Version of December 14, 2022
The protection of individuals with regards to the processing of their Personal Data (as defined below) is a fundamental right that Owkin group, which includes without limitation Owkin Inc., Owkin France, Owkin UK Ltd and Owkin (Switzerland) Sàrl (together, “Owkin”), takes very seriously.
Owkin processes Personal Data as part of its relations with its visitors, its prospects, partners, clients, employees, job applicants, contacts, investors , services providers, patients, contractors and any users of its website: www.owkin.com (the “Website”) (all together the “Individuals”).
Owkin is firmly committed to conducting its business in accordance with the applicable data protection regulations and, in particular, the General Data Protection Regulation (EU) 2016/679 of April 27th, 2016 (“GDPR”), which aims to protect individuals’ rights with regards to the collection, use, retention, transfer, disclosure and destruction of their Personal Data.
Owkin strives to ensure adequate protection of Individuals’ Personal Data and to preserve the protection and security of Individuals’ Personal Data, as well as inform and uphold Individuals on their rights.
What Personal Data Owkin is collecting and processing about Individuals? Why is Owkin processing Individuals’ Personal Data? What are the legal basis that entitled Owkin to do so? From what sources does Owkin collect Individuals’ Personal Data? Who are the authorized parties allowed to process Individuals’ Personal Data by Owkin? How does Owkin ensure the security and the protection of Individuals’ Personal Data? How long will Owkin keep Individuals’ Personal Data? What are Individuals’ rights regarding the processing made by Owkin on Individuals’ Personal Data? How can Individuals’ exercise their rights?
Data Controller(s): Owkin and more specifically Owkin France.
Data Processor(s): natural person or legal entity who processes Personal Data on behalf of Owkin.
Data Recipient(s): individual or legal entity who receives Personal Data from Owkin. Data Recipients may therefore also be employees of Owkin or of external entities (e.g. partners such as healthcare organizations or healthcare professionals, suppliers, services providers, clients, exhibitors, banks, agents etc.).
Data Subject(s): the Individuals.
Personal Data: refers to any information or pieces of information that can directly or indirectly identify a Data Subject, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.
The processing of Personal Data may be managed directly by Owkin or via Data Processors specifically designated by Owkin.
Owkin does not process any Personal Data of Data Subjects if not relating to the Personal Data collected by or for its departments or processed in association with its departments and if it does not comply with the general principles of the GDPR.
Owkin may process Personal Data for the following purposes:
Owkin’s business and contractual relationship purposes
Management of contractual relationship, management of contact relationship, and business development.
Execution and management of the agreements concluded with Owkin’s academic partners (e.g. healthcare organizations such as hospitals, universities, research centers, healthcare professionals), Owkin’s non-academic partners (e.g. pharma companies, biotech companies or other corporate partners), Owkin’s service providers and/or Owkin’ suppliers.
Implementation and management of invoicing and accounting purposes.
Research and developments activities
Implementation and management of research and developments activities, including carrying out market research, scientific studies, whether clinical studies, observational studies, post-market studies, or any other kind of scientific research projects (including projects using data already available at Owkin or at Owkin’ partners for research purposes, and projects where additional data is derived from available human biological samples available at Owkin’ partners).
Compliance with legal, regulatory, industrial best practices and ethical obligations applicable to Owkin
Design, development, manufacturing & sales of software as medical devices in support of diagnosis, prognosis, screening in pathology (including activities of vigilance, post-market surveillance, ...).
Administrative formalities, registration, declarations, or audits, including but not limited to those applicable :
to the management of the recruitment
in the frame of the relationship between Owkin and health care professionals and/or health care organizations and/or academic institutions and/or hospitals in the country where Owkin operates.
Compliance with the requirements of the industry standards applicable to Owkin and with any applicable Owkin’ policies.
Ensuring the security of Personal Data collected and processed by Owkin.
Implementation and management of marketing campaigns, generally via email, SMS, phone, etc. and media advertising.
Implementation, communication and management of its newsletter based on Data Subjects consent.
Implementation and management of targeted advertising and segmentation.
Organization and management of events, in which Owkin participates or which Owkin is a sponsor.
