Privacy Policy

Last update 23 May 2024 (v3.0)

This policy is divided into the following sections

A: Introduction/Purpose

B: Scope

C: Responsibility

D: Data Protection Principles

E: Uses of Personal Data

F: Purposes of Processing Personal Data

G: Legal Bases for Processing Personal Data

H: Data Subject Rights

I: Security

J: Data Transfers Outside the EEA

K: Disclosing Personal Data to Third Parties

L: Links and Third-Party Applications

M: Data Retention

N: Data protection queries and complaints

O: Definitions / Abbreviations

Introduction/Purpose

Genuity Science (Ireland) Limited collects, uses, Processes and stores Personal Data about healthcare providers, Data Subjects or research study participants, collaborators, customers, suppliers, clients and other individuals who come into contact with us. We handle Personal Data with due care and in accordance with applicable Data Protection Laws.

We take our data protection responsibilities seriously. We understand that Personal Data must be Processed in accordance with Data Protection Laws. In this regard our employees, consultants and other individuals who handle Personal Data on our behalf are expected to comply with this Policy and applicable Data Protection Laws.

Scope

This Privacy Policy applies to Personal Data processed by Genuity Science (Ireland) Limited (“Genuity Science”, “we”, “us” or “our”) in our roles as a Data Controller and/or as a Data Processor.

This Policy is not an exhaustive statement of all of our data protection practices. For example, we may apply specific policies within certain environments which, while consistent with this Policy, may contain certain variations. We might also include a particular privacy notice at the point of capturing Personal Data on a new service – any specific consents obtained, or information provided will apply to that service and will supplement this Privacy Policy. We may also introduce additional user choices on our platforms which will be clearly explained to users as required by applicable Data Protection Laws.

Responsibility

All Genuity Science personnel

All Genuity Science personnel are responsible for complying with this Policy.

The Company

  • Genuity Science is responsible for Processing of Personal Data.
  • Genuity Science has designed business practices to align with Data Protection Laws.
  • Genuity Science has established systems to respond to queries, requests and threats to the protection of the Personal Data that is processed by third parties on our behalf.
  • Genuity Science actively maintains and audits its systems and provides training to its personnel to ensure ongoing compliance with evolving laws and practices.
  • The nature of the Personal Data and the extent that a third party may be asked to Process Personal Data on our behalf will vary according to the responsibilities of that third party. Genuity Science will only share and receive Personal Data which is necessary to enable us and the relevant third party to perform our/their duties. In this context, information on current, past or prospective consultants, clients, or health care providers may be processed. Please see our Participant Data Privacy Statement for information relating to the processing of study participant’s data.

Role of the Data Protection Officer

In relation to data protection compliance the DPO’s responsibilities include, but are not limited to:

  • answering questions about the Processing of Personal Data as described in this Policy;
  • supervising requests by Data Subjects with regard to their Personal Data;
  • handling complaints by Data Subjects;
  • giving permission for Processing Special Categories of Personal Data pursuant to Data Protection Laws or privacy laws of other jurisdictions;
  • acting as our point of contact with data protection regulators and reporting to regulators as required;
  • giving instructions for audits, if any, to external auditors with regard to compliance with this Policy;
  • supervising the recording and reporting of Data Breaches (in accordance with the Data Breach Reporting Procedure); and
  • supporting our compliance with this Policy.

Data Protection Principles

When Processing Personal Data, we comply with the following data protection principles:

  • We obtain and Process Personal Data fairly;
  • We keep Personal Data only for one or more specified, explicit and lawful purposes;
  • We Process and disclose Personal Data only in ways which are compatible with these purposes;
  • We keep Personal Data safe and secure;
  • We keep Personal Data accurate, complete and, where appropriate, up-to-date;
  • We ensure that Personal Data is adequate, relevant and not excessive; and
  • We retain Personal Data for no longer than is necessary for the purposes for which we Process it.

Uses of Personal Data

Genuity Science Processes the following Personal Data:

Genuity Science’s Website:

  • Email addresses for replies to general information queries received through our website.

Genuity Science’s Research Studies:

  • As part of Genuity Science’s research studies, on the basis of the study participant’s consent and, where relevant, the legitimate interest of Genuity Science, Genuity Science Processes medical, health, lifestyle and data derived from DNA (genomic data) and information submitted by the research participant. This data is Processed in pursuit of our scientific research to uncover any correlations between an individual’s biological make up/health and disease. This data is all Processed on a pseudonymised (coded) basis.

