PrivacyPolicy

1. Recitals

The protection of individuals with regards to the processing of their Personal Data (as defined below) is a fundamental right that Owkin group, which includes without limitation Owkin, Inc., Owkin France, Owkin UK Ltd and Owkin (Switzerland) Sàrl, (together, “Owkin”) takes very seriously.

Owkin process Personal Data as part of its relations with its, visitors, prospects, partners and – more generally – any users of the website: www.owkin.com (the “Website”).

Owkin is committed to carrying out its business in accordance with the applicable data protection regulations and, in particular, the General Data Protection Regulation (EU) 2016/679 of April 27th, 2016 (“GDPR”), which aims to protect individuals’ rights with regards to the collection, use, retention, transfer, disclosure and destruction of their Personal Data.

This privacy policy (“Privacy Policy”) sets forth the types and the use of Personal Data Owkin may receive from your interactions with Owkin through its media platforms. Owkin strives to preserve the safety and security of your Personal Data, as well as inform you and uphold your rights.

Please read the following carefully and do not hesitate to contact our Data Protection Officer, Maître Eric Barbry, if you need further information or assistance: dpo-owkin@racine.eu.

Please note the following definitions of certain terms used in this policy: 

  • Personal Data: refers to any information or pieces of information that can directly or indirectly identify a Data subject, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual;
  • Data controller: Owkin and more specifically Owkin France;
  • Data processor: natural person or legal entity who processes Personal Data on behalf of Owkin; 
  • Data subject: visitors, users, Members of the website, clients, partners, and/or contacts of Owkin;
  • Data recipient: individual or legal entity who receives Personal Data from Owkin. Data recipients may therefore also be employees of Owkin or of external entities (partners, subcontractors, exhibitors, banks, service providers, agents etc.).
  • Member: user who registered on the Website by providing their email address and creating a password in order to access certain features of the Website.

In Article 12, the GDPR requires that data subjects are notified of their rights in a concise, transparent, comprehensible and easily accessible manner.

2. Objective

The purpose of this policy is to meet the information obligation of Owkin under the GDPR (Article 12) and to document the rights and obligations of its clients, partners and contacts regarding the processing of their Personal Data.

3. Scope

This Privacy Policy applies to all processing of the Personal Data of Owkin’s clients, partners and contacts. 

Owkin makes every effort to ensure that Personal Data is processed within the framework of strict internal governance. That being said, this Privacy Policy only covers Personal Data of which Owkin is the Data controller and therefore not any processing that may be established or performed outside the scope of governance specified by Owkin (“Shadow IT”).

The processing of Personal Data may be managed directly by Owkin or via a Data processor specifically designated by Owkin.

This Privacy Policy is independent of any other document that may apply in the context of the contractual relationship between Owkin and its clients, partners or contacts.

4. Purposes 

Owkin does not process any Personal Data of clients, partners or contacts if not relating to the Personal Data collected by or for its departments or processed in association with its departments and if it does not comply with the general principles of the GDPR. 

Owkin may use Personal Data for the following purposes:

  • Management of contractual relationship, management of contact relationship, and business development;
  • Implementation and management of targeted advertising and segmentation; 
  • Execution and management of an agreement with partners (hospitals, universities, research centers), a client (pharma companies, biotech companies or other corporate clients); 
  • Management of Members’ access to certain pages and information of the Website;
  • Implementation and management of marketing campaigns, generally via e-mail, SMS, phone, etc. and Media advertising ;
  • Implementation, communication and management of its newsletter based on your consent. Please note that you can opt out of our newsletter at any time by clicking the “unsubscribe” link at the bottom of our newsletters;
  • Organization and management of events, in which Owkin participates or which Owkin is a sponsor; 
  • Implementation and management of social selling campaign (including the collection of data relating to registrations, posts, likes, replies, forwards, comments, opinions, etc.);
  • Ensuring compliance with legal obligations. In certain cases, Owkin collects and uses your Personal Data to comply with laws;
  • Ensuring the security of Personal Data collected and processed; 
  • Implementation and management of surveys and statistics; 
  • Implementation and management of cookies in particular used on Owkin Website;
  • Implementation and management of invoicing and accounting purposes;
  • Implementation and management of the Website (case studies, contact forms, etc.).

Although the list is intended to be as exhaustive as possible, any new uses or modification or withdrawal of any existing processing will be notified to clients, partners and contacts by way of an amendment of this Privacy Policy. 

These purposes are based on the legitimate interests of Owkin to hold Personal Data concerning its contacts and Website users.

5. Types of Personal Data collected



Non-technical Personal Data
(depending on the circumstances)
Identity and identification (surname, first name, date of birth, pseudonym, client number, username and password).
Contact details (e-mail, postal address, phone number): notably for sending newsletters.
Professional activities, if applicable (company name, function).
Bank details, if required.
Data relating to current contracts.

Technical Personal Data
(depending on the circumstances)
Your internet browsing history and activity data (access times, page views, forms completed on the website, URLs clicked on, IP address, etc.);
Technical information such as the type of browser and operating system you use or your device information (unique device identifier, hardware model, operating system and version, mobile network information).

