY NOTICE

1. INTRODUCTION

At ND Biosciences (ND Biosciences, we or us), we recognize the importance of your privacy and of transparency in our processing of your personal data. This general privacy notice (Privacy Notice) describes how we collect and process personal data about:

  • the representatives of our prospects, business and research partners and suppliers or any person involved with them; and
  • individuals who apply for a position with us; and
  • visitors of our

We may also have additional privacy notices that apply in specific circumstances.

2. SHORT VERSION

The following is a brief summary of (but not a replacement for) this Privacy Notice:

  • We collect the personal data which is provided to us by our business and research partners, the persons with whom we interact, or which we otherwise lawfully obtain in the course of our activities (see section 4);
  • We process such personal data in compliance with Swiss laws and other laws applicable to us, mainly for the purpose of carrying out our contractual obligations towards our business and research partners, to manage our business, and to comply with our legal obligations (see sections 6 and 7);
  • We do not share or transfer personal data unless this is both necessary for our professional activities and permitted by Swiss laws. This may for instance be the case when we use service providers or must interact with partners or subcontractors to conduct our activities (see sections 8 and 9)

You may contact us (info@nd-biosciences.com) to exercise your rights pertaining to your personal data (see section 13).

3. WHO IS RESPONSIBLE FOR THE PROCESSING OF YOUR PERSONAL DATA?

ND Biosciences SA, Route de la Corniche 5, c/o Biopôle SA, Bâtiment Alanine, 1066 Epalinges, is responsible for the processing, as controller, of your personal data. You will find our contact details below in section 13.

This privacy notice only applies to processing undertaken by or on behalf of us. Whilst we may provide links to other third party websites or services, we do not accept any responsibility or liability for their policies in relation to any personal data or their collecting processing of any personal data.

4. HOW WE COLLECT YOUR PERSONAL DATA


We collect the personal data that you or others provide to
We might obtain your personal data from you directly, or from other persons or entities we enter in contact with in the conduct of our work, such as our business partners, third parties involved with them, pharmaceutical companies or research institutions.

By providing your information to us, you acknowledge the processing set out in this privacy notice.

Some information is mandatory and some is optional
Whenever personal data is collected (e.g. in application forms), we will indicate whether the provision of such data is mandatory (e.g. with an asterisk) and the consequences of a refusal to provide the requested data.

We may also collect personal data from public sources
Insofar as it is permitted to us, we may also obtain personal data from publicly available or private sources, such as scientific databases or public/commercial registries, the press, websites, knowledge platforms, or social media.

The personal data we process may contain sensitive data
Due to the particularities of our activities, we may receive and process sensitive data about you, in particular health or genetic data (such as information relating to diseases, diagnostics, interventions, medicine intake, and so on.) (Sensitive Data).

We will process such Sensitive Data in accordance with applicable data protection laws, as specified in this Privacy Notice. In addition to the usual appropriate technical and organizational measures we implement to ensure the security and integrity of the personal data processed by us, we may implement additional measures in relation to Sensitive Data, as appropriate. These may include segregation, pseudonymization or restriction of access to the data.

5.  HOW WE PROCESS YOUR PERSONAL DATA

We process your personal data by automated means for the purposes indicated in this Privacy Notice and in accordance with applicable law

We process personal data entrusted to us in compliance with Swiss laws on data protection, and to the extent they apply to us, other data protection legislations, such as the EU General Data Protection Regulation (GDPR) or its equivalent in the United Kingdom, using computers or computer tools, in line with the purposes set out in this Privacy Notice.

We do not make decisions exclusively on the basis of an automated processing which have legal effects on the data subjects or affect them significantly (automated individual decision) and also do not process your personal data to create a profile about you (profiling).

We may combine your personal data with other information (aggregate) or erase any information that allows us to identify you (anonymize), so that it is no longer considered personal data under applicable data protection law, in which case this Privacy Notice will no longer apply and we may use such data for purposes not contemplated by this Privacy Notice (e.g. for internal research and development, for analytics purposes, or to develop and market new services). You may object to the anonymization or aggregation of your personal data for this purpose at any time (see section 12 below for additional information on your rights).