Implementation and management of social selling campaigns (including the collection of data relating to registrations, posts, likes, replies, forwards, comments, opinions, etc.).
Implementation and management of surveys and statistics.
Management of the recruitments
Management of the job advertisement and the job application, including the management of the pre-contractual relationship between Owkin and the job applicant.
Management of the Website purposes
Implementation and management of the Website (case studies, contact forms, etc.).
Protect Owkin’s rights and interest
Management of the investigation, pre-litigation, and litigation.
Protection of Owkin’ rights or those of third parties, including intellectual property rights, privacy, safety, and property.
Protect Owkin against any actions or omissions which are likely to cause harm to Owkin, including fraudulent actions or omissions.
Owkin is granted by the Individuals with a right to process their Personal Data for the aforementioned purposes. However, any data supplemented by the processing and analysis of Owkin, otherwise known as supplemented data, shall remain the exclusive property of Owkin (usage analysis, statistics, etc.).
5. LAWFULNESS OF THE PROCESSING CONDUCTED BY OWKIN
The purposes for which Owkin process Personal Data described above are based on the legal basis described below.
The processing is necessary for the purpose of the legitimate interest of Owkin or a third party in the meaning of the GDPR
When Owkin processes Personal Data for its legitimate interest, Owkin shall take into account Data Subject’s fundamental rights and interest to assess if the legitimate interests pursued by Owkin do not create an imbalance with Data Subject’s fundamental rights and interest.
For example, the processing of Personal Data by Owkin is based on its legitimate interest for the following purposes:
Protect Owkin from fraudulent actions or omissions;
Implementation and management of research and developments activities;
Management of contact relationship, and business development.
The processing is necessary for the purpose of the compliance with the legislation applicable to Owkin
Owkin may process Personal Data in order to comply with legal obligations applicable to Owkin.
For example, the processing of Personal Data by Owkin may be based on the compliance with legal obligation applicable to Owkin for the following purposes:
Monitoring the adverse event or devices deficiencies of marketed products;
Transparency regarding Owkin’s relationship with healthcare professionals and/or health care organizations or academic institutions or hospitals;
Financial and tax reporting.
The Data Subject has given consent of the processing of its Personal Data for one or more specific purposes
Owkin may process Personal Data for one or more specific purposes for which the Data Subject concerned will have clearly expressed its consent for the processing of its Personal Data for these purposes.
For example, the communication to Owkin’s newsletter to the Data Subject concerned is based on their consent. Any Data Subject which subscribed to Owkin’s newsletter can opt out at any time by clicking the “unsubscribe” link at the bottom of Owkin’ newsletters.
The processing is necessary for the purpose of the performance of a contract
Owkin may process Personal Data for the execution of a contract between the Data Subjects (or their employers) and Owkin.
For example, the processing of Personal Data by Owkin may be necessary for the performance of a contract for the following purposes:
Negotiation of contracts with Owkin’s partners, suppliers, service providers, clients;
Follow-up of Owkin’s contractual relationship with its partners, suppliers, service providers, clients.
The processing is necessary for reasons of public interest
When the applicable law of the Data Subject’s country entitles Owkin to do so, notably in the case of public interest, Owkin may process Personal Data of concerned Data Subjects.
For example, if in Data Subject’s country the law provides that Owkin may process Data Subject’s Personal Data in the area of public health to ensure a high standards of quality and safety of healthcare and medicinal products or medical devices, Owkin could process Data Subject’s Personal Data in the frame of scientific research projects aiming to improve the products marketed by Owkin or third parties or to develop new medicine products or medical devices.
6. TYPES OF PERSONAL DATA COLLECTED BY OWKIN
The Personal Data that Owkin is processing about Data Subjects, include a wide range of Personal Data and depends on Owkin's relationship with the Data Subjects, as well as the third parties with which Owkin is working, and which may provide Owkin with the access to Personal Data.
For example, Owkin may process the following Personal Data:
Non-technical Personal Data (depending on the circumstances)
Identity and identification (surname, first name, date of birth, pseudonym, client number, username, and password).
Contact details (e-mail, postal address, phone number), notably for sending newsletters.
