The protection of individuals with regards to the processing of their Personal Data (as defined below) is a fundamental right that Owkin group, which includes without limitation Owkin, Inc., Owkin France, Owkin UK Ltd and Owkin (Switzerland) Sàrl, (together, “Owkin”) takes very seriously.
Owkin process Personal Data as part of its relations with its, visitors, prospects, partners and – more generally – any users of the website: www.owkin.com (the “Website”).
Owkin is committed to carrying out its business in accordance with the applicable data protection regulations and, in particular, the General Data Protection Regulation (EU) 2016/679 of April 27th, 2016 (“GDPR”), which aims to protect individuals’ rights with regards to the collection, use, retention, transfer, disclosure and destruction of their Personal Data.
Please read the following carefully and do not hesitate to contact our Data Protection Officer, Maître Eric Barbry, if you need further information or assistance: firstname.lastname@example.org.
Please note the following definitions of certain terms used in this policy:
- Personal Data: refers to any information or pieces of information that can directly or indirectly identify a Data subject, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;
- Data controller: Owkin and more specifically Owkin France S.A.S.U.;
- Data processor: natural person or legal entity who processes Personal Data on behalf of Owkin;
- Data subject: customers, partner, and/or contacts of Owkin;
- Data recipient: a natural person or legal entity who receives Personal Data from Owkin. Data recipients may therefore also be employees of Owkin or of external entities (partners, subcontractors, exhibitors, banks, service providers, agents etc.).
In Article 12, the GDPR requires that data subjects are notified of their rights in a concise, transparent, comprehensible and easily accessible manner.
The purpose of this policy is to meet the information obligation of Owkin under the GDPR (Article 12) and to document the rights and obligations of its customers, partners and contacts regarding the processing of their Personal Data.
The processing of Personal Data may be managed directly by Owkin or via a Data processor specifically designated by Owkin.
Owkin does not process any Personal Data of customers, partners or contacts if not relating to the Personal Data collected by or for its departments or processed in association with its departments and if it does not comply with the general principles of the GDPR.
Owkin may use Personal Data for the following purposes:
- Management of contractual relationship, management of contact relationship, and business development;
- Implementation and management of targeted advertising and segmentation;
- Execution and management of an agreement with partners (hospitals, universities, research centers), a client (pharma companies, biotech companies or other corporate clients);
- Implementation and management of marketing campaigns, generally via e-mail, SMS, phone, etc. and Media advertising ;
- Implementation and management of its newsletter;
- Organization and management of events, in which Owkin participates or which Owkin is a sponsor;
- Implementation and management of social selling campaign (including the collection of data relating to registrations, posts, likes, replies, forwards, comments, opinions, etc.);
- Ensuring compliance with legal obligations. In certain cases, Owkin collects and uses your Personal Data to comply with laws;
- Ensuring the security of Personal Data collected and processed;
- Implementation and management of surveys and statistics;
- Implementation and management of cookies in particular used on Owkin Website;
- Implementation and management of invoicing and accounting purposes;
- Implementation and management of the Website (case studies, contact forms, etc.).
These purposes are based on the legitimate interests of Owkin to hold Personal Data concerning its contacts and Website users.
5. Types of Personal Data collected
Non-technical Personal Data
(depending on the circumstances)
|Identity and identification (surname, first name, date of birth, pseudonym, customer number).|
Contact details (e-mail, postal address, phone number): notably for sending newsletters.
Professional activities, if applicable (company name, function).
Bank details, if required.
Data relating to current contracts.
Technical Personal Data
(depending on the circumstances)
|Your internet browsing history and activity data (access times, page views, forms completed on the website, URLs clicked on, IP address, etc.);|
Technical information such as the type of browser and operating system you use or your device information (unique device identifier, hardware model, operating system and version, mobile network information).
6. Personal Data sources
Personal Data relating to its customers, partners and contacts is generally collected from them directly (direct collection).
Collection may also be indirect via specialized companies or partners and suppliers of Owkin. In such cases, Owkin takes the greatest of care to ensure the quality of data it receives.
7. Personal Data recipients – authorisation & traceability
Owkin ensures that Personal Data can only be accessed by authorised internal and external recipients.
|Internal recipients||External recipients|
|Authorised employees from Owkin:|
Communications and Marketing Department, Departments responsible for managing the customer relationship and sales development, Finance Department, IT Department, Legal Department, HR Department, Product Department, and their line managers.
