Privacy Statement

 

1.  Your privacy matters

Genomics Medicine Ireland Limited (“we”, “us” or “our”) collects, uses, processes and stores personal data about our staff, healthcare providers, research participants, suppliers, clients and other individuals who come into contact with us.

We take our data protection responsibilities seriously. We understand that personal data must be processed in accordance with data protection law. In this regard, our employees and consultants, and other individuals who handle personal data on our behalf, are expected to comply with applicable data protection law.

This Privacy Statement sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.

This Privacy Statement is not an exhaustive statement of all of our data protection practices. We may introduce additional user choices on our platforms which will be clearly explained to users as required by law.

2.  Our responsibilities

We are responsible for complying with this Privacy Statement.

We will only share and receive personal data which is necessary to enable us and the relevant third party to perform our/their duties.

3.  Data protection principles

When processing personal data, we comply with the following data protection principles:

  • we obtain and process personal data fairly;
  • we keep personal data only for one or more specified, explicit and lawful purposes;
  • we process and disclose personal data only in ways which are compatible with these purposes;
  • we keep personal data safe and secure;
  • we keep personal data accurate, complete and, where appropriate, up-to-date;
  • we ensure that personal data is adequate, relevant and not excessive; and
  • we retain personal data for no longer than is necessary for the purposes for which we process it.

4. How we use your personal data

We may collect and process personal data in relation to our suppliers and customers (and their staff). We may also collect and process personal data in relation to queries made via our website. We may use contact information collected from such website queries for our newsletter distribution and other marketing, at all times with your consent and in accordance with your preferences.

Some personal data may be categorised as Special Categories of Personal Data (as defined in applicable data protection law). Examples of Special Categories of Personal Data that may be processed by us include, without limitation, genomic data (DNA, RNA, metabolites, proteins, microbiome) and phenotypic data (lifestyle, geographical and clinical information). We will undertake processing of the above-mentioned identity documents and/or any Special Categories of Personal Data with due care.

5.  The purposes of processing your personal data

We only use personal data for the purpose(s) for which the personal data has been obtained. Our Cookies Policy provides information on how we use cookies on our website.

The processing purposes are clearly specified and, to the extent reasonably possible, you will be informed about these (at the time of personal data collection or as soon as reasonably possible thereafter).

We analyse personal data to test for an association between the clinical and lifestyle (phenotypic and/or genomic) information. We filter this additional data for scientific or clinical relevance and requirements. This may include additional data which can be generated from the laboratory, genomic and clinical information (CNVs, structural variants, haplotypes).

Some examples of the reasons for which we process personal data include, but are not limited to:

  • identification of novel drug targets;
  • definition of the best treatment/medicines based on the phenotype and genotype of each clinical case;
  • diagnosis of patients with rare and complex diseases;
  • development of new diagnostics tests;
  • personnel and payroll accounts;
  • accounts payable / accounts receivable;
  • relationship management and information provision;
  • marketing, PR, promotional activities and information provision concerning us and/or our services and products;
  • the improvement of our websites, services and products;
  • management information;
  • determining business strategy;
  • carrying out internal audits or investigations and the implementation of audit measures for internal management;
  • preventing and detecting unlawful and/or criminal behaviour directed towards us or our customers and employees, and preventing theft and/or fraud; and/or
  • fulfilling legal obligations.

6.  Our legal bases for processing your personal data

We only process personal data if one or more of the legitimate grounds set out below, which allow for compliant processing of such personal data, apply, namely:

  • Consent. Personal data can be processed if you have given your consent. The consent relates to the specific purpose for which the personal data is required. We will ensure that you are adequately informed about the processing purposes before consent is requested. If there are multiple processing purposes, separate consents may be required for each processing type. The consent(s) provided will be held on file as evidence of the consent(s) given. Please note that you may withdraw your consent to these types of processing at any time by contacting our Data Protection Officer (see section 12 below).
  • Contractual Necessity. Personal data can be processed if required for the purposes of a contract. This will apply, for example, in relation to processing of personal data necessary for the purposes of:
      • employment contracts;
      • personnel and payroll accounts;
      • accounts payable/accounts receivable, including any debt-collection process;
      • relationship management and information provision;
      • marketing, PR, promotional activities;
      • conducting pension and insurance administration;
      • dealing with questions from you about the execution of the pension agreement and related services; and/or
      • identification of disease biomarkers.
  • Legitimate Interests. Personal data can be processed if required for the purposes of our legitimate interests. Examples of our or a third party’s legitimate interest for Processing include, but are not limited to:
      • carrying out regular business activities including:
          • the improvement of our website, services and products,
          • determining business strategy, and/or
          • carrying out internal audits or investigations and the implementation of audit measures for internal management;
      • personnel working on behalf of GMI, in its capacity as study sponsor, to monitor and confirm the conduct of the study;
      • approving and granting controlled data access (viewing and analysing only) to other groups including academic research groups, pharmaceutical/biotechnology research group and for-profit companies, to conduct health-related research and to increase the chance of important discoveries;
      • preventing and investigating (actual and/or suspected) theft or fraud and/or (actual and/or suspected) breach of GMI’s codes and policies, including possible legal offences; and/or
      • guaranteeing rights, liberties, and/or the health or safety of our employees, contractors or third parties.
  • Legal obligation. Personal data can be processed if necessary for the purposes of the discharge of a legal obligation. Such processing may include, for example, the disclosure of personal data if demanded by the judiciary or the tax authority.