Suppliers, Collaborators and Customers:

  • Personal details: name, title, position, work identification numbers, department, business unit, and contact details: address and phone number(s), work location.
  • Where Genuity Science acts as a Data Processor only, all relevant data is processed strictly in accordance with the Data Controller’s instructions and on either a pseudonymized or anonymized basis.

Purposes of Processing Personal Data

Genuity Science only uses Personal Data for the purpose(s) for which the Personal Data has been obtained.

The Processing purposes are clearly specified, and the Data Subject(s) will be informed about these purposes at the time of Personal Data collection or as soon as reasonably possible thereafter, and to the extent reasonably possible.

Some examples of the reasons for which Genuity Science Processes Personal Data include, without limitation:

  • relationship management;
  • marketing, PR, promotional activities and information provision concerning us and/or our services and products;
  • the improvement of our websites, services and products;
  • management information;
  • determining business strategy;
  • carrying out internal audits or investigations and the implementation of audit measures for internal management;
  • preventing and detecting unlawful and/or criminal behaviour directed towards us or our customers and employees, and preventing theft and/or fraud;
  • scientific research into the correlation between health and disease;
  • providing services to customers and collaborators; and
  • fulfilling legal obligations.

Genuity Science only Processes Personal Data if one or more of the legitimate grounds set out below, which allow for compliant Processing of such Personal Data, apply:

Consent

Personal Data can be processed if the Data Subject has given his or her consent (in writing or via e-mail, or via the website personal cookie settings page, depending on how the request for consent is made). The consent relates to the specific purpose for which the Personal Data is required.

Genuity Science ensures that Data Subjects are adequately informed about the Processing purposes before consent is requested. If there are multiple Processing purposes, separate consents may be required for each Processing type. The consent(s) provided are held on file as evidence of the consent(s) given.

Data Subjects may withdraw their consent to these types of Processing activities at any time (please also see Legitimate Interests below), either directly for website usage via the personal cookie settings page, or by contacting our Data Protection Officer (contact details outlined below). Study participants may withdraw their consent at any time by contacting their study clinic as explained in the Participant Privacy Policy.

Contractual Necessity

This applies, for example, in relation to Processing of Personal Data necessary for the purposes of:

  • accounts payable/accounts receivable, including any debt-collection process
  • relationship management
  • marketing, PR, promotional activities and
  • supply of contractual deliverables to customers and other parties.

Legitimate Interests

Examples of our or a third party’s legitimate interest for Processing include, without limitation, carrying out regular business activities including:

  • where a research participant withdraws their consent to processing of their pseudonymized Personal Data gathered as part of Genuity Science’s research studies and it has been included in a data freeze, the pseudonymized Personal Data can be processed for Genuity Science’s legitimate interests (and its commercial partners) in the pursuit of scientific research, provided that:
    • Genuity Science destroys the identifying link between the Personal Data and the participant;
    • destroys the participant’s bio-sample;
    • once the next data freeze has been carried out, the previous data freeze is archived;
    • Genuity Science is satisfied that to destroy the Personal Data or to cease Processing in respect of it would seriously impair the success of the scientific research, such that it has compelling legitimate grounds for engaging in continued Processing which override the interests, rights and freedoms of individual participants; and
    • the legitimate interest relates to the specific purpose for which the Personal Data is required;
  • the improvement of, and communication about, our websites, services and products;
  • determining business strategy;
  • carrying out internal audits or investigations and the implementation of audit measures for internal management;
  • preventing and investigating theft or fraud and/or breach of Genuity Science’s codes and policies, including possible legal offences, whether actual or suspected; and/or
  • guaranteeing rights, liberties, and/or the health or safety of our employees, contractors or third parties.

Legal obligation:

Such Processing may include, for example, the disclosure of Personal Data if legally demanded by the judiciary or a tax authority. Such Processing may also include Processing of Personal Data for anti-money laundering purposes.

