This Personal Data Protection Policy of EXOGENUS THERAPEUTICS, S.A. intends to make known to all customers, employees, service providers, or any entity that directly or indirectly relates to it within the scope of the development of its activity, the rules and principles of the organization regarding the protection of personal data. In this way, we intend to share with interested parties the data we collect and its purpose, also making known the measures we take to protect their privacy. EXOGENUS THERAPEUTICS, S.A. thus assumes a strict policy for Data Protection, ensuring that everyone who entrusts us with their personal data knows how the data is processed and what their rights are in this matter, in strict compliance with the applicable legal provisions on the protection of data, namely in the European Data Protection Regulation (Regulation number 2016/679 of April 27th 2016) and in Law number 58/2019 that ensures the implementation of the General Data Protection Regulation (GDPR) in the Portuguese legal system.
For the purposes of this policy and the General Data Protection Regulation (GDPR), it is understood that:
“Personal data” means information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, electronic identifiers or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing” means any operation or set of operations carried out on personal data or on sets of personal data, by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, comparison or interconnection, limitation, erasure, or destruction;
“Controller” means the natural or legal person, public authority, agency or other body that, individually or jointly with others, determines the purposes and means of processing personal data;
“Consent” is a free, specific, informed and explicit expression of will, by which the data owner accepts, by means of an unequivocal positive declaration or act, that the personal data concerning such subject can be processed;
“Health-related data” means personal data relating to the physical or mental health of a natural person, including the provision of health services, which reveal information about their state of health.
“Data Minimization” is the principle that imposes that the personal data collected must be limited to what is necessary in relation to the purposes for which they are processed.
“Personal Data Breach” refers to a breach of security that causes, accidentally or unlawfully, the destruction, loss, alteration, or unauthorized access to personal data transmitted or subject to any other type of processing.
Entity Responsible for the Processing of Personal Data
EXOGENUS THERAPEUTICS, S.A. is the entity responsible for the collection and processing of personal data. The professionals at EXOGENUS THERAPEUTICS, S.A. (whether employees or service providers) are an important element in the life cycle of customer data processing, insofar as, as a rule, they will be the ones who collect and process data. Professionals received specific training and follow a code of conduct that imposes a set of procedures and precautions in the way they handle data, in order to guarantee data confidentiality and, consequently, avoid security breaches and unauthorized access.
Purpose of Personal Data Collection
EXOGENUS THERAPEUTICS, S.A. collects personal data for precise, explicit, and legitimate purposes, and will never process such data in a way that is incompatible with these purposes. EXOGENUS THERAPEUTICS, S.A. uses personal data for the development of new therapeutic products of a biological nature, billing and collection of services provided, response to requests, complaints, and suggestions as well as for other purposes consented to by the holder or resulting from legal imposition. When collecting personal data, EXOGENUS THERAPEUTICS, S.A. informs the holder of the purpose for which they are collected, the conditions and period of storage, rights of holders and conditions of access, as well as the possibility of filing a complaint with the regulatory authority.
Personal data retention period
The data retention period varies according to the purpose for which the information is used. There are, however, legal requirements that oblige us to keep the data for a certain period of time. Thus, and whenever there is no specific legal requirement, the data will be stored and kept only for the minimum period necessary for the purposes that motivated their collection or subsequent processing, after which they will be deleted.
Data sharing with third parties
EXOGENUS THERAPEUTICS, S.A. will use your personal data only for the purpose for which you have given permission. EXOGENUS THERAPEUTICS, S.A. will not sell, trade or otherwise assign any personal information collected online or offline. The Personal Data of the Data Subject collected and processed by EXOGENUS THERAPEUTICS, S.A. are not shared with third parties without the consent of the Data Subject, with the exception of cases in which such transmission or communication is necessary for the execution of contractual provisions or for the fulfillment of a legal obligation to which EXOGENUS THERAPEUTICS, S.A. is subject.