7.  Your rights

You have certain rights under applicable data protection law, as explained below.

  • Request for inspection and access: you are entitled to apply to us requesting a summary and a copy of your personal data processed by us or on our behalf.
  • Request for correction/addition/removal: if personal data processed by us are believed to be inaccurate or incomplete, you are entitled to request that we take measures to have these personal data corrected, added to, protected or deleted.
  • Objection by you: you are entitled to object to the processing of your personal data based on the legitimate interests legal basis.
  • Request for transfer of personal data: you can request that we provide your personal data in a structured and electronic form to you or, if technically consistent with our information technology systems, to transfer the personal data in an electronic form directly to a third party identified (in writing) by you.
  • Restriction of processing: you can request that we restrict the processing of your personal data where the accuracy of the personal data is contested, the processing by us is unlawful, or we no longer need the personal data.
  • Right to object to automated decision-making: you have a right to object to any automated decision making, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Should you wish to exercise any of the above rights, please contact our Data Protection Officer (details in section 12 below).

8.  Our Security Measures

Through our policies, we have implemented a range of measures to protect personal data. These measures include, but are not limited to, restricting access to our central IT services, routine and continued vulnerability assessment of all infrastructure, a robust password policy for all systems, encryption for data in transit and at rest, data backup, and developing and enforcing a clean desk policy.

We operate and encourage a culture of data privacy and security awareness supported by regular employee training at induction and throughout their time working with us. We have appropriate technical and organisational measures in place to protect personal data from unlawful or unauthorised destruction, loss, change, disclosure, acquisition or access. We ensure that all personal data controlled by us is held securely using appropriate security measures.

In the event of the occurrence of a data breach, we will comply with applicable laws governing the reporting of such breaches.

9.  Disclosing personal data to third parties

From time to time, we may disclose personal data to third parties, or allow third parties to access personal data processed by us.

The following are the categories of third parties to which we disclose personal data:

  • Human resources service providers (e.g. payroll, person and medical providers); and
  • Investigating doctors, principal investigators and researcher collaborators (including industry partners).

10.  Our data retention practices

We will keep your personal data only as long as it is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. The following are our timelines for data retention:

  • Public data is retained for 3 years from the date of initial receipt or download. Public data includes already released marketing material, commonly known, easily accessible information, etc. GMI also downloads publicly available genomic data sets, which have their own terms and conditions for their use.
  • Operational data shall be retained for 5 years from the date of initial receipt. Operational data includes, but is not limited to, data for basic business operations, communications with vendors, employees, CVs, CRM and website queries.
  • Confidential data shall be retained for 7 years from the date of initial receipt. Confidential data includes, but is not limited to, employee related contracts, external contracts, individual financial information and payroll.
  • Employee related data shall be retained for the duration of employment plus 7 years.
  • Blood samples shall be retained for 10 years after the study start date.
  • Critical data shall be retained for 20 years from commencement of study date. This includes Master file data (a data subject’s lifestyle questionnaire and their signed consent form).
  • Phenotypic and biological data are retained indefinitely.

11.  Data Transfers outside the EEA

From time to time, we may transfer your personal data outside the EEA. We may transfer information internationally to our service providers, business partners, and government or public authorities. When making these transfers, we will take steps to ensure that your personal data is adequately protected and transferred in accordance with the requirements of data protection law. This may involve the use of data transfer agreements in the form approved by the European Commission or another mechanism recognised by data protection law as ensuring an adequate level of protection for Personal Data transferred outside the EEA (for example, the standard contractual clauses). For further information about these transfers and to request details of the safeguards in place, please contact our Data Protection Officer (see section 12 below).

12.  Data Protection Officer

Our Data Protection Officer is Hilary Lemass, Genomics Medicine Ireland, Cherrywood Business Park, Building 4, Dublin D18 K7W4, Ireland.
email: dataprivacy@genomicsmed.ie   telephone:  +353 1 567 6500

13.  Complaints Procedure

If you wish to raise a query or make a complaint about compliance with our personal data processing practices, please contact our Data Protection Officer.

You may also make a complaint in respect of our compliance with applicable data protection laws to the Irish Data Protection Commissioner. However, we encourage you to contact our Data Protection Officer in the first instance.