Aimmune Privacy Shield Privacy Statement
Effective December 6, 2017
Aimmune Therapeutics, Inc. (“Aimmune”) participates in the EU/U.S. and Swiss/U.S. Privacy Shield programs administered by the United States Department of Commerce (“Privacy Shield”) and has certified to the Department of Commerce that Aimmune adheres to the Privacy Shield Principles. As part of our participation in the Privacy Shield, Aimmune has committed to processing all personal data1 Aimmune receives from EU member states, Switzerland and other participating countries in reliance on the Privacy Shield (“from the EU and Switzerland”) in accordance with its Privacy Shield commitments including the Privacy Shield Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability.
This privacy statement applies only to personal data received from the EU and Switzerland through reliance on the Privacy Shield. To learn more about the Privacy Shield program, and to view Aimmune’s certification, please visit: https://www.privacyshield.gov/list.
In the event of a conflict between this Privacy Statement and the Privacy Shield Principles, the Privacy Shield Principles will control. In the event of a conflict between this Privacy Shield Privacy Statement and applicable laws, Aimmune will seek to comply with both requirements, but if that is not possible, Aimmune will comply with its obligations under applicable law. This policy does not apply to personal data Aimmune transfers about its employees and applicants, which are covered by a separate human-resources-oriented Privacy Shield Privacy Statement.
Aimmune’s Privacy Shield Privacy Statement is organized around the following principles:
At Aimmune, we notify individuals about the purposes for which we collect and use information about them, choices they have regarding certain uses and disclosures of their personal data, and how to contact us with inquiries or complaints. We provide this notice either through this privacy statement or other means such as, statements on our website, informed consent forms, and other disclosures. Categories of individuals about whom we collect personal data (as well as examples of how we may use personal data and the types of entities to whom we may disclose personal data, as further described in the Accountability for Onward Transfer Section below) include:
Study participants. Aimmune may collect personal data about study subjects as necessary to carry out the study the individual has agreed to participate in. Typically, study data Aimmune receives as a study sponsor is coded data which does not directly identify the individual study participant, but is linked to the name of the participant and other direct identifiers using a code that an investigator at the clinical trial site could use to determine who the information pertains to. Aimmune may obtain coded information including information such as the individual’s race and ethnic origin, gender, date of birth (or a portion thereof), information about physical or mental health or condition, responses to questionnaires completed by study participants, results of tests conducted during the study (including testing conducted on blood, urine or other biologic samples) and other information collected during a particular study.
Aimmune also may collect identifiable information in the course of carrying out its patient safety and efficacy obligations. Information collected may be transferred to our affiliates and third-party service providers performing study related duties and may be transferred to regulatory authorities.
Clinical research investigators, medical and healthcare professionals, and members of their staffs. The collection of personal data such as contact information, qualifications, and other information is to facilitate the proper conduct of research studies and to carry out other study related activities. Information collected may be transferred to our affiliates and third-party service providers performing study related duties and may be transferred to regulatory authorities.
Service providers. Aimmune maintains contact information, invoices and other billing information, together with other information which may be necessary to manage and oversee Aimmune’s service providers including conducting surveys, handling complaints and inquiries, audits, making disclosure under the requirements of any law applicable, any other directly related matters.
Prospective study participants, prospective investigators and users of Aimmune applications and websites. Individuals who make enquiries regarding Aimmune services may be asked to provide personal data in order to provide the requested information, products or services. Personal data provided may be used for the processing of requested transactions, improving the quality of our services, sending communications about our products and services, enabling our service providers to perform certain activities on our behalf and complying with our legal obligations, policies and procedures.
In many cases, such as information collected through our clinical trials, we collect personal data with the express consent of the trial participant. In other cases, Aimmune offers individuals the opportunity to choose (opt-out) whether their personal data is (i) to be disclosed to a third party (other than service providers performing tasks on Aimmune’s behalf pursuant to a contract) or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals.
For sensitive information,2 Aimmune obtains (directly or through another party such as a clinical trial investigator) affirmative express consent (opt-in) from individuals, with certain exceptions permitted by the Privacy Shield program, if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice.
We are committed to providing individuals with clear, conspicuous, and readily available mechanisms to exercise choice. Therefore, in addition to any other mechanisms that may be provided in particular cases, individuals may opt-out by contacting Aimmune using the points of contact in the “Contact Us” section below.
Participants in clinical trials may decide or be asked to withdraw from a clinical trial at any time. Any personal data collected prior to withdrawal may still be processed along with other data collected as part of the clinical trial, consistent with the informed consent form the trial participant agreed to in order to participate in the clinical trial.