Authorised employees from departments responsible for control and audit functions (departments responsible for internal control procedures, etc.).
|Partners, external companies and subsidiaries of a single group of companies;|
Organisations, officers of the court and judicial officers in the context of their debt collection functions;
The body responsible for managing the list of cold-calling prohibitions;
Data processors’ authorised employees.
Recipients within Owkin of the Personal Data of customers, partners and contacts are bound by a confidentiality obligation. In any case, Owkin only provides them with the information needed to process Personal Data in compliance with the purposes identified.
Owkin decides which recipients may access which Personal Data by means of an authorisation policy.
All access to the processing of customers’, partners’ and contacts’ Personal Data is traceable.
Personal Data may also be forwarded to any authority legally entitled to receive it. In such cases, Owkin is not liable for the manner in which said authorities access and use the Personal Data.
Owkin may also disclose your Personal Data:
- to a prospective buyer of its business or assets, during the course of a fundraising or M&A operation;
Owkin will never sell your Personal Data to any third parties.
8. Retention period
The retention period of Personal Data is defined by Owkin in accordance with its legal and contractual obligations and, failing this, depending on the specific needs, notably in accordance with the following principles:
|Customer and Partner Personal Data||For the duration of contractual relations with Owkin, plus five (5) years for sales development purposes, without prejudice to storage and retention obligations or the statute of limitations.|
|Personal Data relating to contacts and potential customers||Three (3) years from collection of the Personal Data by Owkin or from the last contact made by the potential customer or contact.|
|Targeted advertising Personal Data||Six (6) months to one (1) year from collection, depending on the campaign.|
|Bank details||Deleted on expiry of the agreement.If a transaction is disputed: thirteen (13) months’ retention in the files following the data of debit|
After the specified periods, Personal Data is either deleted or retained after anonymisation, notably for statistical purposes. It may be retained in the event of pre-litigation and litigation.
Customers, partners and contacts are reminded that deletion or anonymisation are irreversible operations and Personal Data cannot be subsequently restored by Owkin.
9. Confirmation and access right
Customers, partners and contacts are entitled to request Owkin to issue confirmation of whether or not their Personal Data is being processed.
Customers, partners and contacts also enjoy an access right, subject to compliance with the following rules:
- The request is issued personally and is accompanied by a valid identity document;
- It is issued in writing to the following address: Legal Department – Owkin France – 12 rue Martel, 75010 Paris – France or e-mail address email@example.com
Customers, partners and contacts are entitled to request a copy of their Personal Data being processed by Owkin. However, in the event of any additional copies being requested, Owkin may require the customer, partner or contact to cover the associated costs.
If customers, partners or contacts request a copy of their Personal Data via electronic means, the requested information will be provided in a commonly used electronic format, unless specified otherwise.
Customers, partners and contacts are notified that this access right may not cover confidential information or data, or data for which communication is prohibited by law.
The access right may not be exercised in an abusive manner, i.e. exercised legally yet with the sole objective of undermining the proper execution of the service in question.
10. Updating and rectification
Owkin will meet updating requests:
- Automatically, for online modifications relating to fields that may be updated technically or legally;
- On written request, issued by the Data subject personally on proof of identity.
11. Right to deletion
The deletion right of customers, partners and contacts does not apply where processing is carried out in compliance with a legal obligation.
In other circumstances, customers, partners and contacts may request deletion of their data if any of the following criteria are met:
- the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- if the Data subject withdraws the consent on which the processing has been based and there exists no other legal basis;
- the Data subject objects to processing required for Owkin to pursue its legitimate interests and there exists no other pressing and legitimate reason to continue processing;
- the Data subject objects to the processing of its Personal Data for marketing purposes, including profiling;
- the Personal Data has been processed unlawfully.
In accordance with legislation of Personal Data protection, customers, partners and contacts are notified that this is an individual right that may only be exercised by the Data subject in relation to their own information: for security reasons, the department concerned must therefore verify your identity before communicating any of your confidential information to a person other than you.
12. Right to restrict processing
Customers, partners and contacts are notified that the right to restrict processing is not intended to apply when the processing carried out by Owkin is legal and all the Personal Data collected is necessary for performance of its services.
13. Personal Data portability right
Owkin will accede to Personal Data portability requests in the specific circumstances of Personal Data communicated by customers, partners and contacts personally, via online services provided by Owkin itself and for purposes based solely on personal consent. In such cases, the Personal Data will be communicated in structured and commonly used format able to be read by a machine.