Professional data, if applicable (notably the company name, function, as well as all the Personal Data related to candidate for a job offer such as the data related to the professional experiences and the education for the job application).
Bank details, if required.
Data relating to current contracts.
Technical Personal Data (depending on the circumstances)
Data Subjects internet browsing history and activity data (access times, page views, forms completed on the website, URLs clicked on, IP address, etc.).
Technical information such as the type of browser and operating system Data subject uses or Data Subject’s device information (unique device identifier, hardware model, operating system and version, mobile network information).
In some cases, notably for its research and development activities, Owkin may need to process sensitive Personal Data, as defined by the Article 9 of the GDPR. Owkin takes the protection of this sensitive Personal Data and more broadly the protection of all the Personal Data very seriously and takes all necessary measures, whether contractual, technical or organization to preserve the protection, integrity, and confidentiality of such Personal Data.
As provided above, specific privacy and data protection information’s notices and/or consent or non-opposition form, will be communicated to the concerned Data Subjects if necessary, regarding specific situations where Owkin may process their Personal Data.
7. PERSONAL DATA SOURCES
Personal Data is generally collected from Data Subjects directly (direct collection).
Collection may also be indirect via specialized partners, clients, service providers and suppliers of Owkin, which are authorized to do so in compliance with their applicable law or in application of their own privacy and data protection policies.
In such cases, Owkin takes the greatest of care to ensure the quality of data it receives. If Data Subjects have any question related to the initial collection of their Personal Data by the partner, client, services provider, or supplier of Owkin, where applicable Owkin could invite Data Subjects concerned to contact them directly and/or to refer to their data protection policies.
8. CHILDREN’S PERSONAL DATA
Owkin’s Website is not intended for children under thirteen (13) years old. Owkin does not knowingly process Personal Data from children under the age of thirteen (13) years old through Owkin’s Website.
If a parent or a guardian becomes aware that his or her children has provided Personal Data to Owkin through Owkin’s Website, he or she should contact Owkin's Data Protection Officer without delay to require the deletion of the Personal Data concerned in accordance with the applicable data protection laws.
9. PERSONAL DATA RECIPIENTS
Taking into account the purpose(s) for which Individuals’ Personal Data are processed, Owkin will ensure that Personal Data can only be accessed by authorized internal and external Data Recipients which need to know them.
Owkin’s internal Data Recipients
Depending on the purpose(s) of the processing and the Personal Data processed, the authorized staff from Owkin may include:
Communications and Marketing Department;
Departments responsible for managing the partners relationship and sales development, such as: Medical devices Department; Partnership Department Business Department; R&D Department;
Authorized employees from departments responsible for control and audit functions (departments responsible for internal control procedures, etc.).
Owkin’s external Data Recipients
Depending on the purpose(s) of the processing and the Personal Data processed, the Owkin’s external Data Recipient may include:
Partners of Owkin (e.g. healthcare organizations such as hospitals, research centers, universities, healthcare professionals, services providers, suppliers, pharma companies, biotech companies or other corporate partners);
Legal or administrative authorities, as required by the applicable laws to which Owkin may be subject;
Potential acquirers and other stakeholders in the event of a corporate operation such as a change of control of Owkin, resulting from a capital increase, merger, demerger, or by the total or partial sale of the business activities.
Data Recipients of the Personal Data are bound by a confidentiality obligation. In any case, Owkin only provides them with the information strictly needed to process Personal Data in compliance with the purposes identified.
Owkin decides which Data Recipients may access to which Personal Data by means of a contract or internal policies.
Personal Data may also be forwarded to any authority legally entitled to receive it. In such cases, Owkin is not liable for the manner in which said authorities access and process the Personal Data but will limit the Personal Data accessed by these authorities to the strict minimum required by such authorities.
Owkin will never sell Personal Data to any third parties.
10. RETENTION PERIOD
The retention period of Personal Data is defined by Owkin in accordance with its legal and contractual obligations and, failing this, depending on the specific needs, notably in accordance with the following principles:
Clients and partners’ Personal Data
For the duration of contractual relations with Owkin, which includes the duration of the contract, the terms of the warranties plus five (5) years for legal requirements, without prejudice to storage and retention obligations or the statute of limitations.
