EU-U.S. Privacy Shield Policy Statement of Circassia Pharmaceuticals, Inc.
It is Circassia’s policy to respect and protect Personal Information collected or maintained by or on behalf of Circassia—therefore, Circassia adheres to the EU-U.S. Privacy Shield Principles. In furtherance of this commitment, Circassia has certified to the EU-U.S. Privacy Shield Framework (“Privacy Shield”), as set forth by the U.S. Department of Commerce and the Federal Trade Commission (“FTC”), regarding the collection, use and retention of Personal Information from Citizens in support of Circassia’s human resources, commercial, supplier, and clinical operations (collectively, Circassia’s “Operations”). To learn more about Privacy Shield, and to view Circassia’s certification, please visit https://www.privacyshield.gov.
This Statement describes the principles pursuant to which Circassia manages Personal Information received: (i) from Employees, in support of Circassia’s human resources operations; (ii) in the course of Circassia’s operations involving current, prospective and former clients, customers, visitors and guests (collectively “Clients”); (iii) in the course of its related interactions with current, prospective and former suppliers, distributors, subcontractors and strategic partners (collectively, “Suppliers”); and (iv) physicians/investigators, health care professionals, and trial subjects (collectively, “Clinical Parties”). The categories of Personal Information covered by this Statement include Personal Information relating to Employees, Clients, Suppliers, and Clinical Parties. In connection with Circassia’s Operations, Circassia may now and/or in the future: (a) transfer Personal Information of Employees, Clients, Suppliers, and/or Clinical Parties outside of the EEA to the United States; and/or (b) access Personal Information regarding Employees, Clients, Suppliers, and/or Clinical Parties from the United States.
The following capitalized terms are used throughout this document and are defined as follows:
“Agent” or collectively, “Agents” means any third party that processes Personal Information pursuant to the instructions of, and solely for, Circassia or to which Circassia discloses Personal Information for use on its behalf.
“Circassia” or the “Company” collectively refers to Circassia Pharmaceuticals Inc. and any and all subsidiaries and affiliates thereof that are incorporated in any state or territory of the United States.
“Citizen” or collectively, “Citizens” means a lawful citizen or citizens of any EEA country and includes Employees, Clients, Suppliers, and Clinical Parties.
“EEA” means the European Economic Area which is composed of the following thirty-one (31) countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Ireland, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and United Kingdom.
“Employee” or collectively, “Employees,” means any Circassia Citizen-employee(s) (and any and all dependents thereof), including, but not limited to, temporary, permanent, and former employees, directors, contractors, workers and retirees. For purposes of this Statement only, the term “Employee” or “Employees” shall also include any of Circassia’s independent contractors and job applicants that are Citizens.
“Personal Information” means any information or set of information about an identified or identifiable Citizen, including, but not limited to: (a) first name or initial and last name; (b) home or other physical address; (c) telephone number; (d) email address or online identifier associated with the Citizen; (e) Social Security number or other similar identifier; (f) employment, financial or health information; or (g) any other information relating to a Citizen that is combined with any of the above. The term “Personal Information” does not include anonymized information or information that is reported in the aggregate (provided that such aggregated information is not identifiable to a natural person).
“Privacy Shield Principles” collectively means the following seven (7) privacy principles as described in the Privacy Shield: (1) Notice, (2) Choice, (3) Accountability for Onward Transfer, (4) Security, (5) Data Integrity and Purpose Limitation, (6) Access, and (7) Recourse, Enforcement and Liability, as well as the supplemental privacy principles and the associated guidance set forth in those certain “Frequently Asked Questions” as agreed to by the U.S. Department of Commerce and the European Commission.
“Process” or “Processing” of Personal Information means any operation or set of operations which is performed upon Personal Information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
“Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data where Processed to uniquely identify a person, any information that concerns medical or health conditions or sex life, or information relating to the commission of a criminal offense.
Capitalized terms not defined above have the definitions set forth in the respective paragraphs of this Statement.
Privacy Shield Principles
1. Notice: In the event that Circassia collects Personal Information from a Citizen, Circassia will furnish a notice to the Citizen that describes: (i) the types of Personal Information that it collects about such Citizens; (ii) the purposes for which it collects such information; (iii) the types of third parties to which it discloses such information, and the purposes for which it does so; and (iv) how to contact Circassia with any inquiries or complaints, including any relevant establishment in the EEA that can respond to such inquiries or complaints. Notice will be provided in clear and conspicuous language at the time of collection, or as soon as reasonably practicable thereafter. In any event, notice will be provided before Circassia discloses the Personal Information or uses such information for a purpose other than that for which the Personal Information was originally collected or processed.