14. Automated individual decision-making
Owkin does not carry out automated individual decision-making.
15. Rights after death
Customers, partners and contacts are notified that they have the right to issue instructions concerning the retention, deletion and communication of their data after their death. The communication of specific instructions for the exercise of rights after death are to be issued by e-mail at firstname.lastname@example.org or by post at Legal Department – Owkin France – 12 rue Martel, 75010 Paris – France, accompanied by a copy of a signed identity document.
16. Optional or mandatory nature of responses
Customers, partners and contacts are notified on every Personal Data collection form of the mandatory or optional nature of responses by means of an asterisk.
If a response is mandatory, Owkin will explain the consequences of non-response to customers, partners and contacts.
17. Right of use
Owkin is assigned by customers, partners and contacts a right to use and process their Personal Data for the aforementioned purposes.
However, any data supplemented by the processing and analysis of Owkin, otherwise known as supplemented data, shall remain the exclusive property of Owkin (usage analysis, statistics, etc.).
18. Data processors
Owkin notifies its customers, partners and contacts that it may engage any processor of its choice to process their Personal Data.
In any such case, Owkin ensures that the processor complies with its obligations under the GDPR.
Owkin undertakes to sign a contract with all processors, imposing on the latter the same Personal Data protection obligations that apply to Owkin. Furthermore, Owkin reserves the right to perform an audit on the processor to verify the latter’s compliance with its obligations under the GDPR.
Owkin is required to implement security techniques of a physical or logical nature which it judges to be appropriate to prevent the destruction, loss, degradation or unauthorised disclosure of Personal Data in an accidental or illegal manner.
The main elements of these measures are:
- management of Personal Data access rights;
- internal back-up;
- identification processes;
- security audits;
- implementation of an IT system security policy;
- implementation of business continuity and disaster recovery plans;
- utilisation of security protocols and/or solutions.
20. Personal Data breach
In the event of any breach of Personal Data, Owkin undertakes to notify CNIL, the ICO or the PFPDT as set out in the GDPR.
Should any such breach present a high level of risk for customers, partners and contacts and the data has not been protected, Owkin shall:
- notify the customers, partners and contacts concerned;
- issue the necessary information and recommendations to the customers, partners and contacts concerned.
21. Data Protection Officer
Owkin has designated a Data Protection Officer.
The contact details of the Data Protection Officer are as follows:
- Name: Eric Barbry, Partner at Racine law firm;
- E-mail address: email@example.com ;
- Tel: 01 44 82 43 00.
If Personal Data is to be subjected to additional processing, Owkin will notify the Data Protection Officer in advance.
Should customers, partners and contacts wish to obtain any particular information or pose a specific question, they may contact the Data Protection Officer who will provide a response within a reasonable period in light of the question posed or information requested.
In the event of encountering any problem with the processing of Personal Data, customers, partners and contacts may contact the designated Data Protection Officer.
22. Processing record
As Data controller, Owkin undertakes to maintain a record recording all completed processing activities.
This record is a document or software that lists all processing carried out by Owkin in its capacity as Data controller.
Owkin undertakes to provide any supervisory authority on request with all information enabling said authority to verify the compliance of processing with applicable Personal Data protection regulations.
23. Right to submit a complaint to CNIL, ICO or PFPDT
Customers, partners and contacts concerned by the processing of their Personal Data have the right to submit a complaint to a supervisory authority, i.e. CNIL in France, ICO in United Kingdom or PFPDT in Switzerland, should they believe that the processing of their Personal Data does not comply with EU data protection regulations, at the following address:
|FranceCNIL – Service des plaintes3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07 Phone number: 01 53 73 22 22|
|United KingdomInformation Commissioner’s Office – Complaint serviceWycliffe House, Water Ln, Wilmslow SK9 5AF, United KingdomPhone number: 0303 123 1113|
|SwissePréposé federal à la protection des données et à la transparenceFeldeggweg 1|
CH-3003 BernePhone number: +41 (0)58 462 43 95
24. Regulatory developments
Any new version of this policy will be notified to customers and contacts via all reasonable means defined by Owkin, including electronically (e.g. notification via e-mail or online).
25. For further information
For any further general information about Personal Data protection, please consult the CNIL website at: www.cnil.fr., the ICO website at: https://ico.org.uk/, and the PFPDT website at: https://www.edoeb.admin.ch/edoeb/fr/home.html