Job applicant’s Personal Data
Unless otherwise requested by the job applicant, their Personal Data are processed and stored during two (2) years from the collection of their Personal Data, Owkin may request the job applicant to extend this retention period of two (2) years every (2) years.The retention period set forth above is without prejudice to the storage and retention obligations or the statute of limitations that may apply to Owkin.
Personal Data relating to contacts and potential clients
Three (3) years from collection of the Personal Data by Owkin or from the last contact made by the potential client or contact.
Targeted advertising Personal Data
Six (6) months to one (1) year from collection, depending on the campaign.
Information related to bank details (i.e. data related to bank or payment cards)
until full payment is made or;
until the goods are received or the service is provided. This period shall be extended by the withdrawal period for distance sales of goods and services.
For the management of the claim, the data related to payment cards may be kept within intermediate storage for evidence purposes in the event of a disputed payments transaction for thirteen (13) months' following the data of debit. This delay may be extended up to fifteen (15) months to take into account the possibility of using deferred payment cards.
After the specified periods, Personal Data is either deleted or retained after anonymization, notably for statistical purposes. It may be retained in the event of pre-litigation and litigation.
Data Subjects are reminded that deletion or anonymization are irreversible operations and Personal Data cannot be subsequently restored by Owkin.
11. DATA SUBJECTS’ RIGHTS
As Data Subjects and in accordance with applicable data protection laws, Individuals are entitled to exercise the following rights:
Confirmation and access right
Data Subjects are entitled to request Owkin to issue confirmation of whether or not their Personal Data is being processed and will benefit from access rights and a right to request a copy of their Personal Data. Any abuse of this right will be subject to costs that would be borne by the Data Subjects.
If Data Subjects request a copy of their Personal Data via electronic means, the requested information will be provided in a commonly used electronic format, unless specified otherwise.
Data Subjects are notified that this access right may not cover confidential information or data for which communication is prohibited by law.
The access right may not be exercised in an abusive manner, i.e. exercised legally with the sole objective of undermining the proper execution of the service in question.
Updating and rectification rights
Data Subjects are entitled to request Owkin to rectify their Personal Data, in the event that their Personal Data should be inaccurate, incomplete, or obsolete.
Right to deletion
The deletion right of Data Subject does not apply where processing is conducted in compliance with a legal obligation or if the processing is necessary for the establishment, exercise, or defense of legal claims.
In other circumstances, Data Subjects may request deletion of their data if any of the following criteria are met:
the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
if a Data Subject withdraws the consent on which the processing has been based and there exists no other legal basis;
the Data Subject objects to processing required for Owkin to pursue its legitimate interests and there exists no other pressing and legitimate reason to continue processing;
the Data Subject objects to the processing of its Personal Data for marketing purposes, including profiling;
the Personal Data has been processed unlawfully.
In accordance with legislation of Personal Data protection, Data Subjects are notified that this is an individual right that may only be exercised by the Data Subjects in relation to their own information.
Rights to restrict processing
Data Subjects are notified that the right to restrict processing is not intended to apply when the processing conducted by Owkin is made in order to comply with laws and regulations applicable to Owkin and/or when the processing of the Personal Data is necessary for performance of its services.
Personal Data Portability right
Owkin will accede to Personal Data portability requests in the specific circumstances of Personal Data communicated Data Subjects personally, via online services provided by Owkin itself and for purposes based solely on personal consent.
In such cases, the Personal Data will be communicated in structured and commonly used format able to be read by a machine.
Automated individual decision-making
Owkin does not conduct automated individual decision-making.
Rights after death
Data Subjects are notified that they have the right to issue instructions concerning the retention, deletion, and communication of their data after their death.
Any request related to the exercise of the rights described above shall be subject to a written request sent by e-mail at firstname.lastname@example.org or by post at Legal Department – Owkin France – 12 rue Martel, 75010 Paris - France, accompanied by a copy of a signed identity document. In accordance with data protection laws and regulations, Data Subjects are notified that the rights set forth above are individual rights that may only be exercised by the Data Subjects themselves in relation to their own information, so that for security reasons, Owkin must verify Data Subject’s identity before communicating any Personal Data to the concerned Data Subject.