We take the technical and organizational appropriate security measures to prevent unauthorized access, disclosure, modification, alteration or destruction of your personal data, as specified  in section 11 below.

6. ON WHICH LEGAL GROUND DO WE PROCESS PERSONAL DATA?

We will only process your personal data if we have valid legal ground for doing so. Depending on the processing activity carried out, we will therefore only process your personal data if:

  • The processing is necessary to fulfill our contractual obligations to you or to take pre-contractual steps at your request (Contractual Necessity);

When the GDPR applies, Contractual Necessity is based on Article 6(1)(b) GDPR;

  • The processing is necessary for the fulfillment of our legitimate interests, and only to the extent that your interests or fundamental rights and freedoms do not require us to refrain from processing (Legitimate Interest);

Our Legitimate Interests include in particular (i) carrying out our contractual obligations towards our business and research partners (ii) protecting the security of our IT systems, architecture and networks; (iii) conducting research and further developing our products and services (including to develop novel therapies and diagnostics for neurodegenerative diseases); (iv) benefiting from cost-effective services (e.g. we may opt to use certain services offered by suppliers rather than undertaking the activity ourselves); and (iv) achieving our corporate and social goals. When the GDPR applies, Legitimate Interest is based on Article 6(1)(f) GDPR;

  • We have obtained your prior consent in a clear and unambiguous manner (Consent);

When the GDPR applies, Consent is based on Article 6(1)(a) GDPR;

  • The processing is necessary to comply with our legal or regulatory obligations (Legal Obligation);

When the GDPR applies, Legal Obligation is based on Article 6(1)(c) GDPR.

Moreover, we may in certain circumstances act as data processor for a business or research partner in connection with the provision of our services, in which case our partner will be the data controller. In this case, our processing of your personal data is governed by a contract between us and the relevant partner. This privacy notice does not address how our partners use your personal data. Please contact them directly for any inquiry relating to their use of your personal data.

In addition, we will only process Sensitive Data if (i) we are acting as processor as indicated above, (ii) we have obtained your explicit Consent for one or more specified purposes, or (iii) if we can rely on another lawful justification in accordance with applicable data protection laws.

7. PURPOSES FOR WHICH WE PROCESS YOUR PERSONAL DATA?

In General
We process your personal data for specific purposes and only to the extent relevant to achieve these purposes. In particular, we process your personal data for the following purposes:

For contract management purposes
If we are in a business relationship with you or one of our business or research partners for whom you work (or we are in discussions to enter into one), we process the personal data that is necessary for the management of our contractual relationship with our partners, as well as for the following other related purposed:

  • to carry out the tasks for which we are engaged, and to procure products and services from our suppliers and subcontractors
  • to interact with you, for instance to reply to your inquiries;
  • to track our activities (measuring our work time, etc.) and those of our suppliers;
  • to manage our archiving and records; and
  • for invoicing

The personal data that we process in this context includes:

  • personal data about individuals with whom we interact, such as the name, title, position, company name, email and/or postal address and the professional fixed and/or mobile phone number;
  • personal data relating to our interactions and the services provided;
  • any other information provided to us by you or third

We do so based on our Contractual Necessity (if we are in relation with you directly) or our Legitimate Interests (if you are representative of a legal person).

To carry out our contractual obligations towards our business and research partners
We process the personal data we need to carry out our contractual obligations. If you are our direct contractual partner, our basis for processing the data is our Contractual Necessity. In other cases, it is our Legitimate Interests in carrying out our contractual obligations to our business and research partners. In addition to the personal data we collect directly from the individual, or contact details of the individuals with whom we interact, we may receive from our partners Sensitive Data as described in Section 4.4.