Data Subject Rights:

Data Subjects have certain rights under applicable Data Protection Laws, as explained below. The procedures below explain how Data Subjects’ rights are given effect upon receipt by our Data Protection Officer of a written request or objection relating to the processing of their Personal Data by us when we are acting as a Data Controller:

Request for inspection and access:

Every Data Subject is entitled to apply to us requesting a summary and a copy of his/her Personal Data processed by us or on our behalf.

Request for correction/addition/removal:

If Personal Data processed by us is believed to be inaccurate or incomplete, the Data Subject is entitled to request that Genuity Science take measures to have such Personal Data corrected, added to, protected or deleted.

Objection by the Data Subject:

Every Data Subject is entitled to object to the Processing of his/her Personal Data based on the legitimate interests of the Data Controller.

Request for transfer of Personal Data:

Every Data Subject can request that Genuity Science provides his/her Personal Data in a structured and electronic form to the Data Subject or, if technically consistent with our information technology systems, to transfer the Personal Data in an electronic form directly to a third party identified (in writing) by the Data Subject.

Restriction of Processing:

Every Data Subject can request that Genuity Science restricts the Processing of his/her Personal Data where the accuracy of the Personal Data is contested, the Processing by us is unlawful, or Genuity Science no longer needs the Personal Data.

Right to object to automated decision making:

Every Data Subject has a right to object to any automated decision making, including Profiling, which produces legal effects concerning him or her or similarly significantly affects him/her.

Whilst Profiling is a key component to facilitate Genuity Science’s research studies, Genuity Science does not engage in automated decision-making based on such Profiling activities.

Security:

Security of Personal Data

  • Through our policies, Genuity Science has implemented a range of technical and organizational security measures to protect Personal Data from unlawful or unauthorized destruction, loss, change, disclosure, acquisition or access.
  • Genuity Science operates and encourages a culture of data privacy and security awareness supported by regular personnel training.
  • Genuity Science ensures that all Personal Data controlled by us is held securely using appropriate security measures.

Data Breach / Security Breach

In the event of a Data Breach, Genuity Science will comply with applicable Data Protection Laws governing the reporting of such breaches and manage the Data Breach in accordance with our Security Incident Response policy.

Our Security Incident Response policy is followed as soon as it is identified that a possible Data Breach has occurred.

Data Transfers Outside the EU/EEA

Research study Participants’ Data:

Genuity Science collates pseudonymized Personal Data collected from volunteer research participants for scientific research studies, in collaboration with its academic and/or commercial partners, in a database.

The database that contains participants’ pseudonymized Personal Data (including health, lifestyle and genomic data) is stored in the EU/EEA and all decisions about the Processing of EU/EEA research participants’ Personal Data are made in Ireland.

Access to EU/EEA citizens’ pseudonymized Personal Data may need to be provided to third party academic and/or commercial researcher entities located outside the EU/EEA, on a strictly controlled basis. This restricted access is deemed to be a data transfer for the purposes of Data Protection Laws. Any such data transfer occurs in accordance with applicable Data Protection Laws, utilizing an appropriate EU/EEA approved data transfer mechanism, such as Standard Contractual Clauses. Note, third party and/or commercial partners are prohibited from ever downloading personal data from the Genuity Science database. They are only permitted to download and export summary analysis results.

Genuity Science takes all reasonable and proportionate steps to ensure that this pseudonymized Personal Data is treated securely and in accordance with this Policy at all times.

Contact Data:

Genuity Science may receive Personal Data, such as contact information, from an individual through use of Genuity Science’s online contact forms or other communication channels. In some cases, where deemed necessary, Genuity Science shares that information with our parent company, HiberCell Inc. In such event, we have appropriate, EU Commission approved data transfer mechanisms in place to ensure the compliant transfer of such Personal Data.

Customer Data:

In the course of providing services to customers and other parties, Genuity Science may receive Personal Data of EU/EEA citizens in its role as a Data Processor of such Personal Data. Genuity Science will only transfer such Personal Data outside of the EU/EEA on the explicit direction of the customer in its capacity as a Data Controller and subject to the implementation of the appropriate EU Commission approved data transfer mechanisms, such as Standard Contractual Clauses.

Disclosing Personal Data to Third Parties:

From time-to-time, Genuity Science may disclose Personal Data to third parties or allow third parties to access Personal Data processed by us in accordance with Data Protection Laws.

Categories of third parties with whom Genuity Science may share Personal Data include commercial partners and academic institutions for the purpose of scientific research.