Transfer of Data Outside the European Union
Personal Data collected and processed by EXOGENUS THERAPEUTICS, S.A. are not made available to third parties established outside the European Union. If, in the future, this transfer occurs, EXOGENUS THERAPEUTICS, S.A. undertakes to ensure that the transfer complies with the applicable legal provisions, namely regarding the suitability of the destination country, with regard to data protection and the requirements applicable to such transfers.
Technical, Organizational and Safety Measures Implemented
EXOGENUS THERAPEUTICS, S.A. is committed to ensuring the confidentiality, protection and security of the personal data made available to it, through the implementation of appropriate technical and organizational measures to protect personal data against destruction, loss, alteration, dissemination, unauthorized access or any other form of accidental or unlawful treatment. To ensure the security and maximum confidentiality of the data subject, EXOGENUS THERAPEUTICS, S.A. treats the information that the holder has provided in an absolutely confidential manner, in accordance with its internal security and confidentiality policies and procedures, which are periodically updated as needed, as well as in accordance with the legally established terms and conditions. Depending on the nature, scope, context, and purposes of data processing, as well as the risks arising from the processing to the rights and freedoms of the data subject, EXOGENUS THERAPEUTICS, S.A. undertakes to apply, both at the time of defining the means of processing and at the time of the processing itself, the necessary and appropriate technical and organizational measures for data protection and compliance with legal requirements.
Generally, EXOGENUS THERAPEUTICS, S.A. implemented the following measures:
Mechanisms capable of ensuring the confidentiality, integrity, availability and permanent resilience of processing systems and services;
Mechanisms that ensure the restoration of information systems and access to personal data in a timely manner in the event of a physical or technical incident;
Awareness training of all personnel involved in Personal Data Processing operations;
Regular audits in order to assess the effectiveness of the technical and organizational measures implemented;
Pseudonymization and encryption of personal data, whenever justified.
When you interact with our websites and newsletters, information is automatically collected about how you browse or use them. This information includes computer and connection information, such as statistics about page views, traffic to and from our websites, URL, ad data, IP address and device identifiers. This information may also include transaction history, web log history, how you browse our websites, the links you access from our websites or newsletters, if and when you open emails from EXOGENUS THERAPEUTICS, S.A. and your browsing activities from other websites. Most of this information is collected through “cookies”, “log files”, “web beacons” and other tracking technologies, as well as through your internet browser or device (e.g. IP address, MAC address, browser version, etc.).
“Cookies” are small text files that identify your computer on the server. “Cookies” do not by themselves identify the individual user, only the device used. “Cookies” are not used to collect personal data. This website uses “cookies” whose purpose is to determine the mode of use, interest, and number of accesses to the site, allowing for faster and more efficient navigation, eliminating the need to enter the same information repeatedly. In this way, EXOGENUS THERAPEUTICS, S.A. will be able to provide a more personalized and individualized service to its users.
EXOGENUS THERAPEUTICS, S.A. collects the information contained in “log files”, which record activity and gather statistics about your browsing habits. These entries are generated automatically and allow EXOGENUS THERAPEUTICS, S.A. to identify or eliminate errors, improve performance, and maintain website security.
“Web beacons”, also known as “web bugs”, are small strands of code that deliver a graphic image on a web page or in an email with the purpose of transferring data to EXOGENUS THERAPEUTICS, S.A. The information collected via web beacons includes, in particular, IP addresses, as well as how you respond to an email campaign (e.g. what time the email was viewed, which links were clicked, etc.). We use web beacons on our websites or include them in emails we send to users. We use this information for a variety of purposes including, but not limited to: tracking site traffic, tracking unique visits, advertising, email logging and auditing, and personalization.
Rights of Personal Data Subjects
Under the terms of the General Data Protection Regulation, the data subject is guaranteed the right to access, update, rectify, limit the processing, or request the elimination of their personal data, upon request addressed to EXOGENUS THERAPEUTICS, S.A., via email firstname.lastname@example.org
Communication of Personal Data Violations
In the event of any failure or incident involving personal data, the healthcare professional must report it, in accordance with the procedures established for that purpose. Insofar as they have information about the incident, they should make it available when reporting. In particular, they shall communicate the nature of the personal data breach including, if possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records concerned.