The personal data which we must retain for record-keeping, tax or another legal obligation will, as a rule, be kept for the duration of the contractual relationship and thereafter for a period of 10 years (or such other retention period as applicable). Data relating to medical research or clinical studies may have to be retained for a longer period (e.g. 20 years). Shorter retention periods apply for personal data which must not be retained for the above reasons.

To conduct internal research and development
Unless you object to such processing, we may process your personal data to conduct research and further develop our product and services (including to develop novel therapies and diagnostics for neurodegenerative diseases), or for internal analysis and statistical purposes. You may object to such processing activities at any time (see section 13 below for additional information on your rights).

We do not use this information to identify you or attempt to link it to you. Any personal data collected for this purpose is anonymized within [7] days of its collection.

If you apply for a position with us
If you apply for a position, we will process your personal data exclusively for assessing your application in view of the possible establishment of an employment relationship, including to assess your capabilities and qualifications, and conduct reference checks, if and as authorized by Swiss law. Our legal basis for processing your personal is Contractual Necessity (to take pre-contractual steps at your request).

We will process the personal data you provide (e.g. your contact information, CV, résumé, cover letter, information relating to previous work experiences). In addition, if you provide us with links to your profile on social media platforms (such as LinkedIn) or with contact information for references, we will assume that we may gather information from these sources.

Any information you submit must be true, complete and not misleading. Should the information provided be inaccurate, incomplete, or misleading, subject to applicable law, this may lead to a rejection of your application during the application process or disciplinary action including immediate dismissal if you have been employed.

Personal data of applicants for roles at ND Biosciences who have not been hired is deleted at the end of the recruitment process. If an employment relationship is established following your application, your personal data will be entered into your HR file and further processed in accordance with our HR data processing policies.

If you visit our website
We do not collect your personal data when using our website www.nd-biosciences.com, except for information you may voluntarily provide us with by filling out a web form (e.g. contact form).

To comply with our other legal obligations
We may further process your personal data if we have a Legal Obligation to do so or for other Legitimate Interests. This will for instance be the case if we need to disclose certain information to public authorities or retain such information for tax or accounting purposes, or for the establishment, exercise or defense of legal claims. The personal data that we process for this purpose are those that we collected for one the purposes indicated elsewhere in this section. We retain the personal data for the duration of the legal obligation imposed on us.

If we have obtained your consent
In addition to the above, we may process your personal data if we have obtained your prior unambiguous consent for specific purposes. Consent given can be withdrawn at any time, but this does not affect data processed prior to withdrawal.

8. WHO HAS ACCESS TO PERSONAL DATA AND WITH WHOM ARE THEY SHARED?

In General
We only disclose your personal data to third parties if you expressly consent, if there is a legal obligation or permission to do so, if disclosure is necessary to assert, exercise or defend legal claims, or if the disclosure of data is directly connected with the conclusion or the performance of a contract with you or in your interest.

To our service providers or partners
We may transfer personal data to selected providers, acting as processors, or to our partners, to achieve the purposes listed in section 7, to the extent they need it to carry out the instructions we have given to them, or an agreement entered with them. We do not sell or transfer personal data to these third parties for their commercial use.

Such third parties include our (IT) systems, cloud service, and database providers, tax and accounting servicer providers, or the partners with whom we conduct scientific research.

To third parties where we have a legal obligation to do so or a legitimate interest in doing so
We may also disclose your personal data where we have a legitimate interest in doing so, for example:

(i) to respond to a request from a judicial authority or in accordance with a legal obligation; (ii) to defend against a claim or lawsuit; or (iii) in the context of restructuring, in particular if we transfer our assets, or any of our rights or obligations under a relevant agreement to another company.

9. TRANSFERS OUTSIDE OF SWITZERLAND OR THE EUROPEAN ECONOMIC AREA

We store your personal data in servers that are located in Switzerland.

In principle, we do not transfer your personal data to other countries or make it accessible there. However, in certain circumstances, your personal data may be made available to recipients located abroad, including to our subcontractors, our business or research partners, or domestic and foreign authorities or courts. For instance, when we use services provided by U.S. companies (we use for instance Microsoft 360 for managing our emails), it is possible that some data may be accessed from their headquarters in the U.S.