The response time for Data Subject’s request may vary depending on the complexity of the request or if the Data Subject submitted a large number of requests.
12. DATA PROCESSORS
Owkin notifies Data Subjects that it may engage any Data Processor of its choice to process their Personal Data.
In any such case, Owkin ensures that the Data Processor complies with its obligations under applicable data privacy laws and regulations and in particular with the GDPR.
Owkin undertakes to sign a contract with all Data Processor, imposing on the latter the same Personal Data protection obligations that apply to Owkin. Furthermore, Owkin reserves the right to perform an audit on the Data Processor to verify the latter's compliance with its obligations under the GDPR.
Owkin has implemented technical and organizational measures to protect the integrity and confidentiality of Data Subjects’ Personal Data. These measures take into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects.
This measure includes for instance security techniques of a physical or logical nature which Owkin judges to be appropriate to prevent the destruction, loss, degradation or unauthorized disclosure of Personal Data in an accidental or illegal manner. The main elements of these measures include notably and without limitation:
Management of Personal Data access rights;
Implementation of an IT system security policy;
Implementation of business continuity and disaster recovery plans;
Use of security protocols and/or solutions.
14. PERSONAL DATA BREACH
In the event of any breach of Personal Data, Owkin undertakes to notify competent data supervisory authority (e.g., CNIL in France, ICO in the United Kingdom, PFPDT in Switzerland) as set out in the GDPR.
Should any such breach present a high level of risk for Data Subjects and the Personal Data has not been protected, Owkin shall:
Notify the Data Subjects concerned;
Issue the necessary information and recommendations to the Data Subjects concerned.
15. DATA PROTECTION OFFICER
Owkin has appointed a Data Protection Officer. The contact details of the Data Protection Officer are as follows:
Name: Patrice NAVARRO – Hogan Lovells Law Firm (French);
E-mail address: email@example.com;
Telephone: +33 1 53 67 47 47.
Should Data Subjects wish to obtain any particular information or pose a specific question, they may contact the Data Protection Officer who will provide a response within a reasonable period in light of the question posed or information requested.
In the event of encountering any problem with the processing of Personal Data, Data Subjects may contact the Data Protection Officer.
16. PROCESSING RECORD
As Data Controller, Owkin undertakes to maintain a record recording all completed processing activities. This record is a document or software that lists all processing conducted by Owkin in its capacity as Data Controller.
Owkin undertakes to provide any competent supervisory authority on request with all information enabling said authority to verify the compliance of processing with applicable Personal Data protection regulations.
17. RIGHT TO SUBMIT A COMPLAINT TO SUPERVISORY AUTHORITY
Data Subjects concerned by the processing of their Personal Data have the right to submit a complaint to the competent supervisory authority (e.g. CNIL in France, ICO in United Kingdom or PFPDT in Switzerland) should they believe that the processing of their Personal Data does not comply with the applicable EU data protection laws and regulations, at the following address:
Commission Nationale de l’Informatique et des Libertés (CNIL) – Service des plaintes
3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
Phone number: +33 1 53 73 22 22
Information Commissioner’s Office (ICO) – Complaint service
Wycliffe House, Water Ln, Wilmslow, Cheshire, SK9 5AF, United Kingdom
Phone number: +44 303 123 1113
Préposé fédéral à la protection des données et à la transparence (PFPDT)
Phone number: +41 (0)058 462 43 95
19. FOR FURTHER INFORMATION
For any further general information about Personal Data protection, please consult the website of the competent supervisory authority (e.g. for France, CNIL website at: www.cnil.fr., for United Kingdom ICO website at: https://ico.org.uk/, for Switzerland the PFPDT website at: https://www.edoeb.admin.ch/edoeb/fr/home.html).
If Data Subjects need any further information or assistance, do not hesitate to contact Owkin at the following address:
By e-mail at: firstname.lastname@example.org;
Or by post at the attention of the Legal Department – Owkin France – 12 rue Martel, 75010 Paris - France.
Take a closer look