6. Personal Data sources

Personal Data relating to its clients, partners and contacts is generally collected from them directly (direct collection). 

Collection may also be indirect via specialized companies or partners and suppliers of Owkin. In such cases, Owkin takes the greatest of care to ensure the quality of data it receives. 

7. Personal Data recipients – authorisation & traceability

Owkin ensures that Personal Data can only be accessed by authorised internal and external recipients.

Internal recipients External recipients 
Authorised employees from Owkin:
Communications and Marketing Department, Departments responsible for managing the client relationship and sales development, Finance Department, IT Department, Legal Department, HR Department, Product Department, and their line managers.

Authorised employees from departments responsible for control and audit functions (departments responsible for internal control procedures, etc.).
Partners, external companies and subsidiaries of a single group of companies;
Organisations, officers of the court and judicial officers in the context of their debt collection functions;
The body responsible for managing the list of cold-calling prohibitions;
Data processors’ authorised employees.

Recipients within Owkin of the Personal Data of clients, partners and contacts are bound by a confidentiality obligation. In any case, Owkin only provides them with the information needed to process Personal Data in compliance with the purposes identified.

Owkin decides which recipients may access which Personal Data by means of an authorisation policy. 

All access to the processing of clients’, partners’ and contacts’ Personal Data is traceable. 

Personal Data may also be forwarded to any authority legally entitled to receive it. In such cases, Owkin is not liable for the manner in which said authorities access and use the Personal Data.

Owkin may also disclose your Personal Data:

  • to a prospective buyer of its business or assets, during the course of a fundraising or M&A operation;
  • if Owkin is under a duty to disclose or share your Personal Data in order to comply with a legal obligation, or in order to enforce or apply its terms of use or other terms and conditions you have agreed to; or to protect the rights, property, or safety of Owkin, its partners or employees.

Owkin will never sell your Personal Data to any third parties.

8. Retention period

The retention period of Personal Data is defined by Owkin in accordance with its legal and contractual obligations and, failing this, depending on the specific needs, notably in accordance with the following principles:

ProcessingRetention period
Client and Partner Personal DataFor the duration of contractual relations with Owkin, plus five (5) years for sales development purposes, without prejudice to storage and retention obligations or the statute of limitations.
Personal Data relating to contacts and potential clientsThree (3) years from collection of the Personal Data by Owkin or from the last contact made by the potential client or contact.
Targeted advertising Personal DataSix (6) months to one (1) year from collection, depending on the campaign.
Bank detailsDeleted on expiry of the agreement.If a transaction is disputed: thirteen (13) months’ retention in the files following the data of debit

After the specified periods, Personal Data is either deleted or retained after anonymisation, notably for statistical purposes. It may be retained in the event of pre-litigation and litigation.

Clients, partners and contacts are reminded that deletion or anonymisation are irreversible operations and Personal Data cannot be subsequently restored by Owkin.

9. Confirmation and access right 

Clients, partners and contacts are entitled to request Owkin to issue confirmation of whether or not their Personal Data is being processed. 

Clients, partners and contacts also enjoy an access right, subject to compliance with the following rules:

  • The request is issued personally and is accompanied by a valid identity document;
  • It is issued in writing to the following address: Legal Department – Owkin France – 12 rue Martel, 75010 Paris – France or e-mail address legal@owkin.com 

Clients, partners and contacts are entitled to request a copy of their Personal Data being processed by Owkin. However, in the event of any additional copies being requested, Owkin may require the customer, partner or contact to cover the associated costs.

If clients, partners or contacts request a copy of their Personal Data via electronic means, the requested information will be provided in a commonly used electronic format, unless specified otherwise. 

Clients, partners and contacts are notified that this access right may not cover confidential information or data, or data for which communication is prohibited by law. 

The access right may not be exercised in an abusive manner, i.e. exercised legally yet with the sole objective of undermining the proper execution of the service in question.

10. Updating and rectification

Owkin will meet updating requests:

  • Automatically, for online modifications relating to fields that may be updated technically or legally; 
  • On written request, issued by the Data subject personally on proof of identity.

11. Right to deletion 

The deletion right of clients, partners and contacts does not apply where processing is carried out in compliance with a legal obligation. 

In other circumstances, clients, partners and contacts may request deletion of their data if any of the following criteria are met:

  • the Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; 
  • if the Data subject withdraws the consent on which the processing has been based and there exists no other legal basis; 
  • the Data subject objects to processing required for Owkin to pursue its legitimate interests and there exists no other pressing and legitimate reason to continue processing; 
  • the Data subject objects to the processing of its Personal Data for marketing purposes, including profiling;
  • the Personal Data has been processed unlawfully.

In accordance with legislation of Personal Data protection, clients, partners and contacts are notified that this is an individual right that may only be exercised by the Data subject in relation to their own information: for security reasons, the department concerned must therefore verify your identity before communicating any of your confidential information to a person other than you. 

12. Right to restrict processing 

Clients, partners and contacts are notified that the right to restrict processing is not intended to apply when the processing carried out by Owkin is legal and all the Personal Data collected is necessary for performance of its services. 

13. Personal Data portability right 

Owkin will accede to Personal Data portability requests in the specific circumstances of Personal Data communicated by clients, partners and contacts personally, via online services provided by Owkin itself and for purposes based solely on personal consent. In such cases, the Personal Data will be communicated in structured and commonly used format able to be read by a machine. 

14. Automated individual decision-making 

Owkin does not carry out automated individual decision-making.

15. Rights after death

Clients, partners and contacts are notified that they have the right to issue instructions concerning the retention, deletion and communication of their data after their death. The communication of specific instructions for the exercise of rights after death are to be issued by e-mail at legal@owkin.com or by post at Legal Department – Owkin France – 12 rue Martel, 75010 Paris – France, accompanied by a copy of a signed identity document.

16. Optional or mandatory nature of responses 

Clients, partners and contacts are notified on every Personal Data collection form of the mandatory or optional nature of responses by means of an asterisk. 

If a response is mandatory, Owkin will explain the consequences of non-response to clients, partners and contacts.

17. Right of use 

Owkin is assigned by clients, partners and contacts a right to use and process their Personal Data for the aforementioned purposes. 

However, any data supplemented by the processing and analysis of Owkin, otherwise known as supplemented data, shall remain the exclusive property of Owkin (usage analysis, statistics, etc.).

18. Data processors 

Owkin notifies its clients, partners and contacts that it may engage any processor of its choice to process their Personal Data.

In any such case, Owkin ensures that the processor complies with its obligations under the GDPR. 

Owkin undertakes to sign a contract with all processors, imposing on the latter the same Personal Data protection obligations that apply to Owkin. Furthermore, Owkin reserves the right to perform an audit on the processor to verify the latter’s compliance with its obligations under the GDPR. 

19. Security 

Owkin is required to implement security techniques of a physical or logical nature which it judges to be appropriate to prevent the destruction, loss, degradation or unauthorised disclosure of Personal Data in an accidental or illegal manner.

The main elements of these measures are:

  • management of Personal Data access rights;
  • internal back-up;
  • identification processes; 
  • security audits;
  • implementation of an IT system security policy;
  • implementation of business continuity and disaster recovery plans;
  • utilisation of security protocols and/or solutions.

20. Personal Data breach 

In the event of any breach of Personal Data, Owkin undertakes to notify CNIL, the ICO or the PFPDT as set out in the GDPR. 

Should any such breach present a high level of risk for clients, partners and contacts and the data has not been protected, Owkin shall: 

  • notify the clients, partners and contacts concerned; 
  • issue the necessary information and recommendations to the clients, partners and contacts concerned.

21. Data Protection Officer 

Owkin has designated a Data Protection Officer.

The contact details of the Data Protection Officer are as follows:

  • Name: Eric Barbry, Partner at Racine law firm;
  • E-mail address: dpo-owkin@racine.eu ;
  • Tel: 01 44 82 43 00.

If Personal Data is to be subjected to additional processing, Owkin will notify the Data Protection Officer in advance.

Should clients, partners and contacts wish to obtain any particular information or pose a specific question, they may contact the Data Protection Officer who will provide a response within a reasonable period in light of the question posed or information requested.

In the event of encountering any problem with the processing of Personal Data, clients, partners and contacts may contact the designated Data Protection Officer.

22. Processing record 

As Data controller, Owkin undertakes to maintain a record recording all completed processing activities.

This record is a document or software that lists all processing carried out by Owkin in its capacity as Data controller.

Owkin undertakes to provide any supervisory authority on request with all information enabling said authority to verify the compliance of processing with applicable Personal Data protection regulations.

23. Right to submit a complaint to CNIL, ICO or PFPDT 

Clients, partners and contacts concerned by the processing of their Personal Data have the right to submit a complaint to a supervisory authority, i.e. CNIL in France, ICO in United Kingdom or PFPDT in Switzerland, should they believe that the processing of their Personal Data does not comply with EU data protection regulations, at the following address: 

France CNIL – Service des plaintes 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, Phone number: 01 53 73 22 22
United Kingdom Information Commissioner’s Office – Complaint service, Wycliffe House, Water Ln, Wilmslow, SK9 5AF, United Kingdom, Phone number:  0303 123 1113
Swisse Préposé federal à la protection des données et à la transparence Feldeggweg 1, CH-3003 Berne, Phone number:  +41 (0)58 462 43 95

24. Regulatory developments 

This Privacy Policy may be amended or supplemented at any time in the event of legal or judicial developments, or in response to new uses and any decisions or recommendations issued by CNIL, ICO or PFPDT.

Any new version of this policy will be notified to clients and contacts via all reasonable means defined by Owkin, including electronically (e.g. notification via e-mail or online).

25. For further information

For any further general information about Personal Data protection, please consult the CNIL website at: www.cnil.fr., the ICO website at: https://ico.org.uk/, and the PFPDT website at: https://www.edoeb.admin.ch/edoeb/fr/home.html