In such cases, we will ensure that such transfer or access is in accordance with Swiss data protection laws and will put in place the required appropriate safeguards (for instance by relying on standard clauses adopted by the European Commission) or we will rely on a statutory exceptions such as consent, performance of contracts, the establishment, exercise or enforcement of legal claims, overriding public interests or published personal data.

You may request further information in this regard and obtain a copy of the relevant guarantees upon request by sending a request to the contact address indicated in section 13.

10. HOW LONG DO WE STORE YOUR DATA?

We will erase or anonymize personal data as soon as it is no longer necessary for us to fulfill the purposes set out in Section 7. This period varies, depending on the type of data concerned and the applicable legal requirements. More information on each type of processing can be found in Section 7.

In view of the legal obligations incumbent upon us, certain information relating in particular to the contractual relationship must be retained for at least 20 years.

11. SECURITY

We are committed to the security of your personal data, and have in place physical, administrative and technical measures designed to keep secure your personal data and to prevent unauthorized access to it. We restrict access to your personal data to those persons who need to know it for the purpose described in this Privacy Notice.

Although we take appropriate steps to protect your personal data, no IT infrastructure is completely secure. Therefore, we cannot guarantee that data you provide to us is safe and protected from all unauthorized third-party access and theft. We waive any liability in this respect.

The internet is a global environment. As a result, by sending information to us electronically, such data may be transferred internationally over the internet depending upon your location. Internet is not a secure environment and this Privacy Notice applies to our use of your personal data once it is under our control only. Given the inherent nature of the internet, all internet transmissions are done at your own risk.

If we have reasonable reasons to believe that your personal data have been acquired by an unauthorized person, and applicable law requires notification, we will promptly notify you of the breach by email (if we have it) and/or by any other channel of communication (including by posting a notice on the Solution).

12. YOUR RIGHTS WITH REGARD TO THE PROCESSING OF YOUR PERSONAL DATA

Within the limits and under the conditions set forth in the law, you have the following rights:

  • to access your personal data as processed by us and obtain a copy thereof;
  • to request any correction or update thereof;
  • to request the erasure of your personal data;
  • to ask us to cease any specific processing of personal data that may have been obtained or processed in breach of applicable law,
  • to object to any processing of personal data for legitimate reasons; and
  • to withdraw your consent where we base our processing of your personal data on your consent (without such withdrawal affecting the lawfulness of processing made prior to);

You will find further details of your rights in sections 5 and 6 of this Privacy Notice in connection with each processing activity we perform.

If you want to exercise any of your rights, please contact us using the contact detailed listed below (see section 13). However, if we are processing your personal data on behalf of one of our partners, you should direct your privacy inquiries relating to the use of your personal data, including any requests to exercise your data protection rights, directly to the relevant partner.

The above does not restrict any other rights you might have pursuant to applicable data protection legislation under certain circumstances, such as the rights to ask for the restriction of the processing of your personal data, to oppose to certain types of processing or to request the portability of your personal data (i.e. to obtain the personal data you have provided us in a structured, commonly used and machine- readable format and/or to request the transmission of such personal data to a third party).

In addition to your rights outlined above, you may also have the right to lodge a complaint with a competent data protection supervisory authority (in particular in the Member State of your habitual residence, place of work or place of the alleged infringement) if you are not satisfied with how we process your personal data.

Although this is not required, we recommend that you contact us first (see section 13) as we might be able to respond to your request directly.

13. CONTACT US

If you believe your personal data has been used in a way that is not consistent with this Privacy Notice, or if you have any questions or queries regarding the collection or processing of your personal data, please contact us at info@nd-biosciences.com.

14. UPDATES OF THIS POLICY

This Privacy Notice may be subject to amendments. Any changes or additions to the processing of personal data as described in this privacy notice affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.