3. ACCOUNTABILITY FOR ONWARD TRANSFER
Aimmune may disclose personal data from clinical trials conducted in the EU and Switzerland to regulators in the United States and other countries for regulatory and supervision purposes. Aimmune also may be required to disclose personal data in response to lawful requests by public authorities, including disclosures to meet national security or law enforcement requirements.
Aimmune’s disclosure of personal data to third parties is governed by the Notice and Choice Principles described above, except in the case of disclosures to regulators as described in this Privacy Statement and when disclosures are otherwise required by law.
Aimmune may transfer personal data to service providers acting on its behalf. In such cases Aimmune will transfer such data only for limited and specified purposes and subject to contractual safeguards for the data.
When transferring personal data to third-party controllers (i.e., entities that will control how personal data is processed) other in the case of disclosures to regulators or those otherwise required by law, Aimmune will comply with the Notice and Choice Principles as described above. Aimmune will enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made, the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.
Aimmune takes reasonable and appropriate measures to protect personal data from loss, misuse, and unauthorized access, disclosure, alternation, and destruction, taking into account the risks involved in the processing and nature of the personal data.
5. DATA INTEGRITY AND PURPOSE LIMITATION
Aimmune limits the personal data it collects to information that is relevant for the purposes of processing. Aimmune does not process personal data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, Aimmune takes reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.
Aimmune takes reasonable and appropriate measures to retain personal data only for as long as Aimmune has a legitimate legal or business need to do so, such as conducting clinical trials and related research and regulatory approvals, customer service, compliance with legal or contractual retention obligations, retention for audit purposes, security and fraud prevention, preservation of legal rights or other reasonable purposes consistent with the purpose of the collection of the information. Aimmune will adhere to the Principles for as long as it retains personal data transferred in reliance upon the Privacy Shield.
It is Aimmune’s policy to provide individuals with access to personal data about them that Aimmune holds about them and provides them with a means to request the correction, amendment, or deletion of that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, where the rights of persons other than the individual would be violated, or where providing access (such as in the case of blinded studies) could jeopardize the validity of a research study or its results.
Following the conclusion of a clinical trial and the analysis of the results, clinical trial participants may be eligible to obtain information about the treatment the individual received during the trial by contacting the investigator or other health care professional that the individual received treatment from during the clinical trial.
7. PRODUCT SAFETY AND EFFICACY MONITORING
Consistent with the Privacy Shield Supplemental Principle governing Pharmaceutical and Medical Products, the Notice, Choice, Accountability for Onward Transfer, and Access Principles set forth above do not apply to Aimmune’s product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices to the extent that adherence to the Principles interferes with compliance and regulatory requirements, including disclosures to agencies, such as the U.S. Food and Drug Administration.
8. RECOURSE, ENFORCEMENT AND LIABILITY
Aimmune internally monitors and assesses our compliance with our Privacy Shield Privacy statement and our Privacy Shield obligations. Under the Privacy Shield Principles, Aimmune may be liable in the event that a service provider to whom Aimmune transfers personal data such personal data in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage. An individual with an inquiry or complaint may contact us using the mailing or email address below.
In the case of human resources data Aimmune has agreed to cooperate with a panel of European Data Protection Authorities created for that purpose.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider, the International Centre for Dispute Resolution, the international division of the American Arbitration Association (ICDR-AAA), (free of charge to consumers) at http://go.adr.org/privacyshield.html.
Individuals also may be able to invoke binding arbitration, under certain circumstances where permitted by the Privacy Shield program, if the individual believes there has been a violation of Privacy Shield requirements that has not been appropriately addressed by Aimmune.
Aimmune’s compliance with its Privacy Shield obligations also is subject to investigation and enforcement by the U.S. Federal Trade Commission. Aimmune also is required by the Privacy Shield program to respond promptly to inquiries and requests for information from the U.S. Department of Commerce.
9. CONTACT US
If you have any inquiries or complaints regarding this policy or our privacy practices, contact us firstname.lastname@example.org.
10. POLICY CHANGES
Aimmune reserves the right to change their policy from time to time, consistent with the Privacy Shield Principles.
1. “Personal data” means data about an identified or identifiable individual received by Aimmune in the United States from the EU and Switzerland, and recorded in any form.
2. Sensitive information for purposes of this policy means personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying the sex life of the individual or information designated by the transferring organization as sensitive. In the case of information transferred pursuant to the Swiss Privacy Shield, sensitive information also includes information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings.