Clinical Trial Privacy Notice

Effective on: October 30, 2024

1. Introduction and Scope

TORL Biotherapeutics LLC (“TORL Bio”, “we”, “us”, “our”) sponsors ethically approved clinical trials. We take the protection of personally identifiable information (“Personal Data”) very seriously. This Privacy Notice (the “Notice”) addresses individual patients (“Participants”) and personnel (“Personnel”) (individually and together, “you,” “your”) whose Personal Data we may receive in connection with the clinical trials (“Trial” or “Trials”) we sponsor.

Please read this Notice to learn what we are doing with your Personal Data, how we protect it, and how you can exercise your privacy rights.

This Notice does not apply to Personal Data collected by any other means, like Personal Data collected through our public website. This Notice does not apply to our employees and contractors. If we do not process information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual, such information is not considered Personal Data and this Notice will not apply to our processing of that information.

2. Controllership

Within the scope of this Notice TORL Bio generally acts as a data controller for the Personal Data processed in the context of the Trials we sponsor. This means that we alone determine the purpose and means of the processing of your Personal Data.

In some jurisdictions, we are considered a “joint controller” with another organization, such as the study site where the Trial is being conducted. This means that we jointly, together with the other organization, determine the purpose and means of the processing of your Personal Data. If you would like to know more about any other data controllers who might be joint controllers together with TORL Bio, you may ask your study doctor or the study site for further details, specifically relating to the Trial that you are participating in.

3. Categories of Personal Data

Participants:
Even though we are a data controller for the Personal Data processed in the context of our Trials, TORL Bio itself does not have access to identifiable Personal Data, meaning that we are unable to identify you personally from the information we have access to. Personal Data is collected by our service providers like the study site (the clinic or other healthcare facility where the Trial is being run) or other third parties, such as your doctors or our clinical research organizations. When any information relating to you is shared with us by our service providers, it will first be key-coded (also known as “pseudonymized”) so that we cannot identify you by any direct personal identifier (such as your name, social security number, address, or telephone number).

The following types of Personal Data may be processed in the context of our Trials:

• basic identifying information, such as your first and last name;
• demographic information, such as your ethnicity, race, month/year of birth and sex;
• contact information, such as your phone number, physical address and email address;
• location information, such as the location of your testing site and Trial location (i.e. study site);
• health care information, such as the identity and contact information of your doctors and health care providers;
• health information, such as your medical history, current health status and reaction to the Trial drug or treatment; and
• your genetic information.

Personnel:
The following types of Personal Data may be processed in the context of our Trials:

• basic identifying information, such as your first and last name;
• professional information, such as your place of practice, job title, the medical field in which you are active, professional qualifications and scientific activities;
• financial data, such as payment-related information; and
• location information, such as the location of your testing site and Trial location (i.e. study site).

4. How We Receive Personal Data

Participants:
We may receive your Personal Data when:

• you provide it directly to us (including when you provide your Personal Data to one of our service providers acting on our behalf);
• a study doctor (also known as an “investigator”) or other healthcare personnel at the study site provides it to us, or your healthcare provider provides it to us;
• we receive it from the clinical research organization that conducts the Trial on our behalf; and
• you provide it to us, the clinical research organization, or a study doctor when you complete a pre-screening questionnaire to confirm your eligibility to participate in the Trial.

Personnel:
We receive your Personal Data when:

• you provide it to us in your role as Personnel in the context of assisting in the operation of the Trial.

5. Purpose of Processing

Participants:
We may process your Personal Data for the purposes of:

• managing and facilitating the Trial;
• enabling your participation in the Trial;
• answering the research questions for the Trial and aggregating data to generate statistics relating to the Trial and/or study drug or health treatment;
• arranging for the delivery of drugs to you and collection of unused drugs from you in relation to the Trial;
• arranging your transportation to or from the study site;
• sending you reminders about your appointments at the study site, or to take your medication on time;
• monitoring and reporting on any adverse events, such as negative side effects;
• developing new medicinal drugs or health treatments;
• complying with legislation governing Trials;
• disclosing your Personal Data to the appropriate regulatory authorities, auditors, and ethics committees, if required by law;
• responding to your inquiries and requests; and
• communicating with you on the status of the Trial.

We also process your Personal Data for the specific purposes described in the informed consent form provided to you by Trial Personnel.

Personnel:
We may process your Personal Data for the purposes of:

• managing our relationship with you;
• contacting Personnel for planning and organizing the Trials;
• conducting the Trials; and
• complying with applicable laws and regulations.

6. Automated Individual Decision-Making

If you participate in a Trial, you will be assigned a unique patient identification number. Depending on the Trial you participate in, this number may be used as part of an automatic process that randomly determines if you will receive the experimental drug substance or treatment that is being evaluated in the Trial, or if you will receive a different treatment. This type of automated decision-making is required in order to ensure that the Trial is conducted in an ethical way, and in accordance with good clinical practice standards.

 

7. Basis of Processing

We must have a valid reason to use your Personal Data. This is called a “lawful basis for processing”.

Participants:

• We process your Personal Data for safety and reliability purposes in order to comply with our legal obligations.
• We process your Personal Data for scientific research purposes based on our legitimate interest in conducting clinical trials and performing valuable scientific and medical research.
• If we process your Personal Data for other purposes after the end of a Trial, we will do so based on your consent or our legitimate interest in conducting further research.

TORL Bio will need to process data about your health in order for you to participate in a Trial. Health data is considered sensitive Personal Data (also known as a “special category” of Personal Data) and special rules apply to working with it. When we process special categories of your Personal Data, we only do so when the processing is necessary for reasons of public interest in the area of public health. Those reasons include making sure our drugs are safe and effective, and conducting our Trials safely. We also process your sensitive Personal Data based on your explicit consent.

The specific grounds on which we process your Personal Data, including your health data, may vary somewhat from the above in order to comply with the requirements of applicable local laws in jurisdictions where we sponsor Trials. If you are a patient in an TORL Bio Trial, please refer to the informed consent form you signed for more information about the legal grounds on which we process your Personal Data. If there is any conflict between any provision in this Notice and any provision in the informed consent form you signed in connection with your participation in a clinical trial we sponsor, the informed consent form shall supersede the conflicting provision in this Notice.

Personnel:

• TORL Bio may process your Personal Data based on our legitimate interests in facilitating the operation of our business and conducting Trials, making informed investigator selection decisions, and improving our principal investigator and Trial staff recruiting and contracting processes.
• We also process Personal Data because it is necessary for the performance of the contracts between TORL Bio and Trial sites, including by enabling us to communicate with you and other principal investigators about the performance of the relevant Trial.
• TORL Bio may process Personal Data of Trial personnel in order to comply with applicable laws and regulations, including clinical trial regulations requiring us and those acting on our behalf to collect Personal Data from individuals who participate in the conduct of a Trial.
• Personal Data may also be processed based on your consent.

8. Data Retention

Participants:
We will retain your Personal Data to the maximum extent permitted by law, once your data has been key-coded and recorded in official Trial documents, we cannot remove it without affecting the accuracy of the studies and test results. For example, European law and Good Clinical Practices requires us to keep Personal Data that is part of the clinical trial master file for at least twenty-five (25) years after the conclusion of the applicable Trial. Other laws may require different retention periods. This includes your identity and health information and any adverse effects of the drug you took during the Trial.

Personnel:
We will retain your Personal Data until we fulfil the purposes listed above, or for as long as we are required to keep it to comply with applicable laws or regulations. 

9. Sharing Personal Data With Third Parties

We may share Personal Data with service providers who process Personal Data on our behalf, and who agree to use the Personal Data only to assist us in fulfilling the purposes of processing, or as required by law.  Our service providers include parties providing:

• contract/clinical research organization services;
• patient recruitment services;
• quality assurance, safety and pharmacovigilance software and related services;
• data storage and archiving software and related services;
• data analytics and reporting software and services;
• services related to the collection, storage, testing, and transportation of biological material;
• software that randomly decides which treatment you will receive during the Trial;
• logistics and transport service providers; and
• electronic data capture software and hardware.

We will also share your Personal Data with other third parties involved in the Trials.

Some of these third parties are data controllers in their own right. These third parties include clinical sites like hospitals and medical offices, and public government agencies (i.e., National Health Authorities, Regulatory Authorities and Ethics Committees) and may be located in other countries. 

10. International Transfers of Personal Data

Some of the abovementioned third parties may be located in countries outside of the EU or the EEA. In some cases, the European Commission may not have determined that those countries’ data protection laws provide a level of protection for your Personal Data. When the GDPR applies to the processing of your Personal Data, we will only transfer your Personal Data to third parties in countries which are recognized as providing an adequate level of protection for Personal Data, or who provide appropriate safeguards to protect your Personal Data. We ensure that the recipient of your Personal Data offers an adequate level of protection, for instance, by entering into appropriate data protection agreements and if required, the European Commission-approved standard contractual data protection clauses (or a similarly appropriate contractual transfer mechanism). These safeguards may include the model data protection clauses approved by the European Commission. To access these model clauses, please contact our Data Protection Officer.

11. Other Disclosure of Your Personal Data

We may disclose your Personal Data:

• with regulators or competent authorities, to the extent necessary to comply with applicable laws, regulations and rules (including, without limitation, federal, state or local laws);
• to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties);
• if, in the future, we sell or transfer, or consider selling or transferring, part or all of our company, business, shares or assets to a third party, and we disclose your Personal Data to such third party in connection with the sale or transfer; or
• in the event that we are acquired by, or merged with, a third party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign your Personal Data in connection with the foregoing events.
• If you want to receive the list of the current recipients of your Personal Data, please make your request by contacting us at  [email protected].

If we have to disclose your Personal Data to governmental or law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.

12. Data Integrity and Security

We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing. These measures include the use of measures like key-coding and encryption, where appropriate.

13. Your Privacy Rights 

You have specific rights regarding your Personal Data that we collect and process. In this section, we first describe those rights and then we explain how you can exercise them.

Right to Know What Happens to Your Personal Data

This is called the right to be informed. It means that you have the right to obtain from us all information regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things.

We are informing you of how we process your Personal Data with this Notice.

We will always try to inform you about how we process your Personal Data. However, if we do not collect the Personal Data directly from you, the GDPR exempts us from the obligation to inform you (i) when providing the information is either impossible or unreasonably expensive; (ii) the gathering and/or transmission is required by law, or if (iii) the Personal Data must remain confidential due to professional secrecy or other statutory secrecy obligations.

Right to Know What Personal Data TORL Bio Has About You

This is called the right of access. This right allows you to ask for full details of the Personal Data we hold on you. You have the right to obtain from us, including confirmation of whether or not we process Personal Data concerning you, and, where that is the case, a copy or access to the Personal Data and certain related information. Once received and confirmed that the request came from you or your authorized agent, you have the right to have disclosed to you information required under the GDPR, which may include:

• The categories of your Personal Data that we process;
• The categories of sources for your Personal Data;
• Our purposes for processing your Personal Data;
• Where possible, the retention period for your Personal Data, or, if not possible, the criteria used to determine the retention period;
• The categories of third parties with whom we share your Personal Data;
• The specific pieces of Personal Data we process about you in an easily-sharable format;
• If we rely on legitimate interests as a lawful basis to process your Personal Data, the specific legitimate interests (for example, to process a request made by you); and
• The appropriate safeguards used to transfer Personal Data from the EEA or the UK to a third country, if applicable.

Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.

Right to Change Your Personal Data

This is called the right to rectification. It gives you the right to ask us to correct without undue delay anything that you think is wrong with the Personal Data we have on file about you, and to complete any incomplete Personal Data.

Right to Delete Your Personal Data

This is called the right to erasure, right to deletion, or the right to be forgotten. This right means you can ask for your Personal Data to be deleted. Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.

Right to Ask Us to Limit How We Process Your Personal Data

This is called the right to restrict processing. It is the right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.

Right to Ask Us to Stop Using Your Personal Data

This is called the right to object. This is your right to tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours (or of a third party). You may also object at any time to the processing of your Personal Data for direct marketing purposes.

We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.

Right to Port or Move Your Personal Data

This is called the right to data portability. It is the right to ask for and receive a portable copy of your Personal Data that you have given us or that you have generated by using our Services, so that you can:

• Move it;
• Copy it;
• Keep it for yourself; or
• Transfer it to another organization.

We will provide your Personal Data in a structured, commonly used, and machine readable format. When you request this information electronically, we will provide you a copy in electronic format.

Right Related to Automated Decision Making

For decisions that may seriously impact you, you have the right not to be subject to automatic decision making, including profiling. But in those cases, we will always explain to you when we might do this, why it is happening and the effect.

Right to Withdraw Your Consent

Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect processing performed on other lawful grounds. If you withdraw your consent, you may be ineligible to participate in the Trial.

How to Exercise Your Rights

Participants:
To exercise your rights, please first speak with your study doctor instead of contacting us directly, so that we can ensure that your confidentiality is preserved. Where appropriate, your doctor will pass on your request to TORL Bio.

In order to correctly respond to your privacy rights requests, the study doctor will need to confirm that YOU made the request. Consequently, they may require additional information to confirm that you are who you say you are.

The study doctor will request the minimum amount of information from you required to verify your request and will only request information that is already held pertaining to you.  Any Personal Data you provide related to the request will be used only in order to verify your identity or authority to make the request.

If you are unable to exercise your rights through your study doctor for any reason, you may contact our Data Protection Officer, VeraSafe, by sending an email to [email protected], or by using the information in the “Contact Us” section below. In order to preserve your confidentiality, please do not contact TORL Bio directly.

Personnel:
You may contact our Data Protection Officer, VeraSafe, by sending an email to [email protected], or by using the information in the “Contact Us” section below.

In order to correctly respond to your privacy rights requests, the Data Protection Officer will need to confirm that YOU made the request. Consequently, they may require additional information to confirm that you are who you say you are.

The Data Protection Officer will request the minimum amount of information from you required to verify your request and will only request information that is already held pertaining to you.  Any Personal Data you provide related to the request will be used only in order to verify your identity or authority to make the request.

Participants and Personnel:
You also have the right to lodge a complaint with a data protection regulator in your applicable jurisdiction.

14. Privacy of Children

Our Trials are generally not directed at, or intended for use by, children under the age of 18, however where this is the case, we obtain parental or legal guardian consent before processing Personal Data about children.

15. Contact Us

If you are a Participant and have any questions about this Notice or our processing of your Personal Data, please contact your study doctor. If you are Personnel and have any questions about this Notice or our processing of your Personal Data, please contact our Data Protection Officer at the contact information provided below. Our Data Protection Officer will respond to you as soon as possible, but no later than one month after you contact us. If we need more time (up to 3 months in total), we will inform you of the reason why and the extension period in writing

Data Protection Officer
We have appointed VeraSafe as our DPO. Personnel, please contact VeraSafe on matters related to our use of your Personal Data. VeraSafe’s contact details are:

VeraSafe
100 M Street S.E., Suite 600
Washington, D.C. 20003
Email: [email protected]
Web: https://www.verasafe.com/about-verasafe/contact-us/
Tell: +1 617 398 7067

European Union Representative
We have appointed VeraSafe as our representative in the EU for data protection matters. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or use the contact details provided below:

VeraSafe
Plaza de la Solidaridad 12, Floor 5
29006, Malaga
Malaga
Spain

United Kingdom Representative
VeraSafe has also been appointed as our representative in the United Kingdom for data protection matters. To make an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at +44 (20) 4532 2003 or use the contact details provided below:

VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom

16. Changes to this Notice

If we change this Notice, we will provide you with a copy of the revised Notice or update the web page you read it on. We will also update the “Effective” date.