2. Choice: In the event that Personal Information is to be used for a new purpose that is materially different from the purpose(s) for which the Personal Information was originally collected or subsequently authorized, or transferred to a non-Agent third party, Citizens will be provided, where practical and appropriate, with an opportunity to decline to have their Personal Information so used or transferred. In the event that the Personal Information used for a purpose other than that for which it was originally collected or subsequently authorized or transferred to the control of a non-Agent third party is Sensitive Personal Information, the Citizen’s affirmative express consent will be obtained prior to the use or transfer of the Sensitive Personal Information or as otherwise permitted in accordance with the Privacy Shield Principles.
3. Accountability for Onward Transfer: Circassia will endeavor to only transfer Personal Information to an Agent where such Agent has given assurances that it provides at least the same level of privacy protection as is required by the Privacy Shield Principles and this Statement and will notify Circassia if it makes a determination it can no longer meet this obligation. Where Circassia has knowledge that an Agent is using or sharing Personal Information in a way that is contrary to the Privacy Shield Principles and/or this Statement, Circassia will take reasonable steps to prevent or stop such Processing. With respect to onward transfers to Agents, Privacy Shield requires that, to the extent it is responsible for the event, Circassia shall remain liable should its Agents Process Personal Information in a manner inconsistent with the Privacy Shield Principles.
4. Security: Circassia takes reasonable and appropriate administrative, technical and physical precautions designed to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction, regardless of whether such Personal Information is in electronic or tangible, hard copy form.
5. Data Integrity and Purpose Limitation: Circassia endeavors to limit the collection, usage, and retention of Personal Information to that which is relevant for the intended purposes of Processing, and takes reasonable steps designed to ensure that all Personal Information is reliable for its intended use, accurate, complete and current. Circassia depends on its Employees to keep Personal Information reliable, accurate, complete and current.
6. Access: Citizens may seek confirmation regarding whether Circassia is Processing Personal Information about them, request access to their Personal Information and ask that the Company correct, amend or delete that information, where it is inaccurate or has been processed in violation of the Privacy Shield Principles. Although Circassia makes good faith efforts to provide Citizens with access to their Personal Information, Circassia reserves the right to limit or deny such access where the burden or expense of providing access would be disproportionate to the risks to the Citizen’s privacy, where the rights of Citizens other than the subject Citizen would be violated, where the information is commercially proprietary or where doing so is otherwise consistent with the Privacy Shield Principles. If Circassia determines that access should be restricted in any particular instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries.
7. Recourse, Enforcement and Liability: Circassia has implemented mechanisms to verify its ongoing compliance with the Privacy Shield Principles and this Statement. Any party that violates the Privacy Principles and/or this Statement will be subject to disciplinary procedures in accordance with Circassia’s disciplinary procedures."
In compliance with the Privacy Shield Principles, Circassia commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Private Shield policy should first contact Circassia at: firstname.lastname@example.org
In the event of a dispute, Citizens are able to seek resolution of their questions or complaints regarding use and disclosure of their Personal Information in accordance with the Privacy Shield Principles contained in this Statement. If you feel that Circassia is not abiding by the terms of this Statement, or is not in compliance with the Privacy Shield Principles, please contact Circassia at the contact information provided below. In addition, Circassia has agreed to cooperate with JAMS Privacy Shield Dispute Resolution Program with respect to complaints related data of Clients, Suppliers, and Clinical Parties and with the local data protection authorities with respect to Employee and human resources data. For more information and to submit a complaint to JAMS, visit https://www.jamsadr.com/eu-us-privacy-shield. Such independent dispute resolution mechanisms are available to Citizens free of charge. If any request remains unresolved, Citizens may have a right to invoke binding arbitration under Privacy Shield. The FTC has jurisdiction over Circassia’s compliance with the Privacy Shield.
Limitation on Scope of Privacy Shield Principles
Adherence to these Privacy Shield Principles may be limited (i) to the extent required or allowed by applicable law, rule or regulation; (ii) to the extent necessary to respond to lawful requests by public authorities, including to meet national security, law enforcement, legal or governmental requirements; and/or (iii) to protect the health or safety of a Citizen.
Complaints and Contact Information
If you have questions regarding this Statement or any of Circassia’s privacy practices, please contact us by mail or e-mail at the following addresses:
Circassia Pharmaceuticals Inc.
Attn: Matthew Frankel
General Counsel and Chief Compliance Officer
5151 McCrimmon Parkway
Morrisville, NC 27560
Changes to this Statement
This Statement may be amended from time to time in a manner that is consistent with the requirements of the Privacy Principles. When this Statement is updated, the “Last Updated” date at the bottom of this document shall be amended accordingly. Any material changes to this Statement will be posted on Circassia’s website and available to the general public at www.circassia.com/privacy.
THIS STATEMENT HAS BEEN INITIALLY ADOPTED BY CIRCASSIA AS OF THE 30TH DAY OF SEPTEMBER, 2016.
Last Updated: August 1, 2018