Where we share Personal Data with third parties in our capacity as a Data Controller, notwithstanding the Processing of the Personal Data by the third party, Genuity Science remains a Controller of the Personal Data.

Where we share Personal Data with third parties in our capacity as a Data Processor, Genuity Science does so at the direction of the Data Controller only and notwithstanding the sub-processing of the Personal Data by the third party, Genuity Science remains a Processor of the Personal Data and responsible for such third-party sub-processing activities.

The Genuity Science website contains hyperlinks to external social platforms. Clicking on any of these links will direct you to an independent, third-party website with its own privacy policy, and which may place its own third-party cookies on your device. Genuity Science has no control over, and no responsibility or liability for, third-party websites that you may access via our website, or their collection, use and disclosure of your personal information through advertisement cookies or other technologies that you may encounter in connection with your use of such websites or third-party applications.

Data Retention:

Genuity Science keeps Personal Data of Data Subjects only as long as the Personal Data is adequate, relevant and limited to what is necessary in relation to the purposes for which that Personal Data has been collected.

Genuity Science periodically reviews the necessity to retain all the Personal Data it collects and processes in its research studies to assess if there is a necessity for ongoing retention for the purposes for which the data was collected.

To determine the appropriate retention period for Personal Data, Genuity Science considers the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of such Personal Data, the purposes for which Genuity Science processes Personal Data and whether Genuity Science can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. Any data that is no longer being used will be securely deleted.

Data Protection Queries and Complaints:

Genuity Science is committed to protecting Personal Data and Processing Personal Data in compliance with Data Protection Laws. If Data Subjects wish, they can raise a query or make a complaint about compliance with this Policy, Data Protection Laws and/or regulations by sending their complaint or query to our Data Protection Officer. The Data Protection Officer is responsible for handling complaints arising from, or made in accordance with, this Policy.

Should you wish to raise a query or make a complaint about compliance with our personal data processing practices, please contact the Genuity Science Data Protection Officer (DPO) regarding any questions or concerns relating to Genuity Science’s approach to data protection.

Please write to the DPO using the email address: dataprivacy@genuitysci.com or by post to:

The Data Protection Officer
Genuity Science (Ireland) Limited
Cherrywood Business Park, Building 4,
Dublin, D18 K7W4
Co. Dublin,
Ireland.

Every Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State (EU) of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes on Data Protection Laws. The supervisory authority of Genuity Science is the Data Protection Commission which can be contacted via its website: www.dataprotection.ie

Definitions / Abbreviations

Term Explanation
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Controller” means an entity that controls Personal Data by deciding why and how the Personal Data is Processed.
“Data Processor” means an entity that processes Personal Data on behalf of the Controller. A Data Processor may include service providers (for example, a payroll service provider).
“Data Protection Officer” means the individual(s) appointed pursuant to Articles 37-39 of the GDPR to ensure that Genuity Science processes Personal Data in compliance with applicable Data Protection Laws.
“Data Protection Laws” means for the purposes of this Policy the GDPR, the Irish Data Protection Act 2018, the Irish Health Research Regulations 2018 and all European Union (with direct effect) laws and regulations relating to processing of personal data and privacy.
“Data Subject” means the living individual to whom the Personal Data relates.
“EEA” means the European Economic Area.
“GDPR” or “General Data Protection Regulation” means the General Data Protection Regulation (EU2016/679).
“Personal Data” is any information relating to a living individual which allows the identification of that individual. Personal Data can include a name, an identification number, details about an individual’s location or any other detail(s) that is specific to that individual which is capable of directly or indirectly identifying that individual.
“Processing” includes collecting, using, recording, organizing, altering, disclosing, destroying or holding Personal Data in any way. Processing can be done either manually or by using automated systems such as information technology systems and “Process” and “Processing” shall be interpreted accordingly.
“Profiling” is the automated Processing of Personal Data for the purpose of assessing certain aspects relating to an individual so as to analyze or predict the individual’s performance, decisions or behavior.
“Special Categories of Personal Data” are types of Personal Data that reveal any of the following information relating to an individual: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Special Categories of Personal Data also include the Processing of genetic data, biometric data (for example, fingerprints or facial images), health data, data concerning sex life or sexual orientation and any Personal Data relating to a criminal offence or conviction.